From 8a98f4861dfcffc5e964e2d7d741ff5b5fa262ba Mon Sep 17 00:00:00 2001 From: Unrud Date: Mon, 13 Mar 2017 08:22:14 +0100 Subject: [PATCH] Fix permissions for REPORT request Only read access is required. --- radicale/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/__init__.py b/radicale/__init__.py index 09f3d55..eacb39d 100644 --- a/radicale/__init__.py +++ b/radicale/__init__.py @@ -677,12 +677,12 @@ class Application: def do_REPORT(self, environ, base_prefix, path, user): """Manage REPORT request.""" - if not self._access(user, path, "w"): + if not self._access(user, path, "r"): return NOT_ALLOWED content = self._read_content(environ) with self.Collection.acquire_lock("r", user): item = next(self.Collection.discover(path), None) - if not self._access(user, path, "w", item): + if not self._access(user, path, "r", item): return NOT_ALLOWED if not item: return NOT_FOUND