Fix access to collections
under certain conditions it was possible to pass the final access control
if-clause. the master branch granted access if:
if ((read_allowed_items or write_allowed_items)
and (not user or auth.is_authenticated(user, password))) or
function == self.options or not items:
the easy-connect branch from pull request #95 adds:
(is_authenticated and function == self.propfind) or
the last `or not items` condition levers out the previous authentication and
access control. that isn't that big secuity issue because in this case there
are no collection and items at all. but "bad" and anonymous users could gather
data and information which not destined for them.
this commit fixes and simplifies the if-clause.
This commit is contained in:
Christoph Polcin
parent
387e1fee76
commit
90d82d044c
@ -284,13 +284,12 @@ class Application(object):
|
|||||||
self.collect_allowed_items(items, user)
|
self.collect_allowed_items(items, user)
|
||||||
|
|
||||||
is_authenticated = auth.is_authenticated(user, password)
|
is_authenticated = auth.is_authenticated(user, password)
|
||||||
|
is_valid_user = is_authenticated or not user
|
||||||
|
|
||||||
if ((read_allowed_items or write_allowed_items)
|
if is_valid_user and (
|
||||||
and (not user or is_authenticated)) or \
|
(read_allowed_items or write_allowed_items) or
|
||||||
(is_authenticated and function == self.propfind) or \
|
(is_authenticated and function == self.propfind) or
|
||||||
function == self.options or not items:
|
function == self.options):
|
||||||
# Collections found, or authenticated PROPFIND request,
|
|
||||||
# or OPTIONS request, or no items at all
|
|
||||||
status, headers, answer = function(
|
status, headers, answer = function(
|
||||||
environ, read_allowed_items, write_allowed_items, content,
|
environ, read_allowed_items, write_allowed_items, content,
|
||||||
user)
|
user)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user