From 9dd8c65d653b4e568ba2ddb40dfe0a89df66a9dd Mon Sep 17 00:00:00 2001
From: Unrud
Date: Mon, 1 Aug 2016 10:07:21 +0200
Subject: [PATCH] Always match full username/collection with regex

It's easy to forget $ at the end of a regex and it's counter-intuitive that ^ is implicit but $ is not.

---
 radicale/rights.py | 8 ++++----
 rights | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/radicale/rights.py b/radicale/rights.py
index e4d780a..82eb635 100644
--- a/radicale/rights.py
+++ b/radicale/rights.py
@@ -66,7 +66,7 @@ permission:rw
 "owner_write": """
 [w]
 user:.+
-collection:^%(login)s(/.*)?$
+collection:%(login)s(/.*)?
 permission:rw
 [r]
 user:.+
@@ -76,7 +76,7 @@ permission:r
 "owner_only": """
 [rw]
 user:.+
-collection:^%(login)s(/.*)?$
+collection:%(login)s(/.*)?
 permission:rw
 """}
@@ -127,10 +127,10 @@ class Rights(BaseRights):
 self.logger.debug(
 "Test if '%s:%s' matches against '%s:%s' from section '%s'" % (
 user, collection_url, re_user, re_collection, section))
-user_match = re.match(re_user, user)
+user_match = re.fullmatch(re_user, user)
 if user_match:
 re_collection = re_collection.format(*user_match.groups())
-if re.match(re_collection, collection_url):
+if re.fullmatch(re_collection, collection_url):
 self.logger.debug("Section '%s' matches" % section)
 return permission in regex.get(section, "permission")
 else:
diff --git a/rights b/rights
index f4d3cc2..409da48 100644
--- a/rights
+++ b/rights
@@ -14,7 +14,7 @@
 # This means all users starting with "admin" may read any collection
 [admin]
-user: ^admin.*$
+user: admin.*
 collection: .*
 permission: r
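Review bot: Switching to `re.fullmatch` in the `@@ -127` hunk leaves the other weakness of this matcher untouched: on the unchanged line `re_collection = re_collection.format(*user_match.groups())` the text captured from the user name is spliced into the collection pattern as regex source, so any metacharacter in the captured part is interpreted rather than matched literally — with the `.+@(.+)\..+` rule shipped in the `rights` sample, a captured domain `a.b` also matches collections under `aXb/`, and a captured group made of wildcards widens the rule to other users' collections. Escape the captured text before interpolation, and default unmatched optional groups to an empty string instead of the literal `None` that `format` would otherwise insert: `re_collection = re_collection.format(*map(re.escape, user_match.groups("")))`. The same concern applies to `%(login)s` in the `owner_write`/`owner_only` defaults of the `@@ -66` and `@@ -76` hunks, but the code that substitutes it is outside this diff, so I cannot tell whether the login is escaped there. `re.fullmatch` exists only from Python 3.4, which is worth checking against the minimum version the project declares. The enclosing method starts and ends outside the hunk.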
@@ -22,14 +22,14 @@ permission: r
 # We do so by just not testing against the user string.
 [public]
 user: .*
-collection: ^public(/.+)?$
+collection: public(/.+)?
 permission: rw
 # A little more complex: give read access to users from a domain for all
 # collections of all the users (ie. user@domain.tld can read domain/*).
 [domain-wide-access]
-user: ^.+@(.+)\..+$
-collection: ^{0}/.+$
+user: .+@(.+)\..+
+collection: {0}/.+
 permission: r
 # Allow authenticated user to read all collections
@@ -41,5 +41,5 @@ permission: r
 # Give write access to owners
 [owner-write]
 user: .+
-collection: ^%(login)s/.*$
+collection: %(login)s/.*
 permission: w
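Review bot: The comment `# collections of all the users (ie. user@domain.tld can read domain/*)` above `[domain-wide-access]` is only accurate for two-label domains: `(.+)` in the new `user: .+@(.+)\..+` rule is greedy, so `user@mail.example.org` captures `mail.example`, and because `{0}` is substituted into the collection pattern as regex text, the `.` inside it matches any character. Since this sample is what administrators copy, the top of the file (outside this hunk) should also state the new matching rule, e.g. `# Patterns are matched against the whole user name / collection path; ^ and $ are not needed, and "user: admin" no longer matches "administrator".` The same documentation point applies to the `@@ -14` and `@@ -41` hunks.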