tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Always match full username/collection with regex

Browse Source 
It's easy to forget $ at the end of a regex and it's counter-intuitive that ^ is implicit but $ is not.
This commit is contained in:
Unrud 2016-08-01 10:07:21 +02:00
parent f4ebe3f545
commit 9dd8c65d65
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
radicale/rights.py
View File

@ -66,7 +66,7 @@ permission:rw
"owner_write": """ "owner_write": """
[w] [w]
user:.+ user:.+
collection:^%(login)s(/.*)?$ collection:%(login)s(/.*)?
permission:rw permission:rw
[r] [r]
user:.+ user:.+
@ -76,7 +76,7 @@ permission:r
"owner_only": """ "owner_only": """
[rw] [rw]
user:.+ user:.+
collection:^%(login)s(/.*)?$ collection:%(login)s(/.*)?
permission:rw permission:rw
"""} """}
@ -127,10 +127,10 @@ class Rights(BaseRights):
self.logger.debug( self.logger.debug(
"Test if '%s:%s' matches against '%s:%s' from section '%s'" % ( "Test if '%s:%s' matches against '%s:%s' from section '%s'" % (
user, collection_url, re_user, re_collection, section)) user, collection_url, re_user, re_collection, section))
user_match = re.match(re_user, user) user_match = re.fullmatch(re_user, user)
if user_match: if user_match:
re_collection = re_collection.format(*user_match.groups()) re_collection = re_collection.format(*user_match.groups())
if re.match(re_collection, collection_url): if re.fullmatch(re_collection, collection_url):
self.logger.debug("Section '%s' matches" % section) self.logger.debug("Section '%s' matches" % section)
return permission in regex.get(section, "permission") return permission in regex.get(section, "permission")
else: else:

10
rights
View File

@ -14,7 +14,7 @@
# This means all users starting with "admin" may read any collection # This means all users starting with "admin" may read any collection
[admin] [admin]
user: ^admin.*$ user: admin.*
collection: .* collection: .*
permission: r permission: r
@ -22,14 +22,14 @@ permission: r
# We do so by just not testing against the user string. # We do so by just not testing against the user string.
[public] [public]
user: .* user: .*
collection: ^public(/.+)?$ collection: public(/.+)?
permission: rw permission: rw
# A little more complex: give read access to users from a domain for all # A little more complex: give read access to users from a domain for all
# collections of all the users (ie. user@domain.tld can read domain/*). # collections of all the users (ie. user@domain.tld can read domain/*).
[domain-wide-access] [domain-wide-access]
user: ^.+@(.+)\..+$ user: .+@(.+)\..+
collection: ^{0}/.+$ collection: {0}/.+
permission: r permission: r
# Allow authenticated user to read all collections # Allow authenticated user to read all collections
@ -41,5 +41,5 @@ permission: r
# Give write access to owners # Give write access to owners
[owner-write] [owner-write]
user: .+ user: .+
collection: ^%(login)s/.*$ collection: %(login)s/.*
permission: w permission: w