from_file rights: Replace config parser interpolation

Unrud 2020-04-22 19:20:24 +02:00
parent aef58bd55c
commit d5f5eeeddf
4 changed files with 26 additions and 23 deletions


@ -932,14 +932,14 @@ permissions: R
# Allow reading and writing principal collection (same as user name)
[principal]
user: .+
collection: %(login)s
collection: {user}
permissions: RW
# Allow reading and writing calendars and address books that are direct
# children of the principal collection
[calendars]
user: .+
collection: %(login)s/[^/]+
collection: {user}/[^/]+
permissions: rw
```
@ -955,16 +955,18 @@ users).
The path of the collection is separated by `/` and has no leading or trailing
`/`. Therefore, the path of the root collection is empty.
`%(login)s` gets replaced by the user name and `%(path)s` by the path of
the collection. You can also use groups from the `user` regex in the
`collection` regex with `{1}`, `{2}`, etc.
In the `collection` regex you can use `{user}` and get groups from the `user`
regex with `{0}`, `{1}`, etc.
In consequence of the parameter subsitution you have to write `{{` and `}}`
if you want to use regular curly braces in the `user` and `collection` regexes.
The following `permissions` are recognized:
* **R**: read a collection (excluding address book or calendar collections)
* **r**: read an address book or calendar collection
* **W**: write a collection (excluding address book or calendar collections)
* **w**: write an address book or calendar collection
* **R:** read a collection (excluding address book or calendar collections)
* **r:** read an address book or calendar collection
* **W:** write a collection (excluding address book or calendar collections)
* **w:** write an address book or calendar collection
## Storage
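Review bot: The added sentence beginning "In consequence of the parameter subsitution" misspells "substitution", and the paragraph drops `%(login)s` and `%(path)s` without saying they are no longer accepted. Suggest fixing the spelling and adding one sentence telling administrators to replace `%(login)s` with `{user}` in existing rights files, plus a short example of an escaped quantifier such as `[0-9]{{2}}`. The switch from `**R**:` to `**R:**` in the permissions list is unrelated formatting and would be easier to review in its own commit.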


@ -17,12 +17,13 @@
"""
Rights backend based on a regex-based file whose name is specified in the
config (section "right", key "file").
config (section "rights", key "file").
Authentication login is matched against the "user" key, and collection's path
is matched against the "collection" key. You can use Python's ConfigParser
interpolation values %(login)s and %(path)s. You can also get groups from the
user regex in the collection with {0}, {1}, etc.
The login is matched against the "user" key, and the collection path
is matched against the "collection" key. In the "collection" regex you can use
`{user}` and get groups from the "user" regex with `{0}`, `{1}`, etc.
In consequence of the parameter subsitution you have to write `{{` and `}}`
if you want to use regular curly braces in the "user" and "collection" regexes.
For example, for the "user" key, ".+" means "authenticated user" and ".*"
means "anybody" (including anonymous users).
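Review bot: The new docstring sentence repeats the misspelling "subsitution" and does not say that `{user}` and the `{0}`, `{1}` group values are inserted regex-escaped, which is the property a rights-file author relies on. Suggest correcting the spelling and adding that the substituted values always match literally.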
@ -49,10 +50,8 @@ class Rights(rights.BaseRights):
user = user or ""
sane_path = pathutils.strip_path(path)
# Prevent "regex injection"
user_escaped = re.escape(user)
sane_path_escaped = re.escape(sane_path)
rights_config = configparser.ConfigParser(
{"login": user_escaped, "path": sane_path_escaped})
escaped_user = re.escape(user)
rights_config = configparser.ConfigParser()
try:
if not rights_config.read(self._filename):
raise RuntimeError("No such file: %r" %
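Review bot: `configparser.ConfigParser()` with no arguments still uses the default `BasicInterpolation`, so `%` keeps its special meaning in the `user` and `collection` values: a leftover `%(login)s` or a literal `%` in a regex makes `rights_config.get()` raise an interpolation error. If the intent is for `str.format` to be the only substitution layer, pass `interpolation=None` here; otherwise document that `%` has to be written as `%%`. The `# Prevent "regex injection"` comment would also read better next to the `format()` call where `escaped_user` is used.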
@ -64,10 +63,12 @@ class Rights(rights.BaseRights):
try:
user_pattern = rights_config.get(section, "user")
collection_pattern = rights_config.get(section, "collection")
user_match = re.fullmatch(user_pattern, user)
# Use empty format() for harmonized handling of curly braces
user_match = re.fullmatch(user_pattern.format(), user)
collection_match = user_match and re.fullmatch(
collection_pattern.format(
*map(re.escape, user_match.groups())), sane_path)
*map(re.escape, user_match.groups()),
user=escaped_user), sane_path)
except Exception as e:
raise RuntimeError("Error in section %r of rights file %r: "
"%s" % (section, self._filename, e)) from e
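Review bot: In `*map(re.escape, user_match.groups())`, `groups()` yields `None` for any group that did not take part in the match (for example with `user: (a)|(b)`), and `re.escape(None)` raises `TypeError`, which the `except` below turns into a `RuntimeError` for the whole rights check. Suggest `user_match.groups(default="")` so unmatched groups substitute as an empty string. The comment on `user_pattern.format()` could also state that the empty call only collapses `{{` and `}}`, and that a `{0}` or `{user}` placed in the `user` regex will raise.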


@ -125,7 +125,7 @@ class TestBaseRightsRequests(BaseTest):
f.write("""\
[owner]
user: .+
collection: %(login)s(/.*)?
collection: {user}(/.*)?
permissions: RrWw
[custom]
user: .*
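Review bot: The fixture only swaps `%(login)s` for `{user}` in the `[owner]` section, so the `{0}`-style group substitution and the `{{`/`}}` escaping introduced by this commit are not exercised. Suggest adding a section whose `collection` uses a group captured by `user`, one with an escaped quantifier, and a request with a login containing a regex metacharacter such as `.` to confirm that `{user}` is matched literally.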

rights

@ -21,14 +21,14 @@
# Allow reading and writing principal collection (same as user name)
#[principal]
#user: .+
#collection: %(login)s
#collection: {user}
#permissions: RW
# Allow reading and writing calendars and address books that are direct
# children of the principal collection
#[calendars]
#user: .+
#collection: %(login)s/[^/]+
#collection: {user}/[^/]+
#permissions: rw