tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

from_file rights: Replace config parser interpolation

Browse Source
This commit is contained in:
Unrud 2020-04-22 19:20:24 +02:00
parent aef58bd55c
commit d5f5eeeddf
4 changed files with 26 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
DOCUMENTATION.md
View File

@ -932,14 +932,14 @@ permissions: R
# Allow reading and writing principal collection (same as user name) # Allow reading and writing principal collection (same as user name)
[principal] [principal]
user: .+ user: .+
collection: %(login)s collection: {user}
permissions: RW permissions: RW
# Allow reading and writing calendars and address books that are direct # Allow reading and writing calendars and address books that are direct
# children of the principal collection # children of the principal collection
[calendars] [calendars]
user: .+ user: .+
collection: %(login)s/[^/]+ collection: {user}/[^/]+
permissions: rw permissions: rw
``` ```
@ -955,16 +955,18 @@ users).
The path of the collection is separated by `/` and has no leading or trailing The path of the collection is separated by `/` and has no leading or trailing
`/`. Therefore, the path of the root collection is empty. `/`. Therefore, the path of the root collection is empty.
`%(login)s` gets replaced by the user name and `%(path)s` by the path of In the `collection` regex you can use `{user}` and get groups from the `user`
the collection. You can also use groups from the `user` regex in the regex with `{0}`, `{1}`, etc.
`collection` regex with `{1}`, `{2}`, etc.
In consequence of the parameter subsitution you have to write `{{` and `}}`
if you want to use regular curly braces in the `user` and `collection` regexes.
The following `permissions` are recognized: The following `permissions` are recognized:
* **R**: read a collection (excluding address book or calendar collections) * **R:** read a collection (excluding address book or calendar collections)
* **r**: read an address book or calendar collection * **r:** read an address book or calendar collection
* **W**: write a collection (excluding address book or calendar collections) * **W:** write a collection (excluding address book or calendar collections)
* **w**: write an address book or calendar collection * **w:** write an address book or calendar collection
## Storage ## Storage

23
radicale/rights/from_file.py
View File

@ -17,12 +17,13 @@
""" """
Rights backend based on a regex-based file whose name is specified in the Rights backend based on a regex-based file whose name is specified in the
config (section "right", key "file"). config (section "rights", key "file").
Authentication login is matched against the "user" key, and collection's path The login is matched against the "user" key, and the collection path
is matched against the "collection" key. You can use Python's ConfigParser is matched against the "collection" key. In the "collection" regex you can use
interpolation values %(login)s and %(path)s. You can also get groups from the `{user}` and get groups from the "user" regex with `{0}`, `{1}`, etc.
user regex in the collection with {0}, {1}, etc. In consequence of the parameter subsitution you have to write `{{` and `}}`
if you want to use regular curly braces in the "user" and "collection" regexes.
For example, for the "user" key, ".+" means "authenticated user" and ".*" For example, for the "user" key, ".+" means "authenticated user" and ".*"
means "anybody" (including anonymous users). means "anybody" (including anonymous users).
@ -49,10 +50,8 @@ class Rights(rights.BaseRights):
user = user or "" user = user or ""
sane_path = pathutils.strip_path(path) sane_path = pathutils.strip_path(path)
# Prevent "regex injection" # Prevent "regex injection"
user_escaped = re.escape(user) escaped_user = re.escape(user)
sane_path_escaped = re.escape(sane_path) rights_config = configparser.ConfigParser()
rights_config = configparser.ConfigParser(
{"login": user_escaped, "path": sane_path_escaped})
try: try:
if not rights_config.read(self._filename): if not rights_config.read(self._filename):
raise RuntimeError("No such file: %r" % raise RuntimeError("No such file: %r" %
@ -64,10 +63,12 @@ class Rights(rights.BaseRights):
try: try:
user_pattern = rights_config.get(section, "user") user_pattern = rights_config.get(section, "user")
collection_pattern = rights_config.get(section, "collection") collection_pattern = rights_config.get(section, "collection")
user_match = re.fullmatch(user_pattern, user) # Use empty format() for harmonized handling of curly braces
user_match = re.fullmatch(user_pattern.format(), user)
collection_match = user_match and re.fullmatch( collection_match = user_match and re.fullmatch(
collection_pattern.format( collection_pattern.format(
*map(re.escape, user_match.groups())), sane_path) *map(re.escape, user_match.groups()),
user=escaped_user), sane_path)
except Exception as e: except Exception as e:
raise RuntimeError("Error in section %r of rights file %r: " raise RuntimeError("Error in section %r of rights file %r: "
"%s" % (section, self._filename, e)) from e "%s" % (section, self._filename, e)) from e

2
radicale/tests/test_rights.py
View File

@ -125,7 +125,7 @@ class TestBaseRightsRequests(BaseTest):
f.write("""\ f.write("""\
[owner] [owner]
user: .+ user: .+
collection: %(login)s(/.*)? collection: {user}(/.*)?
permissions: RrWw permissions: RrWw
[custom] [custom]
user: .* user: .*

4
rights
View File

@ -21,14 +21,14 @@
# Allow reading and writing principal collection (same as user name) # Allow reading and writing principal collection (same as user name)
#[principal] #[principal]
#user: .+ #user: .+
#collection: %(login)s #collection: {user}
#permissions: RW #permissions: RW
# Allow reading and writing calendars and address books that are direct # Allow reading and writing calendars and address books that are direct
# children of the principal collection # children of the principal collection
#[calendars] #[calendars]
#user: .+ #user: .+
#collection: %(login)s/[^/]+ #collection: {user}/[^/]+
#permissions: rw #permissions: rw