Fixed partially anonymous authentication

radicale/__init__.py

@@ -278,30 +278,21 @@ class Application(object):
         else:
             user = password = None
 
-        if not items or function == self.options or \
+        read_allowed_items, write_allowed_items = \
-                auth.is_authenticated(user, password) if user else True:
+            self.collect_allowed_items(items, user)
 
-            read_allowed_items, write_allowed_items = \
+        if ((read_allowed_items or write_allowed_items)
-                self.collect_allowed_items(items, user)
+            and auth.is_authenticated(user, password)) or \
-
+                function == self.options or not items:
-            if read_allowed_items or write_allowed_items or \
+            # Collections found, or OPTIONS request, or no items at all
-                    function == self.options or not items:
+            status, headers, answer = function(
-                # Collections found, or OPTIONS request, or no items at all
+                environ, read_allowed_items, write_allowed_items, content,
-                status, headers, answer = function(
+                user)
-                    environ, read_allowed_items, write_allowed_items, content,
-                    user)
-            elif not user:
-                # Unknown or unauthorized user
-                log.LOGGER.info("%s refused" % (user or "Anonymous user"))
-                status = client.UNAUTHORIZED
-                headers = {
-                    "WWW-Authenticate":
-                    "Basic realm=\"%s\"" % config.get("server", "realm")}
-                answer = None
-            else:
-                # Good user but has no rights to any of the given collections
-                status, headers, answer = NOT_ALLOWED
         else:
+            status, headers, answer = NOT_ALLOWED
+
+        if (status, headers, answer) == NOT_ALLOWED and \
+                not auth.is_authenticated(user, password):
             # Unknown or unauthorized user
             log.LOGGER.info("%s refused" % (user or "Anonymous user"))
             status = client.UNAUTHORIZED

radicale/rights.py

@@ -91,9 +91,10 @@ def _read_from_sections(user, collection, permission):
 
 
 def authorized(user, collection, right):
-    """Check if the user is allowed to read or write the collection."""
+    """Check if the user is allowed to read or write the collection.
+
+       If the user is empty it checks for anonymous rights
+    """
     rights_type = config.get("rights", "type").lower()
-    return rights_type == "none" or (
+    return rights_type == "none" or (_read_from_sections(
-        (True if not user else user) and _read_from_sections(
+        user or "", collection.url.rstrip("/") or "/", right))
-            user if user else "", collection.url.rstrip("/") or "/", right)
-    )