39 Commits

Author SHA1 Message Date
50d3d01ea3 Uses absolute imports as recommended in PEP-8 2018-04-20 16:03:36 +02:00
276de4fd3a Allow additional config options for external plugins 2017-06-21 09:54:33 +02:00
070a39a51d Improve documentation 2017-06-16 23:28:15 +02:00
ded660df07 Don't leak existing user in owner_only rights plugin
If a user didn't exist the error message for the principal collection was 404.
2017-06-16 23:28:15 +02:00
5669433f58 Let rights plugins decide if access to item is granted 2017-06-16 23:28:15 +02:00
75605b5f03 Catch all exceptions when loading plugins 2017-06-15 23:54:32 +02:00
eba6621f17 Rename backends from None to none
All other backend names are lower case.
2017-05-31 12:02:29 +02:00
c9664137a5 Improve error handling
  * Check the configuration file for errors (check option names and basic type checking).
  * Perform basic type checking on command line arguments.
  * Only print stack traces in debug mode.
  * Include much more information in error messages (e.g. include the path of invalid files).
  * Send Bad Request to clients for invalid XML requests or iCalendar data.
  * Change the log level of some messages.
2017-05-31 11:31:54 +02:00
5ce2c62402 Implement rights types directly
This is faster and easier to understand.
2017-05-31 00:43:07 +02:00
3e0c8cf285 Update copyright years 2017-05-27 17:28:07 +02:00
b47505d5bd Don't set rights management when no authentication is set 2017-03-04 14:15:46 +01:00
9e27d4e2a8 Emulate fullmatch with match
re.fullmatch was introduced in Python 3.4
2016-09-02 15:06:32 +02:00
e2b87d145f Cosmetics: Don't use % for logging 2016-08-10 23:43:32 +02:00
8ac3ce1a89 Clean many, many things 2016-08-05 02:14:49 +02:00
066b5994d1 Improve rights checking and request handlers
  * Access rights are checked before the storage is locked and
    collections are loaded.
  * DELETE sends 410 instead of doing nothing or crashing if the target
    doesn't exist.
  * GET always returns 404 if the target doesn't exist.
  * GET doesn't crash if a collection without tag property is requested.
  * MKCOL and MKCALENDAR send 409 if the target already exists.
  * MOVE checks if the target collection of an item actually exists and
    sends 409 otherwise.
  * PUT doesn't crash if a whole collection that doesn't exist yet is
    uploaded and ``content-type`` is ``text/vcard`` or
    ``text/calendar``.
  * PUT distinguishes between simple items and whole collections by the
    following criteria: Target is a collection; Parent exists; Parent
    has the tag property set; Parent contains other items. Before only
    the first two criteria were used, which was very unreliable. #384
  * PROPPATCH is only allowed on collections and 409 is sent otherwise.
  * ``Rights.authorized`` takes a path instead of a collection.
  * ``Collection.discover`` only returns items in ``path``, that
    actually exist. #442
2016-08-04 06:08:08 +02:00
b517818749 Don't reject everybody from "/" with owner_only
Fix 407.
2016-08-01 18:59:47 +02:00
6bfdcbafec Cosmetics 2016-08-01 12:50:51 +02:00
9d3086427d Merge pull request #450 from Unrud/safeusernames
Prevent unsafe usernames
2016-08-01 12:14:40 +02:00
9dd8c65d65 Always match full username/collection with regex
It's easy to forget $ at the end of a regex and it's counter-intuitive that ^ is implicit but $ is not.
2016-08-01 10:07:21 +02:00
da1a693620 Prevent unsafe usernames
If an attacker is able to create an account with a username like "user/calendar.ics", he can access collections of other users.
2016-08-01 09:10:23 +02:00
221379ef85 Sort imports 2016-07-04 14:32:33 +02:00
0de3ad36be Fixes to Rights
- BaseRights expects the config and logger params
- user may be None, which leads to errors when trying to use it with
  regexes.
2016-04-22 20:30:40 +02:00
2f97d7d1e1 Remove global state about configuration and logs
Many things have been changed to make this possible, probably leading to
many hidden bugs waiting to be found.

Related to #122.
2016-04-22 11:37:02 +09:00
e586569b31 Fix a lot of details 2016-04-12 18:21:18 +02:00
1001bcb676 Remove extra auth, rights and storage modules 2016-04-07 19:02:52 +02:00
dca10fa14e Different rights management backends
Initially only one backend - regular expressions based
2013-12-25 03:44:24 +04:00
0e566e4c97 Merge branch 'apple' 2013-12-24 11:22:57 +01:00
ce8e86af63 Allow read-only access to .well-known/ca(l|rd)av (related to #32) 2013-10-31 13:57:37 +01:00
92b3cf41bc Simple try/except import trick 2013-10-29 14:09:46 +01:00
fb784c28c4 Fix python 3 problem: 'str' does not support the buffer interface 2013-10-27 22:36:56 +01:00
e2512b12fb Fixed partially anonymous authentication 2013-09-13 15:05:02 +02:00
58faf725b0 Fixed authentication for anonymous users 2013-09-12 17:39:20 +02:00
43785e48a9 Get configuration keys at runtime, not when module is imported (fixes #64) 2013-09-12 13:48:49 +02:00
8c3cf6bccd Fix built-in owner_only right 2013-08-28 00:56:45 +03:00
c0c652b3f8 Add documentation and example for rights management 2013-08-27 11:05:54 +02:00
07a9ce8296 Fix owner_* rights with python2 (fix #49) 2013-08-21 06:58:30 +02:00
f7f26afd6b Fix rights type "None" 2013-08-14 11:58:08 +02:00
d1379e349a Don't check the file twice for rights 2013-08-14 10:52:50 +02:00
586773148e Use a more simple rights manager 2013-08-14 10:50:59 +02:00