Christoph Polcin
under certain conditions it was possible to pass the final access control if-clause.

the master branch granted access if:

    if ((read_allowed_items or write_allowed_items) and (not user or auth.is_authenticated(user, password))) or function == self.options or not items:

the easy-connect branch from pull request #95 adds:

    (is_authenticated and function == self.propfind) or

the last `or not items` condition levers out the previous authentication and access control.

that isn't that big a security issue because in this case there are no collections and items at all. but "bad" and anonymous users could gather data and information which is not destined for them.

this commit fixes and simplifies the if-clause.
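The master-branch condition quoted in the commit message, enumerated over every request shape to show which requests pass only because of the trailing `or not items`. This is an added example, not code from the commit or from Radicale: the identity labels, the string function names, the boolean model of the item lists and `strict_condition` (a variant that merely drops `or not items`) are assumptions, and the easy-connect clause is not modelled.

```python
from itertools import product

# Constructed request space (assumption): who is asking, which handler, and
# (collection has items, at least one item is read- or write-allowed).
IDENTITIES = ("anonymous", "bad_password", "authenticated")
FUNCTIONS = ("options", "propfind", "get")
ITEM_STATES = ((False, False), (True, False), (True, True))


def _auth(identity):
    user = identity != "anonymous"         # a user name was sent
    auth_ok = identity == "authenticated"  # stands in for auth.is_authenticated(user, password)
    return user, auth_ok


def master_condition(identity, function, has_items, allowed):
    """Final if-clause of the master branch, as quoted in the commit message."""
    user, auth_ok = _auth(identity)
    return (allowed and (not user or auth_ok)) or function == "options" or not has_items


def strict_condition(identity, function, has_items, allowed):
    """Assumed variant without the trailing `or not items` (not the commit's code)."""
    user, auth_ok = _auth(identity)
    return (allowed and (not user or auth_ok)) or function == "options"


def granted_without_rights(condition):
    """Requests that pass although no item is allowed and the call is not OPTIONS."""
    return [
        (identity, function, has_items)
        for identity, function, (has_items, allowed)
        in product(IDENTITIES, FUNCTIONS, ITEM_STATES)
        if not allowed and function != "options"
        and condition(identity, function, has_items, allowed)
    ]


if __name__ == "__main__":
    for row in granted_without_rights(master_condition):
        print("master grants:", row)
    print("strict grants:", granted_without_rights(strict_condition))
```

Every row printed for the master condition has an empty item list, including requests with a wrong password, which matches the commit message's description of the case.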
Radicale is a free and open-source CalDAV and CardDAV server. For complete documentation, please visit the Radicale online documentation (http://www.radicale.org/documentation).