Skip to content

Commit

Permalink
fix: objects must also get the correct ACL
Browse files Browse the repository at this point in the history
  • Loading branch information
tchapi committed Oct 17, 2023
1 parent 7ff5ebd commit 2ed95a4
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/Controller/DAVController.php
Original file line number Diff line number Diff line change
Expand Up @@ -230,7 +230,7 @@ private function initServer(string $authMethod, string $authRealm = User::DEFAUL
$this->server->addPlugin(new \Sabre\DAV\Browser\Plugin(false)); // We disable the file creation / upload / sharing in the browser
$this->server->addPlugin(new \Sabre\DAV\Sync\Plugin());

$aclPlugin = new PublicAwareDAVACLPlugin();
$aclPlugin = new PublicAwareDAVACLPlugin($this->em);
$aclPlugin->hideNodesFromListings = true;

// Fetch admins, if any
Expand Down
29 changes: 29 additions & 0 deletions src/Plugins/PublicAwareDAVACLPlugin.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,22 @@
namespace App\Plugins;

use App\Entity\CalendarInstance;
use Doctrine\ORM\EntityManagerInterface;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;

class PublicAwareDAVACLPlugin extends \Sabre\DAVACL\Plugin
{
/**
* @var EntityManagerInterface
*/
protected $em;

public function __construct(EntityManagerInterface $entityManager)
{
$this->em = $entityManager;
}

/**
* We override this method so that public objects can be seen correctly in the browser,
* with the assets (css, images).
Expand All @@ -28,6 +39,24 @@ public function getAcl($node): array

if ($node instanceof \Sabre\CalDAV\Calendar) {
if (CalendarInstance::ACCESS_PUBLIC === $node->getShareAccess()) {
// We must add the ACL on the calendar itself
$acl[] = [
'principal' => '{DAV:}unauthenticated',
'privilege' => '{DAV:}read',
'protected' => false,
];
}
} elseif ($node instanceof \Sabre\CalDAV\CalendarObject) {
// The property is private in \Sabre\CalDAV\CalendarObject and we don't want to create
// a new class just to access it, so we use a closure.
$calendarInfo = (fn () => $this->calendarInfo)->call($node);
// [0] is the calendarId, [1] is the calendarInstanceId
$calendarInstanceId = $calendarInfo['id'][1];

$calendar = $this->em->getRepository(CalendarInstance::class)->findOneById($calendarInstanceId);

if ($calendar && $calendar->isPublic()) {
// We must add the ACL on the object itself
$acl[] = [
'principal' => '{DAV:}unauthenticated',
'privilege' => '{DAV:}read',
Expand Down

0 comments on commit 2ed95a4

Please sign in to comment.