[dev] Adding -system- shares to Caldav (Horde_Dav) commit 87739cc3f4fea269bc488a637f845cac7337c393

Ralf Lang lang at b1-systems.de
Sun Jul 14 08:58:28 UTC 2013


>>
>> http://git.horde.org/horde-git/-/commit/87739cc3f4fea269bc488a637f845cac7337c393?commit=87739cc3f4fea269bc488a637f845cac7337c393&rt=horde-git
>>
> 
> How, where? AFAICS the only way to add shared calendars on iOS is to add
> a new account from another user's principal URL. But since ACLs for
> principals are hardcoded in SabreDAV to only allow access for the user
> himself, this won't work either. Am I missing something?

Without the principal/-system- answer, you get a missing DAV Read
permission.


All ACL-related stuff calls getNodeForPath at some point.
When accessing calendar/-system- or principals/-system-, this retrieves
a Sabre\DavAcl\Principals item with Horde_Dav_Principals backend.

When accessing calendar/-system-/calendar:foo this retrieves a
Sabre\CalDav\Calendar with Horde_Dav_Calendar_Backend calls.

Now look at Plugin::getCurrentUserPrivilegeSet

$this->getACL returns an array of ACLs defined for the calendar node,
most notably:

    [0] => Array
        (
            [privilege] => {DAV:}read
            [principal] => principals/-system-
            [protected] => 1
        )

    [1] => Array
        (
            [privilege] => {DAV:}write
            [principal] => principals/-system-
            [protected] => 1
        )


Below,

getCurrentUserPrincipals returns the principal_s_ for the logged in user.

This is the user principal himself (let's call him principal/lang) and
any principals returned by the backend's getGroupMemberships.

Thus, our result would be:

Array ( [0] => principals/lang [1] => principals/-system- )

The rest of the method matches the retrieved ACLs with the user's
principals and returns something like this:

Array
(
    [0] => {urn:ietf:params:xml:ns:caldav}read-free-busy
    [1] => {DAV:}write
    [2] => {DAV:}write-acl
    [3] => {DAV:}write-properties
    [4] => {DAV:}write-content
    [5] => {DAV:}bind
    [6] => {DAV:}unbind
    [7] => {DAV:}unlock
    [8] => {DAV:}read
    [9] => {DAV:}read-acl
    [10] => {DAV:}read-current-user-privilege-set
)

I hope this clarifies how it makes -system-/* accessible to principal/$user.



-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
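
The matching step described in the message above, as a simplified PHP model added here (it is not SabreDAV's or Horde's code). The function names and the privilege tree are assumptions, the tree being inferred from the privilege list printed in the mail; the ACL and principal arrays are the ones quoted there.

```php
<?php
// Simplified model of the ACL matching described above; not SabreDAV or Horde code.

// Assumed privilege tree, inferred from the privilege list shown in the mail.
const CHILDREN = [
    '{DAV:}read'  => ['{DAV:}read-acl', '{DAV:}read-current-user-privilege-set',
                      '{urn:ietf:params:xml:ns:caldav}read-free-busy'],
    '{DAV:}write' => ['{DAV:}write-acl', '{DAV:}write-properties', '{DAV:}write-content',
                      '{DAV:}bind', '{DAV:}unbind', '{DAV:}unlock'],
];

// Expand an aggregate privilege into itself plus everything below it.
function expandPrivilege(string $privilege): array
{
    $out = [$privilege];
    foreach (CHILDREN[$privilege] ?? [] as $child) {
        $out = array_merge($out, expandPrivilege($child));
    }
    return $out;
}

// Keep the ACEs whose principal is one of the user's principals, then expand them.
function currentUserPrivilegeSet(array $acl, array $userPrincipals): array
{
    $granted = [];
    foreach ($acl as $ace) {
        if (in_array($ace['principal'], $userPrincipals, true)) {
            $granted = array_merge($granted, expandPrivilege($ace['privilege']));
        }
    }
    return array_values(array_unique($granted));
}

// ACL of calendar/-system-/calendar:foo as printed in the mail.
$acl = [
    ['privilege' => '{DAV:}read',  'principal' => 'principals/-system-', 'protected' => true],
    ['privilege' => '{DAV:}write', 'principal' => 'principals/-system-', 'protected' => true],
];

// With the group membership: read and write plus their sub-privileges.
$with = currentUserPrivilegeSet($acl, ['principals/lang', 'principals/-system-']);
// Without it: no ACE matches, which is the missing {DAV:}read case.
$without = currentUserPrivilegeSet($acl, ['principals/lang']);

printf("with -system- membership: %d privileges\n", count($with));
print_r($with);
printf("without: %d privileges, read granted: %s\n",
    count($without), in_array('{DAV:}read', $without, true) ? 'yes' : 'no');
```

Because the quoted ACL grants {DAV:}write to principals/-system-, every user whose group memberships include that principal can modify the system calendars, so the membership list returned by the backend is the access-control boundary to review.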
