stalwartlabs/mail-server
1
1
Fork 0
mirror of https://github.com/stalwartlabs/mail-server.git synced 2025-09-12 23:14:18 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix WebDAV ACL write permission to allow creating items (fixes #1768)

Browse source
This commit is contained in:
mdecimus 2025-07-14 12:07:05 +02:00
parent 4f3406d449
commit 1035183ec7
4 changed files with 29 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
crates/dav/src/common/acl.rs
View file

@ -315,10 +315,12 @@ impl DavAclHandler for Server {
Privilege::Write => {
acls.insert(Acl::Modify);
acls.insert(Acl::Delete);
acls.insert(Acl::AddItems);
acls.insert(Acl::ModifyItems);
acls.insert(Acl::RemoveItems);
}
Privilege::WriteContent => {
acls.insert(Acl::AddItems);
acls.insert(Acl::Modify);
acls.insert(Acl::ModifyItems);
}

2
crates/dav/src/file/delete.rs
View file

@ -66,7 +66,7 @@ impl FileDeleteRequestHandler for Server {
// Validate ACLs
if !access_token.is_member(account_id) {
let permissions = resources.shared_containers(access_token, [Acl::Delete], false);
if permissions.len() != sorted_ids.len() as u64
if permissions.len() < sorted_ids.len() as u64
|| !sorted_ids.iter().all(|id| permissions.contains(*id))
{
return Err(DavError::Code(StatusCode::FORBIDDEN));

6
crates/dav/src/file/update.rs
View file

@ -265,7 +265,11 @@ impl FileUpdateRequestHandler for Server {
created: now as i64,
modified: now as i64,
dead_properties: Default::default(),
acls: Default::default(),
acls: parent
.as_ref()
.and_then(|p| p.resource.acls())
.map(|acls| acls.to_vec())
.unwrap_or_default(),
};
// Prepare write batch

21
tests/src/webdav/acl.rs
View file

@ -35,6 +35,7 @@ pub async fn test(test: &WebDavTest) {
let owner_file_content = resource_type.generate();
let owner_file_private = format!("{owner_folder_private}test-file-private");
let owner_file_content_private = resource_type.generate();
let sharee_created_file = format!("{owner_folder}test-file-sharee");
for (folder, file, content) in [
(&owner_folder, &owner_file, &owner_file_content),
(
@ -204,6 +205,10 @@ pub async fn test(test: &WebDavTest) {
.request("PUT", &owner_file, resource_type.generate())
.await
.with_status(StatusCode::FORBIDDEN);
sharee_client
.request("PUT", &sharee_created_file, resource_type.generate())
.await
.with_status(StatusCode::FORBIDDEN);
// Test 9: Grant write access to the sharee
owner_client
@ -279,6 +284,10 @@ pub async fn test(test: &WebDavTest) {
.request("PUT", &owner_file, &owner_file_content)
.await
.with_status(StatusCode::NO_CONTENT);
sharee_client
.request("PUT", &sharee_created_file, resource_type.generate())
.await
.with_status(StatusCode::CREATED);
// Test 11: Grant delete access to the sharee and verify
owner_client
@ -290,6 +299,14 @@ pub async fn test(test: &WebDavTest) {
.acl(&owner_file, sharee_principal.as_str(), ["read", "write"])
.await
.with_status(StatusCode::OK);
owner_client
.acl(
&sharee_created_file,
sharee_principal.as_str(),
["read", "write"],
)
.await
.with_status(StatusCode::OK);
}
sharee_client
.request_with_headers(
@ -300,6 +317,10 @@ pub async fn test(test: &WebDavTest) {
)
.await
.with_status(StatusCode::NO_CONTENT);
sharee_client
.request("DELETE", &sharee_created_file, "")
.await
.with_status(StatusCode::NO_CONTENT);
sharee_client
.request("DELETE", &owner_folder, "")
.await