1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24: 25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53: 54: 55: 56: 57: 58: 59: 60: 61: 62: 63: 64: 65: 66: 67: 68: 69: 70: 71: 72: 73: 74: 75: 76: 77: 78: 79: 80: 81: 82: 83: 84: 85: 86: 87: 88: 89: 90: 91: 92: 93: 94: 95: 96: 97: 98: 99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 146: 147: 148: 149: 150: 151: 152: 153: 154: 155: 156: 157: 158: 159: 160: 161: 162: 163: 164: 165: 166: 167: 168: 169: 170: 171: 172: 173: 174: 175: 176: 177: 178: 179: 180: 181: 182: 183: 184: 185: 186: 187: 188: 189: 190: 191: 192: 193: 194: 195: 196: 197: 198: 199: 200: 201: 202: 203: 204: 205: 206: 207: 208: 209: 210: 211: 212: 213: 214: 215: 216: 217: 218: 219: 220: 221:
<?php
dbg_error_log("ACL", "method handler");
require_once('DAVResource.php');
$request->NeedPrivilege('DAV::write-acl');
if ( ! ini_get('open_basedir') && (isset($c->dbg['ALL']) || (isset($c->dbg['put']) && $c->dbg['put'])) ) {
$fh = fopen('/var/log/davical/MOVE.debug','w');
if ( $fh ) {
fwrite($fh,$request->raw_post);
fclose($fh);
}
}
$resource = new DAVResource( $request->path );
$position = 0;
$xmltree = BuildXMLTree( $request->xml_tags, $position);
$aces = $xmltree->GetPath("/DAV::acl/*");
$grantor = new DAVResource($request->path);
if ( ! $grantor->Exists() ) $request->DoResponse( 404 );
if ( ! $grantor->IsCollection() )
$request->PreconditionFailed(403,'not-supported-privilege','ACLs are only supported on Principals or Collections');
$grantor->NeedPrivilege('write-acl');
$cache_delete_list = array();
$qry = new AwlQuery('BEGIN');
$qry->Exec('ACL',__LINE__,__FILE__);
function process_ace( $grantor, $by_principal, $by_collection, $ace ) {
global $cache_delete_list, $request;
$elements = $ace->GetContent();
$principal_node = $elements[0];
$grant = $elements[1];
if ( $principal_node->GetNSTag() != 'DAV::principal' ) $request->MalformedRequest('ACL request must contain a principal, not '.$principal->GetNSTag());
$grant_tag = $grant->GetNSTag();
if ( $grant_tag == 'DAV::deny' ) $request->PreconditionFailed(403,'grant-only');
if ( $grant_tag == 'DAV::invert' ) $request->PreconditionFailed(403,'no-invert');
if ( $grant->GetNSTag() != 'DAV::grant' ) $request->MalformedRequest('ACL request must contain a principal for each ACE');
$privilege_names = array();
$xml_privs = $grant->GetPath("/DAV::grant/DAV::privilege/*");
foreach( $xml_privs AS $k => $priv ) {
$privilege_names[] = $priv->GetNSTag();
}
$privileges = privilege_to_bits($privilege_names);
$principal_content = $principal_node->GetContent();
if ( count($principal_content) != 1 ) $request->MalformedRequest('ACL request must contain exactly one principal per ACE');
$principal_content = $principal_content[0];
switch( $principal_content->GetNSTag() ) {
case 'DAV::property':
$principal_property = $principal_content->GetContent();
if ( $principal_property[0]->GetNSTag() != 'DAV::owner' ) $request->PreconditionFailed(403, 'recognized-principal' );
if ( privilege_to_bits('all') != $privileges ) {
$request->PreconditionFailed(403, 'no-protected-ace-conflict', 'Owner must always have all permissions' );
}
continue;
break;
case 'DAV::unauthenticated':
$request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' );
break;
case 'DAV::href':
$principal_type = 'href';
$grantee = new DAVResource( DeconstructURL($principal_content->GetContent()) );
$grantee_id = $grantee->getProperty('principal_id');
if ( !$grantee->Exists() || !$grantee->IsPrincipal() )
$request->PreconditionFailed(403,'recognized-principal', 'Principal "' + $principal_content->GetContent() + '" not found.');
$sqlparms = array( ':to_principal' => $grantee_id);
$where = 'WHERE to_principal=:to_principal AND ';
if ( isset($by_principal) ) {
$sqlparms[':by_principal'] = $by_principal;
$where .= 'by_principal = :by_principal';
}
else {
$sqlparms[':by_collection'] = $by_collection;
$where .= 'by_collection = :by_collection';
}
$qry = new AwlQuery('SELECT privileges FROM grants '.$where, $sqlparms);
if ( $qry->Exec('ACL',__LINE__,__FILE__) && $qry->rows() == 1 && $current = $qry->Fetch() ) {
$sql = 'UPDATE grants SET privileges=:privileges::INT::BIT(24) '.$where;
}
else {
$sqlparms[':by_principal'] = $by_principal;
$sqlparms[':by_collection'] = $by_collection;
$sql = 'INSERT INTO grants (by_principal, by_collection, to_principal, privileges) VALUES(:by_principal, :by_collection, :to_principal, :privileges::INT::BIT(24))';
}
$sqlparms[':privileges'] = $privileges;
$qry = new AwlQuery($sql, $sqlparms);
if ( $qry->Exec('ACL',__LINE__,__FILE__) ) {
Principal::cacheDelete('dav_name',$grantee->dav_name());
Principal::cacheFlush('principal_id IN (SELECT member_id FROM group_member WHERE group_id = ?)', array($grantee_id));
}
break;
case 'DAV::authenticated':
$principal_type = 'authenticated';
if ( bindec($grantor->GetProperty('default_privileges')) == $privileges ) continue;
$sqlparms = array( ':privileges' => $privileges );
if ( isset($by_collection) ) {
$sql = 'UPDATE collection SET default_privileges=:privileges::INT::BIT(24) WHERE collection_id=:by_collection';
$sqlparms[':by_collection'] = $by_collection;
}
else {
$sql = 'UPDATE principal SET default_privileges=:privileges::INT::BIT(24) WHERE principal_id=:by_principal';
$sqlparms[':by_principal'] = $by_principal;
}
$qry = new AwlQuery($sql, $sqlparms);
if ( $qry->Exec('ACL',__LINE__,__FILE__) ) {
Principal::cacheFlush('TRUE');
}
break;
case 'DAV::all':
$request->PreconditionFailed(403, 'allowed-principal', 'May not set privileges for unauthenticated users' );
break;
default:
$request->PreconditionFailed(403, 'recognized-principal' );
break;
}
}
$by_principal = ($grantor->IsPrincipal() ? $grantor->GetProperty('principal_id') : null);
$by_collection = ($grantor->IsPrincipal() ? null : $grantor->GetProperty('collection_id'));
foreach( $aces AS $k => $ace ) {
process_ace($grantor, $by_principal, $by_collection, $ace);
}
$qry = new AwlQuery('COMMIT');
$qry->Exec('ACL',__LINE__,__FILE__);
$request->DoResponse( 200 );