From 3b5735faaf4d32abca31aaaeaf478ef2fc1218e2 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Sat, 18 Nov 2006 23:08:45 +1300
Subject: [PATCH] Much stricter implementation of the OPTIONS command. It is possible that this will make Evolution and Mozilla fail, which I will need to fix before this can be released.
---
 inc/caldav-OPTIONS.php | 53 ++++++++++++++++---
 .../regression-suite/001-Mulberry-1.result | 4 +-
 .../regression-suite/101-Evo-OPTIONS-1.result | 2 +-
 .../regression-suite/201-Moz-OPTIONS-2.result | 2 +-
 .../302-Chandler-OPTIONS-2.result | 2 +-
 .../305-Chandler-OPTIONS-3.result | 4 +-
 6 files changed, 54 insertions(+), 13 deletions(-)
diff --git a/inc/caldav-OPTIONS.php b/inc/caldav-OPTIONS.php
index 4ffad1df..09c15bc4 100644
--- a/inc/caldav-OPTIONS.php
+++ b/inc/caldav-OPTIONS.php
@@ -10,6 +10,46 @@
 */
 dbg_error_log("OPTIONS", "method handler");
+if ( ! isset($permissions['read']) ) {
+ header("HTTP/1.1 403 Forbidden");
+ header("Content-type: text/plain");
+ echo "You may not access that calendar.";
+ dbg_error_log("OPTIONS", "Access denied for User: %d, Path: %s", $session->user_no, $request_path);
+ return;
+}
+
+$exists = false;
+$is_calendar = false;
+
+if ( $request_path == '/' ) {
+ $exists = true;
+}
+else {
+ if ( preg_match( '#^/[^/]+/$#', $request_path) ) {
+ $sql = "SELECT user_no, '/' || username || '/' AS dav_name, md5( '/' || username || '/') AS dav_etag, ";
+ $sql .= "updated AS created, fullname AS dav_displayname, FALSE AS is_calendar FROM usr WHERE user_no = $path_user_no ; ";
+ }
+ else {
+ $sql = "SELECT user_no, dav_name, dav_etag, created, dav_displayname, is_calendar FROM collection WHERE user_no = $path_user_no AND dav_name = ".qpg($request_path);
+ }
+ $qry = new PgQuery($sql );
+ if( $qry->Exec("OPTIONS",__LINE__,__FILE__) && $qry->rows > 0 && $collection = $qry->Fetch() ) {
+ $is_calendar = ($collection->is_calendar == 't');
+ $exists = true;
+ }
+ elseif ( $c->collections_always_exist ) {
+ $exists = true;
+ }
+}
+
+if ( !exists ) {
+ header("HTTP/1.1 404 Not Found");
+ header("Content-type: text/plain");
+ echo "No collection found at that location.";
+ dbg_error_log("OPTIONS", "No collection found for User: %d, Path: %s", $session->user_no, $request_path);
+ return;
+}
+
 header( "Content-type: text/plain" );
 header( "Content-length: 0" );
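Review bot: The 404 guard near the end of this hunk is written `if ( !exists ) {`, without the `$`, so it tests a bare constant instead of the `$exists` flag set above; on PHP versions that turn an undefined constant into the string 'exists' the condition is always false and the "No collection found" branch never runs. It should read `if ( !$exists ) {`. Both new SELECTs also interpolate `$path_user_no` directly into the SQL while `$request_path` is passed through `qpg()`; where that variable is assigned is outside this diff, so unless it is already forced to an integer there, write `intval($path_user_no)` in the query text. A regression case that expects the 404 for a missing collection would have caught the first problem.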
@@ -19,7 +59,9 @@
 * PROPPATCH, because I suspect that will be used. Also HEAD and POST being fairly standard
 * should be handled. COPY and MOVE would seem to be easy also.
 */
- header( "Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL");
+ $allowed = "OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR";
+ if ( $is_calendar ) $allowed .= ", REPORT";
+ header( "Allow: $allowed");
 // header( "Allow: ACL, COPY, DELETE, GET, HEAD, LOCK, MKCALENDAR, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, REPORT, SCHEDULE, TRACE, UNLOCK");
 /**
@@ -29,11 +71,10 @@
 * access-control is rfc3744, so we will say we do it, but I doubt if we do it
 * in all it's glory really.
 */
- header( "DAV: 1, 2, access-control, calendar-access");
+ $dav = "1, 2, access-control";
+ if ( $is_calendar ) $dav .= ", calendar-access";
+ header( "Allow: $allowed");
+ header( "DAV: $dav");
 // header( "DAV: 1, 2, access-control, calendar-access, calendar-schedule");
- /**
- * FIXME: We should only return the 'calendar-access' and 'calendar-schedule' DAV headers for calendar collections.
- * We should only "Allow" the REPORT method against calendar collections.
- */
 ?>
\ No newline at end of file
diff --git a/testing/tests/regression-suite/001-Mulberry-1.result b/testing/tests/regression-suite/001-Mulberry-1.result
index 71204932..f7e7d7bd 100644
--- a/testing/tests/regression-suite/001-Mulberry-1.result
+++ b/testing/tests/regression-suite/001-Mulberry-1.result
@@ -2,7 +2,7 @@ HTTP/1.1 200 OK
 Date: Dow, 01 Jan 2000 00:00:00 GMT
 Server: Apache/2.2.3 (Debian) DAV/2
 Content-length: 0
-Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL
-DAV: 1, 2, access-control, calendar-access
+Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR
+DAV: 1, 2, access-control
 Content-Type: text/plain; charset=UTF-8
diff --git a/testing/tests/regression-suite/101-Evo-OPTIONS-1.result b/testing/tests/regression-suite/101-Evo-OPTIONS-1.result
index 71204932..8ffbd8c6 100644
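Review bot: In the Allow hunk (`@@ -19,7 +59,9 @@`) `$allowed` still lists PUT, DELETE, MKCOL and MKCALENDAR for every caller that passed the `$permissions['read']` test earlier in the file, so a read-only user is told it may write. REPORT is now gated on `$is_calendar`; the write methods deserve the same treatment against whatever write-level entry the permissions array carries (not visible in this diff). The brace-less `if ( $is_calendar ) $allowed .= ", REPORT";` would also read better with braces, matching the blocks added at the top of the file.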
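Review bot: The DAV hunk (`@@ -29,11 +71,10 @@`) adds a second `header( "Allow: $allowed");` directly above `header( "DAV: $dav");`, repeating the call from the previous hunk. PHP's `header()` replaces an earlier header of the same name by default, so the response does not change (the updated .result files show one Allow line), but the line looks like a paste leftover and should be removed. Separately, when `$exists` comes only from `$c->collections_always_exist`, `$is_calendar` stays false and `calendar-access` is withheld for a path the client may be about to create as a calendar, which may be the client breakage the commit message anticipates; a comment stating that this is intended would help.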
--- a/testing/tests/regression-suite/101-Evo-OPTIONS-1.result
+++ b/testing/tests/regression-suite/101-Evo-OPTIONS-1.result
@@ -2,7 +2,7 @@ HTTP/1.1 200 OK
 Date: Dow, 01 Jan 2000 00:00:00 GMT
 Server: Apache/2.2.3 (Debian) DAV/2
 Content-length: 0
-Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL
+Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR, REPORT
 DAV: 1, 2, access-control, calendar-access
 Content-Type: text/plain; charset=UTF-8
diff --git a/testing/tests/regression-suite/201-Moz-OPTIONS-2.result b/testing/tests/regression-suite/201-Moz-OPTIONS-2.result
index 71204932..8ffbd8c6 100644
--- a/testing/tests/regression-suite/201-Moz-OPTIONS-2.result
+++ b/testing/tests/regression-suite/201-Moz-OPTIONS-2.result
@@ -2,7 +2,7 @@ HTTP/1.1 200 OK
 Date: Dow, 01 Jan 2000 00:00:00 GMT
 Server: Apache/2.2.3 (Debian) DAV/2
 Content-length: 0
-Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL
+Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR, REPORT
 DAV: 1, 2, access-control, calendar-access
 Content-Type: text/plain; charset=UTF-8
diff --git a/testing/tests/regression-suite/302-Chandler-OPTIONS-2.result b/testing/tests/regression-suite/302-Chandler-OPTIONS-2.result
index 71204932..8ffbd8c6 100644
--- a/testing/tests/regression-suite/302-Chandler-OPTIONS-2.result
+++ b/testing/tests/regression-suite/302-Chandler-OPTIONS-2.result
@@ -2,7 +2,7 @@ HTTP/1.1 200 OK
 Date: Dow, 01 Jan 2000 00:00:00 GMT
 Server: Apache/2.2.3 (Debian) DAV/2
 Content-length: 0
-Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL
+Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR, REPORT
 DAV: 1, 2, access-control, calendar-access
 Content-Type: text/plain; charset=UTF-8
diff --git a/testing/tests/regression-suite/305-Chandler-OPTIONS-3.result b/testing/tests/regression-suite/305-Chandler-OPTIONS-3.result
index 71204932..f7e7d7bd 100644
--- a/testing/tests/regression-suite/305-Chandler-OPTIONS-3.result
+++ b/testing/tests/regression-suite/305-Chandler-OPTIONS-3.result
@@ -2,7 +2,7 @@ HTTP/1.1 200 OK
 Date: Dow, 01 Jan 2000 00:00:00 GMT
 Server: Apache/2.2.3 (Debian) DAV/2
 Content-length: 0
-Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, REPORT, MKCALENDAR, MKCOL
-DAV: 1, 2, access-control, calendar-access
+Allow: OPTIONS, GET, PUT, DELETE, PROPFIND, MKCOL, MKCALENDAR
+DAV: 1, 2, access-control
 Content-Type: text/plain; charset=UTF-8