From 900439acc8f8a70a3a3256fc1e043d0d2d28d7d0 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Wed, 8 Nov 2006 12:48:19 +1300
Subject: [PATCH] Enforce basic permissions on calendar / collection creation.
---
 inc/caldav-MKCALENDAR.php | 24 +++++++++++++++---------
 inc/caldav-MKCOL.php | 35 +++++++++++++++++++++++++----------
 2 files changed, 40 insertions(+), 19 deletions(-)
diff --git a/inc/caldav-MKCALENDAR.php b/inc/caldav-MKCALENDAR.php
index 18a8a528..bf00dec6 100644
--- a/inc/caldav-MKCALENDAR.php
+++ b/inc/caldav-MKCALENDAR.php
@@ -10,37 +10,43 @@
 */
 dbg_error_log("MKCALENDAR", "method handler");
-$make_path = $_SERVER['PATH_INFO'];
+if ( ! isset($permissions['write']) ) {
+ header("HTTP/1.1 403 Forbidden");
+ header("Content-type: text/plain");
+ echo "You may not create a calendar there.";
+ dbg_error_log("ERROR", "MKCALENDAR Access denied for User: %d, Path: %s", $session->user_no, $get_path);
+ return;
+}
-$displayname = $make_path;
+$displayname = $request_path;
 $parent_container = '/';
-if ( preg_match( '#^(.*/)([^/]+)(/)?$#', $make_path, $matches ) ) {
+if ( preg_match( '#^(.*/)([^/]+)(/)?$#', $request_path, $matches ) ) {
 $parent_container = $matches[1];
 $displayname = $matches[2];
 }
 $sql = "SELECT * FROM collection WHERE user_no = ? AND dav_name = ?;";
-$qry = new PgQuery( $sql, $session->user_no, $make_path );
+$qry = new PgQuery( $sql, $session->user_no, $request_path );
 if ( ! $qry->Exec("MKCALENDAR") ) {
 header("HTTP/1.1 500 Infernal Server Error");
- dbg_error_log( "ERROR", " MKCALENDAR Failed (database error) for '%s' named '%s', user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "ERROR", " MKCALENDAR Failed (database error) for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 exit(0);
 }
 if ( $qry->rows != 0 ) {
 header("HTTP/1.1 412 Calendar Already Exists");
- dbg_error_log( "ERROR", " MKCALENDAR Failed (already exists) for '%s' named '%s', user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "ERROR", " MKCALENDAR Failed (already exists) for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 exit(0);
 }
 $sql = "INSERT INTO collection ( user_no, parent_container, dav_name, dav_etag, dav_displayname, is_calendar, created, modified ) VALUES( ?, ?, ?, ?, ?, TRUE, current_timestamp, current_timestamp );";
-$qry = new PgQuery( $sql, $session->user_no, $parent_container, $make_path, md5($session->user_no. $make_path), $displayname );
+$qry = new PgQuery( $sql, $session->user_no, $parent_container, $request_path, md5($session->user_no. $request_path), $displayname );
 if ( $qry->Exec("MKCALENDAR",__LINE__,__FILE__) ) {
 header("HTTP/1.1 200 Created");
- dbg_error_log( "MKCALENDAR", "New calendar '%s' created named '%s' for user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "MKCALENDAR", "New calendar '%s' created named '%s' for user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 } else {
 header("HTTP/1.1 500 Infernal Server Error");
- dbg_error_log( "ERROR", " MKCALENDAR Failed for '%s' named '%s', user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "ERROR", " MKCALENDAR Failed for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 exit(0);
 }
diff --git a/inc/caldav-MKCOL.php b/inc/caldav-MKCOL.php
index 3e76399a..d421881e 100644
--- a/inc/caldav-MKCOL.php
+++ b/inc/caldav-MKCOL.php
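Review bot: In inc/caldav-MKCALENDAR.php the new guard `if ( ! isset($permissions['write']) )` only tests that the key exists, so an entry that is present but false would still be let through. How `$permissions` is built is outside this hunk; if it can ever hold a false value the test should be `if ( empty($permissions['write']) ) {`. The access-denied log line passes `$get_path` while every other line of the handler now uses `$request_path`, and `$get_path` is not defined anywhere in the visible code; if it is unset, the record of a refused request loses the path that was refused, so I would log `$request_path` there. The guard also leaves with `return;` where the other failure branches use `exit(0);`, which relies on the including script doing nothing further once the handler returns. All three points apply equally to the identical guard added in inc/caldav-MKCOL.php.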
@@ -10,29 +10,44 @@
 */
 dbg_error_log("MKCOL", "method handler");
-dbg_log_array( "MKCOL", 'HEADERS', $raw_headers );
-dbg_log_array( "MKCOL", '_SERVER', $_SERVER, true );
-dbg_error_log( "MKCOL", "RAW: %s", str_replace("\n", "",str_replace("\r", "", $raw_post)) );
+if ( ! isset($permissions['write']) ) {
+ header("HTTP/1.1 403 Forbidden");
+ header("Content-type: text/plain");
+ echo "You may not create a calendar there.";
+ dbg_error_log("ERROR", "MKCOL Access denied for User: %d, Path: %s", $session->user_no, $get_path);
+ return;
+}
-$make_path = $_SERVER['PATH_INFO'];
-
-$displayname = $make_path;
+$displayname = $request_path;
 $parent_container = '/';
-if ( preg_match( '#^(.*/)([^/]+)(/)?$#', $make_path, $matches ) ) {
+if ( preg_match( '#^(.*/)([^/]+)(/)?$#', $request_path, $matches ) ) {
 $parent_container = $matches[1];
 $displayname = $matches[2];
 }
+$sql = "SELECT * FROM collection WHERE user_no = ? AND dav_name = ?;";
+$qry = new PgQuery( $sql, $session->user_no, $request_path );
+if ( ! $qry->Exec("MKCOL") ) {
+ header("HTTP/1.1 500 Infernal Server Error");
+ dbg_error_log( "ERROR", " MKCOL Failed (database error) for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
+ exit(0);
+}
+if ( $qry->rows != 0 ) {
+ header("HTTP/1.1 412 Collection Already Exists");
+ dbg_error_log( "ERROR", " MKCOL Failed (already exists) for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
+ exit(0);
+}
+
 $sql = "INSERT INTO collection ( user_no, parent_container, dav_name, dav_etag, dav_displayname, is_calendar, created, modified ) VALUES( ?, ?, ?, ?, ?, FALSE, current_timestamp, current_timestamp );";
-$qry = new PgQuery( $sql, $session->user_no, $parent_container, $make_path, md5($session->user_no. $make_path), $displayname );
+$qry = new PgQuery( $sql, $session->user_no, $parent_container, $request_path, md5($session->user_no. $request_path), $displayname );
 if ( $qry->Exec("MKCOL",__LINE__,__FILE__) ) {
 header("HTTP/1.1 200 Created");
- dbg_error_log( "MKCOL", "New collection '%s' created named '%s' for user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "MKCOL", "New collection '%s' created named '%s' for user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 } else {
 header("HTTP/1.1 500 Infernal Server Error");
- dbg_error_log( "ERROR", " MKCOL Failed for '%s' named '%s', user '%d' in parent '%s'", $make_path, $displayname, $session->user_no, $parent_container);
+ dbg_error_log( "ERROR", " MKCOL Failed for '%s' named '%s', user '%d' in parent '%s'", $request_path, $displayname, $session->user_no, $parent_container);
 }
 ?>
\ No newline at end of file
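Review bot: The existence check added ahead of the INSERT in inc/caldav-MKCOL.php is a separate statement from the INSERT, so two concurrent MKCOL requests for the same path can both read `$qry->rows` as 0 and both insert; nothing visible here wraps the pair in a transaction. Unless the `collection` table already carries a unique constraint on `(user_no, dav_name)` (the schema is not on this page), I would add one and report a failed INSERT as the "already exists" case rather than a 500. The MKCALENDAR handler has the same check-then-insert shape in its context lines. A smaller point: the 403 body was copied from the calendar handler and should read `echo "You may not create a collection there.";` here.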