From b4bcc6cc2570b0fccd53b72152afff023d769dbe Mon Sep 17 00:00:00 2001
From: Andrew Ruthven
Date: Fri, 13 Dec 2024 23:03:07 +1300
Subject: [PATCH] Fix DAV:current-user-principal for iPhone devices

iPhone devices incorrectly implement DAV:current-user-principal from RFC 5397. They assume that current-user-principal is the href for the resource being queried. The RFC says it should be the current resource.

See: https://gitlab.com/davical-project/davical/-/issues/335
---
 ChangeLog | 3 ++
 inc/DAVResource.php | 9 +++-
 .../2800-iPhone-shared-addresses.result | 15 ++++++
 .../2800-iPhone-shared-addresses.test | 47 +++++++++++++++++
 .../2801-iPhone-shared-addresses.result | 50 +++++++++++++++++++
 .../2801-iPhone-shared-addresses.test | 16 ++++++
 .../2802-correct-shared-addresses.result | 50 +++++++++++++++++++
 .../2802-correct-shared-addresses.test | 16 ++++++
 8 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 testing/tests/regression-suite/2800-iPhone-shared-addresses.result
 create mode 100644 testing/tests/regression-suite/2800-iPhone-shared-addresses.test
 create mode 100644 testing/tests/regression-suite/2801-iPhone-shared-addresses.result
 create mode 100644 testing/tests/regression-suite/2801-iPhone-shared-addresses.test
 create mode 100644 testing/tests/regression-suite/2802-correct-shared-addresses.result
 create mode 100644 testing/tests/regression-suite/2802-correct-shared-addresses.test

diff --git a/ChangeLog b/ChangeLog
index f9765ad3..59bf442c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 2025-01-22 Andrew Ruthven
 * Using a Ticket ID requires public.php
+2024-12-13 Andrew Ruthven
+ * Fix iPhone's accessing other principal's collections.
+
 2024-04-15 Andrew Ruthven
 * Add caching of user credential success/failure
diff --git a/inc/DAVResource.php b/inc/DAVResource.php
index f15bfc6f..78c7d7a0 100644
--- a/inc/DAVResource.php
+++ b/inc/DAVResource.php
@@ -1881,8 +1881,15 @@ EOQRY;
 $prop->NewElement( 'principal-collection-set', $reply->href( ConstructURL('/') ) );
 break;
+ # iPhone devices incorrectly implement DAV:current-user-principal from
+ # RFC 5397. They assume that current-user-principal is the href for the
+ # resource being queried. The RFC says it should be the current resource.
+ # See: https://gitlab.com/davical-project/davical/-/issues/335
 case 'DAV::current-user-principal':
- $prop->NewElement('current-user-principal', $reply->href( ConstructURL(DeconstructURL($session->principal->url())) ) );
+ if ( preg_match('/iPhone/', $_SERVER['HTTP_USER_AGENT']) )
+ $prop->NewElement('current-user-principal', $reply->href( ConstructURL(DeconstructURL($request->principal->url())) ) );
+ else
+ $prop->NewElement('current-user-principal', $reply->href( ConstructURL(DeconstructURL($session->principal->url())) ) );
 break;
 case 'SOME-DENIED-PROPERTY': /** indicating the style for future expansion */
diff --git a/testing/tests/regression-suite/2800-iPhone-shared-addresses.result b/testing/tests/regression-suite/2800-iPhone-shared-addresses.result
new file mode 100644
index 00000000..46bb27ea
--- /dev/null
+++ b/testing/tests/regression-suite/2800-iPhone-shared-addresses.result
@@ -0,0 +1,15 @@
+HTTP/1.1 200 OK
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
+DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
+Content-Length: 0
+Content-Type: text/plain; charset="utf-8"
+
+
+SQL Query 1 Result:
+ by_collection: >1609<
+ by_principal: >NULL<
+ displayname: >User 4<
+ privileges: >000000000000000000100001<
+ to_principal: >1005<
+
diff --git a/testing/tests/regression-suite/2800-iPhone-shared-addresses.test b/testing/tests/regression-suite/2800-iPhone-shared-addresses.test
new file mode 100644
index 00000000..f6140ffb
--- /dev/null
+++ b/testing/tests/regression-suite/2800-iPhone-shared-addresses.test
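Review bot: `$_SERVER['HTTP_USER_AGENT']` is read unguarded in the new `preg_match` call, so a request that sends no User-Agent header triggers an undefined-index warning (an "Undefined array key" warning on PHP 8) and the match runs against null; guard the lookup, `if ( isset($_SERVER['HTTP_USER_AGENT']) && preg_match('/iPhone/', $_SERVER['HTTP_USER_AGENT']) )`. The iPhone branch also dereferences `$request->principal->url()` with no null check, so if `$request->principal` can be unset for resources outside any principal's tree this path fatals where the old code did not; worth confirming it is always populated when this property is requested. Because the branch is selected by a client-supplied header, a comment stating that only the reported property value differs between the two branches would help the next reader, and the added comment's phrase "should be the current resource" reads as the opposite of RFC 5397, which defines the property as the authenticated user's principal; suggest `# RFC 5397 defines it as the principal of the authenticated user.` The enclosing switch and method continue outside the hunk, and a regression test that sends no User-Agent header would cover the first point.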
@@ -0,0 +1,47 @@
+# Test for iPhone devices which incorrectly implement
+# DAV:current-user-principal from RFC 5397. They assume that
+# current-user-principal is the href for the resource being queried. The
+# RFC says it should be the current resource. #Sigh.
+#
+# See: https://gitlab.com/davical-project/davical/-/issues/335
+#
+# Ensure that user4 can access user1's address book.
+TYPE=ACL
+HEADER=User-Agent: RFC3744 Spec Tests
+HEADER=Content-Type: text/xml; charset="UTF-8"
+HEAD
+
+BEGINDATA
+
+
+
+
+ /caldav.php/user4/
+
+
+
+
+
+
+
+
+
+
+
+
+
+ENDDATA
+
+URL=http://regression.host/caldav.php/user1/
+
+# This is by_collection, and by_principal isn't set, shouldn't it be set?
+# WHERE p_by.dav_name = '/user1/'
+QUERY
+SELECT by_principal, by_collection, privileges, p_to.displayname, to_principal
+ FROM grants JOIN dav_principal p_to ON (to_principal=principal_id)
+ LEFT JOIN collection ON (by_collection=collection.collection_id)
+ LEFT JOIN dav_principal p_by ON (by_principal=p_by.principal_id)
+ WHERE by_collection = 1609
+ AND p_to.dav_name = '/user4/'
+ ORDER BY by_principal, to_principal
+ENDQUERY
diff --git a/testing/tests/regression-suite/2801-iPhone-shared-addresses.result b/testing/tests/regression-suite/2801-iPhone-shared-addresses.result
new file mode 100644
index 00000000..be6afe76
--- /dev/null
+++ b/testing/tests/regression-suite/2801-iPhone-shared-addresses.result
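Review bot: The new test leaves an open question in the committed file, `# This is by_collection, and by_principal isn't set, shouldn't it be set?`, next to a commented-out `# WHERE p_by.dav_name = '/user1/'` clause; a regression test should state what it asserts rather than ask. The matching .result file pins `by_principal: >NULL<`, so if that is the intended behaviour the comment could read `# Grants made through the collection's ACL set by_collection only; by_principal is expected to be NULL.` and the dead WHERE line can go, otherwise the question belongs in a tracked issue referenced here. The literal `by_collection = 1609` also ties the query to a fixture id; if the suite can resolve the collection by dav_name instead, that would survive fixture changes, though whether it can is not visible from this hunk.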
@@ -0,0 +1,50 @@
+HTTP/1.1 207 Multi-Status
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+Content-Location: /caldav.php/user1/addresses/
+DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
+DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
+ETag: "43765875e20eef2d841725645b2f3c95"
+Content-Length: 1129
+Content-Type: text/xml; charset="utf-8"
+
+
+
+
+ /caldav.php/user1/addresses/
+
+
+ httpd/unix-directory
+
+
+
+
+ user1 addresses
+ Sun, 15 Mar 1998 12:00:00 GMT
+ 19570725T120000Z
+
+
+
+
+
+
+
+
+
+
+
+
+ /caldav.php/user1/
+
+
+ /caldav.php/user1/
+
+ 6550000
+
+
+
+
+ HTTP/1.1 200 OK
+
+
+
+
diff --git a/testing/tests/regression-suite/2801-iPhone-shared-addresses.test b/testing/tests/regression-suite/2801-iPhone-shared-addresses.test
new file mode 100644
index 00000000..2e778c8e
--- /dev/null
+++ b/testing/tests/regression-suite/2801-iPhone-shared-addresses.test
@@ -0,0 +1,16 @@
+# Test for iPhone devices which incorrectly implement
+# DAV:current-user-principal from RFC 5397. They assume that
+# current-user-principal is the href for the resource being queried. The
+# RFC says it should be the current resource. #Sigh.
+#
+# See: https://gitlab.com/davical-project/davical/-/issues/335
+#
+# Ensure that user4 has user1 as the current-user-principal as we're an
+# 'iPhone'.
+TYPE=PROPFIND
+AUTH=user4:user4
+HEADER=Content-Type: text/xml; charset="UTF-8"
+HEADER=User-Agent: DAVKit/4.0 (728.3); iCalendar/1 (34); iPhone/3.0
+HEAD
+
+URL=http://regression.host/caldav.php/user1/addresses
diff --git a/testing/tests/regression-suite/2802-correct-shared-addresses.result b/testing/tests/regression-suite/2802-correct-shared-addresses.result
new file mode 100644
index 00000000..15aaaaf8
--- /dev/null
+++ b/testing/tests/regression-suite/2802-correct-shared-addresses.result
@@ -0,0 +1,50 @@
+HTTP/1.1 207 Multi-Status
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+Content-Location: /caldav.php/user1/addresses/
+DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
+DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
+ETag: "3f9506c10fe5b434f966d4c82f026c40"
+Content-Length: 1129
+Content-Type: text/xml; charset="utf-8"
+
+
+
+
+ /caldav.php/user1/addresses/
+
+
+ httpd/unix-directory
+
+
+
+
+ user1 addresses
+ Sun, 15 Mar 1998 12:00:00 GMT
+ 19570725T120000Z
+
+
+
+
+
+
+
+
+
+
+
+
+ /caldav.php/user1/
+
+
+ /caldav.php/user4/
+
+ 6550000
+
+
+
+
+ HTTP/1.1 200 OK
+
+
+
+
diff --git a/testing/tests/regression-suite/2802-correct-shared-addresses.test b/testing/tests/regression-suite/2802-correct-shared-addresses.test
new file mode 100644
index 00000000..419d9630
--- /dev/null
+++ b/testing/tests/regression-suite/2802-correct-shared-addresses.test
@@ -0,0 +1,16 @@
+# Test for iPhone devices which incorrectly implement
+# DAV:current-user-principal from RFC 5397. They assume that
+# current-user-principal is the href for the resource being queried. The
+# RFC says it should be the current resource. #Sigh.
+#
+# See: https://gitlab.com/davical-project/davical/-/issues/335
+#
+# Ensure that user4 has user4 as the current-user-principal as we're not an
+# 'iPhone'.
+TYPE=PROPFIND
+AUTH=user4:user4
+HEADER=Content-Type: text/xml; charset="UTF-8"
+HEADER=User-Agent: Evolution/1.8.1
+HEAD
+
+URL=http://regression.host/caldav.php/user1/addresses