11dbg_error_log(
"ACL",
"method handler");
13require_once(
'DAVResource.php');
15$request->NeedPrivilege(
'DAV::write-acl');
17if ( ! ini_get(
'open_basedir') && (isset($c->dbg[
'ALL']) || (isset($c->dbg[
'put']) && $c->dbg[
'put'])) ) {
18 $fh = fopen(
'/var/log/davical/MOVE.debug',
'w');
20 fwrite($fh,$request->raw_post);
91$xmltree = BuildXMLTree( $request->xml_tags );
92$aces = $xmltree->GetPath(
"/DAV::acl/*");
95if ( ! $grantor->Exists() ) $request->DoResponse( 404 );
96if ( ! $grantor->IsCollection() )
97 $request->PreconditionFailed(403,
'not-supported-privilege',
'ACLs are only supported on Principals or Collections');
99$grantor->NeedPrivilege(
'write-acl');
101$cache_delete_list = array();
103$qry =
new AwlQuery(
'BEGIN');
104$qry->Exec(
'ACL',__LINE__,__FILE__);
106function process_ace( $grantor, $by_principal, $by_collection, $ace ) {
107 global $cache_delete_list, $request;
109 $elements = $ace->GetContent();
110 $principal_node = $elements[0];
111 $grant = $elements[1];
112 if ( $principal_node->GetNSTag() !=
'DAV::principal' ) $request->MalformedRequest(
'ACL request must contain a principal, not '.$principal->GetNSTag());
113 $grant_tag = $grant->GetNSTag();
114 if ( $grant_tag ==
'DAV::deny' ) $request->PreconditionFailed(403,
'grant-only');
115 if ( $grant_tag ==
'DAV::invert' ) $request->PreconditionFailed(403,
'no-invert');
116 if ( $grant->GetNSTag() !=
'DAV::grant' ) $request->MalformedRequest(
'ACL request must contain a principal for each ACE');
118 $privilege_names = array();
119 $xml_privs = $grant->GetPath(
"/DAV::grant/DAV::privilege/*");
120 foreach( $xml_privs AS $k => $priv ) {
121 $privilege_names[] = $priv->GetNSTag();
123 $privileges = privilege_to_bits($privilege_names);
125 $principal_content = $principal_node->GetContent();
126 if ( count($principal_content) != 1 ) $request->MalformedRequest(
'ACL request must contain exactly one principal per ACE');
127 $principal_content = $principal_content[0];
129 dbg_error_log(
'ACE',
'NSTag: "%s", by_collection: %s, by_principal: %s', $principal_content->GetNSTag(), $by_collection ??
'Null', $by_principal ??
'Null');
131 switch( $principal_content->GetNSTag() ) {
132 case 'DAV::property':
133 $principal_property = $principal_content->GetContent();
134 if ( $principal_property[0]->GetNSTag() !=
'DAV::owner' ) $request->PreconditionFailed(403,
'recognized-principal' );
135 if ( privilege_to_bits(
'all') != $privileges ) {
136 $request->PreconditionFailed(403,
'no-protected-ace-conflict',
'Owner must always have all permissions' );
140 case 'DAV::unauthenticated':
141 $request->PreconditionFailed(403,
'allowed-principal',
'May not set privileges for unauthenticated users' );
145 $principal_type =
'href';
146 $grantee =
new DAVResource( DeconstructURL($principal_content->GetContent()) );
147 $grantee_id = $grantee->getProperty(
'principal_id');
149 if ( !$grantee->Exists() || !$grantee->IsPrincipal() )
150 $request->PreconditionFailed(403,
'recognized-principal',
'Principal "' . $principal_content->GetContent() .
'" not found.');
152 $sqlparms = array(
':to_principal' => $grantee_id);
153 $where =
'WHERE to_principal=:to_principal AND ';
154 if ( isset($by_principal) ) {
155 $sqlparms[
':by_principal'] = $by_principal;
156 $where .=
'by_principal = :by_principal';
159 $sqlparms[
':by_collection'] = $by_collection;
160 $where .=
'by_collection = :by_collection';
163 $qry =
new AwlQuery(
'SELECT privileges FROM grants '.$where, $sqlparms);
164 if ( $qry->Exec(
'ACL',__LINE__,__FILE__) && $qry->rows() == 1 && $current = $qry->Fetch() ) {
165 $sql =
'UPDATE grants SET privileges=:privileges::INT::BIT(24) '.$where;
168 $sqlparms[
':by_principal'] = $by_principal;
169 $sqlparms[
':by_collection'] = $by_collection;
170 $sql =
'INSERT INTO grants (by_principal, by_collection, to_principal, privileges) VALUES(:by_principal, :by_collection, :to_principal, :privileges::INT::BIT(24))';
172 $sqlparms[
':privileges'] = $privileges;
173 $qry =
new AwlQuery($sql, $sqlparms);
174 if ( $qry->Exec(
'ACL',__LINE__,__FILE__) ) {
175 Principal::cacheDelete(
'dav_name',$grantee->dav_name());
176 Principal::cacheFlush(
'principal_id IN (SELECT member_id FROM group_member WHERE group_id = ?)', array($grantee_id));
182 $cache = getCacheInstance();
185 #Principal::cacheFlush('TRUE');
189 case 'DAV::authenticated':
190 $principal_type =
'authenticated';
191 $grant_default_privs = $grantor->GetProperty(
'default_privileges');
192 if ( isset($grant_default_privs) && bindec($grant_default_privs) == $privileges )
break;
193 $sqlparms = array(
':privileges' => $privileges );
194 if ( isset($by_collection) ) {
195 $sql =
'UPDATE collection SET default_privileges=:privileges::INT::BIT(24) WHERE collection_id=:by_collection';
196 $sqlparms[
':by_collection'] = $by_collection;
199 $sql =
'UPDATE principal SET default_privileges=:privileges::INT::BIT(24) WHERE principal_id=:by_principal';
200 $sqlparms[
':by_principal'] = $by_principal;
202 $qry =
new AwlQuery($sql, $sqlparms);
203 if ( $qry->Exec(
'ACL',__LINE__,__FILE__) ) {
207 Principal::cacheFlush(
'TRUE');
213 $request->PreconditionFailed(403,
'allowed-principal',
'May not set privileges for unauthenticated users' );
217 $request->PreconditionFailed(403,
'recognized-principal' );
223$by_principal = ($grantor->IsPrincipal() ? $grantor->GetProperty(
'principal_id') :
null);
224$by_collection = ($grantor->IsPrincipal() ?
null : $grantor->GetProperty(
'collection_id'));
226foreach( $aces AS $k => $ace ) {
227 process_ace($grantor, $by_principal, $by_collection, $ace);
230$qry =
new AwlQuery(
'COMMIT');
231$qry->Exec(
'ACL',__LINE__,__FILE__);
234$request->DoResponse( 200 );
1.15.0