Merge pull request #22236 from nextcloud/bugfix/noid/dav_sharing_backend_canWrite_isOwner

CalDAV: Add ability to limit sharing to owner

Author: MorrisJobke

apps/dav/lib/CalDAV/Publishing/PublishPlugin.php

@@ -133,7 +133,12 @@ public function propFind(PropFind $propFind, INode $node) {
 				$canShare = (!$node->isSubscription() && $node->canWrite());
 				$canPublish = (!$node->isSubscription() && $node->canWrite());
 
-				return new AllowedSharingModes($canShare, $canPublish);
+				if ($this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes') {
+					$canShare &= ($node->getOwner() === $node->getPrincipalURI());
+					$canPublish &= ($node->getOwner() === $node->getPrincipalURI());
+				}
+
+				return new AllowedSharingModes((bool)$canShare, (bool)$canPublish);
 			});
 		}
 	}
@@ -190,7 +195,14 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 
 			// If there's no ACL support, we allow everything
 			if ($acl) {
+				/** @var \Sabre\DAVACL\Plugin $acl */
 				$acl->checkPrivileges($path, '{DAV:}write');
+
+				$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
+				$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
+				if ($limitSharingToOwner && !$isOwner) {
+					return;
+				}
 			}
 
 			$node->setPublishStatus(true);
@@ -218,7 +230,14 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 
 			// If there's no ACL support, we allow everything
 			if ($acl) {
+				/** @var \Sabre\DAVACL\Plugin $acl */
 				$acl->checkPrivileges($path, '{DAV:}write');
+
+				$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
+				$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
+				if ($limitSharingToOwner && !$isOwner) {
+					return;
+				}
 			}
 
 			$node->setPublishStatus(false);

apps/dav/lib/DAV/Sharing/Plugin.php

@@ -27,6 +27,7 @@
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\DAV\Sharing\Xml\Invite;
 use OCA\DAV\DAV\Sharing\Xml\ShareRequest;
+use OCP\IConfig;
 use OCP\IRequest;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\INode;
@@ -46,15 +47,20 @@ class Plugin extends ServerPlugin {
 	/** @var IRequest */
 	private $request;
 
+	/** @var IConfig */
+	private $config;
+
 	/**
 	 * Plugin constructor.
 	 *
 	 * @param Auth $authBackEnd
 	 * @param IRequest $request
+	 * @param IConfig $config
 	 */
-	public function __construct(Auth $authBackEnd, IRequest $request) {
+	public function __construct(Auth $authBackEnd, IRequest $request, IConfig $config) {
 		$this->auth = $authBackEnd;
 		$this->request = $request;
+		$this->config = $config;
 	}
 
 	/**
@@ -164,6 +170,12 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 				if ($acl) {
 					/** @var \Sabre\DAVACL\Plugin $acl */
 					$acl->checkPrivileges($path, '{DAV:}write');
+
+					$limitSharingToOwner = $this->config->getAppValue('dav', 'limitAddressBookAndCalendarSharingToOwner', 'no') === 'yes';
+					$isOwner = $acl->getCurrentUserPrincipal() === $node->getOwner();
+					if ($limitSharingToOwner && !$isOwner) {
+						return;
+					}
 				}
 
 				$node->updateShares($message->set, $message->remove);

apps/dav/lib/Server.php

@@ -162,7 +162,7 @@ public function __construct(IRequest $request, $baseUri) {
 			$this->server->addPlugin(new \Sabre\CalDAV\Subscriptions\Plugin());
 
 			$this->server->addPlugin(new \Sabre\CalDAV\Notifications\Plugin());
-			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest()));
+			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest(), \OC::$server->getConfig()));
 			$this->server->addPlugin(new \OCA\DAV\CalDAV\Publishing\PublishPlugin(
 				\OC::$server->getConfig(),
 				\OC::$server->getURLGenerator()
@@ -171,7 +171,7 @@ public function __construct(IRequest $request, $baseUri) {
 
 		// addressbook plugins
 		if ($this->requestIsForSubtree(['addressbooks', 'principals'])) {
-			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest()));
+			$this->server->addPlugin(new DAV\Sharing\Plugin($authBackend, \OC::$server->getRequest(), \OC::$server->getConfig()));
 			$this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin());
 			$this->server->addPlugin(new VCFExportPlugin());
 			$this->server->addPlugin(new MultiGetExportPlugin());

apps/dav/tests/unit/CardDAV/Sharing/PluginTest.php

@@ -30,6 +30,7 @@
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\DAV\Sharing\IShareable;
 use OCA\DAV\DAV\Sharing\Plugin;
+use OCP\IConfig;
 use OCP\IRequest;
 use Sabre\DAV\Server;
 use Sabre\DAV\SimpleCollection;
@@ -55,7 +56,8 @@ protected function setUp(): void {
 
 		/** @var IRequest $request */
 		$request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock();
-		$this->plugin = new Plugin($authBackend, $request);
+		$config = $this->createMock(IConfig::class);
+		$this->plugin = new Plugin($authBackend, $request, $config);
 
 		$root = new SimpleCollection('root');
 		$this->server = new \Sabre\DAV\Server($root);

apps/dav/tests/unit/DAV/Sharing/PluginTest.php

@@ -30,6 +30,7 @@
 use OCA\DAV\Connector\Sabre\Auth;
 use OCA\DAV\DAV\Sharing\IShareable;
 use OCA\DAV\DAV\Sharing\Plugin;
+use OCP\IConfig;
 use OCP\IRequest;
 use Sabre\DAV\Server;
 use Sabre\DAV\SimpleCollection;
@@ -55,7 +56,8 @@ protected function setUp(): void {
 
 		/** @var IRequest $request */
 		$request = $this->getMockBuilder(IRequest::class)->disableOriginalConstructor()->getMock();
-		$this->plugin = new Plugin($authBackend, $request);
+		$config = $this->createMock(IConfig::class);
+		$this->plugin = new Plugin($authBackend, $request, $config);
 
 		$root = new SimpleCollection('root');
 		$this->server = new \Sabre\DAV\Server($root);