fix(CalDAV): check birthday calendar owner 40309/head
authorAnna Larch <anna@nextcloud.com>
Fri, 18 Aug 2023 07:02:59 +0000 (09:02 +0200)
committerAnna <anna@nextcloud.com>
Thu, 7 Sep 2023 07:25:08 +0000 (09:25 +0200)
Signed-off-by: Anna Larch <anna@nextcloud.com>
apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php
apps/dav/lib/Server.php
apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php

index b736d9432bd14ddbb932e511217eb5a32767a16d..f7d68e4ec1d3f4cf1e517a22f0ff8e9a3977a286 100644 (file)
@@ -27,6 +27,7 @@ namespace OCA\DAV\CalDAV\BirthdayCalendar;
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
@@ -56,15 +57,20 @@ class EnablePlugin extends ServerPlugin {
         */
        protected $server;
 
+       /** @var IUser */
+       private $user;
+
        /**
         * PublishPlugin constructor.
         *
         * @param IConfig $config
         * @param BirthdayService $birthdayService
+        * @param IUser $user
         */
-       public function __construct(IConfig $config, BirthdayService $birthdayService) {
+       public function __construct(IConfig $config, BirthdayService $birthdayService, IUser $user) {
                $this->config = $config;
                $this->birthdayService = $birthdayService;
+               $this->user = $user;
        }
 
        /**
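Review bot: The new `$user` property and its `@param IUser $user` line carry no description, although this identity is the security-relevant input of the plugin. Suggest `@param IUser $user the authenticated user; httpPost only acts when this user owns the calendar home`. The docblock header still reads `PublishPlugin constructor.` although the class is EnablePlugin, which is worth correcting while the block is being touched. If the file's minimum PHP version allows it, `private IUser $user;` would replace the `@var` docblock with an enforced type.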
@@ -127,11 +133,14 @@ class EnablePlugin extends ServerPlugin {
                        return;
                }
 
-               $principalUri = $node->getOwner();
-               $userId = substr($principalUri, 17);
+               $owner = substr($node->getOwner(), 17);
+               if($owner !== $this->user->getUID()) {
+                       $this->server->httpResponse->setStatus(403);
+                       return false;
+               }
 
-               $this->config->setUserValue($userId, 'dav', 'generateBirthdayCalendar', 'yes');
-               $this->birthdayService->syncUser($userId);
+               $this->config->setUserValue($this->user->getUID(), 'dav', 'generateBirthdayCalendar', 'yes');
+               $this->birthdayService->syncUser($this->user->getUID());
 
                $this->server->httpResponse->setStatus(204);
 
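Review bot: The owner check strips the principal prefix with `substr($node->getOwner(), 17)` without verifying that the owner actually begins with `principals/users/`, so the comparison rests on a magic length rather than on the principal type. Comparing the full URI is stricter and self-documenting: `if ($node->getOwner() !== 'principals/users/' . $this->user->getUID()) {`. Reading the UID once into a local (`$uid = $this->user->getUID();`) would also replace the three separate calls in this hunk. A log entry on the 403 branch, naming the authenticated UID and the requested owner, would make cross-account attempts visible to operators. httpPost starts and ends outside the hunk.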
index 909bcaa71e8f98ae69beae644395701c60dadb57..37b5eb3b70b1a60c512b4a148cd45273cc6284fc 100644 (file)
@@ -325,7 +325,8 @@ class Server {
                                }
                                $this->server->addPlugin(new \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin(
                                        \OC::$server->getConfig(),
-                                       \OC::$server->query(BirthdayService::class)
+                                       \OC::$server->query(BirthdayService::class),
+                                       $user
                                ));
                                $this->server->addPlugin(new AppleProvisioningPlugin(
                                        \OC::$server->getUserSession(),
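Review bot: `$user` is assigned outside this hunk, and the new third constructor parameter is a non-nullable `IUser`, so this call relies on `$user` being the authenticated session user and never null at this point. Confirm it comes from the user session rather than from anything derived from the request path, since the owner check in EnablePlugin::httpPost is only as strong as this identity. If `$user` can be null for some request types, guard the `addPlugin` call, otherwise the constructor will raise a TypeError.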
index ec27dc89aa1f2e3599039fe3d6e8a26af99513b9..cb89f1bf88c4a998799e63adf9f010e198c19496 100644 (file)
@@ -31,6 +31,7 @@ use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Calendar;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Test\TestCase;
 
 class EnablePluginTest extends TestCase {
@@ -44,6 +45,9 @@ class EnablePluginTest extends TestCase {
        /** @var BirthdayService |\PHPUnit\Framework\MockObject\MockObject */
        protected $birthdayService;
 
+       /** @var IUser|\PHPUnit\Framework\MockObject\MockObject  */
+       protected $user;
+
        /** @var \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin $plugin */
        protected $plugin;
 
@@ -61,8 +65,9 @@ class EnablePluginTest extends TestCase {
 
                $this->config = $this->createMock(IConfig::class);
                $this->birthdayService = $this->createMock(BirthdayService::class);
+               $this->user = $this->createMock(IUser::class);
 
-               $this->plugin = new EnablePlugin($this->config, $this->birthdayService);
+               $this->plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);
                $this->plugin->initialize($this->server);
 
                $this->request = $this->createMock(\Sabre\HTTP\RequestInterface::class);
@@ -80,7 +85,7 @@ class EnablePluginTest extends TestCase {
        public function testInitialize(): void {
                $server = $this->createMock(\Sabre\DAV\Server::class);
 
-               $plugin = new EnablePlugin($this->config, $this->birthdayService);
+               $plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);
 
                $server->expects($this->once())
                        ->method('on')
@@ -143,6 +148,55 @@ class EnablePluginTest extends TestCase {
                $this->plugin->httpPost($this->request, $this->response);
        }
 
+       public function testHttpPostNotAuthorized(): void {
+               $calendarHome = $this->createMock(CalendarHome::class);
+
+               $this->server->expects($this->once())
+                       ->method('getRequestUri')
+                       ->willReturn('/bar/foo');
+               $this->server->tree->expects($this->once())
+                       ->method('getNodeForPath')
+                       ->with('/bar/foo')
+                       ->willReturn($calendarHome);
+
+               $calendarHome->expects($this->once())
+                       ->method('getOwner')
+                       ->willReturn('principals/users/BlaBlub');
+
+               $this->request->expects($this->once())
+                       ->method('getBodyAsString')
+                       ->willReturn('<nc:enable-birthday-calendar xmlns:nc="http://nextcloud.com/ns"/>');
+
+               $this->request->expects($this->once())
+                       ->method('getUrl')
+                       ->willReturn('url_abc');
+
+               $this->server->xml->expects($this->once())
+                       ->method('parse')
+                       ->willReturnCallback(function ($requestBody, $url, &$documentType): void {
+                               $documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
+                       });
+
+               $this->user->expects(self::once())
+                       ->method('getUID')
+                       ->willReturn('admin');
+
+               $this->server->httpResponse->expects($this->once())
+                       ->method('setStatus')
+                       ->with(403);
+
+               $this->config->expects($this->never())
+                       ->method('setUserValue');
+
+               $this->birthdayService->expects($this->never())
+                       ->method('syncUser');
+
+
+               $result = $this->plugin->httpPost($this->request, $this->response);
+
+               $this->assertEquals(false, $result);
+       }
+
        public function testHttpPost(): void {
                $calendarHome = $this->createMock(CalendarHome::class);
 
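Review bot: `$this->assertEquals(false, $result);` at the end of testHttpPostNotAuthorized compares loosely, so it would also pass if httpPost returned null from one of its bare `return;` paths. Use `$this->assertFalse($result);` so the test pins the explicit `false` that the denial branch returns. The test also mixes `self::once()` with `$this->once()`; pick one form for consistency with the rest of the class.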
@@ -172,6 +226,10 @@ class EnablePluginTest extends TestCase {
                                $documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
                        });
 
+               $this->user->expects(self::exactly(3))
+                       ->method('getUID')
+                       ->willReturn('BlaBlub');
+
                $this->config->expects($this->once())
                        ->method('setUserValue')
                        ->with('BlaBlub', 'dav', 'generateBirthdayCalendar', 'yes');
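Review bot: `self::exactly(3)` on `getUID` pins how many times httpPost happens to read the UID, which is an implementation detail rather than behaviour. If httpPost later caches the UID in a local, this test fails without any behavioural change; `$this->user->method('getUID')->willReturn('BlaBlub');` keeps the stub, and the `setUserValue` expectation that follows still verifies which user id is written. testHttpPost starts and ends outside the hunk.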