author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-03-17 15:39:08 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-03-24 09:53:36 +0100 |
commit | 06e8c70400dd6e3e1c153c4258eba0357c502a7f (patch) | |
tree | fbc705d2c1ad348cde72c286da271d26afe99d81 /apps/dav/lib/carddav | |
parent | 8c2b19d2bc2167e95849d7e3541f25a5519caf3b (diff) | |
download | nextcloud-server-06e8c70400dd6e3e1c153c4258eba0357c502a7f.tar.gz nextcloud-server-06e8c70400dd6e3e1c153c4258eba0357c502a7f.zip |
Fix acls for calendar objects and cards - fixes #23273
Diffstat (limited to 'apps/dav/lib/carddav')
-rw-r--r-- | apps/dav/lib/carddav/addressbook.php | 55 | ||||
-rw-r--r-- | apps/dav/lib/carddav/card.php | 45 | ||||
-rw-r--r-- | apps/dav/lib/carddav/carddavbackend.php | 6 |
3 files changed, 32 insertions, 74 deletions
diff --git a/apps/dav/lib/carddav/addressbook.php b/apps/dav/lib/carddav/addressbook.php
index bb9d13b981e..8b1b600ec3d 100644
--- a/apps/dav/lib/carddav/addressbook.php
+++ b/apps/dav/lib/carddav/addressbook.php
@@ -21,6 +21,7 @@
 namespace OCA\DAV\CardDAV;
 use OCA\DAV\DAV\Sharing\IShareable;
+use Sabre\CardDAV\Card;
 use Sabre\DAV\Exception\Forbidden;
 use Sabre\DAV\Exception\NotFound;
 use Sabre\DAV\PropPatch;
@@ -70,39 +71,31 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 }
 function getACL() {
- $acl = parent::getACL();
- if ($this->getOwner() === 'principals/system/system') {
- $acl[] = [
- 'privilege' => '{DAV:}read',
- 'principal' => '{DAV:}authenticated',
- 'protected' => true,
+ $acl = [
+ [
+ 'privilege' => '{DAV:}read',
+ 'principal' => $this->getOwner(),
+ 'protected' => true,
+ ]];
+ $acl[] = [
+ 'privilege' => '{DAV:}write',
+ 'principal' => $this->getOwner(),
+ 'protected' => true,
 ];
- }
-
- // add the current user
- if (isset($this->addressBookInfo['{http://owncloud.org/ns}owner-principal'])) {
- $owner = $this->addressBookInfo['{http://owncloud.org/ns}owner-principal'];
- $acl[] = [
+ if ($this->getOwner() !== parent::getOwner()) {
+ $acl[] = [
 'privilege' => '{DAV:}read',
- 'principal' => $owner,
+ 'principal' => parent::getOwner(),
 'protected' => true,
 ];
- if ($this->addressBookInfo['{http://owncloud.org/ns}read-only']) {
+ if ($this->canWrite()) {
 $acl[] = [
 'privilege' => '{DAV:}write',
- 'principal' => $owner,
+ 'principal' => parent::getOwner(),
 'protected' => true,
 ];
 }
 }
-
- /** @var CardDavBackend $carddavBackend */
- $carddavBackend = $this->carddavBackend;
- return $carddavBackend->applyShareAcl($this->getResourceId(), $acl);
- }
-
- function getChildACL() {
- $acl = parent::getChildACL();
 if ($this->getOwner() === 'principals/system/system') {
 $acl[] = [
 'privilege' => '{DAV:}read',
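Review bot: The rewritten `getACL()` has no docblock, and the rule it now encodes is easy to misread: `$this->getOwner()` always gets read and write, while `parent::getOwner()` gets read, plus write only when `canWrite()` is true, whenever the two principals differ. That comparison depends on `getOwner()` being overridden in this class, which is outside the hunk, so presumably `parent::getOwner()` is the principal the book is shared with; this should be confirmed and stated in a docblock, together with the fact that the parent class ACL is no longer the starting point. As a matter of style, the two owner entries could be one array literal rather than `$acl = [[...]]` followed by `$acl[] = [...]`. The function body continues past the end of this hunk.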
@@ -116,12 +109,19 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 return $carddavBackend->applyShareAcl($this->getResourceId(), $acl);
 }
+ function getChildACL() {
+ return $this->getACL();
+ }
+
 function getChild($name) {
- $obj = $this->carddavBackend->getCard($this->getResourceId(), $name);
+
+ $obj = $this->carddavBackend->getCard($this->addressBookInfo['id'], $name);
 if (!$obj) {
 throw new NotFound('Card not found');
 }
+ $obj['acl'] = $this->getChildACL();
 return new Card($this->carddavBackend, $this->addressBookInfo, $obj);
+
 }
 /**
@@ -172,4 +172,11 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 return $cardDavBackend->collectCardProperties($this->getResourceId(), 'CATEGORIES');
 }
+
+ private function canWrite() {
+ if (isset($this->addressBookInfo['{http://owncloud.org/ns}read-only'])) {
+ return !$this->addressBookInfo['{http://owncloud.org/ns}read-only'];
+ }
+ return true;
+ }
 }
diff --git a/apps/dav/lib/carddav/card.php b/apps/dav/lib/carddav/card.php
deleted file mode 100644
index d848f2e28ec..00000000000
--- a/apps/dav/lib/carddav/card.php
+++ /dev/null
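Review bot: `getChild()` now looks the card up with `$this->addressBookInfo['id']`, while the ACL attached to it comes from `getACL()`, whose `applyShareAcl($this->getResourceId(), $acl)` call is visible as context in the same hunk and still uses `getResourceId()`. If the two ids are always equal, one accessor should be used throughout; if they can differ, a card is fetched under one id and authorised under another. `getResourceId()` is defined outside the hunk, so this needs confirming, and a comment on the lookup such as `// card lookup and share ACL must refer to the same address book id` would record the intent. The blank lines added at the start and end of the method body can be dropped.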
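Review bot: `canWrite()` in addressbook.php fails open: when the `{http://owncloud.org/ns}read-only` key is missing it returns true, and in the visible hunks its only caller is the branch of `getACL()` that grants `{DAV:}write` to `parent::getOwner()` when that principal differs from the owner. A book that reaches that branch without the key therefore becomes writable for the non-owner principal. Ending the method with `return false;` would deny write when the access level is unknown, and the owner's own write entry is unaffected because it is added unconditionally. The flag itself is computed in carddavbackend.php, where any `access` value other than `Backend::ACCESS_READ` likewise yields a writable share.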
@@ -1,45 +0,0 @@
-<?php
-/**
- * @author Thomas Müller <thomas.mueller@tmit.eu>
- *
- * @copyright Copyright (c) 2016, ownCloud, Inc.
- * @license AGPL-3.0
- *
- * This code is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License, version 3,
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License, version 3,
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-namespace OCA\DAV\CardDAV;
-
-class Card extends \Sabre\CardDAV\Card {
-
- function getACL() {
- $acl = parent::getACL();
- if ($this->getOwner() === 'principals/system/system') {
- $acl[] = [
- 'privilege' => '{DAV:}read',
- 'principal' => '{DAV:}authenticated',
- 'protected' => true,
- ];
- }
-
- /** @var CardDavBackend $carddavBackend */
- $carddavBackend = $this->carddavBackend;
- return $carddavBackend->applyShareAcl($this->getBookId(), $acl);
- }
-
- private function getBookId() {
- return $this->addressBookInfo['id'];
- }
-
-}
diff --git a/apps/dav/lib/carddav/carddavbackend.php b/apps/dav/lib/carddav/carddavbackend.php
index ccf0f4fbe06..650623225e3 100644
--- a/apps/dav/lib/carddav/carddavbackend.php
+++ b/apps/dav/lib/carddav/carddavbackend.php
@@ -62,10 +62,6 @@ class CardDavBackend implements BackendInterface, SyncSupport {
 'BDAY', 'UID', 'N', 'FN', 'TITLE', 'ROLE', 'NOTE', 'NICKNAME', 'ORG', 'CATEGORIES', 'EMAIL', 'TEL', 'IMPP', 'ADR', 'URL', 'GEO', 'CLOUD');
- const ACCESS_OWNER = 1;
- const ACCESS_READ_WRITE = 2;
- const ACCESS_READ = 3;
-
 /** @var EventDispatcherInterface */
 private $dispatcher;
@@ -153,7 +149,7 @@ class CardDavBackend implements BackendInterface, SyncSupport {
 '{http://calendarserver.org/ns/}getctag' => $row['synctoken'],
 '{http://sabredav.org/ns}sync-token' => $row['synctoken']?$row['synctoken']:'0',
 '{' . \OCA\DAV\DAV\Sharing\Plugin::NS_OWNCLOUD . '}owner-principal' => $row['principaluri'],
- '{' . \OCA\DAV\DAV\Sharing\Plugin::NS_OWNCLOUD . '}read-only' => $row['access'] === self::ACCESS_READ,
+ '{' . \OCA\DAV\DAV\Sharing\Plugin::NS_OWNCLOUD . '}read-only' => (int)$row['access'] === Backend::ACCESS_READ,
 ];
 }
 }
|
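Review bot: `Backend::ACCESS_READ` is an unqualified class name, and no hunk in this diff adds a `use` line for `Backend` to carddavbackend.php, so unless the import already exists outside the visible context it resolves relative to the current namespace. The neighbouring lines spell out `\OCA\DAV\DAV\Sharing\Plugin` in full, and qualifying `Backend` the same way would remove the doubt. The `(int)` cast also deserves a short comment, e.g. `// the database driver may return access as a string, so cast before the strict comparison`, since that is presumably why the old `===` against `self::ACCESS_READ` did not behave as intended. The array and the enclosing method start outside the hunk.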