perf: skip request without read permission

Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
author: Richard Steinmetz <richard@steinmetz.cloud> 2024-02-19 09:39:26 +0100
committer: backportbot[bot] <backportbot[bot]@users.noreply.github.com> 2024-02-21 12:48:30 +0000
commit: 8e67575a71fa76988b907e1af8beaf7077fdb34d (patch)
tree: b3a4fda62196842f92796d90bc2c0b93c32ed1dd /apps/dav
parent: dd291e1a167e25f3c94874715f0d5d756da64194 (diff)
download: nextcloud-server-8e67575a71fa76988b907e1af8beaf7077fdb34d.tar.gz
nextcloud-server-8e67575a71fa76988b907e1af8beaf7077fdb34d.zip
1 files changed, 9 insertions, 4 deletions
diff --git a/apps/dav/lib/Connector/Sabre/DavAclPlugin.php b/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
index f574cec00c6..236ca3da7fa 100644
--- a/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
+++ b/apps/dav/lib/Connector/Sabre/DavAclPlugin.php
@@ -8,6 +8,7 @@
  * @author Robin Appelman <robin@icewind.nl>
  * @author Roeland Jago Douma <roeland@famdouma.nl>
  * @author Thomas Müller <thomas.mueller@tmit.eu>
+ * @author Richard Steinmetz <richard@steinmetz.cloud>
  *
  * @license AGPL-3.0
  *
@@ -105,11 +106,15 @@ class DavAclPlugin extends \Sabre\DAVACL\Plugin {
 
 		parent::beforeMethod($request, $response);
 
-		$createAddressbookOrCalendarRequest = ($request->getMethod() === 'MKCALENDAR' || $request->getMethod() === 'MKCOL')
-			&& (str_starts_with($path, 'addressbooks/') || str_starts_with($path, 'calendars/'));
+		if (!str_starts_with($path, 'addressbooks/') && !str_starts_with($path, 'calendars/')) {
+			return;
+		}
 
-		if ($createAddressbookOrCalendarRequest) {
-			[$parentName] = \Sabre\Uri\split($path);
+		[$parentName] = \Sabre\Uri\split($path);
+		if ($request->getMethod() === 'REPORT') {
+			// is calendars/users/bob or addressbooks/users/bob readable?
+			$this->checkPrivileges($parentName, '{DAV:}read');
+		} elseif ($request->getMethod() === 'MKCALENDAR' || $request->getMethod() === 'MKCOL') {
 			// is calendars/users/bob or addressbooks/users/bob writeable?
 			$this->checkPrivileges($parentName, '{DAV:}write');
 		}
author	Richard Steinmetz <richard@steinmetz.cloud>	2024-02-19 09:39:26 +0100
committer	backportbot[bot] <backportbot[bot]@users.noreply.github.com>	2024-02-21 12:48:30 +0000
commit	8e67575a71fa76988b907e1af8beaf7077fdb34d (patch)
tree	b3a4fda62196842f92796d90bc2c0b93c32ed1dd /apps/dav
parent	dd291e1a167e25f3c94874715f0d5d756da64194 (diff)
download	nextcloud-server-8e67575a71fa76988b907e1af8beaf7077fdb34d.tar.gz nextcloud-server-8e67575a71fa76988b907e1af8beaf7077fdb34d.zip