4 files changed, 34 insertions, 3 deletions

diff --git a/apps/dav/lib/CalDAV/Calendar.php b/apps/dav/lib/CalDAV/Calendar.php
index 9c56398b14c..c03bf98ee38 100644
--- a/apps/dav/lib/CalDAV/Calendar.php
+++ b/apps/dav/lib/CalDAV/Calendar.php
@@ -122,7 +122,14 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
 				'principal' => $this->getOwner(),
 				'protected' => true,
 			];
+		} else {
+			$acl[] = [
+				'privilege' => '{DAV:}write-properties',
+				'principal' => $this->getOwner(),
+				'protected' => true,
+			];
 		}
+
 		if ($this->getOwner() !== parent::getOwner()) {
 			$acl[] =  [
 					'privilege' => '{DAV:}read',
diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php
index f0e0f389c33..b7fd9116f21 100644
--- a/apps/dav/lib/Connector/Sabre/BearerAuth.php
+++ b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@@ -25,6 +25,8 @@ use OCP\IRequest;
 use OCP\ISession;
 use OCP\IUserSession;
 use Sabre\DAV\Auth\Backend\AbstractBearer;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
 
 class BearerAuth extends AbstractBearer {
 	/** @var IUserSession */
@@ -77,4 +79,16 @@ class BearerAuth extends AbstractBearer {
 
 		return false;
 	}
+
+	/**
+	 * \Sabre\DAV\Auth\Backend\AbstractBearer::challenge sets an WWW-Authenticate
+	 * header which some DAV clients can't handle. Thus we override this function
+	 * and make it simply return a 401.
+	 *
+	 * @param RequestInterface $request
+	 * @param ResponseInterface $response
+	 */
+	public function challenge(RequestInterface $request, ResponseInterface $response) {
+		$response->setStatus(401);
+	}
 }
diff --git a/apps/dav/tests/unit/CalDAV/CalendarTest.php b/apps/dav/tests/unit/CalDAV/CalendarTest.php
index cf295f01065..fd74da0214b 100644
--- a/apps/dav/tests/unit/CalDAV/CalendarTest.php
+++ b/apps/dav/tests/unit/CalDAV/CalendarTest.php
@@ -191,6 +191,10 @@ class CalendarTest extends TestCase {
 				'privilege' => '{DAV:}read',
 				'principal' => $hasOwnerSet ? 'user1' : 'user2',
 				'protected' => true
+			], [
+				'privilege' => '{DAV:}write-properties',
+				'principal' => $hasOwnerSet ? 'user1' : 'user2',
+				'protected' => true
 			]];
 		}
 		if ($hasOwnerSet) {
diff --git a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
index 5eae75eb8e9..04bb035a635 100644
--- a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
@@ -21,9 +21,6 @@
 
 namespace OCA\DAV\Tests\unit\Connector\Sabre;
 
-use OC\Authentication\TwoFactorAuth\Manager;
-use OC\Security\Bruteforce\Throttler;
-use OC\User\Session;
 use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCP\IRequest;
 use OCP\ISession;
@@ -85,4 +82,13 @@ class BearerAuthTest extends TestCase {
 
 		$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
 	}
+
+	public function testChallenge() {
+		/** @var \PHPUnit_Framework_MockObject_MockObject|RequestInterface $request */
+		$request = $this->createMock(RequestInterface::class);
+		/** @var \PHPUnit_Framework_MockObject_MockObject|ResponseInterface $response */
+		$response = $this->createMock(ResponseInterface::class);
+		$result = $this->bearerAuth->challenge($request, $response);
+		$this->assertEmpty($result);
+	}
 }