diff --git a/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php b/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php index b736d9432bd14..f7d68e4ec1d3f 100644 --- a/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php +++ b/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php @@ -27,6 +27,7 @@ use OCA\DAV\CalDAV\BirthdayService; use OCA\DAV\CalDAV\CalendarHome; use OCP\IConfig; +use OCP\IUser; use Sabre\DAV\Server; use Sabre\DAV\ServerPlugin; use Sabre\HTTP\RequestInterface; @@ -56,15 +57,20 @@ class EnablePlugin extends ServerPlugin { */ protected $server; + /** @var IUser */ + private $user; + /** * PublishPlugin constructor. * * @param IConfig $config * @param BirthdayService $birthdayService + * @param IUser $user */ - public function __construct(IConfig $config, BirthdayService $birthdayService) { + public function __construct(IConfig $config, BirthdayService $birthdayService, IUser $user) { $this->config = $config; $this->birthdayService = $birthdayService; + $this->user = $user; } /** @@ -127,11 +133,14 @@ public function httpPost(RequestInterface $request, ResponseInterface $response) return; } - $principalUri = $node->getOwner(); - $userId = substr($principalUri, 17); + $owner = substr($node->getOwner(), 17); + if($owner !== $this->user->getUID()) { + $this->server->httpResponse->setStatus(403); + return false; + } - $this->config->setUserValue($userId, 'dav', 'generateBirthdayCalendar', 'yes'); - $this->birthdayService->syncUser($userId); + $this->config->setUserValue($this->user->getUID(), 'dav', 'generateBirthdayCalendar', 'yes'); + $this->birthdayService->syncUser($this->user->getUID()); $this->server->httpResponse->setStatus(204); diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php index f98dba229256d..19057d0a7e09c 100644 --- a/apps/dav/lib/Server.php +++ b/apps/dav/lib/Server.php @@ -321,7 +321,8 @@ public function __construct(IRequest $request, string $baseUri) { } $this->server->addPlugin(new \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin( \OC::$server->getConfig(), - \OC::$server->query(BirthdayService::class) + \OC::$server->query(BirthdayService::class), + $user )); $this->server->addPlugin(new AppleProvisioningPlugin( \OC::$server->getUserSession(), diff --git a/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php b/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php index 99e5f2e8e542c..880b78a5b1d7c 100644 --- a/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php +++ b/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php @@ -31,6 +31,7 @@ use OCA\DAV\CalDAV\Calendar; use OCA\DAV\CalDAV\CalendarHome; use OCP\IConfig; +use OCP\IUser; use Test\TestCase; class EnablePluginTest extends TestCase { @@ -44,6 +45,9 @@ class EnablePluginTest extends TestCase { /** @var BirthdayService |\PHPUnit\Framework\MockObject\MockObject */ protected $birthdayService; + /** @var IUser|\PHPUnit\Framework\MockObject\MockObject */ + protected $user; + /** @var \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin $plugin */ protected $plugin; @@ -61,8 +65,9 @@ protected function setUp(): void { $this->config = $this->createMock(IConfig::class); $this->birthdayService = $this->createMock(BirthdayService::class); + $this->user = $this->createMock(IUser::class); - $this->plugin = new EnablePlugin($this->config, $this->birthdayService); + $this->plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user); $this->plugin->initialize($this->server); $this->request = $this->createMock(\Sabre\HTTP\RequestInterface::class); @@ -80,7 +85,7 @@ public function testGetName() { public function testInitialize() { $server = $this->createMock(\Sabre\DAV\Server::class); - $plugin = new EnablePlugin($this->config, $this->birthdayService); + $plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user); $server->expects($this->once()) ->method('on') @@ -143,6 +148,55 @@ public function testHttpPostWrongRequest() { $this->plugin->httpPost($this->request, $this->response); } + public function testHttpPostNotAuthorized(): void { + $calendarHome = $this->createMock(CalendarHome::class); + + $this->server->expects($this->once()) + ->method('getRequestUri') + ->willReturn('/bar/foo'); + $this->server->tree->expects($this->once()) + ->method('getNodeForPath') + ->with('/bar/foo') + ->willReturn($calendarHome); + + $calendarHome->expects($this->once()) + ->method('getOwner') + ->willReturn('principals/users/BlaBlub'); + + $this->request->expects($this->once()) + ->method('getBodyAsString') + ->willReturn(''); + + $this->request->expects($this->once()) + ->method('getUrl') + ->willReturn('url_abc'); + + $this->server->xml->expects($this->once()) + ->method('parse') + ->willReturnCallback(function ($requestBody, $url, &$documentType): void { + $documentType = '{http://nextcloud.com/ns}enable-birthday-calendar'; + }); + + $this->user->expects(self::once()) + ->method('getUID') + ->willReturn('admin'); + + $this->server->httpResponse->expects($this->once()) + ->method('setStatus') + ->with(403); + + $this->config->expects($this->never()) + ->method('setUserValue'); + + $this->birthdayService->expects($this->never()) + ->method('syncUser'); + + + $result = $this->plugin->httpPost($this->request, $this->response); + + $this->assertEquals(false, $result); + } + public function testHttpPost() { $calendarHome = $this->createMock(CalendarHome::class); @@ -172,6 +226,10 @@ public function testHttpPost() { $documentType = '{http://nextcloud.com/ns}enable-birthday-calendar'; }); + $this->user->expects(self::exactly(3)) + ->method('getUID') + ->willReturn('BlaBlub'); + $this->config->expects($this->once()) ->method('setUserValue') ->with('BlaBlub', 'dav', 'generateBirthdayCalendar', 'yes');