author | redmatrix <git@macgirvin.com> | 2016-07-28 19:58:05 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-07-28 19:58:05 -0700 |
commit | ae5c10a71cd29722f63b379b62801dea52a9ab8f (patch) | |
tree | 5c9c0c6668369f5ffbd4f5c7b635c9c1ec96b996 /Zotlabs/Storage | |
parent | 2d4b75428a87038b9a637bf49fc0a91c91b392fb (diff) | |
parent | 4d5202353fbce12f19fbe578205259d2a7bd3f04 (diff) | |
Merge branch '1.10RC'1.10
Diffstat (limited to 'Zotlabs/Storage')
-rw-r--r-- | Zotlabs/Storage/BasicAuth.php | 93 | ||||
-rw-r--r-- | Zotlabs/Storage/Browser.php | 4 | ||||
-rw-r--r-- | Zotlabs/Storage/CalDAVClient.php | 738 | ||||
-rw-r--r-- | Zotlabs/Storage/Directory.php | 288 | ||||
-rw-r--r-- | Zotlabs/Storage/File.php | 4 |
5 files changed, 1094 insertions, 33 deletions
diff --git a/Zotlabs/Storage/BasicAuth.php b/Zotlabs/Storage/BasicAuth.php index 121a9c3a1..2325a614b 100644 --- a/Zotlabs/Storage/BasicAuth.php +++ b/Zotlabs/Storage/BasicAuth.php @@ -3,6 +3,8 @@ namespace Zotlabs\Storage; use Sabre\DAV; +use Sabre\HTTP\RequestInterface; +use Sabre\HTTP\ResponseInterface; /** * @brief Authentication backend class for DAV. 
@@ -89,33 +91,20 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic { require_once('include/auth.php'); $record = account_verify_password($username, $password); - if ($record && $record['account_default_channel']) { - $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", - intval($record['account_id']), - intval($record['account_default_channel']) - ); - if($r && $this->check_module_access($r[0]['channel_id'])) { - return $this->setAuthenticated($r[0]); + if($record && $record['account']) { + if($record['channel']) + $channel = $record['channel']; + else { + $r = q("SELECT * FROM channel WHERE channel_account_id = %d AND channel_id = %d LIMIT 1", + intval($record['account']['account_id']), + intval($record['account']['account_default_channel']) + ); + if($r) + $channel = $r[0]; } } - $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1", - dbesc($username) - ); - if ($r) { - $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1", - intval($r[0]['channel_account_id']) - ); - if ($x) { - // @fixme this foreach should not be needed? - foreach ($x as $record) { - if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)) - && (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) { - logger('password verified for ' . $username); - if($this->check_module_access($r[0]['channel_id'])) - return $this->setAuthenticated($r[0]); - } - } - } + if($channel && $this->check_module_access($channel['channel_id'])) { + return $this->setAuthenticated($channel); } if($this->module_disabled) 
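Review bot: `$channel` is only assigned inside the `if($record && $record['account'])` branch, so when `account_verify_password()` returns nothing, or the default-channel query returns no row, the later `if($channel && $this->check_module_access(...))` test reads an undefined variable. PHP evaluates that as null, so the check fails closed, but an authentication decision should not rest on that; add `$channel = null;` before the `if($record ...)` test. The hunk also removes the `logger('password verified for ' . $username)` call and adds no log line for either outcome, so unless `account_verify_password()` logs on its own (not visible here) DAV logins through this path leave no trace for detection. The method body starts and ends outside the hunk.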
@@ -145,6 +134,58 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic { return true; } + /** + * When this method is called, the backend must check if authentication was + * successful. + * + * The returned value must be one of the following + * + * [true, "principals/username"] + * [false, "reason for failure"] + * + * If authentication was successful, it's expected that the authentication + * backend returns a so-called principal url. + * + * Examples of a principal url: + * + * principals/admin + * principals/user1 + * principals/users/joe + * principals/uid/123457 + * + * If you don't use WebDAV ACL (RFC3744) we recommend that you simply + * return a string such as: + * + * principals/users/[username] + * + * @param RequestInterface $request + * @param ResponseInterface $response + * @return array + */ + function check(RequestInterface $request, ResponseInterface $response) { + + if(local_channel()) { + $this->setAuthenticated(\App::get_channel()); + return [ true, $this->principalPrefix . $this->channel_name ]; + } + + $auth = new \Sabre\HTTP\Auth\Basic( + $this->realm, + $request, + $response + ); + + $userpass = $auth->getCredentials(); + if (!$userpass) { + return [false, "No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured"]; + } + if (!$this->validateUserPass($userpass[0], $userpass[1])) { + return [false, "Username or password was incorrect"]; + } + return [true, $this->principalPrefix . $userpass[0]]; + + } + protected function check_module_access($channel_id) { if($channel_id && \App::$module === 'cdav') { $x = get_pconfig($channel_id,'cdav','enabled'); @@ -222,4 +263,4 @@ class BasicAuth extends DAV\Auth\Backend\AbstractBasic { logger('owner_id ' . $this->owner_id, LOGGER_DATA); logger('owner_nick ' . $this->owner_nick, LOGGER_DATA); } -}
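Review bot: The success return at the end of `check()` builds the principal from the client-supplied login, `$this->principalPrefix . $userpass[0]`, while `validateUserPass()` may have authenticated a different identifier: the earlier hunk in this file resolves the account record to `$record['channel']` or to the account's default channel. The session branch already returns `$this->channel_name` after `setAuthenticated()`, so, presuming `setAuthenticated()` is what populates that field, the Basic branch should return `[true, $this->principalPrefix . $this->channel_name]` too, so the principal always names the channel that was actually authenticated. Separately, the `local_channel()` branch calls `setAuthenticated()` without the `check_module_access()` test that `validateUserPass()` applies, so a logged-in session appears to skip the per-channel `cdav` enable check; confirm that is intended. The method also has no visibility keyword; declare it `public function check(...)`.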
\ No newline at end of file +} diff --git a/Zotlabs/Storage/Browser.php b/Zotlabs/Storage/Browser.php index f875cbf33..713d75108 100644 --- a/Zotlabs/Storage/Browser.php +++ b/Zotlabs/Storage/Browser.php @@ -219,7 +219,7 @@ class Browser extends DAV\Browser\Plugin { $output = ''; if ($this->enablePost) { - $this->server->emit('onHTMLActionsPanel', array($parent, &$output)); + $this->server->emit('onHTMLActionsPanel', array($parent, &$output, $path)); } $html .= replace_macros(get_markup_template('cloud.tpl'), array( @@ -266,7 +266,7 @@ class Browser extends DAV\Browser\Plugin { * @param \Sabre\DAV\INode $node * @param string &$output */ - public function htmlActionsPanel(DAV\INode $node, &$output) { + public function htmlActionsPanel(DAV\INode $node, &$output, $path) { if (! $node instanceof DAV\ICollection) return; diff --git a/Zotlabs/Storage/CalDAVClient.php b/Zotlabs/Storage/CalDAVClient.php new file mode 100644 index 000000000..c1a8db932 --- /dev/null +++ b/Zotlabs/Storage/CalDAVClient.php 
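Review bot: The docblock above `htmlActionsPanel()` in Browser.php still lists only `$node` and `&$output`; add a `@param string $path` line saying what the new third argument holds. The parameter is required, so any caller or listener that still invokes the method with two arguments would now fail; the `emit('onHTMLActionsPanel', ...)` call in the first Browser.php hunk is updated, but other call sites are not visible here. The method body continues outside the hunk, so whether `$path` is used at all cannot be seen.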
@@ -0,0 +1,738 @@ +<?php + +namespace Zotlabs\Storage; + +// The Hubzilla CalDAV client will store calendar information in the 'cal' DB table. +// Event information will remain in the 'event' table. In order to implement CalDAV on top of our +// existing system, there is an event table column called vdata. This will hold the "one true record" +// of the event in VCALENDAR format. When we receive a foreign event, we will pick out the fields +// of this entry that are important to us and use it to populate the other event table fields. +// When we make an event change, it is required that we load this entry as a vobject, make the changes on the +// vobject, and then store the result back in event.vdata. This will preserve foreign keys which we +// know nothing about. Then we sync this back to the DAV server. + +// We still need a DB update to create a 'cal' table entry for our existing events and link these together. +// I'm currently anticipating separating tasks/to-do items from events, so each new account wil get two default calendars. + +// We will eventually provide for magic-auth or cookie login of the CURL process so we won't be required to +// store our hubzilla password. Currently for testing we are using HTTP BASIC-AUTH and must initialise the +// username/password correctly to make the connection. + +// Repeating events will be awkward because every instance has the same UUID. This would make it difficult to +// search for upcoming events if the initial instance was created (for instance) a few years ago. So the current plan is +// to create event instances for a prescribed time limit from now (perhaps 5-10 years for annual events). +// This plan may change. The repurcussions of this decision mean that an edit to a recurring event must +// edit all existing instances of the event, and only one unique instance can be used for sync. +// Sabre vobject provides a function to automatically expand recurring events into individual event instances. 
+ + + +class CalDAVClient { + + private $username; + private $password; + + private $url; + + public $filepos = 0; + public $request_data = ''; + + function __construct($user,$pass,$url) { + $this->username = $user; + $this->password = $pass; + $this->url = $url; + + } + + private function set_data($s) { + $this->request_data = $s; + $this->filepos = 0; + } + + public function curl_read($ch,$fh,$size) { + + if($this->filepos < 0) { + unset($fh); + return ''; + } + + $s = substr($this->request_data,$this->filepos,$size); + + if(strlen($s) < $size) + $this->filepos = (-1); + else + $this->filepos = $this->filepos + $size; + + return $s; + } + + function ctag_fetch() { + $headers = [ 'Depth: 0', 'Prefer: return-minimal', 'Content-Type: application/xml; charset=utf-8']; + + // recommended ctag fetch by sabre + + $this->set_data('<?xml version="1.0"?> +<d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:prop> + <d:displayname /> + <cs:getctag /> + <d:sync-token /> + </d:prop> +</d:propfind>'); + + // thunderbird uses this - it's a bit more verbose on what capabilities + // are provided by the server + + $this->set_data('<?xml version="1.0" encoding="UTF-8"?> +<D:propfind xmlns:D="DAV:" xmlns:CS="http://calendarserver.org/ns/" xmlns:C="urn:ietf:params:xml:ns:caldav"> +<D:prop> + <D:resourcetype/> + <D:owner/> + <D:current-user-principal/> + <D:supported-report-set/> + <C:supported-calendar-component-set/> + <CS:getctag/> +</D:prop> +</D:propfind>'); + + + + $auth = $this->username . ':' . 
$this->password; + + $recurse = 0; + + $x = z_fetch_url($this->url,true,$recurse, + [ 'headers' => $headers, + 'http_auth' => $auth, + 'custom' => 'PROPFIND', + 'upload' => true, + 'infile' => 3, + 'infilesize' => strlen($this->request_data), + 'readfunc' => [ $this, 'curl_read' ] + ]); + + return $x; + + } + + + function detail_fetch() { + $headers = [ 'Depth: 1', 'Prefer: return-minimal', 'Content-Type: application/xml; charset=utf-8']; + + // this query should return all objects in the given calendar, you can filter it appropriately + // using filter options + + $this->set_data('<?xml version="1.0"?> +<c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/"> + <d:prop> + <d:getetag /> + <c:calendar-data /> + </d:prop> + <c:filter> + <c:comp-filter name="VCALENDAR" /> + </c:filter> +</c:calendar-query>'); + + $auth = $this->username . ':' . $this->password; + + $recurse = 0; + $x = z_fetch_url($this->url,true,$recurse, + [ 'headers' => $headers, + 'http_auth' => $auth, + 'custom' => 'REPORT', + 'upload' => true, + 'infile' => 3, + 'infilesize' => strlen($this->request_data), + 'readfunc' => [ $this, 'curl_read' ] + ]); + + + return $x; + + } + + +} + + + +/* + +PROPFIND /calendars/johndoe/home/ HTTP/1.1 +Depth: 0 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:prop> + <d:displayname /> + <cs:getctag /> + </d:prop> +</d:propfind> + +// Responses: success + +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/calendars/johndoe/home/</d:href> + <d:propstat> + <d:prop> + <d:displayname>Home calendar</d:displayname> + <cs:getctag>3145</cs:getctag> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +// Responses: fail + +HTTP/1.1 207 Multi-status 
+Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/calendars/johndoe/home/</d:href> + <d:propstat> + <d:prop> + <d:displayname /> + <cs:getctag /> + </d:prop> + <d:status>HTTP/1.1 403 Forbidden</d:status> + </d:propstat> + </d:response> +</d:multistatus> + + +// sample request body in DOM +// prepare request body +$doc = new DOMDocument('1.0', 'utf-8'); +$doc->formatOutput = true; + +$query = $doc->createElement('c:calendar-query'); +$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:c', 'urn:ietf:params:xml:ns:caldav'); +$query->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:d', 'DAV:'); + +$prop = $doc->createElement('d:prop'); +$prop->appendChild($doc->createElement('d:getetag')); +$prop->appendChild($doc->createElement('c:calendar-data')); +$query->appendChild($prop); +$doc->appendChild($query); +$body = $doc->saveXML(); + +echo "Body: " . $body . "<br>"; + + +Now we download every single object in this calendar. To do this, we use a REPORT method. + +REPORT /calendars/johndoe/home/ HTTP/1.1 +Depth: 1 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <d:getetag /> + <c:calendar-data /> + </d:prop> + <c:filter> + <c:comp-filter name="VCALENDAR" /> + </c:filter> +</c:calendar-query> + +This request will give us every object that's a VCALENDAR object, and its etag. 
+ +If you're only interested in VTODO (because you're writing a todo app) you can also filter for just those: + +REPORT /calendars/johndoe/home/ HTTP/1.1 +Depth: 1 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <d:getetag /> + <c:calendar-data /> + </d:prop> + <c:filter> + <c:comp-filter name="VCALENDAR"> + <c:comp-filter name="VTODO" /> + </c:comp-filter> + </c:filter> +</c:calendar-query> + +Similarly it's also possible to filter to just events, or only get events within a specific time-range. + +This report will return a multi-status object again: + +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/calendars/johndoe/home/132456762153245.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"2134-314"</d:getetag> + <c:calendar-data>BEGIN:VCALENDAR + VERSION:2.0 + CALSCALE:GREGORIAN + BEGIN:VTODO + UID:132456762153245 + SUMMARY:Do the dishes + DUE:20121028T115600Z + END:VTODO + END:VCALENDAR + </c:calendar-data> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/home/132456-34365.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"5467-323"</d:getetag> + <c:calendar-data>BEGIN:VCALENDAR + VERSION:2.0 + CALSCALE:GREGORIAN + BEGIN:VEVENT + UID:132456-34365 + SUMMARY:Weekly meeting + DTSTART:20120101T120000 + DURATION:PT1H + RRULE:FREQ=WEEKLY + END:VEVENT + END:VCALENDAR + </c:calendar-data> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +This calendar only contained 2 objects. A todo and a weekly event. + +So after you retrieved and processed these, for each object you must retain: + + The calendar data itself + The url + The etag + +In this case all urls ended with .ics. 
This is often the case, but you must not rely on this. In this case the UID in the calendar object was also identical to a part of the url. This too is often the case, but again not something you can rely on, so don't make any assumptions. + +The url and the UID have no meaningful relationship, so treat both those items as separate unique identifiers. +Finding out if anything changed + +To see if anything in a calendar changed, we simply request the ctag again on the calendar. If the ctag did not change, you still have the latest copy. + +If it did change, you must request all the etags in the entire calendar again: + +REPORT /calendars/johndoe/home/ HTTP/1.1 +Depth: 1 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <d:getetag /> + </d:prop> + <c:filter> + <c:comp-filter name="VCALENDAR"> + <c:comp-filter name="VTODO" /> + </c:comp-filter> + </c:filter> +</c:calendar-query> + +Note that this last request is extremely similar to a previous one, but we are only asking fo the etag, not the calendar-data. + +The reason for this, is that calendars can be rather huge. It will save a TON of bandwidth to only check the etag first. 
+ +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/calendars/johndoe/home/132456762153245.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"xxxx-xxx"</d:getetag> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/home/fancy-caldav-client-1234253678.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"5-12"</d:getetag> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +Judging from this last request, 3 things have changed: + + The etag for the task has changed, so the contents must be different + There's a new url, some other client must have added an object + One object is missing, something must have deleted it. + +So based on those 3 items we know that we need to delete an object from our local list, and fetch the contents for the new item, and the updated one. + +To fetch the data for these, you can simply issue GET requests: + +GET /calendars/johndoe/home/132456762153245.ics HTTP/1.1 + +But, because in a worst-case scenario this could result in a LOT of GET requests we can do a 'multiget'. + +REPORT /calendars/johndoe/home/ HTTP/1.1 +Depth: 1 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<c:calendar-multiget xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <d:getetag /> + <c:calendar-data /> + </d:prop> + <d:href>/calendars/johndoe/home/132456762153245.ics</d:href> + <d:href>/calendars/johndoe/home/fancy-caldav-client-1234253678.ics</d:href> +</c:calendar-multiget> + +This request will simply return a multi-status again with the calendar-data and etag. +A small note about application design + +If you read this far and understood what's been said, you may have realized that it's a bit cumbersome to have a separate step for the initial sync, and subsequent updates. 
+ +It would totally be possible to skip the 'initial sync', and just use calendar-query and calendar-multiget REPORTS for the initial sync as well. +Updating a calendar object + +Updating a calendar object is rather simple: + +PUT /calendars/johndoe/home/132456762153245.ics HTTP/1.1 +Content-Type: text/calendar; charset=utf-8 +If-Match: "2134-314" + +BEGIN:VCALENDAR +.... +END:VCALENDAR + +A response to this will be something like this: + +HTTP/1.1 204 No Content +ETag: "2134-315" + +The update gave us back the new ETag. SabreDAV gives this ETag on updates back most of the time, but not always. + +There are cases where the caldav server must modify the iCalendar object right after storage. In those cases an ETag will not be returned, and you should issue a GET request immediately to get the correct object. + +A few notes: + + You must not change the UID of the original object + Every object should hold only 1 event or task. + You cannot change an VEVENT into a VTODO. + +Creating a calendar object + +Creating a calendar object is almost identical, except that you don't have a url yet to a calendar object. + +Instead, it is up to you to determine the new url. + +PUT /calendars/johndoe/home/somerandomstring.ics HTTP/1.1 +Content-Type: text/calendar; charset=utf-8 + +BEGIN:VCALENDAR +.... +END:VCALENDAR + +A response to this will be something like this: + +HTTP/1.1 201 Created +ETag: "21345-324" + +Similar to updating, an ETag is often returned, but there are cases where this is not true. +Deleting a calendar object + +Deleting is simple enough: + +DELETE /calendars/johndoe/home/132456762153245.ics HTTP/1.1 +If-Match: "2134-314" + +Speeding up Sync with WebDAV-Sync + +WebDAV-Sync is a protocol extension that is defined in rfc6578. Because this extension was defined later, some servers may not support this yet. + +SabreDAV supports this since 2.0. + +WebDAV-Sync allows a client to ask just for calendars that have changed. 
The process on a high-level is as follows: + + Client requests sync-token from server. + Server reports token 15. + Some time passes. + Client does a Sync REPORT on an calendar, and supplied token 15. + Server returns vcard urls that have changed or have been deleted and returns token 17. + +As you can see, after the initial sync, only items that have been created, modified or deleted will ever be sent. + +This has a lot of advantages. The transmitted xml bodies can generally be a lot shorter, and is also easier on both client and server in terms of memory and CPU usage, because only a limited set of items will have to be compared. + +It's important to note, that a client should only do Sync operations, if the server reports that it has support for it. The quickest way to do so, is to request {DAV}sync-token on the calendar you wish to sync. + +Technically, a server may support 'sync' on one calendar, and it may not support it on another, although this is probably rare. +Getting the first sync-token + +Initially, we just request a sync token when asking for calendar information: + +PROPFIND /calendars/johndoe/home/ HTTP/1.1 +Depth: 0 +Content-Type: application/xml; charset=utf-8 + +<d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:prop> + <d:displayname /> + <cs:getctag /> + <d:sync-token /> + </d:prop> +</d:propfind> + +This would return something as follows: + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/calendars/johndoe/home/</d:href> + <d:propstat> + <d:prop> + <d:displayname>My calendar</d:displayname> + <cs:getctag>3145</cs:getctag> + <d:sync-token>http://sabredav.org/ns/sync-token/3145</d:sync-token> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +As you can see, the sync-token is a url. It always should be a url. Even though a number appears in the url, you are not allowed to attach any meaning to that url. 
Some servers may have use an increasing number, another server may use a completely random string. +Receiving changes + +After a sync token has been obtained, and the client already has the initial copy of the calendar, the client is able to request all changes since the token was issued. + +This is done with a REPORT request that may look like this: + +REPORT /calendars/johndoe/home/ HTTP/1.1 +Host: dav.example.org +Content-Type: application/xml; charset="utf-8" + +<?xml version="1.0" encoding="utf-8" ?> +<d:sync-collection xmlns:d="DAV:"> + <d:sync-token>http://sabredav.org/ns/sync/3145</d:sync-token> + <d:sync-level>1</d:sync-level> + <d:prop> + <d:getetag/> + </d:prop> +</d:sync-collection> + +This requests all the changes since sync-token identified by http://sabredav.org/ns/sync/3145, and for the calendar objects that have been added or modified, we're requesting the etag. + +The response to a query like this is another multistatus xml body. Example: + +HTTP/1.1 207 Multi-Status +Content-Type: application/xml; charset="utf-8" + +<?xml version="1.0" encoding="utf-8" ?> +<d:multistatus xmlns:d="DAV:"> + <d:response> + <d:href>/calendars/johndoe/home/newevent.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"33441-34321"</d:getetag> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/home/updatedevent.ics</d:href> + <d:propstat> + <d:prop> + <d:getetag>"33541-34696"</d:getetag> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/home/deletedevent.ics</d:href> + <d:status>HTTP/1.1 404 Not Found</d:status> + </d:response> + <d:sync-token>http://sabredav.org/ns/sync/5001</d:sync-token> + </d:multistatus> + +The last response reported two changes: newevent.ics and updatedevent.ics. 
There's no way to tell from the response wether those cards got created or updated, you, as a client can only infer this based on the vcards you are already aware of. + +The entry with name deletedevent.ics got deleted as indicated by the 404 status. Note that the status element is here a child of d:response when in all previous examples it has been a child of d:propstat. + +The other difference with the other multi-status examples, is that this one has a sync-token element with the latest sync-token. +Caveats + +Note that a server is free to 'forget' any sync-tokens that have been previously issued. In this case it may be needed to do a full-sync again. + +In case the supplied sync-token is not recognized by the server, a HTTP error is emitted. SabreDAV emits a 403. +Discovery + +Ideally you will want to make sure that all the calendars in an account are automatically discovered. The best user interface would be to just have to ask for three items: + + Username + Password + Server + +And the server should be as short as possible. This is possible with most servers. + +If, for example a user specified 'dav.example.org' for the server, the first thing you should do is attempt to send a PROPFIND request to https://dav.example.org/. Note that you SHOULD try the https url before the http url. 
+ +This PROPFIND request looks as follows: + +PROPFIND / HTTP/1.1 +Depth: 0 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<d:propfind xmlns:d="DAV:"> + <d:prop> + <d:current-user-principal /> + </d:prop> +</d:propfind> + +This will return a response such as the following: + +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/"> + <d:response> + <d:href>/</d:href> + <d:propstat> + <d:prop> + <d:current-user-principal> + <d:href>/principals/users/johndoe/</d:href> + </d:current-user-principal> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +A 'principal' is a user. The url that's being returned, is a url that refers to the current user. On this url you can request additional information about the user. + +What we need from this url, is their 'calendar home'. The calendar home is a collection that contains all of the users' calendars. + +To request that, issue the following request: + +PROPFIND /principals/users/johndoe/ HTTP/1.1 +Depth: 0 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<d:propfind xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <c:calendar-home-set /> + </d:prop> +</d:propfind> + +This will return a response such as the following: + +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:response> + <d:href>/principals/users/johndoe/</d:href> + <d:propstat> + <d:prop> + <c:calendar-home-set> + <d:href>/calendars/johndoe/</d:href> + </c:calendar-home-set> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> + +Lastly, to list all the calendars for the user, issue a PROPFIND request with Depth: 1. 
+ +PROPFIND /calendars/johndoe/ HTTP/1.1 +Depth: 1 +Prefer: return-minimal +Content-Type: application/xml; charset=utf-8 + +<d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:prop> + <d:resourcetype /> + <d:displayname /> + <cs:getctag /> + <c:supported-calendar-component-set /> + </d:prop> +</d:propfind> + +In that last request, we asked for 4 properties. + +The resourcetype tells us what type of object we're getting back. You must read out the resourcetype and ensure that it contains at least a calendar element in the CalDAV namespace. Other items may be returned, including non- calendar, which your application should ignore. + +The displayname is a human-readable string for the calendarname, the ctag was already covered in an earlier section. + +Lastly, supported-calendar-component-set. This gives us a list of components that the calendar accepts. This could be just VTODO, VEVENT, VJOURNAL or a combination of these three. + +If you are just creating a todo-list application, this means you should only list the calendars that support the VTODO component. 
+ +HTTP/1.1 207 Multi-status +Content-Type: application/xml; charset=utf-8 + +<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/" xmlns:c="urn:ietf:params:xml:ns:caldav"> + <d:response> + <d:href>/calendars/johndoe/</d:href> + <d:propstat> + <d:prop> + <d:resourcetype> + <d:collection/> + </d:resourcetype> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/home/</d:href> + <d:propstat> + <d:prop> + <d:resourcetype> + <d:collection/> + <c:calendar/> + </d:resourcetype> + <d:displayname>Home calendar</d:displayname> + <cs:getctag>3145</cs:getctag> + <c:supported-calendar-component-set> + <c:comp name="VEVENT" /> + </c:supported-calendar-component-set> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> + <d:response> + <d:href>/calendars/johndoe/tasks/</d:href> + <d:propstat> + <d:prop> + <d:resourcetype> + <d:collection/> + <c:calendar/> + </d:resourcetype> + <d:displayname>My TODO list</d:displayname> + <cs:getctag>3345</cs:getctag> + <c:supported-calendar-component-set> + <c:comp name="VTODO" /> + </c:supported-calendar-component-set> + </d:prop> + <d:status>HTTP/1.1 200 OK</d:status> + </d:propstat> + </d:response> +</d:multistatus> +*/ diff --git a/Zotlabs/Storage/Directory.php b/Zotlabs/Storage/Directory.php index 0ccd9da47..15e06e28f 100644 --- a/Zotlabs/Storage/Directory.php +++ b/Zotlabs/Storage/Directory.php @@ -3,6 +3,7 @@ namespace Zotlabs\Storage; use Sabre\DAV; +use Sabre\HTTP; /** * @brief RedDirectory class. @@ -91,7 +92,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { throw new DAV\Exception\Forbidden('Permission denied.'); } - $contents = RedCollectionData($this->red_path, $this->auth); + $contents = $this->CollectionData($this->red_path, $this->auth); return $contents; } 
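Review bot: `ctag_fetch()` and `detail_fetch()` in CalDAVClient.php send `$this->username . ':' . $this->password` as HTTP Basic credentials to whatever `$url` the constructor was given, and nothing in the class checks the scheme, so an `http://` URL would put the password on the wire in clear text. Reject such URLs in `__construct()`, for example `if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') throw new \InvalidArgumentException('CalDAV URL must use https');`, and confirm that `z_fetch_url()` verifies the server certificate and does not forward `http_auth` across redirects (its behaviour is not visible here). In `ctag_fetch()` the first `set_data()` call is dead, because the second call overwrites `request_data` before the request is made; keep one body. `filepos` and `request_data` are declared `public` although only the class itself touches them in this file, and none of the methods has a docblock.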
@@ -119,7 +120,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { return new Directory('/' . $modulename, $this->auth); } - $x = RedFileData($this->ext_path . '/' . $name, $this->auth); + $x = $this->FileData($this->ext_path . '/' . $name, $this->auth); if ($x) { return $x; } @@ -159,7 +160,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { throw new DAV\Exception\Forbidden('Permission denied.'); } - list($parent_path, ) = DAV\URLUtil::splitPath($this->red_path); + list($parent_path, ) = HTTP\URLUtil::splitPath($this->red_path); $new_path = $parent_path . '/' . $name; $r = q("UPDATE attach SET filename = '%s' WHERE hash = '%s' AND uid = %d", @@ -206,6 +207,7 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { throw new DAV\Exception\Forbidden('Permission denied.'); } + $mimetype = z_mime_content_type($name); $c = q("SELECT * FROM channel WHERE channel_id = %d AND channel_removed = 0 LIMIT 1", @@ -432,8 +434,8 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { return true; } - $x = RedFileData($this->ext_path . '/' . $name, $this->auth, true); - //logger('RedFileData returns: ' . print_r($x, true), LOGGER_DATA); + $x = $this->FileData($this->ext_path . '/' . $name, $this->auth, true); + //logger('FileData returns: ' . print_r($x, true), LOGGER_DATA); if ($x) return true; 
@@ -566,4 +568,280 @@ class Directory extends DAV\Node implements DAV\ICollection, DAV\IQuota { $free ); } + + + /** + * @brief Array with all Directory and File DAV\Node items for the given path. + * + * + * @param string $file path to a directory + * @param \Zotlabs\Storage\BasicAuth &$auth + * @returns null|array \Sabre\DAV\INode[] + * @throw \Sabre\DAV\Exception\Forbidden + * @throw \Sabre\DAV\Exception\NotFound + */ + + function CollectionData($file, &$auth) { + $ret = array(); + + $x = strpos($file, '/cloud'); + if ($x === 0) { + $file = substr($file, 6); + } + + // return a list of channel if we are not inside a channel + if ((! $file) || ($file === '/')) { + return $this->ChannelList($auth); + } + + $file = trim($file, '/'); + $path_arr = explode('/', $file); + + if (! $path_arr) + return null; + + $channel_name = $path_arr[0]; + + $r = q("SELECT channel_id FROM channel WHERE channel_address = '%s' LIMIT 1", + dbesc($channel_name) + ); + + if (! $r) + return null; + + $channel_id = $r[0]['channel_id']; + $perms = permissions_sql($channel_id); + + $auth->owner_id = $channel_id; + + $path = '/' . $channel_name; + + $folder = ''; + $errors = false; + $permission_error = false; + + for ($x = 1; $x < count($path_arr); $x++) { + $r = q("SELECT id, hash, filename, flags, is_dir FROM attach WHERE folder = '%s' AND filename = '%s' AND uid = %d AND is_dir != 0 $perms LIMIT 1", + dbesc($folder), + dbesc($path_arr[$x]), + intval($channel_id) + ); + if (! $r) { + // path wasn't found. Try without permissions to see if it was the result of permissions. + $errors = true; + $r = q("select id, hash, filename, flags, is_dir from attach where folder = '%s' and filename = '%s' and uid = %d and is_dir != 0 limit 1", + dbesc($folder), + basename($path_arr[$x]), + intval($channel_id) + ); + if ($r) { + $permission_error = true; + } + break; + } + + if ($r && intval($r[0]['is_dir'])) { + $folder = $r[0]['hash']; + $path = $path . '/' . 
$r[0]['filename']; + } + } + + if ($errors) { + if ($permission_error) { + throw new DAV\Exception\Forbidden('Permission denied.'); + } + else { + throw new DAV\Exception\NotFound('A component of the request file path could not be found.'); + } + } + + // This should no longer be needed since we just returned errors for paths not found + if ($path !== '/' . $file) { + logger("Path mismatch: $path !== /$file"); + return NULL; + } + if(ACTIVE_DBTYPE == DBTYPE_POSTGRES) { + $prefix = 'DISTINCT ON (filename)'; + $suffix = 'ORDER BY filename'; + } + else { + $prefix = ''; + $suffix = 'GROUP BY filename'; + } + $r = q("select $prefix id, uid, hash, filename, filetype, filesize, revision, folder, flags, is_dir, created, edited from attach where folder = '%s' and uid = %d $perms $suffix", + dbesc($folder), + intval($channel_id) + ); + + foreach ($r as $rr) { + //logger('filename: ' . $rr['filename'], LOGGER_DEBUG); + if (intval($rr['is_dir'])) { + $ret[] = new Directory($path . '/' . $rr['filename'], $auth); + } + else { + $ret[] = new File($path . '/' . $rr['filename'], $rr, $auth); + } + } + + return $ret; + } + + + /** + * @brief Returns an array with viewable channels. + * + * Get a list of Directory objects with all the channels where the visitor + * has <b>view_storage</b> perms. + * + * + * @param BasicAuth &$auth + * @return array Directory[] + */ + + function ChannelList(&$auth) { + $ret = array(); + + $r = q("SELECT channel_id, channel_address FROM channel WHERE channel_removed = 0 + AND channel_system = 0 AND NOT (channel_pageflags & %d)>0", + intval(PAGE_HIDDEN) + ); + + if ($r) { + foreach ($r as $rr) { + if (perm_is_allowed($rr['channel_id'], $auth->observer, 'view_storage')) { + logger('found channel: /cloud/' . $rr['channel_address'], LOGGER_DATA); + // @todo can't we drop '/cloud'? It gets stripped off anyway in RedDirectory + $ret[] = new Directory('/cloud/' . 
$rr['channel_address'], $auth); + } + } + } + return $ret; + } + + + /** + * @brief + * + * + * @param string $file + * path to file or directory + * @param BasicAuth &$auth + * @param boolean $test (optional) enable test mode + * @return File|Directory|boolean|null + * @throw \Sabre\DAV\Exception\Forbidden + */ + + function FileData($file, &$auth, $test = false) { + logger($file . (($test) ? ' (test mode) ' : ''), LOGGER_DATA); + + $x = strpos($file, '/cloud'); + if ($x === 0) { + $file = substr($file, 6); + } + else { + $x = strpos($file,'/dav'); + if($x === 0) + $file = substr($file,4); + } + + + if ((! $file) || ($file === '/')) { + return new Directory('/', $auth); + } + + $file = trim($file, '/'); + + $path_arr = explode('/', $file); + + if (! $path_arr) + return null; + + $channel_name = $path_arr[0]; + + $r = q("select channel_id from channel where channel_address = '%s' limit 1", + dbesc($channel_name) + ); + + if (! $r) + return null; + + $channel_id = $r[0]['channel_id']; + + $path = '/' . $channel_name; + + $auth->owner_id = $channel_id; + + $permission_error = false; + + $folder = ''; + + require_once('include/security.php'); + $perms = permissions_sql($channel_id); + + $errors = false; + + for ($x = 1; $x < count($path_arr); $x++) { + $r = q("select id, hash, filename, flags, is_dir from attach where folder = '%s' and filename = '%s' and uid = %d and is_dir != 0 $perms", + dbesc($folder), + dbesc($path_arr[$x]), + intval($channel_id) + ); + + if ($r && intval($r[0]['is_dir'])) { + $folder = $r[0]['hash']; + $path = $path . '/' . $r[0]['filename']; + } + if (! $r) { + $r = q("select id, uid, hash, filename, filetype, filesize, revision, folder, flags, is_dir, os_storage, created, edited from attach + where folder = '%s' and filename = '%s' and uid = %d $perms order by filename limit 1", + dbesc($folder), + dbesc(basename($file)), + intval($channel_id) + ); + } + if (! 
$r) { + $errors = true; + $r = q("select id, uid, hash, filename, filetype, filesize, revision, folder, flags, is_dir, os_storage, created, edited from attach + where folder = '%s' and filename = '%s' and uid = %d order by filename limit 1", + dbesc($folder), + dbesc(basename($file)), + intval($channel_id) + ); + if ($r) + $permission_error = true; + } + } + + if ($path === '/' . $file) { + if ($test) + return true; + // final component was a directory. + return new Directory($file, $auth); + } + + if ($errors) { + logger('not found ' . $file); + if ($test) + return false; + if ($permission_error) { + logger('permission error ' . $file); + throw new DAV\Exception\Forbidden('Permission denied.'); + } + return; + } + + if ($r) { + if ($test) + return true; + + if (intval($r[0]['is_dir'])) { + return new Directory($path . '/' . $r[0]['filename'], $auth); + } + else { + return new File($path . '/' . $r[0]['filename'], $r[0], $auth); + } + } + return false; + } + } diff --git a/Zotlabs/Storage/File.php b/Zotlabs/Storage/File.php index ecd15cc55..5a70a99f1 100644 --- a/Zotlabs/Storage/File.php +++ b/Zotlabs/Storage/File.php @@ -337,6 +337,10 @@ class File extends DAV\Node implements DAV\IFile { } } + if(get_pconfig($this->auth->owner_id,'system','os_delete_prohibit') && \App::$module == 'dav') { + throw new DAV\Exception\Forbidden('Permission denied.'); + } + attach_delete($this->auth->owner_id, $this->data['hash']); $ch = channelx_by_n($this->auth->owner_id); |
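Review bot: In `CollectionData`, the fallback lookup that runs when the permission-filtered query returns nothing passes `basename($path_arr[$x])` to the `filename = '%s'` placeholder without `dbesc()`, while every other string argument in this hunk is escaped. `$path_arr` is split from the requested DAV path, so, assuming `q()` substitutes its arguments printf-style as the surrounding `dbesc()`/`intval()` calls suggest, a quote character in a path component reaches the SQL text unescaped. The argument should read `dbesc($path_arr[$x]),` to match the first query in the loop. Separately, that same fallback lets a caller distinguish Forbidden from NotFound for folders they are not allowed to view, which discloses that a private folder name exists; answering NotFound in both cases would avoid this if clients do not depend on the distinction.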
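Review bot: The new `os_delete_prohibit` guard only fires when `\App::$module == 'dav'`, so the setting does not stop a delete that reaches this method through any other module. `FileData` in Directory.php (same commit) strips both `/cloud` and `/dav` prefixes, which suggests the same nodes are also served under `cloud`; if that route can call this method too, the prohibition has no effect there. If restricting it to DAV clients is intended, a comment such as `// blocks deletes from DAV clients only; deletes via other modules are still allowed` would document that, otherwise drop the module condition. The comparison would also be safer written as `=== 'dav'`. The enclosing method starts and ends outside the hunk, so the permission checks that precede this guard are not visible here.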