到目前为止,我还无法在SabreDAV中成功地实现ACL(权限)。
我已经使用自己的认证(Auth)、主体(Principal)和 CalDAV 后端,在 CodeIgniter 中实现了 CalDAV。下面是控制器中的实际代码:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); // Direct-access guard: stop immediately unless BASEPATH is already defined (presumably by the framework's front controller — confirm).
class CalDAV extends CI_Controller {
/**
 * Builds a SabreDAV server for the CalDAV endpoint and hands the request to it.
 *
 * Wiring order: backends, node tree, server, then the auth, CalDAV, ACL and
 * HTML browser plugins, in that sequence, before exec() is called.
 */
public function _remap() {
    $this->load->library('SabreDAV');

    // Application-specific backends: who is logging in, which principals
    // exist, and where calendar data lives.
    $authBackend = new SabreDAV_DAV_Auth_Backend_Tank_Auth();
    $principalBackend = new Sabre_DAVACL_PrincipalBackend_Click4Time();
    $calendarBackend = new Sabre_CalDAV_Backend_Click4Time();

    // Top-level nodes exposed by the server: the principal collection and the
    // calendar root.
    $principalNode = new Sabre_DAVACL_PrincipalCollection($principalBackend);
    $calendarRoot = new Sabre_CalDAV_CalendarRootNode($principalBackend, $calendarBackend);
    $server = new Sabre_DAV_Server(array($principalNode, $calendarRoot));

    // Set the base URI explicitly; without it SabreDAV guesses, and the guess
    // is not always correct.
    $server->setBaseUri('/caldav/');

    // Authentication comes first; the custom ACL plugin asks the server for
    // the 'auth' plugin to learn the current user.
    $server->addPlugin(new Sabre_DAV_Auth_Plugin($authBackend, 'SabreDAV'));

    // CalDAV protocol support.
    $server->addPlugin(new Sabre_CalDAV_Plugin());

    // Access control: the project's own subclass of the DAVACL plugin.
    $server->addPlugin(new Sabre_DAVACL_Custom());

    // HTML frontend for the tree.
    // NOTE(review): confirm the browser view is meant to be reachable outside
    // development, and that it is covered by the auth and ACL plugins above.
    $server->addPlugin(new Sabre_DAV_Browser_Plugin());

    $server->exec();
}
}
我目前是通过自定义的 ACL 插件来尝试实现权限的:
<?php
class Sabre_DAVACL_Custom extends Sabre_DAVACL_Plugin {
// Deny-by-default switch: in SabreDAV's ACL plugin, nodes that do not support ACLs are accessible unless this is false.
// NOTE(review): confirm this matches the SabreDAV version in use.
public $allowAccessToNodesWithoutACL = false;
/**
 * Looks up the current user through the server's 'auth' plugin.
 *
 * @return mixed whatever the auth plugin's getCurrentUser() returns, or null
 *               when no plugin is registered under the name 'auth'
 */
private function _getCurrentUserName() {
    $auth = $this->server->getPlugin('auth');

    // Without an auth plugin there is no user to report.
    return ($auth === null) ? null : $auth->getCurrentUser();
}
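/**
 * Returns the ACL for a node: read access for the current user's own
 * principal on a fixed set of node names, and no privileges otherwise.
 *
 * @param string|object $node a URI, or a node object exposing getName()
 * @return array list of ACL entries ('privilege', 'principal', 'protected');
 *               empty when nothing is granted
 */
public function getACL($node) {
    // SabreDAV's stock getACL() accepts a URI as well as a node object, so
    // resolve strings first; calling getName() on a string would be fatal.
    if (is_string($node)) {
        $node = $this->server->tree->getNodeForPath($node);
    }

    $user = $this->_getCurrentUserName();
    if ($user === null) {
        // Fail closed: with no authenticated user, grant nothing rather than
        // build an entry for the malformed principal 'principals/'.
        return array();
    }

    $name = $node->getName();

    $readForCurrentUser = array(
        array(
            'privilege' => '{DAV:}read',
            'principal' => 'principals/' . $user,
            'protected' => true,
        ),
    );

    // Collection names every authenticated user may read.
    if ($name == 'calendars' || $name == 'principals' || $name == 'root') {
        return $readForCurrentUser;
    }

    // NOTE(review): getName() appears to return only the node's own name, not
    // its full path, so a comparison against 'calendars/<user>' is not
    // expected to match. Left as written; an ownership-based check is needed
    // for this branch to take effect.
    if ($name == 'calendars/' . $user) {
        return $readForCurrentUser;
    }

    // Everything else: no privileges.
    return array();
}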
}
除了第二个判断之外,这段代码基本可以工作;第二个判断本应授权用户查看他或她自己的日历。我无法获得 $node 的完整路径名。
这可能是实现的错误方式,但我无法找到任何文档来确认这是实现ACL的方式。
发布于 2013-07-10 09:56:47
我尝试了另一种方法:和你一样扩展了插件,但我重写的是 getSupportedPrivilegeSet($node)。
在sabredav 1.8.6中,如下所示:
// Stock implementation as quoted from sabredav 1.8.6: returns the privilege set a node supports.
// $node may be a path string or a node object.
public function getSupportedPrivilegeSet($node) {
// A string is treated as a path and resolved through the server's tree.
if (is_string($node)) {
$node = $this->server->tree->getNodeForPath($node);
}
// A node implementing IACL may supply its own set; a falsy result falls through to the default.
if ($node instanceof IACL) {
$result = $node->getSupportedPrivilegeSet();
if ($result)
return $result;
}
// Fallback: the plugin-wide default privilege set.
return self::getDefaultSupportedPrivilegeSet();
}
现在可以根据节点的类(而不是路径)来判断,我觉得这样更有用,例如:
class DavCalAcl extends \Sabre\DAVACL\Plugin {
/**
 * Returns the privilege set a node supports, advertising a read-only set for
 * calendars and calendar objects.
 *
 * NOTE(review): this changes which privileges are advertised for the node;
 * who is actually granted a privilege is decided by the node's ACL. Confirm
 * that overriding this method alone is enough to enforce read-only access.
 *
 * @param string|object $node a path, or a node object
 * @return array
 */
public function getSupportedPrivilegeSet($node) {
    // A path is resolved through the server's tree.
    $target = is_string($node) ? $this->server->tree->getNodeForPath($node) : $node;

    $isCalendarNode = $target instanceof \Sabre\CalDAV\Calendar
        || $target instanceof \Sabre\CalDAV\CalendarObject;

    if ($isCalendarNode) {
        // Only {DAV:}read, with its two abstract sub-privileges; no write
        // privilege is listed at all.
        $readAggregates = array(
            array(
                'privilege' => '{DAV:}read-acl',
                'abstract' => true,
            ),
            array(
                'privilege' => '{DAV:}read-current-user-privilege-set',
                'abstract' => true,
            ),
        );

        return array(
            array(
                'privilege' => '{DAV:}read',
                'aggregates' => $readAggregates,
            ),
        );
    }

    // Other ACL-aware nodes report their own set; a falsy answer falls through.
    if ($target instanceof \Sabre\DAVACL\IACL) {
        $nodeSet = $target->getSupportedPrivilegeSet();
        if ($nodeSet) {
            return $nodeSet;
        }
    }

    return self::getDefaultSupportedPrivilegeSet();
}
}
这是我目前为了让 iCal 将某个日历识别为只读所做的尝试。我还没有完全弄清楚,但也许这能帮助你更好地识别对象。
如果你想得到某个节点的绝对路径,我想可以从根节点开始搜索当前节点,并记录到达它所经过的路径。据我检查,SabreDAV 中的节点并不支持 parent 或 root 属性。
更新
最好的方法似乎是在插件中覆盖getACL。在这里,您可以测试节点的类,并返回真正想要的内容,而不是默认对象返回的内容(例如,查看UserCalendars->getACL() )。
下面是基于对象类型的只读强制执行的工作解决方案:
class DavCalAcl extends \Sabre\DAVACL\Plugin {
/**
 * Builds the ACL for a node, replacing the ACL of calendar-related nodes with
 * a single protected read entry for the node's owner.
 *
 * Either a uri or a DAV\INode may be passed.
 *
 * For Calendar, CalendarObject and UserCalendars nodes the node's own
 * getACL() is not consulted, so any entries it would report are dropped.
 * Every principal in $this->adminPrincipals is then appended with
 * {DAV:}all, which means the read-only restriction does not bind admins.
 *
 * @param string|DAV\INode $node
 * @return array|null null when the node does not implement IACL
 */
public function getACL($node) {
    // A uri is resolved to its node through the server's tree.
    $target = is_string($node) ? $this->server->tree->getNodeForPath($node) : $node;

    // Nodes without ACL support have no ACL to report.
    if (!($target instanceof \Sabre\DAVACL\IACL)) {
        return null;
    }

    $isCalendarNode = $target instanceof \Sabre\CalDAV\Calendar
        || $target instanceof \Sabre\CalDAV\CalendarObject
        || $target instanceof \Sabre\CalDAV\UserCalendars;

    if ($isCalendarNode) {
        // Owner may read; nothing else is granted at this point.
        $entries = array(
            array(
                'privilege' => '{DAV:}read',
                'principal' => $target->getOwner(),
                'protected' => true,
            ),
        );
    } else {
        // Any other ACL-aware node keeps the ACL it reports itself.
        $entries = $target->getACL();
    }

    // Admin principals receive full access on every node.
    foreach ($this->adminPrincipals as $admin) {
        $entries[] = array(
            'principal' => $admin,
            'privilege' => '{DAV:}all',
            'protected' => true,
        );
    }

    return $entries;
}
}
https://stackoverflow.com/questions/9293220