如何在SabreDAV PHP Server中为CalDAV实现自定义ACL

Question

到目前为止，我无法在SabreDAV中成功实现ACL（权限）。

我已经使用我自己的Auth，Principal和CalDAV后端在Code Igniter中实现了SabreDAV。这是来自控制器的实际代码：

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class CalDAV extends CI_Controller {

    public function _remap() {
        $this->load->library('SabreDAV');

        $authBackend = new SabreDAV_DAV_Auth_Backend_Tank_Auth;
        $principalBackend = new Sabre_DAVACL_PrincipalBackend_Click4Time;
        $calendarBackend = new Sabre_CalDAV_Backend_Click4Time;

        // Directory tree
        $tree = array(
            new Sabre_DAVACL_PrincipalCollection($principalBackend),
            new Sabre_CalDAV_CalendarRootNode($principalBackend, $calendarBackend)
        );      

        // The object tree needs in turn to be passed to the server class
        $server = new Sabre_DAV_Server($tree);

        // You are highly encouraged to set your WebDAV server base url. Without it,
        // SabreDAV will guess, but the guess is not always correct. Putting the
        // server on the root of the domain will improve compatibility. 
        $server->setBaseUri('/caldav/');

        // Authentication plugin
        $authPlugin = new Sabre_DAV_Auth_Plugin($authBackend, 'SabreDAV');
        $server->addPlugin($authPlugin);

        // CalDAV plugin
        $caldavPlugin = new Sabre_CalDAV_Plugin();
        $server->addPlugin($caldavPlugin);

        // ACL plugin
        $aclPlugin = new Sabre_DAVACL_Custom;
        $server->addPlugin($aclPlugin);

        // Support for html frontend
        $browser = new Sabre_DAV_Browser_Plugin();
        $server->addPlugin($browser);

        $server->exec();
    }
}

我目前尝试实现权限的方法是通过我的自定义ACL插件：

<?php

class Sabre_DAVACL_Custom extends Sabre_DAVACL_Plugin {

    public $allowAccessToNodesWithoutACL = false;

    private function _getCurrentUserName() {
        $authPlugin = $this->server->getPlugin('auth');
        if (is_null($authPlugin)) return null;

        return $authPlugin->getCurrentUser();
    }

    public function getACL($node) {
        $user = $this->_getCurrentUserName();
        $path = $node->getName();

        if ($path == 'calendars' || $path == 'principals' || $path == 'root') {
            return array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => 'principals/' . $user,
                    'protected' => true,
                )
            );
        }
        else if ($path == 'calendars/' . $user) {
            return array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => 'principals/' . $user,
                    'protected' => true,
                )
            );
        }

        return array();
    }
}

除了第二张检查应该授权用户查看他或她自己的日历之外，此代码几乎可以使用。我无法获取 $ node 的完整路径名。

这可能是错误的实现方式，但我无法找到任何文档来确认这是实现ACL的方法。

Answer 1

我正在使用不同的尝试，我扩展了插件，就像你一样，但后来我替换了getSupportedPrivilegeSet($node)。

在sabredav 1.8.6中它看起来像这样：

public function getSupportedPrivilegeSet($node) {

    if (is_string($node)) {
        $node = $this->server->tree->getNodeForPath($node);
    }

    if ($node instanceof IACL) {
        $result = $node->getSupportedPrivilegeSet();

        if ($result)
            return $result;
    }

    return self::getDefaultSupportedPrivilegeSet();

}

现在您可以使用类而不是我发现更有用的路径，即：

class DavCalAcl extends \Sabre\DAVACL\Plugin {

public function getSupportedPrivilegeSet($node) {       
    if (is_string($node)) {
        $node = $this->server->tree->getNodeForPath($node);
    }

    if($node instanceof \Sabre\CalDAV\Calendar || $node instanceof \Sabre\CalDAV\CalendarObject) {
        return array(
            array(
                'privilege'  => '{DAV:}read',
                'aggregates' => array(
                    array(
                        'privilege' => '{DAV:}read-acl',
                        'abstract'  => true,
                    ),
                    array(
                        'privilege' => '{DAV:}read-current-user-privilege-set',
                        'abstract'  => true,
                    ),
                ),
            )
        );
    }

    if ($node instanceof \Sabre\DAVACL\IACL) {
        $result = $node->getSupportedPrivilegeSet();
        if ($result)
            return $result;
    }

    return self::getDefaultSupportedPrivilegeSet();
}

}

这是我目前试图让iCal将日历识别为只读...我还没到那里但也许这会帮助你更好地识别对象

如果你想要一个节点的绝对路径我猜你总是可以去根目录搜索当前节点，并记录你带路的路径。据我检查sabredav中的节点不支持父属或root属性。

<强> [UPDATE]

最好的方法似乎是覆盖插件中的getACL。在这里，您可以测试节点的类并返回您真正想要的内容而不是默认对象返回的内容（例如，查看UserCalendars-＆gt; getACL（）。

这是我基于对象类型的只读强制执行解决方案：

class DavCalAcl extends \Sabre\DAVACL\Plugin {

    /**
     * Returns the full ACL list.
     *
     * Either a uri or a DAV\INode may be passed.
     *
     * null will be returned if the node doesn't support ACLs.
     *
     * @param string|DAV\INode $node
     * @return array
     */
    public function getACL($node) {

        if (is_string($node)) {
            $node = $this->server->tree->getNodeForPath($node);
        }
        if (!$node instanceof \Sabre\DAVACL\IACL) {
            return null;
        }

        if( $node instanceof \Sabre\CalDAV\Calendar ||
            $node instanceof \Sabre\CalDAV\CalendarObject ||
            $node instanceof \Sabre\CalDAV\UserCalendars
        ) {
            $acl = array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => $node->getOwner(),
                    'protected' => true,
                ),
            );
        } else {
            $acl = $node->getACL();         
        }

        foreach($this->adminPrincipals as $adminPrincipal) {
            $acl[] = array(
                'principal' => $adminPrincipal,
                'privilege' => '{DAV:}all',
                'protected' => true,
            );
        }
        return $acl;

    }
}