fix(CalDAV): check birthday calendar owner

Signed-off-by: Anna Larch <[email protected]>

Author: miaulalala

apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php

@@ -27,6 +27,7 @@
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
@@ -56,15 +57,20 @@ class EnablePlugin extends ServerPlugin {
 	 */
 	protected $server;
 
+	/** @var IUser */
+	private $user;
+
 	/**
 	 * PublishPlugin constructor.
 	 *
 	 * @param IConfig $config
 	 * @param BirthdayService $birthdayService
+	 * @param IUser $user
 	 */
-	public function __construct(IConfig $config, BirthdayService $birthdayService) {
+	public function __construct(IConfig $config, BirthdayService $birthdayService, IUser $user) {
 		$this->config = $config;
 		$this->birthdayService = $birthdayService;
+		$this->user = $user;
 	}
 
 	/**
@@ -127,11 +133,14 @@ public function httpPost(RequestInterface $request, ResponseInterface $response)
 			return;
 		}
 
-		$principalUri = $node->getOwner();
-		$userId = substr($principalUri, 17);
+		$owner = substr($node->getOwner(), 17);
+		if($owner !== $this->user->getUID()) {
+			$this->server->httpResponse->setStatus(403);
+			return false;
+		}
 
-		$this->config->setUserValue($userId, 'dav', 'generateBirthdayCalendar', 'yes');
-		$this->birthdayService->syncUser($userId);
+		$this->config->setUserValue($this->user->getUID(), 'dav', 'generateBirthdayCalendar', 'yes');
+		$this->birthdayService->syncUser($this->user->getUID());
 
 		$this->server->httpResponse->setStatus(204);
 

apps/dav/lib/Server.php

@@ -325,7 +325,8 @@ public function __construct(IRequest $request, string $baseUri) {
 				}
 				$this->server->addPlugin(new \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin(
 					\OC::$server->getConfig(),
-					\OC::$server->query(BirthdayService::class)
+					\OC::$server->query(BirthdayService::class),
+					$user
 				));
 				$this->server->addPlugin(new AppleProvisioningPlugin(
 					\OC::$server->getUserSession(),

apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php

@@ -31,6 +31,7 @@
 use OCA\DAV\CalDAV\Calendar;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Test\TestCase;
 
 class EnablePluginTest extends TestCase {
@@ -44,6 +45,9 @@ class EnablePluginTest extends TestCase {
 	/** @var BirthdayService |\PHPUnit\Framework\MockObject\MockObject */
 	protected $birthdayService;
 
+	/** @var IUser|\PHPUnit\Framework\MockObject\MockObject  */
+	protected $user;
+
 	/** @var \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin $plugin */
 	protected $plugin;
 
@@ -61,8 +65,9 @@ protected function setUp(): void {
 
 		$this->config = $this->createMock(IConfig::class);
 		$this->birthdayService = $this->createMock(BirthdayService::class);
+		$this->user = $this->createMock(IUser::class);
 
-		$this->plugin = new EnablePlugin($this->config, $this->birthdayService);
+		$this->plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);
 		$this->plugin->initialize($this->server);
 
 		$this->request = $this->createMock(\Sabre\HTTP\RequestInterface::class);
@@ -80,7 +85,7 @@ public function testGetName(): void {
 	public function testInitialize(): void {
 		$server = $this->createMock(\Sabre\DAV\Server::class);
 
-		$plugin = new EnablePlugin($this->config, $this->birthdayService);
+		$plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);
 
 		$server->expects($this->once())
 			->method('on')
@@ -143,6 +148,55 @@ public function testHttpPostWrongRequest(): void {
 		$this->plugin->httpPost($this->request, $this->response);
 	}
 
+	public function testHttpPostNotAuthorized(): void {
+		$calendarHome = $this->createMock(CalendarHome::class);
+
+		$this->server->expects($this->once())
+			->method('getRequestUri')
+			->willReturn('/bar/foo');
+		$this->server->tree->expects($this->once())
+			->method('getNodeForPath')
+			->with('/bar/foo')
+			->willReturn($calendarHome);
+
+		$calendarHome->expects($this->once())
+			->method('getOwner')
+			->willReturn('principals/users/BlaBlub');
+
+		$this->request->expects($this->once())
+			->method('getBodyAsString')
+			->willReturn('<nc:enable-birthday-calendar xmlns:nc="http://nextcloud.com/ns"/>');
+
+		$this->request->expects($this->once())
+			->method('getUrl')
+			->willReturn('url_abc');
+
+		$this->server->xml->expects($this->once())
+			->method('parse')
+			->willReturnCallback(function ($requestBody, $url, &$documentType): void {
+				$documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
+			});
+
+		$this->user->expects(self::once())
+			->method('getUID')
+			->willReturn('admin');
+
+		$this->server->httpResponse->expects($this->once())
+			->method('setStatus')
+			->with(403);
+
+		$this->config->expects($this->never())
+			->method('setUserValue');
+
+		$this->birthdayService->expects($this->never())
+			->method('syncUser');
+
+
+		$result = $this->plugin->httpPost($this->request, $this->response);
+
+		$this->assertEquals(false, $result);
+	}
+
 	public function testHttpPost(): void {
 		$calendarHome = $this->createMock(CalendarHome::class);
 
@@ -172,6 +226,10 @@ public function testHttpPost(): void {
 				$documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
 			});
 
+		$this->user->expects(self::exactly(3))
+			->method('getUID')
+			->willReturn('BlaBlub');
+
 		$this->config->expects($this->once())
 			->method('setUserValue')
 			->with('BlaBlub', 'dav', 'generateBirthdayCalendar', 'yes');