3

到目前为止,我一直无法在 SabreDAV 中成功实施 ACL(权限)。

我已经用我自己的 Auth、Principal 和 CalDAV 后端在 Code Igniter 中实现了 SabreDAV。这是来自控制器的实际代码:

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

class CalDAV extends CI_Controller {

    public function _remap() {
        $this->load->library('SabreDAV');

        $authBackend = new SabreDAV_DAV_Auth_Backend_Tank_Auth;
        $principalBackend = new Sabre_DAVACL_PrincipalBackend_Click4Time;
        $calendarBackend = new Sabre_CalDAV_Backend_Click4Time;

        // Directory tree
        $tree = array(
            new Sabre_DAVACL_PrincipalCollection($principalBackend),
            new Sabre_CalDAV_CalendarRootNode($principalBackend, $calendarBackend)
        );      

        // The object tree needs in turn to be passed to the server class
        $server = new Sabre_DAV_Server($tree);

        // You are highly encouraged to set your WebDAV server base url. Without it,
        // SabreDAV will guess, but the guess is not always correct. Putting the
        // server on the root of the domain will improve compatibility. 
        $server->setBaseUri('/caldav/');

        // Authentication plugin
        $authPlugin = new Sabre_DAV_Auth_Plugin($authBackend, 'SabreDAV');
        $server->addPlugin($authPlugin);

        // CalDAV plugin
        $caldavPlugin = new Sabre_CalDAV_Plugin();
        $server->addPlugin($caldavPlugin);

        // ACL plugin
        $aclPlugin = new Sabre_DAVACL_Custom;
        $server->addPlugin($aclPlugin);

        // Support for html frontend
        $browser = new Sabre_DAV_Browser_Plugin();
        $server->addPlugin($browser);

        $server->exec();
    }
}

我目前实现权限的尝试是通过我的自定义 ACL 插件:

<?php

class Sabre_DAVACL_Custom extends Sabre_DAVACL_Plugin {

    public $allowAccessToNodesWithoutACL = false;

    private function _getCurrentUserName() {
        $authPlugin = $this->server->getPlugin('auth');
        if (is_null($authPlugin)) return null;

        return $authPlugin->getCurrentUser();
    }

    public function getACL($node) {
        $user = $this->_getCurrentUserName();
        $path = $node->getName();

        if ($path == 'calendars' || $path == 'principals' || $path == 'root') {
            return array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => 'principals/' . $user,
                    'protected' => true,
                )
            );
        }
        else if ($path == 'calendars/' . $user) {
            return array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => 'principals/' . $user,
                    'protected' => true,
                )
            );
        }

        return array();
    }
}

除了第二个检查应该授权用户查看他或她自己的日历之外,此代码几乎可以工作。我无法获得$node的完整路径名。

这可能是错误的实现方式,但我无法找到任何文档来确认这是实现 ACL 的方式。

4

1 回答 1

4

我正在使用不同的尝试,我扩展了插件,就像你一样,但后来我替换getSupportedPrivilegeSet($node)了。

在 sabredav 1.8.6 中,它看起来像这样:

public function getSupportedPrivilegeSet($node) {

    if (is_string($node)) {
        $node = $this->server->tree->getNodeForPath($node);
    }

    if ($node instanceof IACL) {
        $result = $node->getSupportedPrivilegeSet();

        if ($result)
            return $result;
    }

    return self::getDefaultSupportedPrivilegeSet();

}

现在您可以使用类而不是我发现更有用的路径,即:

class DavCalAcl extends \Sabre\DAVACL\Plugin {

public function getSupportedPrivilegeSet($node) {       
    if (is_string($node)) {
        $node = $this->server->tree->getNodeForPath($node);
    }

    if($node instanceof \Sabre\CalDAV\Calendar || $node instanceof \Sabre\CalDAV\CalendarObject) {
        return array(
            array(
                'privilege'  => '{DAV:}read',
                'aggregates' => array(
                    array(
                        'privilege' => '{DAV:}read-acl',
                        'abstract'  => true,
                    ),
                    array(
                        'privilege' => '{DAV:}read-current-user-privilege-set',
                        'abstract'  => true,
                    ),
                ),
            )
        );
    }

    if ($node instanceof \Sabre\DAVACL\IACL) {
        $result = $node->getSupportedPrivilegeSet();
        if ($result)
            return $result;
    }

    return self::getDefaultSupportedPrivilegeSet();
}

}

这是我目前尝试让 iCal 将日历识别为只读...

如果你想要一个节点的绝对路径,我想你总是可以去根目录搜索你当前的节点,并通过这样做记录带你到那里的路径。据我检查 sabredav 中的节点不支持父或根属性。

[更新]

最好的方法似乎是getACL在插件中覆盖。在这里,您可以测试节点的类并返回您真正想要的内容,而不是默认对象返回的内容(例如查看 UserCalendars->getACL()。

这是我基于对象类型进行只读强制的工作解决方案:

class DavCalAcl extends \Sabre\DAVACL\Plugin {

    /**
     * Returns the full ACL list.
     *
     * Either a uri or a DAV\INode may be passed.
     *
     * null will be returned if the node doesn't support ACLs.
     *
     * @param string|DAV\INode $node
     * @return array
     */
    public function getACL($node) {

        if (is_string($node)) {
            $node = $this->server->tree->getNodeForPath($node);
        }
        if (!$node instanceof \Sabre\DAVACL\IACL) {
            return null;
        }

        if( $node instanceof \Sabre\CalDAV\Calendar ||
            $node instanceof \Sabre\CalDAV\CalendarObject ||
            $node instanceof \Sabre\CalDAV\UserCalendars
        ) {
            $acl = array(
                array(
                    'privilege' => '{DAV:}read',
                    'principal' => $node->getOwner(),
                    'protected' => true,
                ),
            );
        } else {
            $acl = $node->getACL();         
        }

        foreach($this->adminPrincipals as $adminPrincipal) {
            $acl[] = array(
                'principal' => $adminPrincipal,
                'privilege' => '{DAV:}all',
                'protected' => true,
            );
        }
        return $acl;

    }
}
于 2013-07-10T09:56:47.177 回答