fix(CalDAV): check birthday calendar owner

Signed-off-by: Anna Larch <anna@nextcloud.com>
2026-02-15 16:59:47 -05:00 · 2023-08-18 09:02:59 +02:00 · 2023-08-18 09:02:59 +02:00 · 7eee1de65b
commit 7eee1de65b
parent 8ac768c584
3 changed files with 76 additions and 8 deletions
--- a/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php
+++ b/apps/dav/lib/CalDAV/BirthdayCalendar/EnablePlugin.php
@ -27,6 +27,7 @@ namespace OCA\DAV\CalDAV\BirthdayCalendar;
 use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
@ -56,15 +57,20 @@ class EnablePlugin extends ServerPlugin {
 	 */
 	protected $server;

+	/** @var IUser */
+	private $user;
+
 	/**
 	 * PublishPlugin constructor.
 	 *
 	 * @param IConfig $config
 	 * @param BirthdayService $birthdayService
+	 * @param IUser $user
 	 */
-	public function __construct(IConfig $config, BirthdayService $birthdayService) {
+	public function __construct(IConfig $config, BirthdayService $birthdayService, IUser $user) {
 		$this->config = $config;
 		$this->birthdayService = $birthdayService;
+		$this->user = $user;
 	}

 	/**
@ -127,11 +133,14 @@ class EnablePlugin extends ServerPlugin {
 			return;
 		}

-		$principalUri = $node->getOwner();
-		$userId = substr($principalUri, 17);
+		$owner = substr($node->getOwner(), 17);
+		if($owner !== $this->user->getUID()) {
+			$this->server->httpResponse->setStatus(403);
+			return false;
+		}

-		$this->config->setUserValue($userId, 'dav', 'generateBirthdayCalendar', 'yes');
-		$this->birthdayService->syncUser($userId);
+		$this->config->setUserValue($this->user->getUID(), 'dav', 'generateBirthdayCalendar', 'yes');
+		$this->birthdayService->syncUser($this->user->getUID());

 		$this->server->httpResponse->setStatus(204);

--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@ -327,7 +327,8 @@ class Server {
 				}
 				$this->server->addPlugin(new \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin(
 					\OC::$server->getConfig(),
-					\OC::$server->query(BirthdayService::class)
+					\OC::$server->query(BirthdayService::class),
+					$user
 				));
 				$this->server->addPlugin(new AppleProvisioningPlugin(
 					\OC::$server->getUserSession(),
--- a/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php
+++ b/apps/dav/tests/unit/CalDAV/BirthdayCalendar/EnablePluginTest.php
@ -31,6 +31,7 @@ use OCA\DAV\CalDAV\BirthdayService;
 use OCA\DAV\CalDAV\Calendar;
 use OCA\DAV\CalDAV\CalendarHome;
 use OCP\IConfig;
+use OCP\IUser;
 use Test\TestCase;

 class EnablePluginTest extends TestCase {
@ -44,6 +45,9 @@ class EnablePluginTest extends TestCase {
 	/** @var BirthdayService |\PHPUnit\Framework\MockObject\MockObject */
 	protected $birthdayService;

+	/** @var IUser|\PHPUnit\Framework\MockObject\MockObject  */
+	protected $user;
+
 	/** @var \OCA\DAV\CalDAV\BirthdayCalendar\EnablePlugin $plugin */
 	protected $plugin;

@ -61,8 +65,9 @@ class EnablePluginTest extends TestCase {

 		$this->config = $this->createMock(IConfig::class);
 		$this->birthdayService = $this->createMock(BirthdayService::class);
+		$this->user = $this->createMock(IUser::class);

-		$this->plugin = new EnablePlugin($this->config, $this->birthdayService);
+		$this->plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);
 		$this->plugin->initialize($this->server);

 		$this->request = $this->createMock(\Sabre\HTTP\RequestInterface::class);
@ -80,7 +85,7 @@ class EnablePluginTest extends TestCase {
 	public function testInitialize(): void {
 		$server = $this->createMock(\Sabre\DAV\Server::class);

-		$plugin = new EnablePlugin($this->config, $this->birthdayService);
+		$plugin = new EnablePlugin($this->config, $this->birthdayService, $this->user);

 		$server->expects($this->once())
 			->method('on')
@ -143,6 +148,55 @@ class EnablePluginTest extends TestCase {
 		$this->plugin->httpPost($this->request, $this->response);
 	}

+	public function testHttpPostNotAuthorized(): void {
+		$calendarHome = $this->createMock(CalendarHome::class);
+
+		$this->server->expects($this->once())
+			->method('getRequestUri')
+			->willReturn('/bar/foo');
+		$this->server->tree->expects($this->once())
+			->method('getNodeForPath')
+			->with('/bar/foo')
+			->willReturn($calendarHome);
+
+		$calendarHome->expects($this->once())
+			->method('getOwner')
+			->willReturn('principals/users/BlaBlub');
+
+		$this->request->expects($this->once())
+			->method('getBodyAsString')
+			->willReturn('<nc:enable-birthday-calendar xmlns:nc="http://nextcloud.com/ns"/>');
+
+		$this->request->expects($this->once())
+			->method('getUrl')
+			->willReturn('url_abc');
+
+		$this->server->xml->expects($this->once())
+			->method('parse')
+			->willReturnCallback(function ($requestBody, $url, &$documentType): void {
+				$documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
+			});
+
+		$this->user->expects(self::once())
+			->method('getUID')
+			->willReturn('admin');
+
+		$this->server->httpResponse->expects($this->once())
+			->method('setStatus')
+			->with(403);
+
+		$this->config->expects($this->never())
+			->method('setUserValue');
+
+		$this->birthdayService->expects($this->never())
+			->method('syncUser');
+
+
+		$result = $this->plugin->httpPost($this->request, $this->response);
+
+		$this->assertEquals(false, $result);
+	}
+
 	public function testHttpPost(): void {
 		$calendarHome = $this->createMock(CalendarHome::class);

@ -172,6 +226,10 @@ class EnablePluginTest extends TestCase {
 				$documentType = '{http://nextcloud.com/ns}enable-birthday-calendar';
 			});

+		$this->user->expects(self::exactly(3))
+			->method('getUID')
+			->willReturn('BlaBlub');
+
 		$this->config->expects($this->once())
 			->method('setUserValue')
 			->with('BlaBlub', 'dav', 'generateBirthdayCalendar', 'yes');