Skip to content

fix: add proper ACLs for trashbin proxys#60211

Open
hamza221 wants to merge 1 commit into
masterfrom
fix/trashbin-proxy-acls
Open

fix: add proper ACLs for trashbin proxys#60211
hamza221 wants to merge 1 commit into
masterfrom
fix/trashbin-proxy-acls

Conversation

@hamza221
Copy link
Copy Markdown
Contributor

@hamza221 hamza221 commented May 7, 2026
edited
Loading

Summary

Add proper ACLs for proxys

How I tested

  1. Delegate User1 calendar to admin
curl -X PROPPATCH 'http://nextcloud.local/remote.php/dav/principals/users/user2/calendar-proxy-write' \
  -u 'user2:user2' \
  -H 'Content-Type: application/xml' \
  -b 'XDEBUG_SESSION=PHPSTORM' \
  --data-binary @- <<'EOF'
<?xml version="1.0" encoding="utf-8" ?>
<D:propertyupdate xmlns:D="DAV:">
	<D:set>
		<D:prop>
			<D:group-member-set>
				<D:href>/remote.php/dav/principals/users/admin</D:href>
			</D:group-member-set>
		</D:prop>
	</D:set>
</D:propertyupdate>
  1. enable delegation on the client
image
  1. Connect admin to an external client that supports delegation (Apple calendar)
image
  1. apply patch
image

Checklist

AI (if applicable)

  • The content of this PR was partly or fully generated using AI

@hamza221 hamza221 force-pushed the fix/trashbin-proxy-acls branch from 16206b0 to 69b7f74 Compare May 7, 2026 11:19
@hamza221 hamza221 added this to the Nextcloud 34 milestone May 7, 2026
@hamza221 hamza221 self-assigned this May 7, 2026
@hamza221 hamza221 added bug 3. to review Waiting for reviews feature: caldav Related to CalDAV internals labels May 7, 2026
@hamza221 hamza221 requested review from GVodyanov and kesselb May 7, 2026 11:19
@ChristophWurst
Copy link
Copy Markdown
Member

ChristophWurst commented May 7, 2026

/backport to stable33

@ChristophWurst
Copy link
Copy Markdown
Member

ChristophWurst commented May 7, 2026

/backport to stable32

@hamza221
Copy link
Copy Markdown
Contributor Author

hamza221 commented May 7, 2026

/backport to stable33

@hamza221
Copy link
Copy Markdown
Contributor Author

hamza221 commented May 7, 2026

/backport to stable32

@hamza221
Copy link
Copy Markdown
Contributor Author

hamza221 commented May 7, 2026

@ChristophWurst didn't see your comments :'(

@hamza221 hamza221 enabled auto-merge May 7, 2026 11:26
@hamza221
Copy link
Copy Markdown
Contributor Author

hamza221 commented May 7, 2026
edited
Loading

reuse unrelated #60205

The following files have no copyright and licensing information:
* apps/appstore/l10n/bg.js
* apps/appstore/l10n/bg.json
* apps/appstore/l10n/cs.js
* apps/appstore/l10n/cs.json
* apps/appstore/l10n/cy_GB.js
* apps/appstore/l10n/cy_GB.json
* apps/appstore/l10n/es_419.js
* apps/appstore/l10n/es_419.json
* apps/appstore/l10n/es_CO.js
* apps/appstore/l10n/es_CO.json
* apps/appstore/l10n/es_CR.js
* apps/appstore/l10n/es_CR.json
* apps/appstore/l10n/es_DO.js
* apps/appstore/l10n/es_DO.json
* apps/appstore/l10n/es_EC.js
* apps/appstore/l10n/es_EC.json
* apps/appstore/l10n/es_GT.js
* apps/appstore/l10n/es_GT.json
* apps/appstore/l10n/es_HN.js
* apps/appstore/l10n/es_HN.json
* apps/appstore/l10n/es_NI.js
* apps/appstore/l10n/es_NI.json
* apps/appstore/l10n/es_PA.js
* apps/appstore/l10n/es_PA.json
* apps/appstore/l10n/es_PE.js
* apps/appstore/l10n/es_PE.json
* apps/appstore/l10n/es_PY.js
* apps/appstore/l10n/es_PY.json
* apps/appstore/l10n/es_SV.js
* apps/appstore/l10n/es_SV.json
* apps/appstore/l10n/es_UY.js
* apps/appstore/l10n/es_UY.json
* apps/appstore/l10n/et_EE.js
* apps/appstore/l10n/et_EE.json
* apps/appstore/l10n/fi.js
* apps/appstore/l10n/fi.json
* apps/appstore/l10n/hu.js
* apps/appstore/l10n/hu.json
* apps/appstore/l10n/ja.js
* apps/appstore/l10n/ja.json
* apps/appstore/l10n/ka_GE.js
* apps/appstore/l10n/ka_GE.json
* apps/appstore/l10n/lt_LT.js
* apps/appstore/l10n/lt_LT.json
* apps/appstore/l10n/nb.js
* apps/appstore/l10n/nb.json
* apps/appstore/l10n/pt_PT.js
* apps/appstore/l10n/pt_PT.json
* apps/appstore/l10n/sc.js
* apps/appstore/l10n/sc.json
* apps/appstore/l10n/sk.js
* apps/appstore/l10n/sk.json

@ChristophWurst ChristophWurst added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels May 7, 2026
@hamza221
fix: add proper ACLs for trashbin proxys
8350e96 
Signed-off-by: Hamza <hamzamahjoubi221@gmail.com>
@hamza221 hamza221 force-pushed the fix/trashbin-proxy-acls branch from 69b7f74 to 8350e96 Compare May 8, 2026 08:20
@hamza221
Copy link
Copy Markdown
Contributor Author

hamza221 commented May 8, 2026

rebased for green CI

kesselb
kesselb reviewed May 12, 2026
View reviewed changes
Comment thread apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
'protected' => true,
],
[
'privilege' => '{DAV:}read',
Copy link
Copy Markdown
Contributor

@kesselb kesselb May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using read intentionally with proxy-write?

@kesselb
Copy link
Copy Markdown
Contributor

kesselb commented May 12, 2026

Looks good 👍

I didn't test with an Apple device, but some http request and would like to double-check the expected outcome.

We are adding the permission for the trashbin home, and hence the the delgatee should be able to read the owner's trashbin?

Alice: Owner
Bob: Delegatee (proxy-write)

Bob can read alice personal calendar

PROPFIND https://server99.internal/remote.php/dav/calendars/alice/personal/
Authorization: Basic bob bob
Content-Type: application/xml; charset=UTF-8
Cookie: XDEBUG_SESSION=PHPSTORM

<x0:propfind xmlns:x0="DAV:">
	<x0:prop>
		<x0:current-user-privilege-set/>
		<x0:displayname/>
		<x0:getcontenttype/>
		<x0:getetag/>
		<x0:owner/>
		<x0:resourcetype/>
	</x0:prop>
</x0:propfind>

Bob can read alice home

PROPFIND https://server99.internal/remote.php/dav/calendars/alice/
Authorization: Basic bob bob
Content-Type: application/xml; charset=UTF-8
Cookie: XDEBUG_SESSION=PHPSTORM

<x0:propfind xmlns:x0="DAV:">
	<x0:prop>
		<x0:current-user-privilege-set/>
		<x0:displayname/>
		<x0:getcontenttype/>
		<x0:getetag/>
		<x0:owner/>
		<x0:resourcetype/>
	</x0:prop>
</x0:propfind>

Bob can read alice trash bin

PROPFIND https://server99.internal/remote.php/dav/calendars/alice/trashbin/
Authorization: Basic bob bob
Content-Type: application/xml; charset=UTF-8
Cookie: XDEBUG_SESSION=PHPSTORM

<x0:propfind xmlns:x0="DAV:">
	<x0:prop>
		<x0:current-user-privilege-set/>
		<x0:displayname/>
		<x0:getcontenttype/>
		<x0:getetag/>
		<x0:owner/>
		<x0:resourcetype/>
	</x0:prop>
</x0:propfind>
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
	<s:exception>Sabre\DAV\Exception\NotFound</s:exception>
	<s:message>Node with name 'objects' could not be found</s:message>
</d:error>

If accessing the owner's calendar trash is supposed to work, then we need to add the acls also to deleted calendar objects and collection like below, otherwise we the trashbin object must be filtered out before checking access.

Index: apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php	(revision 8350e960603763cc4baf57d08a38761acb0d7cd2)
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php	(date 1778618679377)
@@ -105,7 +105,17 @@
 			],
 			[
 				'privilege' => '{DAV:}unbind', // For moving and deletion
-				'principal' => '{DAV:}owner',
+				'principal' => $this->getOwner(),
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-read',
 				'protected' => true,
 			],
 		];
Index: apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php	(revision 8350e960603763cc4baf57d08a38761acb0d7cd2)
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php	(date 1778618679378)
@@ -137,9 +137,19 @@
 			],
 			[
 				'privilege' => '{DAV:}unbind',
-				'principal' => '{DAV:}owner',
+				'principal' => $this->getOwner(),
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-read',
 				'protected' => true,
-			]
+			],
 		];
 	}
 }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kesselb kesselb kesselb left review comments

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@GVodyanov GVodyanov GVodyanov approved these changes

@SebastianKrupinski SebastianKrupinski Awaiting requested review from SebastianKrupinski SebastianKrupinski is a code owner

@tcitworld tcitworld Awaiting requested review from tcitworld tcitworld is a code owner

Assignees

@hamza221 hamza221

Labels

4. to release Ready to be released and/or waiting for tests to finish backport-request bug feature: caldav Related to CalDAV internals

Projects

None yet

Milestone

Nextcloud 34

Development

Successfully merging this pull request may close these issues.

[Bug]: Delegated calendars - Node with name 'trashbin' could not be found

4 participants

@hamza221 @ChristophWurst @kesselb @GVodyanov