personium / personium-core

Core module of Personium
https://personium.io
Apache License 2.0

Display of Box is incorrect when PROPFIND of Cell level is executed with Depth:1. #366

Closed SawamiWataru closed 5 years ago

SawamiWataru commented 5 years ago

sample

<multistatus xmlns="DAV:">
    <response>
        <href>https://sawami.demo.personium.io</href>
        <propstat>
            <prop>
                <creationdate>2017-11-22T00:01:09.340+0000</creationdate>
                <getlastmodified>Thu, 21 Feb 2019 09:19:47 GMT</getlastmodified>
                <resourcetype>
                    <collection/>
                </resourcetype>
                <p:cellstatus xmlns:p="urn:x-personium:xmlns">normal</p:cellstatus>
                <acl xml:base="https://sawami.demo.personium.io/__role/__/" xmlns:p="urn:x-personium:xmlns">
                    <ace>
                        <principal>
                            <href>admin</href>
                        </principal>
                        <grant>
                            <privilege>
                                <root xmlns="" xmlns:ns3="DAV:"/>
                            </privilege>
                        </grant>
                    </ace>
                </acl>
            </prop>
            <status>HTTP/1.1 200 OK</status>
        </propstat>
    </response>
    <response>
        <href>https://sawami.demo.personium.io/KfA3Vt9VSfydg8FTDnbixg</href>
        <propstat>
            <prop>
                <creationdate>2019-02-21T11:49:02.906+0000</creationdate>
                <getlastmodified>Thu, 21 Feb 2019 11:49:02 GMT</getlastmodified>
                <resourcetype>
                    <collection/>
                </resourcetype>
                <acl xml:base="https://sawami.demo.personium.io/__role/__/" xmlns:p="urn:x-personium:xmlns">
                    <ace>
                        <principal>
                            <all/>
                        </principal>
                        <grant>
                            <privilege>
                                <D:read xmlns:D="DAV:"/>
                            </privilege>
                        </grant>
                    </ace>
                </acl>
                <Z:Author xmlns:p="urn:x-dcl:xmlns" xmlns:D="DAV:" xmlns:Z="http://www.w3.com/standards/z39.50/">Test User1</Z:Author>
            </prop>
            <status>HTTP/1.1 200 OK</status>
        </propstat>
    </response>
    <response>
        <href>https://sawami.demo.personium.io/GvIrdknqQK2-5m-cc917Dw</href>
        <propstat>
            <prop>
......
ghost commented 5 years ago

<response>
        <href>https://sawami.demo.personium.io/KfA3Vt9VSfydg8FTDnbixg</href>

In the part of the sample quoted above, "KfA3Vt9VSfydg8FTDnbixg" is shown, but the Box name should be displayed, not the Box ID.

ghost commented 5 years ago

Since the key file storage directory (.pkeys) exists at the same level of the hierarchy, an empty response tag is output. This should be excluded.

ghost commented 5 years ago

Disable Depth (fix it at 0) for PROPFIND of a Cell (290_Cell_Get_Property).

The permissions required for PROPFIND of a Cell (and ACL reference permissions) differ from the permissions required for PROPFIND of a Box (and ACL reference permissions). If you acquire the resources directly under a Cell, an unauthorized Box may be referenced.


For PROPFIND of a Cell (290_Cell_Get_Property), Depth is disabled (fixed at 0).

The permissions required for PROPFIND of a Cell (and ACL reference permissions) differ from those required for PROPFIND of a Box (and ACL reference permissions). Retrieving the resources directly under a Cell could allow a Box for which there is no permission to be referenced.
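As an added example (not code from the issue or from the Personium code base), a check that parses a Cell-level multistatus body like the sample above and flags the three problems this thread describes: child entries returned for a Cell PROPFIND with Depth:1, an empty response element (the .pkeys directory), and an href ending in an ID-like token instead of a Box name. The sample body, the host name and the 22-character ID heuristic are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DAV = "{DAV:}"

# Constructed sample modelled on the issue: the Cell root, one child Box
# reported by ID rather than by name, and an empty <response/> from .pkeys.
SAMPLE = """<multistatus xmlns="DAV:">
  <response><href>https://cell.example.test/</href>
    <propstat><prop><resourcetype><collection/></resourcetype></prop>
    <status>HTTP/1.1 200 OK</status></propstat></response>
  <response><href>https://cell.example.test/KfA3Vt9VSfydg8FTDnbixg</href>
    <propstat><prop><resourcetype><collection/></resourcetype></prop>
    <status>HTTP/1.1 200 OK</status></propstat></response>
  <response/>
</multistatus>"""

# Heuristic (an assumption, not a Personium rule): the Box IDs in the sample
# are 22 URL-safe base64 characters, which a human-chosen Box name rarely is.
ID_LIKE = re.compile(r"^[A-Za-z0-9_-]{22}$")


def audit_cell_propfind(xml_text, cell_url, depth):
    """Return a list of findings for the body of a Cell-level PROPFIND."""
    findings = []
    root = ET.fromstring(xml_text)
    cell_path = urlparse(cell_url).path.rstrip("/")
    for i, resp in enumerate(root.findall(DAV + "response")):
        href_el = resp.find(DAV + "href")
        if href_el is None or not (href_el.text or "").strip():
            # The .pkeys directory case: a response with no href at all
            findings.append(f"response[{i}]: empty response element (no href)")
            continue
        path = urlparse(href_el.text.strip()).path.rstrip("/")
        if path == cell_path:
            continue  # the Cell itself is the only entry Depth:0 should return
        # Any child entry means Depth>0 was honoured at Cell level, so Box
        # PROPFIND permissions were never consulted for this entry.
        findings.append(f"response[{i}]: child {path!r} returned for Depth:{depth}"
                        " from a Cell-level PROPFIND")
        last = path.rsplit("/", 1)[-1]
        if ID_LIKE.match(last):
            findings.append(f"response[{i}]: href ends in ID-like segment"
                            f" {last!r} instead of a Box name")
    return findings


if __name__ == "__main__":
    for line in audit_cell_propfind(SAMPLE, "https://cell.example.test/", 1):
        print(line)
```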