Sabre_DAVACL_Plugin

SabreDAV ACL Plugin

This plugin provides funcitonality to enforce ACL permissions. ACL is defined in RFC3744.

In addition it also provides support for the {DAV:}current-user-principal property, defined in RFC5397 and the {DAV:}expand-property report, as defined in RFC3253.

• Parent class: Sabre_DAV_ServerPlugin

Properties

server

protected Sabre_DAVACL_Plugin::$server

Reference to server object.

• This property is protected.

principalCollectionSet

public Sabre_DAVACL_Plugin::$principalCollectionSet

List of urls containing principal collections. Modify this if your principals are located elsewhere.

allowAccessToNodesWithoutACL

public Sabre_DAVACL_Plugin::$allowAccessToNodesWithoutACL

By default ACL is only enforced for nodes that have ACL support (the ones that implement Sabre_DAVACL_IACL). For any other node, access is always granted.

To override this behaviour you can turn this setting off. This is useful if you plan to fully support ACL in the entire tree.

hideNodesFromListings

public Sabre_DAVACL_Plugin::$hideNodesFromListings

By default nodes that are inaccessible by the user, can still be seen in directory listings (PROPFIND on parent with Depth: 1)

In certain cases it's desirable to hide inaccessible nodes. Setting this to true will cause these nodes to be hidden from directory listings.

defaultUsernamePath

public Sabre_DAVACL_Plugin::$defaultUsernamePath

This string is prepended to the username of the currently logged in user. This allows the plugin to determine the principal path based on the username.

principalSearchPropertySet

public Sabre_DAVACL_Plugin::$principalSearchPropertySet

This list of properties are the properties a client can search on using the {DAV:}principal-property-search report.

The keys are the property names, values are descriptions.

adminPrincipals

public Sabre_DAVACL_Plugin::$adminPrincipals

Any principal uri's added here, will automatically be added to the list of ACL's. They will effectively receive {DAV:}all privileges, as a protected privilege.

Methods

getFeatures

array Sabre_DAVACL_Plugin::getFeatures()

Returns a list of features added by this plugin.

This list is used in the response of a HTTP OPTIONS request.

getMethods

array Sabre_DAVACL_Plugin::getMethods(string $uri)

Returns a list of available methods for a given url

getPluginName

string Sabre_DAVACL_Plugin::getPluginName()

Returns a plugin name.

Using this name other plugins will be able to access other plugins using Sabre_DAV_Server::getPlugin

getSupportedReportSet

array Sabre_DAVACL_Plugin::getSupportedReportSet(string $uri)

Returns a list of reports this plugin supports.

This will be used in the {DAV:}supported-report-set property. Note that you still need to subscribe to the 'report' event to actually implement them

checkPrivileges

bool Sabre_DAVACL_Plugin::checkPrivileges(string $uri, array|string $privileges, int $recursion = 1, bool $throwExceptions = true)

Checks if the current user has the specified privilege(s).

You can specify a single privilege, or a list of privileges. This method will throw an exception if the privilege is not available and return true otherwise.

getCurrentUserPrincipal

string|null Sabre_DAVACL_Plugin::getCurrentUserPrincipal()

Returns the standard users' principal.

This is one authorative principal url for the current user. This method will return null if the user wasn't logged in.

getCurrentUserPrincipals

array Sabre_DAVACL_Plugin::getCurrentUserPrincipals()

Returns a list of principals that's associated to the current user, either directly or through group membership.

getSupportedPrivilegeSet

array Sabre_DAVACL_Plugin::getSupportedPrivilegeSet(string|Sabre_DAV_INode $node)

Returns the supported privilege structure for this ACL plugin.

See RFC3744 for more details. Currently we default on a simple, standard structure.

You can either get the list of privileges by a uri (path) or by specifying a Node.

getDefaultSupportedPrivilegeSet

array Sabre_DAVACL_Plugin::getDefaultSupportedPrivilegeSet()

Returns a fairly standard set of privileges, which may be useful for other systems to use as a basis.

getFlatPrivilegeSet

array Sabre_DAVACL_Plugin::getFlatPrivilegeSet(string|Sabre_DAV_INode $node)

Returns the supported privilege set as a flat list

This is much easier to parse.

The returned list will be index by privilege name. The value is a struct containing the following properties: - aggregates - abstract - concrete

getACL

array Sabre_DAVACL_Plugin::getACL(string|Sabre_DAV_INode $node)

Returns the full ACL list.

Either a uri or a Sabre_DAV_INode may be passed.

null will be returned if the node doesn't support ACLs.

getCurrentUserPrivilegeSet

array Sabre_DAVACL_Plugin::getCurrentUserPrivilegeSet(string|Sabre_DAV_INode $node)

Returns a list of privileges the current user has on a particular node.

Either a uri or a Sabre_DAV_INode may be passed.

null will be returned if the node doesn't support ACLs.

principalSearch

array     This method returns an array structure similar to Sabre_DAVACL_Plugin::principalSearch(array $searchProperties, array $requestedProperties, string $collectionUri = NULL)

Principal property search

This method can search for principals matching certain values in properties.

This method will return a list of properties for the matched properties.

key-value list. The keys are property names, and the values the strings to match them on. return for every match. If this is ommitted, the standard principal collection-set will be used. Sabre_DAV_Server::getPropertiesForPath. Returned properties are index by a HTTP status code.

initialize

void Sabre_DAVACL_Plugin::initialize(Sabre_DAV_Server $server)

Sets up the plugin

This method is automatically called by the server class.

beforeMethod

void Sabre_DAVACL_Plugin::beforeMethod(string $method, string $uri)

Triggered before any method is handled

beforeBind

void Sabre_DAVACL_Plugin::beforeBind(string $uri)

Triggered before a new node is created.

This allows us to check permissions for any operation that creates a new node, such as PUT, MKCOL, MKCALENDAR, LOCK, COPY and MOVE.

beforeUnbind

void Sabre_DAVACL_Plugin::beforeUnbind(string $uri)

Triggered before a node is deleted

This allows us to check permissions for any operation that will delete an existing node.

beforeUnlock

void Sabre_DAVACL_Plugin::beforeUnlock(string $uri, Sabre_DAV_Locks_LockInfo $lock)

Triggered before a node is unlocked.

beforeGetProperties

void Sabre_DAVACL_Plugin::beforeGetProperties(string $uri, Sabre_DAV_INode $node, array $requestedProperties, array $returnedProperties)

Triggered before properties are looked up in specific nodes.

updateProperties

bool Sabre_DAVACL_Plugin::updateProperties(array $propertyDelta, array $result, Sabre_DAV_INode $node)

This method intercepts PROPPATCH methods and make sure the group-member-set is updated correctly.

report

bool Sabre_DAVACL_Plugin::report(string $reportName, DOMNode $dom)

This method handels HTTP REPORT requests

unknownMethod

bool Sabre_DAVACL_Plugin::unknownMethod(string $method, string $uri)

This event is triggered for any HTTP method that is not known by the webserver.

httpACL

void Sabre_DAVACL_Plugin::httpACL(string $uri)

This method is responsible for handling the 'ACL' event.

expandPropertyReport

void Sabre_DAVACL_Plugin::expandPropertyReport(DOMElement $dom)

The expand-property report is defined in RFC3253 section 3-8.

This report is very similar to a standard PROPFIND. The difference is that it has the additional ability to look at properties containing a {DAV:}href element, follow that property and grab additional elements there.

Other rfc's, such as ACL rely on this report, so it made sense to put it in this plugin.

• This method is protected.

parseExpandPropertyReportRequest

array Sabre_DAVACL_Plugin::parseExpandPropertyReportRequest(DOMElement $node)

This method is used by expandPropertyReport to parse out the entire HTTP request.

• This method is protected.

expandProperties

array Sabre_DAVACL_Plugin::expandProperties(array $path, array $requestedProperties, int $depth)

This method expands all the properties and returns a list with property values

• This method is protected.

principalSearchPropertySetReport

void Sabre_DAVACL_Plugin::principalSearchPropertySetReport(DOMDocument $dom)

principalSearchPropertySetReport

This method responsible for handing the {DAV:}principal-search-property-set report. This report returns a list of properties the client may search on, using the {DAV:}principal-property-search report.

• This method is protected.

principalPropertySearchReport

void Sabre_DAVACL_Plugin::principalPropertySearchReport(DOMDocument $dom)

principalPropertySearchReport

This method is responsible for handing the {DAV:}principal-property-search report. This report can be used for clients to search for groups of principals, based on the value of one or more properties.

• This method is protected.

parsePrincipalPropertySearchReportRequest

array Sabre_DAVACL_Plugin::parsePrincipalPropertySearchReportRequest(DOMDocument $dom)

parsePrincipalPropertySearchReportRequest

This method parses the request body from a {DAV:}principal-property-search report.

This method returns an array with two elements: 1. an array with properties to search on, and their values 2. a list of propertyvalues that should be returned for the request.

• This method is protected.

getHTTPMethods

array Sabre_DAV_ServerPlugin::getHTTPMethods(string $uri)

Use this method to tell the server this plugin defines additional HTTP methods.

This method is passed a uri. It should only return HTTP methods that are available for the specified uri.

• Defined in Sabre_DAV_ServerPlugin