PageRenderTime 93ms CodeModel.GetById 23ms RepoModel.GetById 1ms app.codeStats 0ms

/inc/caldav-PROPPATCH.php

https://gitlab.com/tiggerben/davical
PHP | 351 lines | 246 code | 43 blank | 62 comment | 58 complexity | 9c98cabae7224ab478ea5b6516d614d0 MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3. * CalDAV Server - handle PROPPATCH method
    4. 

  4. *
    5. 

  5. * @package   davical
    6. 

  6. * @subpackage   caldav
    7. 

  7. * @author    Andrew McMillan <andrew@mcmillan.net.nz>
    8. 

  8. * @copyright Morphoss Ltd - http://www.morphoss.com/
    9. 

  9. * @license   http://gnu.org/copyleft/gpl.html GNU GPL v2
    10. 

  10. */
    11. 

  11. dbg_error_log("PROPPATCH", "method handler");
    12. 

  12. 

  13. require_once('vCalendar.php');
    14. 

  14. require_once('DAVResource.php');
    15. 

  15. 

  16. $dav_resource = new DAVResource($request->path);
    17. 

  17. if ( !$dav_resource->HavePrivilegeTo('DAV::write-properties') ) {
    18. 

  18.   $parent = $dav_resource->GetParentContainer();
    19. 

  19.   if ( !$dav_resource->IsBinding() || !$parent->HavePrivilegeTo('DAV::write') ) {
    20. 

  20.     $request->PreconditionFailed(403, 'DAV::write-properties', 'You do not have permission to write properties to that resource' );
    21. 

  21.   }
    22. 

  22. }
    23. 

  23. 

  24. $position = 0;
    25. 

  25. $xmltree = BuildXMLTree( $request->xml_tags, $position);
    26. 

  26. 

  27. // echo $xmltree->Render();
    28. 

  28. 

  29. if ( $xmltree->GetNSTag() != "DAV::propertyupdate" ) {
    30. 

  30.   $request->PreconditionFailed( 403, 'DAV::propertyupdate', 'XML request did not contain a &lt;propertyupdate&gt; tag' );
    31. 

  31. }
    32. 

  32. 

  33. /**
    34. 

  34. * Find the properties being set, and the properties being removed
    35. 

  35. */
    36. 

  36. $setprops = $xmltree->GetPath("/DAV::propertyupdate/DAV::set/DAV::prop/*");
    37. 

  37. $rmprops  = $xmltree->GetPath("/DAV::propertyupdate/DAV::remove/DAV::prop/*");
    38. 

  38. 

  39. /**
    40. 

  40. * We build full status responses for failures.  For success we just record
    41. 

  41. * it, since the multistatus response only applies to failure.  While it is
    42. 

  42. * not explicitly stated in RFC2518, from reading between the lines (8.2.1)
    43. 

  43. * a success will return 200 OK [with an empty response].
    44. 

  44. */
    45. 

  45. $failure   = array();
    46. 

  46. $success   = array();
    47. 

  47. 

  48. $reply = new XMLDocument( array( 'DAV:' => '') );
    49. 

  49. 

  50. /**
    51. 

  51.  * Small utility function to add propstat for one failure
    52. 

  52.  * @param unknown_type $tag
    53. 

  53.  * @param unknown_type $status
    54. 

  54.  * @param unknown_type $description
    55. 

  55.  * @param unknown_type $error_tag
    56. 

  56.  */
    57. 

  57. function add_failure( $type, $tag, $status, $description=null, $error_tag = null) {
    58. 

  58.   global $failure, $reply;
    59. 

  59.   $prop = new XMLElement('prop');
    60. 

  60.   $reply->NSElement($prop, $tag);
    61. 

  61.   $propstat = array($prop,new XMLElement( 'status', $status ));
    62. 

  62. 

  63.   if ( isset($description))
    64. 

  64.     $propstat[] = new XMLElement( 'responsedescription', $description );
    65. 

  65.   if ( isset($error_tag) )
    66. 

  66.     $propstat[] = new XMLElement( 'error', new XMLElement( $error_tag ) );
    67. 

  67. 

  68.   $failure[$type.'-'.$tag] = new XMLElement('propstat', $propstat ); 
    69. 

  69. }
    70. 

  70. 

  71. 

  72. /**
    73. 

  73. * Not much for it but to process the incoming settings in a big loop, doing
    74. 

  74. * the special-case stuff as needed and falling through to a default which
    75. 

  75. * stuffs the property somewhere we will be able to retrieve it from later.
    76. 

  76. */
    77. 

  77. $qry = new AwlQuery();
    78. 

  78. $qry->Begin();
    79. 

  79. $setcalendar = count($xmltree->GetPath('/DAV::propertyupdate/DAV::set/DAV::prop/DAV::resourcetype/urn:ietf:params:xml:ns:caldav:calendar'));
    80. 

  80. foreach( $setprops AS $k => $setting ) {
    81. 

  81.   $tag = $setting->GetNSTag();
    82. 

  82.   $content = $setting->RenderContent(0,null,true);
    83. 

  83. 

  84.   switch( $tag ) {
    85. 

  85. 

  86.     case 'DAV::displayname':
    87. 

  87.       /**
    88. 

  88.       * Can't set displayname on resources - only collections or principals
    89. 

  89.       */
    90. 

  90.       if ( $dav_resource->IsCollection() || $dav_resource->IsPrincipal() ) {
    91. 

  91.         if ( $dav_resource->IsBinding() ) {
    92. 

  92.           $qry->QDo('UPDATE dav_binding SET dav_displayname = :displayname WHERE dav_name = :dav_name',
    93. 

  93.                                             array( ':displayname' => $content, ':dav_name' => $dav_resource->dav_name()) );
    94. 

  94.         }
    95. 

  95.         else if ( $dav_resource->IsPrincipal() ) {
    96. 

  96.           $qry->QDo('UPDATE dav_principal SET fullname = :displayname, displayname = :displayname, modified = current_timestamp WHERE user_no = :user_no',
    97. 

  97.                                             array( ':displayname' => $content, ':user_no' => $request->user_no) );
    98. 

  98.         }
    99. 

  99.         else {
    100. 

  100.           $qry->QDo('UPDATE collection SET dav_displayname = :displayname, modified = current_timestamp WHERE dav_name = :dav_name',
    101. 

  101.                                             array( ':displayname' => $content, ':dav_name' => $dav_resource->dav_name()) );
    102. 

  102.         }
    103. 

  103.         $success[$tag] = 1;
    104. 

  104.       }
    105. 

  105.       else {
    106. 

  106.         add_failure('set', $tag, 'HTTP/1.1 403 Forbidden',
    107. 

  107.              translate("The displayname may only be set on collections, principals or bindings."), 'cannot-modify-protected-property');
    108. 

  108.       }
    109. 

  109.       break;
    110. 

  110. 

  111.     case 'DAV::resourcetype':
    112. 

  112.       /**
    113. 

  113.       * We only allow resourcetype setting on a normal collection, and not on a resource, a principal or a bind.
    114. 

  114.       * Only collections may be CalDAV calendars or addressbooks, and they may not be both.
    115. 

  115.       */
    116. 

  116.       $resourcetypes = $setting->GetPath('DAV::resourcetype/*');
    117. 

  117.       $setcollection = false;
    118. 

  118.       $setcalendar = false;
    119. 

  119.       $setaddressbook = false;
    120. 

  120.       $setother = false;
    121. 

  121.       foreach( $resourcetypes AS $xnode ) {
    122. 

  122.         switch( $xnode->GetNSTag() ) {
    123. 

  123.           case 'urn:ietf:params:xml:ns:caldav:calendar':      $setcalendar = true;      break;
    124. 

  124.           case 'urn:ietf:params:xml:ns:carddav:addressbook':  $setaddressbook = true;   break;
    125. 

  125.           case 'DAV::collection': $setcollection = true; break;
    126. 

  126.           default:
    127. 

  127.             $setother = true;
    128. 

  128.         }
    129. 

  129.       }
    130. 

  130.       if ( $dav_resource->IsCollection() && $setcollection && ! $dav_resource->IsPrincipal() && ! $dav_resource->IsBinding()
    131. 

  131.           && !($setcalendar && $setaddressbook) && !$setother ) {
    132. 

  132.         $resourcetypes = '<collection xmlns="DAV:"/>';
    133. 

  133.         if ( $setcalendar ) $resourcetypes .= '<calendar xmlns="urn:ietf:params:xml:ns:caldav"/>';
    134. 

  134.         else if ( $setaddressbook ) $resourcetypes .= '<addressbook xmlns="urn:ietf:params:xml:ns:carddav"/>';
    135. 

  135.         $qry->QDo('UPDATE collection SET is_calendar = :is_calendar::boolean, is_addressbook = :is_addressbook::boolean,
    136. 

  136.                      resourcetypes = :resourcetypes WHERE dav_name = :dav_name',
    137. 

  137.                     array( ':dav_name' => $dav_resource->dav_name(), ':resourcetypes' => $resourcetypes,
    138. 

  138.                            ':is_calendar' => $setcalendar, ':is_addressbook' => $setaddressbook ) );
    139. 

  139.         $success[$tag] = 1;
    140. 

  140.       }
    141. 

  141.       else if ( $setcalendar && $setaddressbook ) {
    142. 

  142.         add_failure('set', $tag, 'HTTP/1.1 409 Conflict',
    143. 

  143.             translate("A collection may not be both a calendar and an addressbook."));
    144. 

  144.       }
    145. 

  145.       else if ( $setother ) {
    146. 

  146.         add_failure('set', $tag, 'HTTP/1.1 403 Forbidden',
    147. 

  147.              translate("Unsupported resourcetype modification."), 'cannot-modify-protected-property');
    148. 

  148.       }
    149. 

  149.       else {
    150. 

  150.         add_failure('set', $tag, 'HTTP/1.1 403 Forbidden',
    151. 

  151.              translate("Resources may not be changed to / from collections."), 'cannot-modify-protected-property');
    152. 

  152.       }
    153. 

  153.       break;
    154. 

  154. 

  155.     case 'urn:ietf:params:xml:ns:caldav:schedule-calendar-transp':
    156. 

  156.       if ( $dav_resource->IsCollection() && ( $dav_resource->IsCalendar() || $setcalendar ) && !$dav_resource->IsBinding() ) {
    157. 

  157.         $transparency = $setting->GetPath('urn:ietf:params:xml:ns:caldav:schedule-calendar-transp/*');
    158. 

  158.         $transparency = preg_replace( '{^.*:}', '', $transparency[0]->GetNSTag());
    159. 

  159.         $qry->QDo('UPDATE collection SET schedule_transp = :transparency WHERE dav_name = :dav_name',
    160. 

  160.                     array( ':dav_name' => $dav_resource->dav_name(), ':transparency' => $transparency ) );
    161. 

  161.         $success[$tag] = 1;
    162. 

  162.       }
    163. 

  163.       else {
    164. 

  164.         add_failure('set', $tag, 'HTTP/1.1 409 Conflict',
    165. 

  165.               translate("The CalDAV:schedule-calendar-transp property may only be set on calendars."));
    166. 

  166.       }
    167. 

  167.       break;
    168. 

  168. 

  169.     case 'urn:ietf:params:xml:ns:caldav:calendar-free-busy-set':
    170. 

  170.       add_failure('set', $tag, 'HTTP/1.1 409 Conflict',
    171. 

  171.             translate("The calendar-free-busy-set is superseded by the  schedule-calendar-transp property of a calendar collection.") );
    172. 

  172.       break;
    173. 

  173. 

  174.     case 'urn:ietf:params:xml:ns:caldav:calendar-timezone':
    175. 

  175.       if ( $dav_resource->IsCollection() && $dav_resource->IsCalendar() && ! $dav_resource->IsBinding() ) {
    176. 

  176.         $tzcomponent = $setting->GetPath('urn:ietf:params:xml:ns:caldav:calendar-timezone');
    177. 

  177.         $tzstring = $tzcomponent[0]->GetContent();
    178. 

  178.         $calendar = new vCalendar( $tzstring );
    179. 

  179.         $timezones = $calendar->GetComponents('VTIMEZONE');
    180. 

  180.         if ( count($timezones) == 0 ) break;
    181. 

  181.         $tz = $timezones[0];  // Backward compatibility
    182. 

  182.         $tzid = $tz->GetPValue('TZID');
    183. 

  183.         $params = array( ':tzid' => $tzid );
    184. 

  184.         $qry = new AwlQuery('SELECT 1 FROM timezones WHERE tzid = :tzid', $params );
    185. 

  185.         if ( $qry->Exec('PUT',__LINE__,__FILE__) && $qry->rows() == 0 ) {
    186. 

  186.           $params[':olson_name'] = $calendar->GetOlsonName($tz);
    187. 

  187.           $params[':vtimezone'] = (isset($tz) ? $tz->Render() : null );
    188. 

  188.           $qry->QDo('INSERT INTO timezones (tzid, olson_name, active, vtimezone) VALUES(:tzid,:olson_name,false,:vtimezone)', $params );
    189. 

  189.         }
    190. 

  190.         
    191. 

  191.         $qry->QDo('UPDATE collection SET timezone = :tzid WHERE dav_name = :dav_name',
    192. 

  192.                                        array( ':tzid' => $tzid, ':dav_name' => $dav_resource->dav_name()) );
    193. 

  193.       }
    194. 

  194.       else {
    195. 

  195.         add_failure('set', $tag, 'HTTP/1.1 409 Conflict', translate("calendar-timezone property is only valid for a calendar."));
    196. 

  196.       }
    197. 

  197.       break;
    198. 

  198. 

  199.     /**
    200. 

  200.     * The following properties are read-only, so they will cause the request to fail
    201. 

  201.     */
    202. 

  202.     case 'http://calendarserver.org/ns/:getctag':
    203. 

  203.     case 'DAV::owner':
    204. 

  204.     case 'DAV::principal-collection-set':
    205. 

  205.     case 'urn:ietf:params:xml:ns:caldav:calendar-user-address-set':
    206. 

  206.     case 'urn:ietf:params:xml:ns:caldav:schedule-inbox-URL':
    207. 

  207.     case 'urn:ietf:params:xml:ns:caldav:schedule-outbox-URL':
    208. 

  208.     case 'DAV::getetag':
    209. 

  209.     case 'DAV::getcontentlength':
    210. 

  210.     case 'DAV::getcontenttype':
    211. 

  211.     case 'DAV::getlastmodified':
    212. 

  212.     case 'DAV::creationdate':
    213. 

  213.     case 'DAV::lockdiscovery':
    214. 

  214.     case 'DAV::supportedlock':
    215. 

  215.       add_failure('set', $tag, 'HTTP/1.1 409 Conflict', translate("Property is read-only"), new XMLElement( 'cannot-modify-protected-property'));
    216. 

  216.       break;
    217. 

  217. 

  218.     /**
    219. 

  219.     * If we don't have any special processing for the property, we just store it verbatim (which will be an XML fragment).
    220. 

  220.     */
    221. 

  221.     default:
    222. 

  222.       $qry->QDo('SELECT set_dav_property( :dav_name, :user_no::integer, :tag::text, :value::text)',
    223. 

  223.             array( ':dav_name' => $dav_resource->dav_name(), ':user_no' => $request->user_no, ':tag' => $tag, ':value' => $content) );
    224. 

  224.       $success[$tag] = 1;
    225. 

  225.       break;
    226. 

  226.   }
    227. 

  227. }
    228. 

  228. 

  229. foreach( $rmprops AS $k => $setting ) {
    230. 

  230.   $tag = $setting->GetNSTag();
    231. 

  231.   $content = $setting->RenderContent();
    232. 

  232. 

  233.   switch( $tag ) {
    234. 

  234. 

  235.     case 'DAV::resourcetype':
    236. 

  236.       add_failure('rm', $tag, 'HTTP/1.1 409 Conflict',
    237. 

  237.             translate("DAV::resourcetype may only be set to a new value, it may not be removed."), 'cannot-modify-protected-property');
    238. 

  238.       break;
    239. 

  239. 

  240.     case 'urn:ietf:params:xml:ns:caldav:calendar-timezone':
    241. 

  241.       if ( $dav_resource->IsCollection() && $dav_resource->IsCalendar() && ! $dav_resource->IsBinding() ) {
    242. 

  242.         $qry->QDo('UPDATE collection SET timezone = NULL WHERE dav_name = :dav_name', array( ':dav_name' => $dav_resource->dav_name()) );
    243. 

  243.       }
    244. 

  244.       else {
    245. 

  245.         add_failure('rm', $tag, 'HTTP/1.1 409 Conflict',
    246. 

  246.               translate("calendar-timezone property is only valid for a calendar."), 'cannot-modify-protected-property');
    247. 

  247.       }
    248. 

  248.       break;
    249. 

  249. 

  250.     /**
    251. 

  251.     * The following properties are read-only, so they will cause the request to fail
    252. 

  252.     */
    253. 

  253.     case 'http://calendarserver.org/ns/:getctag':
    254. 

  254.     case 'DAV::owner':
    255. 

  255.     case 'DAV::principal-collection-set':
    256. 

  256.     case 'urn:ietf:params:xml:ns:caldav:CALENDAR-USER-ADDRESS-SET':
    257. 

  257.     case 'urn:ietf:params:xml:ns:caldav:schedule-inbox-URL':
    258. 

  258.     case 'urn:ietf:params:xml:ns:caldav:schedule-outbox-URL':
    259. 

  259.     case 'DAV::getetag':
    260. 

  260.     case 'DAV::getcontentlength':
    261. 

  261.     case 'DAV::getcontenttype':
    262. 

  262.     case 'DAV::getlastmodified':
    263. 

  263.     case 'DAV::creationdate':
    264. 

  264.     case 'DAV::displayname':
    265. 

  265.     case 'DAV::lockdiscovery':
    266. 

  266.     case 'DAV::supportedlock':
    267. 

  267.       add_failure('rm', $tag, 'HTTP/1.1 409 Conflict', translate("Property is read-only"));
    268. 

  268.       dbg_error_log( 'PROPPATCH', ' RMProperty %s is read only and cannot be removed', $tag);
    269. 

  269.       break;
    270. 

  270. 

  271.     /**
    272. 

  272.     * If we don't have any special processing then we must have to just delete it.  Nonexistence is not failure.
    273. 

  273.     */
    274. 

  274.     default:
    275. 

  275.       $qry->QDo('DELETE FROM property WHERE dav_name=:dav_name AND property_name=:property_name',
    276. 

  276.                   array( ':dav_name' => $dav_resource->dav_name(), ':property_name' => $tag) );
    277. 

  277.       $success[$tag] = 1;
    278. 

  278.       break;
    279. 

  279.   }
    280. 

  280. }
    281. 

  281. 

  282. 

  283. /**
    284. 

  284. * If we have encountered any instances of failure, the whole damn thing fails.
    285. 

  285. */
    286. 

  286. if ( count($failure) > 0 ) {
    287. 

  287. 

  288.   $qry->Rollback();
    289. 

  289.   
    290. 

  290.   $url = ConstructURL($request->path);
    291. 

  291.   $multistatus = new XMLElement('multistatus');
    292. 

  292.   array_unshift($failure,new XMLElement('responsedescription', translate("Some properties were not able to be changed.") ));
    293. 

  293.   array_unshift($failure,new XMLElement('href', $url));
    294. 

  294.   $response = $reply->DAVElement($multistatus,'response', $failure);
    295. 

  295.   
    296. 

  296.   if ( !empty($success) ) { 
    297. 

  297.     $prop = new XMLElement('prop');
    298. 

  298.     foreach( $success AS $tag => $v ) {
    299. 

  299.       $reply->NSElement($prop, $tag);
    300. 

  300.     }
    301. 

  301.     $reply->DAVElement($response, 'propstat', array( $prop, new XMLElement( 'status', 'HTTP/1.1 424 Failed Dependency' )) );
    302. 

  302.   }  
    303. 

  303.   $request->DoResponse( 207, $reply->Render($multistatus), 'text/xml; charset="utf-8"' );
    304. 

  304. 

  305. }
    306. 

  306. 

  307. /**
    308. 

  308. * Otherwise we will try and do the SQL. This is inside a transaction, so PostgreSQL guarantees the atomicity
    309. 

  309. */
    310. 

  310. if ( $qry->Commit() ) {
    311. 

  311. 

  312.   $cache = getCacheInstance();
    313. 

  313.   $cache_ns = null;
    314. 

  314.   if ( $dav_resource->IsPrincipal() ) {
    315. 

  315.     $cache_ns = 'principal-'.$dav_resource->dav_name();
    316. 

  316.   }
    317. 

  317.   else if ( $dav_resource->IsCollection() ) {
    318. 

  318.     // Uncache anything to do with the collection
    319. 

  319.     $cache_ns = 'collection-'.$dav_resource->dav_name();
    320. 

  320.   }
    321. 

  321. 

  322.   if ( isset($cache_ns) ) $cache->delete( $cache_ns, null );
    323. 

  323. 

  324.   if ( $request->PreferMinimal() ) {
    325. 

  325.     $request->DoResponse(200); // Does not return.
    326. 

  326.   }
    327. 

  327. 

  328.   $url = ConstructURL($request->path);
    329. 

  329.   $multistatus = new XMLElement('multistatus');
    330. 

  330.   $response = $multistatus->NewElement('response');
    331. 

  331.   $reply->DAVElement($response,'href', $url);
    332. 

  332.   $reply->DAVElement($response,'responsedescription', translate("All requested changes were made.") );
    333. 

  333. 

  334.   $prop = new XMLElement('prop');
    335. 

  335.   foreach( $success AS $tag => $v ) {
    336. 

  336.     $reply->NSElement($prop, $tag);
    337. 

  337.   }
    338. 

  338.   $reply->DAVElement($response, 'propstat', array( $prop, new XMLElement( 'status', 'HTTP/1.1 200 OK' )) );
    339. 

  339.   
    340. 

  340.   $url = ConstructURL($request->path);
    341. 

  341.   array_unshift( $failure, new XMLElement('href', $url ) );
    342. 

  342.   
    343. 

  343.   $request->DoResponse( 207, $reply->Render($multistatus), 'text/xml; charset="utf-8"' );
    344. 

  344. }
    345. 

  345. 

  346. /**
    347. 

  347. * Or it was all crap.
    348. 

  348. */
    349. 

  349. $request->DoResponse( 500 );
    350. 

  350. exit(0); // unneccessary
    351. 

  351. 

  352.