rewriting grants to allow and/or grants, added required read for PATCH request when the resource exists

ylebre · ylebre · commit 004dfe8930b1 · 2021-02-13T14:09:17.000+01:00
diff --git a/src/WAC.php b/src/WAC.php
@@ -54,15 +54,27 @@ public function isAllowed($request, $webId, $origin=false) {
 		$uri = $request->getUri();
 		$parentUri = $this->getParentUri($uri);
 
-		if (
-			$this->isUserGranted($requestedGrants['resource'], $uri, $webId) &&
-			$this->isUserGranted($requestedGrants['parent'], $parentUri, $webId) &&
-			$this->isOriginGranted($requestedGrants['resource'], $uri, $origin) &&
-			$this->isOriginGranted($requestedGrants['parent'], $parentUri, $origin)
-		) {
-			return true;
+		foreach ($requestedGrants as $requestedGrant) {
+			switch ($requestedGrant['type']) {
+				case "resource":
+					if (!$this->isUserGranted($requestedGrant['grants'], $uri, $webId)) {
+						return false;
+					}
+					if (!$this->isOriginGranted($requestedGrant['grants'], $uri, $origin)) {
+						return false;
+					}
+				break;
+				case "parent":
+					if (!$this->isUserGranted($requestedGrant['grants'], $parentUri, $webId)) {
+						return false;
+					}
+					if (!$this->isOriginGranted($requestedGrant['grants'], $parentUri, $origin)) {
+						return false;
+					}
+				break;
+			}
 		}
-		return false;
+		return true;
 	}
 
 	private function isUserGranted($requestedGrants, $uri, $webId) {
@@ -250,6 +262,30 @@ private function getParentAcl($path) {
 	}
 
 	public function getRequestedGrants($request) {
+		/*
+			Build up the grants that are accepted as valid. The structure is as follows:
+			- Each entry of the result is treated as an 'and'.
+			- Each entry want a grant for either 'resource' or 'parent'
+			- Each entry contains a list of grants that can satisfy the request, treated as an 'or';
+
+			Examples:
+			A request that requires 'read' and 'write' on the targeted resource:
+			[
+				["type" => "resource", "grants" => ["http://www.w3.org/ns/auth/acl#Read"]],
+				["type" => "resource", "grants" => ["http://www.w3.org/ns/auth/acl#Write"]]
+			]
+
+			A request that requires 'write' on the resource and 'append' on the parent:
+			[
+				["type" => "resource", "grants" => ["http://www.w3.org/ns/auth/acl#Write"]],
+				["type" => "parent", "grants" => ["http://www.w3.org/ns/auth/acl#Append"]]
+			]
+
+			A request that requires 'append' or 'write' on the resource
+			[
+				["type" => "resource", "grants" => ["http://www.w3.org/ns/auth/acl#Append", "http://www.w3.org/ns/auth/acl#Write"]]
+			]
+		*/
 		$method = strtoupper($request->getMethod());
 		$path = $request->getUri()->getPath();
 		if ($this->basePath) {
@@ -261,67 +297,114 @@ public function getRequestedGrants($request) {
 		// having Control allows all operations.
 		if (preg_match('/.acl$/', $path)) {
 			return array(
-				"resource" => array('http://www.w3.org/ns/auth/acl#Control')
+				array(
+					"type" => "resource",
+					"grants" => array('http://www.w3.org/ns/auth/acl#Control')
+				)
 			);
 		}
 
 		switch ($method) {
 			case "GET":
 			case "HEAD":
 				return array(
-					"resource" => array('http://www.w3.org/ns/auth/acl#Read')
+					array(
+						"type" => "resource",
+						"grants" => array('http://www.w3.org/ns/auth/acl#Read')
+					)
 				);
 			break;
 			case "DELETE":
 				return array(
-					"resource" => array('http://www.w3.org/ns/auth/acl#Write')
+					array(
+						"type" => "resource",
+						"grants" => array('http://www.w3.org/ns/auth/acl#Write')
+					)
 				);
 			break;
 			case "PUT":
 				if ($this->filesystem->has($path)) {
 					return array(
-						"resource" => array('http://www.w3.org/ns/auth/acl#Write')
+						array(
+							"type" => "resource",
+							"grants" => array('http://www.w3.org/ns/auth/acl#Write')
+						)
 					);
 				} else {
 					// FIXME: to add a new file, Append is needed on the parent container;
 					return array(
-						"resource" => array('http://www.w3.org/ns/auth/acl#Write'),
-						"parent"   => array('http://www.w3.org/ns/auth/acl#Append', 'http://www.w3.org/ns/auth/acl#Write')
+						array(
+							"type" => "resource",
+							"grants" => array('http://www.w3.org/ns/auth/acl#Write')
+						),
+						array(
+							"type" => "parent",
+							"grants" => array(
+								'http://www.w3.org/ns/auth/acl#Append',
+								'http://www.w3.org/ns/auth/acl#Write'
+							)
+						)
 					);
 				}
 			break;
 			case "POST":
 				return array(
-					"resource" => array(
-						'http://www.w3.org/ns/auth/acl#Write', // We need 'append' for this, but because Write trumps Append, also allow it when we have Write;
-						'http://www.w3.org/ns/auth/acl#Append'
+					array(
+						"type" => "resource",
+						"grants" => array(
+							'http://www.w3.org/ns/auth/acl#Write', // We need 'append' for this, but because Write trumps Append, also allow it when we have Write;
+							'http://www.w3.org/ns/auth/acl#Append'
+						)
 					)
 				);
 			break;
 			case "PATCH";
 				$grants = array();
+				if ($this->filesystem->has($path)) {
+					$grants[] = array(
+						"type" => "resource",
+						"grants" => array(
+							'http://www.w3.org/ns/auth/acl#Read'
+						)
+					);
+				} else {
+					$grants[] = array(
+						"type" => "parent",
+						"grants" => array(
+							'http://www.w3.org/ns/auth/acl#Append',
+							'http://www.w3.org/ns/auth/acl#Write'
+						)
+					);
+				}
+
 				$body = $request->getBody()->getContents();
+				$request->getBody()->rewind();
+
 				if (strstr($body, "DELETE")) {
-					$grants[] = 'http://www.w3.org/ns/auth/acl#Write';
+					$grants[] = array(
+						"type" => "resource",
+						"grants" => array('http://www.w3.org/ns/auth/acl#Write')
+					);
 				}
 				if (strstr($body, "INSERT")) {
 					if ($this->filesystem->has($path)) {
-						$grants[] = 'http://www.w3.org/ns/auth/acl#Append';
+						$grants[] = array(
+							"type" => "resource",
+							"grants" => array(
+								'http://www.w3.org/ns/auth/acl#Append',
+								'http://www.w3.org/ns/auth/acl#Write'
+							)
+						);
+					} else {
+						$grants[] = array(
+							"type" => "resource",
+							"grants" => array(
+								'http://www.w3.org/ns/auth/acl#Write'
+							)
+						);
 					}
-					$grants[] = 'http://www.w3.org/ns/auth/acl#Write';
-				}
-				// error_log($body);
-				$request->getBody()->rewind();
-				if ($this->filesystem->has($path)) {
-					return array(
-						"resource" => $grants
-					);
-				} else {
-					return array(
-						"resource" => $grants,
-						"parent"   => array('http://www.w3.org/ns/auth/acl#Append', 'http://www.w3.org/ns/auth/acl#Write')
-					);
 				}
+				return $grants;
 			break;
 		}
 	}
