fix: webdav only see public folder even logging in (#231)

2024-10-01 13:35:00 +00:00 · 2023-06-05 11:40:31 +08:00 · 2023-06-05 11:40:31 +08:00 · 6be36b8e51
parent 8be545d3da
commit 6be36b8e51
3 changed files with 30 additions and 16 deletions
--- a/src/auth.rs
+++ b/src/auth.rs
@ -80,8 +80,8 @@ impl AccessControl {
        Ok(Self { users, anony })
    }

-    pub fn valid(&self) -> bool {
-        !self.users.is_empty() || self.anony.is_some()
+    pub fn exist(&self) -> bool {
+        !self.users.is_empty()
    }

    pub fn guard(
@ -257,18 +257,14 @@ pub enum AuthMethod {
 }

 impl AuthMethod {
-    pub fn www_auth(&self, stale: bool) -> Result<String> {
+    pub fn www_auth(&self) -> Result<String> {
        match self {
            AuthMethod::Basic => Ok(format!("Basic realm=\"{REALM}\"")),
-            AuthMethod::Digest => {
-                let str_stale = if stale { "stale=true," } else { "" };
-                Ok(format!(
-                    "Digest realm=\"{}\",nonce=\"{}\",{}qop=\"auth\"",
-                    REALM,
-                    create_nonce()?,
-                    str_stale
-                ))
-            }
+            AuthMethod::Digest => Ok(format!(
+                "Digest realm=\"{}\",nonce=\"{}\",qop=\"auth\"",
+                REALM,
+                create_nonce()?,
+            )),
        }
    }

--- a/src/server.rs
+++ b/src/server.rs
@ -1,6 +1,6 @@
 #![allow(clippy::too_many_arguments)]

-use crate::auth::AccessPaths;
+use crate::auth::{AccessPaths, AccessPerm};
 use crate::streamer::Streamer;
 use crate::utils::{
    decode_uri, encode_uri, get_file_mtime_and_mode, get_file_name, glob, try_get_file_name,
@ -340,6 +340,12 @@ impl Server {
            method => match method.as_str() {
                "PROPFIND" => {
                    if is_dir {
+                        let access_paths = if access_paths.perm().indexonly() {
+                            // see https://github.com/sigoden/dufs/issues/229
+                            AccessPaths::new(AccessPerm::ReadOnly)
+                        } else {
+                            access_paths
+                        };
                        self.handle_propfind_dir(path, headers, access_paths, &mut res)
                            .await?;
                    } else if is_file {
@ -759,7 +765,7 @@ impl Server {
            uri_prefix: self.args.uri_prefix.clone(),
            allow_upload: self.args.allow_upload,
            allow_delete: self.args.allow_delete,
-            auth: self.args.auth.valid(),
+            auth: self.args.auth.exist(),
            user,
            editable,
        };
@ -974,7 +980,7 @@ impl Server {
            allow_search: self.args.allow_search,
            allow_archive: self.args.allow_archive,
            dir_exists: exist,
-            auth: self.args.auth.valid(),
+            auth: self.args.auth.exist(),
            user,
            paths,
        };
@ -999,7 +1005,7 @@ impl Server {
    }

    fn auth_reject(&self, res: &mut Response) -> Result<()> {
-        let value = self.args.auth_method.www_auth(false)?;
+        let value = self.args.auth_method.www_auth()?;
        set_webdav_headers(res);
        res.headers_mut().insert(WWW_AUTHENTICATE, value.parse()?);
        // set 401 to make the browser pop up the login box
--- a/tests/auth.rs
+++ b/tests/auth.rs
@ -201,3 +201,15 @@ fn auth_partial_index(
    );
    Ok(())
 }
+
+#[rstest]
+fn no_auth_propfind_dir(
+    #[with(&["--auth", "user:pass@/:rw", "--auth", "@/dir-assets", "-A"])] server: TestServer,
+) -> Result<(), Error> {
+    let resp = fetch!(b"PROPFIND", server.url()).send()?;
+    assert_eq!(resp.status(), 207);
+    let body = resp.text()?;
+    assert!(body.contains("<D:href>/dir-assets/</D:href>"));
+    assert!(body.contains("<D:href>/dir1/</D:href>"));
+    Ok(())
+}