Merge pull request #59760 from nextcloud/backport/59693/stable30

Altahrim · web-flow · commit 64cb8ac5ce56 · 2026-04-30T15:32:51.000+02:00
diff --git a/apps/dav/composer/composer/autoload_classmap.php b/apps/dav/composer/composer/autoload_classmap.php
@@ -73,6 +73,8 @@
     'OCA\\DAV\\CalDAV\\Outbox' => $baseDir . '/../lib/CalDAV/Outbox.php',
     'OCA\\DAV\\CalDAV\\Plugin' => $baseDir . '/../lib/CalDAV/Plugin.php',
     'OCA\\DAV\\CalDAV\\Principal\\Collection' => $baseDir . '/../lib/CalDAV/Principal/Collection.php',
+    'OCA\\DAV\\CalDAV\\Principal\\ProxyRead' => $baseDir . '/../lib/CalDAV/Principal/ProxyRead.php',
+    'OCA\\DAV\\CalDAV\\Principal\\ProxyWrite' => $baseDir . '/../lib/CalDAV/Principal/ProxyWrite.php',
     'OCA\\DAV\\CalDAV\\Principal\\User' => $baseDir . '/../lib/CalDAV/Principal/User.php',
     'OCA\\DAV\\CalDAV\\Proxy\\Proxy' => $baseDir . '/../lib/CalDAV/Proxy/Proxy.php',
     'OCA\\DAV\\CalDAV\\Proxy\\ProxyMapper' => $baseDir . '/../lib/CalDAV/Proxy/ProxyMapper.php',
diff --git a/apps/dav/composer/composer/autoload_static.php b/apps/dav/composer/composer/autoload_static.php
@@ -88,6 +88,8 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\CalDAV\\Outbox' => __DIR__ . '/..' . '/../lib/CalDAV/Outbox.php',
         'OCA\\DAV\\CalDAV\\Plugin' => __DIR__ . '/..' . '/../lib/CalDAV/Plugin.php',
         'OCA\\DAV\\CalDAV\\Principal\\Collection' => __DIR__ . '/..' . '/../lib/CalDAV/Principal/Collection.php',
+        'OCA\\DAV\\CalDAV\\Principal\\ProxyRead' => __DIR__ . '/..' . '/../lib/CalDAV/Principal/ProxyRead.php',
+        'OCA\\DAV\\CalDAV\\Principal\\ProxyWrite' => __DIR__ . '/..' . '/../lib/CalDAV/Principal/ProxyWrite.php',
         'OCA\\DAV\\CalDAV\\Principal\\User' => __DIR__ . '/..' . '/../lib/CalDAV/Principal/User.php',
         'OCA\\DAV\\CalDAV\\Proxy\\Proxy' => __DIR__ . '/..' . '/../lib/CalDAV/Proxy/Proxy.php',
         'OCA\\DAV\\CalDAV\\Proxy\\ProxyMapper' => __DIR__ . '/..' . '/../lib/CalDAV/Proxy/ProxyMapper.php',
diff --git a/apps/dav/lib/CalDAV/Principal/ProxyRead.php b/apps/dav/lib/CalDAV/Principal/ProxyRead.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\CalDAV\Principal;
+
+use Sabre\DAVACL;
+
+class ProxyRead extends \Sabre\CalDAV\Principal\ProxyRead implements DAVACL\IACL {
+	use DAVACL\ACLTrait;
+
+	/**
+	 * @inheritDoc
+	 */
+	public function getOwner() {
+		return $this->principalInfo['uri'];
+	}
+}
diff --git a/apps/dav/lib/CalDAV/Principal/ProxyWrite.php b/apps/dav/lib/CalDAV/Principal/ProxyWrite.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\CalDAV\Principal;
+
+use Sabre\DAVACL;
+
+class ProxyWrite extends \Sabre\CalDAV\Principal\ProxyWrite implements DAVACL\IACL {
+	use DAVACL\ACLTrait;
+
+	/**
+	 * @inheritDoc
+	 */
+	public function getOwner() {
+		return $this->principalInfo['uri'];
+	}
+}
diff --git a/apps/dav/lib/CalDAV/Principal/User.php b/apps/dav/lib/CalDAV/Principal/User.php
@@ -34,4 +34,44 @@ public function getACL() {
 		];
 		return $acl;
 	}
+
+	/**
+	 * Returns a specific child node, referenced by its name.
+	 *
+	 * @param string $name
+	 *
+	 * @return \Sabre\DAV\INode
+	 */
+	public function getChild($name) {
+		$principal = $this->principalBackend->getPrincipalByPath($this->getPrincipalURL() . '/' . $name);
+		if (!$principal) {
+			throw new \Sabre\DAV\Exception\NotFound("Node with name $name was not found");
+		}
+		if ($name === 'calendar-proxy-read') {
+			return new ProxyRead($this->principalBackend, $this->principalProperties);
+		}
+
+		if ($name === 'calendar-proxy-write') {
+			return new ProxyWrite($this->principalBackend, $this->principalProperties);
+		}
+
+		throw new \Sabre\DAV\Exception\NotFound("Node with name $name was not found");
+	}
+
+	/**
+	 * Returns an array with all the child nodes.
+	 *
+	 * @return \Sabre\DAV\INode[]
+	 */
+	public function getChildren() {
+		$r = [];
+		if ($this->principalBackend->getPrincipalByPath($this->getPrincipalURL() . '/calendar-proxy-read')) {
+			$r[] = new ProxyRead($this->principalBackend, $this->principalProperties);
+		}
+		if ($this->principalBackend->getPrincipalByPath($this->getPrincipalURL() . '/calendar-proxy-write')) {
+			$r[] = new ProxyWrite($this->principalBackend, $this->principalProperties);
+		}
+
+		return $r;
+	}
 }
diff --git a/build/integration/dav_features/caldav-delegation.feature b/build/integration/dav_features/caldav-delegation.feature
@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later
+Feature: calendar delegation
+  Calendar delegation grants another user/principal control of a calendar account,
+  including all calendars the delegator can access.
+
+  @caldav-delegation
+  Scenario: admin grants user0 read access to her calendar account
+    Given user "admin" exists
+    And user "user0" exists
+    When "admin" updates property "{DAV:}group-member-set" to href "/remote.php/dav/principals/users/user0" of principal "users/admin/calendar-proxy-read" on the endpoint "/remote.php/dav/principals/"
+    Then The CalDAV response should be multi status
+    And The CalDAV response should contain an href "/remote.php/dav/principals/users/admin/calendar-proxy-read"
+    And The CalDAV response should contain a property "{DAV:}group-member-set"
+
+  @caldav-delegation
+  Scenario: admin grants write access to her calendar account
+    Given user "admin" exists
+    And user "user0" exists
+    When "admin" updates property "{DAV:}group-member-set" to href "/remote.php/dav/principals/users/user0" of principal "users/admin/calendar-proxy-write" on the endpoint "/remote.php/dav/principals/"
+    Then The CalDAV response should be multi status
+    And The CalDAV response should contain an href "/remote.php/dav/principals/users/admin/calendar-proxy-write"
+    And The CalDAV response should contain a property "{DAV:}group-member-set"
+  
+  Scenario: Admin cannot grant User1 access to User0's calendar account
+    Given user "admin" exists
+    And user "user0" exists
+    And user "user1" exists
+    When "admin" updates property "{DAV:}group-member-set" to href "/remote.php/dav/principals/users/user1" of principal "users/user0/calendar-proxy-write" on the endpoint "/remote.php/dav/principals/"
+    Then The CalDAV HTTP status code should be "404"
diff --git a/build/integration/features/bootstrap/CalDavContext.php b/build/integration/features/bootstrap/CalDavContext.php
@@ -42,21 +42,39 @@ public function setUpScenario() {
 
 	/** @AfterScenario */
 	public function afterScenario() {
-		$davUrl = $this->baseUrl. '/remote.php/dav/calendars/admin/MyCalendar';
-		try {
-			$this->client->delete(
-				$davUrl,
-				[
-					'auth' => [
-						'admin',
-						'admin',
-					],
-					'headers' => [
-						'X-NC-CalDAV-No-Trashbin' => '1',
+		foreach (['MyCalendar', 'MyCalendar2'] as $calendarName) {
+			try {
+				$this->client->delete(
+					$this->baseUrl . '/remote.php/dav/calendars/admin/' . $calendarName,
+					[
+						'auth' => ['admin', 'admin'],
+						'headers' => ['X-NC-CalDAV-No-Trashbin' => '1'],
 					]
-				]
-			);
-		} catch (\GuzzleHttp\Exception\ClientException $e) {
+				);
+			} catch (\GuzzleHttp\Exception\ClientException $e) {
+			}
+		}
+	}
+
+	/** @AfterScenario @caldav-delegation */
+	public function afterDelegationScenario() {
+		foreach (['calendar-proxy-read', 'calendar-proxy-write'] as $proxyType) {
+			try {
+				$propPatch = new \Sabre\DAV\Xml\Request\PropPatch();
+				$propPatch->properties = ['{DAV:}group-member-set' => new \Sabre\DAV\Xml\Property\Href([])];
+				$xml = new \Sabre\Xml\Service();
+				$body = $xml->write('{DAV:}propertyupdate', $propPatch, '/');
+				$this->client->request(
+					'PROPPATCH',
+					$this->baseUrl . '/remote.php/dav/principals/users/admin/' . $proxyType,
+					[
+						'headers' => ['Content-Type' => 'application/xml; charset=UTF-8'],
+						'body' => $body,
+						'auth' => ['admin', 'admin'],
+					]
+				);
+			} catch (\GuzzleHttp\Exception\ClientException $e) {
+			}
 		}
 	}
 
@@ -174,6 +192,26 @@ public function theCaldavResponseShouldContainAPropertyWithHrefValue(
 		}
 	}
 
+	/**
+	 * @Then The CalDAV response should contain an href :href
+	 * @throws \Exception
+	 */
+	public function theCaldavResponseShouldContainAnHref(string $href): void {
+		/** @var \Sabre\DAV\Xml\Response\MultiStatus $multiStatus */
+		$multiStatus = $this->responseXml['value'];
+		foreach ($multiStatus->getResponses() as $response) {
+			if ($response->getHref() === $href) {
+				return;
+			}
+		}
+		throw new \Exception(
+			sprintf(
+				'Expected href %s not found in response',
+				$href,
+			)
+		);
+	}
+
 	/**
 	 * @Then The CalDAV response should be multi status
 	 * @throws \Exception
@@ -372,19 +410,23 @@ public function updatesHrefPropertyOfPrincipal(
 		$xml = new \Sabre\Xml\Service();
 		$body = $xml->write('{DAV:}propertyupdate', $propPatch, '/');
 
-		$this->response = $this->client->request(
-			'PROPPATCH',
-			$davUrl,
-			[
-				'headers' => [
-					'Content-Type' => 'application/xml; charset=UTF-8',
-				],
-				'body' => $body,
-				'auth' => [
-					$user,
-					$password,
-				],
-			]
-		);
+		try {
+			$this->response = $this->client->request(
+				'PROPPATCH',
+				$davUrl,
+				[
+					'headers' => [
+						'Content-Type' => 'application/xml; charset=UTF-8',
+					],
+					'body' => $body,
+					'auth' => [
+						$user,
+						$password,
+					],
+				]
+			);
+		} catch (\GuzzleHttp\Exception\ClientException $e) {
+			$this->response = $e->getResponse();
+		}
 	}
 }
