Merge pull request #60602 from nextcloud/backport/60211/stable32

[stable32] fix: add proper ACLs for trashbin proxys
2026-05-28 04:32:30 -04:00 · 2026-05-21 10:30:59 +02:00 · 2026-05-21 10:30:59 +02:00 · 83a6b2f4d0
commit 83a6b2f4d0
parent b357c51db8 ad45d6b8a2
3 changed files with 49 additions and 3 deletions
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObject.php
@ -94,7 +94,17 @@ class DeletedCalendarObject implements IACL, ICalendarObject, IRestorable {
 			],
 			[
 				'privilege' => '{DAV:}unbind', // For moving and deletion
-				'principal' => '{DAV:}owner',
+				'principal' => $this->getOwner(),
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}all',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-read',
 				'protected' => true,
 			],
 		];
--- a/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
+++ b/apps/dav/lib/CalDAV/Trashbin/DeletedCalendarObjectsCollection.php
@ -125,9 +125,24 @@ class DeletedCalendarObjectsCollection implements ICalendarObjectContainer, IACL
 			],
 			[
 				'privilege' => '{DAV:}unbind',
-				'principal' => '{DAV:}owner',
+				'principal' => $this->getOwner(),
 				'protected' => true,
-			]
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}unbind',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-read',
+				'protected' => true,
+			],
 		];
 	}
 }
--- a/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
+++ b/apps/dav/lib/CalDAV/Trashbin/TrashbinHome.php
@ -36,6 +36,27 @@ class TrashbinHome implements IACL, ICollection, IProperties {
 		return $this->principalInfo['uri'];
 	}

+	#[\Override]
+	public function getACL(): array {
+		return [
+			[
+				'privilege' => '{DAV:}all',
+				'principal' => $this->getOwner(),
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}all',
+				'principal' => $this->getOwner() . '/calendar-proxy-write',
+				'protected' => true,
+			],
+			[
+				'privilege' => '{DAV:}read',
+				'principal' => $this->getOwner() . '/calendar-proxy-read',
+				'protected' => true,
+			],
+		];
+	}
+
 	public function createFile($name, $data = null) {
 		throw new Forbidden('Permission denied to create files in the trashbin');
 	}