Now rights can be add to user groups too.

radicale/app/__init__.py

@@ -237,6 +237,11 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
                     authorization.encode("ascii"))).split(":", 1)
 
         user = self._auth.login(login, password) or "" if login else ""
+        try:
+            logger.debug("Groups %r",",".join(self._auth._ldap_groups))
+            self._rights._user_groups = self._auth._ldap_groups
+        except AttributeError:
+            pass
         if user and login == user:
             logger.info("Successful login: %r", user)
         elif user:

radicale/auth/__init__.py

@@ -44,6 +44,8 @@ def load(configuration: "config.Configuration") -> "BaseAuth":
 
 class BaseAuth:
 
+    _ldap_groups: set
+
     def __init__(self, configuration: "config.Configuration") -> None:
         """Initialize BaseAuth.
 

radicale/auth/ldap.py

@@ -35,7 +35,6 @@ class Auth(auth.BaseAuth):
     _ldap_secret: str
     _ldap_filter: str
     _ldap_load_groups: bool
-    _ldap_groups = set
 
     def __init__(self, configuration: config.Configuration) -> None:
         super().__init__(configuration)
@@ -88,5 +87,3 @@ class Auth(auth.BaseAuth):
             return login
         except ldap.INVALID_CREDENTIALS:
             return ""
-
-

radicale/rights/from_file.py

@@ -34,7 +34,7 @@ Leading or ending slashes are trimmed from collection's path.
 
 """
 
-import configparser
+from configparser import ConfigParser
 import re
 
 from radicale import config, pathutils, rights
@@ -44,15 +44,17 @@ from radicale.log import logger
 class Rights(rights.BaseRights):
 
     _filename: str
-    _rights_config
+    _rights_config: ConfigParser
+    _user_groups: set
 
     def __init__(self, configuration: config.Configuration) -> None:
         super().__init__(configuration)
         self._filename = configuration.get("rights", "file")
-        _rights_config = configparser.ConfigParser()
+        self._rights_config = ConfigParser()
         try:
             with open(self._filename, "r") as f:
-                _rights_config.read_file(f)
+                self._rights_config.read_file(f)
+                logger.debug("Rights were read")
         except Exception as e:
             raise RuntimeError("Failed to load rights file %r: %s" %
                                (self._filename, e)) from e
@@ -62,40 +64,40 @@ class Rights(rights.BaseRights):
         sane_path = pathutils.strip_path(path)
         # Prevent "regex injection"
         escaped_user = re.escape(user)
+        logger.debug("authorization called %r %r",user,path)
 
-        for section in _rights_config.sections():
-            user_match       = False
+        for section in self._rights_config.sections():
             group_match      = []
-            collection_match = False
             try:
-                collection_pattern = _rights_config.get(section, "collection")
-                user_pattern = _rights_config.get(section, "user", fallback = "")
-                groups = _rights_config.get(section, "groups", fallback = "").split(",")
-
+                collection_pattern = self._rights_config.get(section, "collection")
+                user_pattern = self._rights_config.get(section, "user", fallback = "")
+                groups = self._rights_config.get(section, "groups", fallback = "").split(",")
                 try:
-                    group_match = self._auth._ldap_groups & set(groups)
-                except NameError:
+                    group_match = self._user_groups & set(groups)
+                    logger.debug("Groups %r, %r",",".join(group_match),";".join(groups))
+                except:
                     pass
 
                 # Use empty format() for harmonized handling of curly braces
                 user_match = re.fullmatch(user_pattern.format(), user)
-                collection_match = re.fullmatch(
+                u_collection_match = user_match and re.fullmatch(
                     collection_pattern.format(
                         *(re.escape(s) for s in user_match.groups()),
                         user=escaped_user), sane_path)
+                g_collection_match = re.fullmatch( collection_pattern.format(user=escaped_user), sane_path)
             except Exception as e:
                 raise RuntimeError("Error in section %r of rights file %r: "
                                    "%s" % (section, self._filename, e)) from e
-            if user_match and collection_match:
+            if user_match and u_collection_match:
                 logger.debug("User rule %r:%r matches %r:%r from section %r",
                              user, sane_path, user_pattern,
                              collection_pattern, section)
-                return _rights_config.get(section, "permissions")
-            if len(group_match) > 0 and collection_match:
+                return self._rights_config.get(section, "permissions")
+            if len(group_match) > 0 and g_collection_match:
                 logger.debug("Group rule %r:%r matches %r from section %r",
                              group_match, sane_path,
                              collection_pattern, section)
-                return _rights_config.get(section, "permissions")
+                return self._rights_config.get(section, "permissions")
             logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
                          user, sane_path, user_pattern, collection_pattern,
                          section)