Don't leak existing user in owner_only rights plugin

If a user didn't exist the error message for the principal collection was 404.
2025-08-25 19:30:54 +00:00 · 2017-06-16 23:13:45 +02:00 · 2017-06-16 23:13:45 +02:00 · ded660df07
commit ded660df07
parent 5669433f58
1 changed files with 6 additions and 0 deletions
--- a/radicale/rights.py
+++ b/radicale/rights.py
@ -116,6 +116,12 @@ class OwnerOnlyRights(BaseRights):
            permission == "r" and not sane_path or
            user == sane_path.split("/", maxsplit=1)[0])

+    def authorized_item(self, user, path, permission):
+        sane_path = storage.sanitize_path(path).strip("/")
+        if "/" not in sane_path:
+            return False
+        return super().authorized_item(user, path, permission)
+

 class Rights(BaseRights):
    def __init__(self, configuration, logger):