From c1b0a008191af24f1de04b6902526d668e27f1e2 Mon Sep 17 00:00:00 2001
From: tchapi
Date: Sun, 10 Sep 2023 22:19:41 +0200
Subject: [PATCH] fix: objects must also get the correct ACL
---
 src/Controller/DAVController.php | 2 +-
 src/Plugins/PublicAwareDAVACLPlugin.php | 29 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/Controller/DAVController.php b/src/Controller/DAVController.php
index cb60005..0fb6ea0 100644
--- a/src/Controller/DAVController.php
+++ b/src/Controller/DAVController.php
@@ -230,7 +230,7 @@ private function initServer(string $authMethod, string $authRealm = User::DEFAUL
 $this->server->addPlugin(new \Sabre\DAV\Browser\Plugin(false)); // We disable the file creation / upload / sharing in the browser
 $this->server->addPlugin(new \Sabre\DAV\Sync\Plugin());
- $aclPlugin = new PublicAwareDAVACLPlugin();
+ $aclPlugin = new PublicAwareDAVACLPlugin($this->em);
 $aclPlugin->hideNodesFromListings = true;
 // Fetch admins, if any
diff --git a/src/Plugins/PublicAwareDAVACLPlugin.php b/src/Plugins/PublicAwareDAVACLPlugin.php
index 6b32c5f..fb35074 100644
--- a/src/Plugins/PublicAwareDAVACLPlugin.php
+++ b/src/Plugins/PublicAwareDAVACLPlugin.php
@@ -3,11 +3,22 @@
 namespace App\Plugins;
 use App\Entity\CalendarInstance;
+use Doctrine\ORM\EntityManagerInterface;
 use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
 class PublicAwareDAVACLPlugin extends \Sabre\DAVACL\Plugin
 {
+ /**
+ * @var EntityManagerInterface
+ */
+ protected $em;
+
+ public function __construct(EntityManagerInterface $entityManager)
+ {
+ $this->em = $entityManager;
+ }
+
 /**
 * We override this method so that public objects can be seen correctly in the browser,
 * with the assets (css, images).
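Review bot: The new `$em` property in `PublicAwareDAVACLPlugin` is `protected` and typed only through its docblock, so nothing enforces the type after construction and any subclass can overwrite the handle that the ACL decision depends on. The file already relies on PHP 7.4 syntax (the arrow function added to `getAcl`), so the declaration could be `private EntityManagerInterface $em;` and the `@var` docblock dropped.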
@@ -28,6 +39,24 @@ public function getAcl($node): array
 if ($node instanceof \Sabre\CalDAV\Calendar) {
 if (CalendarInstance::ACCESS_PUBLIC === $node->getShareAccess()) {
+ // We must add the ACL on the calendar itself
+ $acl[] = [
+ 'principal' => '{DAV:}unauthenticated',
+ 'privilege' => '{DAV:}read',
+ 'protected' => false,
+ ];
+ }
+ } elseif ($node instanceof \Sabre\CalDAV\CalendarObject) {
+ // The property is private in \Sabre\CalDAV\CalendarObject and we don't want to create
+ // a new class just to access it, so we use a closure.
+ $calendarInfo = (fn () => $this->calendarInfo)->call($node);
+ // [0] is the calendarId, [1] is the calendarInstanceId
+ $calendarInstanceId = $calendarInfo['id'][1];
+
+ $calendar = $this->em->getRepository(CalendarInstance::class)->findOneById($calendarInstanceId);
+
+ if ($calendar && $calendar->isPublic()) {
+ // We must add the ACL on the object itself
 $acl[] = [
 'principal' => '{DAV:}unauthenticated',
 'privilege' => '{DAV:}read',
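Review bot: The `CalendarObject` branch reads `$calendarInfo['id'][1]` without checking that `id` is a two-element array, so the grant of `{DAV:}read` to `{DAV:}unauthenticated` rests on an unvalidated internal structure pulled out of the node through a bound closure. If `id` were ever a plain string (a different backend, a sabre/dav change, or a `CalendarObject` subclass built with other calendar info), `[1]` would yield its second character and the lookup could resolve an unrelated calendar instance; if the key is missing, PHP emits a warning for every object. I would make the branch fail closed by wrapping the lookup in `$id = $calendarInfo['id'] ?? null;` and `if (\is_array($id) && isset($id[1])) { ... }`, so no ACE is added when the shape is unexpected. Separately, `findOneById()` appears to run one query per object node in a listing; if `id` is the entity's primary key, `find($id[1])` would let Doctrine answer repeats from its identity map. The rest of `getAcl` lies outside this hunk.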