From 916c9db3c811e1cc2697aea2474944c7401922a5 Mon Sep 17 00:00:00 2001
From: TownCube <15699466+TownCube@users.noreply.github.com>
Date: Sat, 7 Dec 2024 18:24:29 +0000
Subject: [PATCH 1/2] Skip group collection match when groups are not used

---
 DOCUMENTATION.md | 2 +-
 radicale/rights/from_file.py | 3 ++-
 radicale/tests/__init__.py | 3 ++-
 radicale/tests/test_rights.py | 18 ++++++++++++++----
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md
index ab28c6ce4..ac7d2d714 100644
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
@@ -888,7 +888,7 @@ Default: `(cn={0})`
 Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist.
 * The group calendar will be placed under collection_root_folder/GROUPS
 * The name of the calendar directory is the base64 encoded group name.
-* The group calneder folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calneder folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication
+* The group calendar folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication
 Default: False
diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py
index 6d63c801d..7ebe38cf8 100644
--- a/radicale/rights/from_file.py
+++ b/radicale/rights/from_file.py
@@ -84,7 +84,8 @@ def authorization(self, user: str, path: str) -> str:
 collection_pattern.format(
 *(re.escape(s) for s in user_match.groups()),
 user=escaped_user), sane_path)
- group_collection_match = re.fullmatch(collection_pattern.format(user=escaped_user), sane_path)
+ group_collection_match = group_match and re.fullmatch(
+ collection_pattern.format(user=escaped_user), sane_path)
 except Exception as e:
 raise RuntimeError("Error in section %r of rights file %r: "
 "%s" % (section, self._filename, e)) from e
diff --git a/radicale/tests/__init__.py b/radicale/tests/__init__.py
index ceb155b4c..e5ecb1f98 100644
--- a/radicale/tests/__init__.py
+++ b/radicale/tests/__init__.py
@@ -29,6 +29,7 @@ import xml.etree.ElementTree as ET
 from io import BytesIO
 from typing import Any, Dict, List, Optional, Tuple, Union
+from urllib.parse import quote
 import defusedxml.ElementTree as DefusedET
 import vobject
@@ -167,7 +168,7 @@ def propfind(self, path: str, data: Optional[str] = None,
 assert answer is not None
 responses = self.parse_responses(answer)
 if kwargs.get("HTTP_DEPTH", "0") == "0":
- assert len(responses) == 1 and path in responses
+ assert len(responses) == 1 and quote(path) in responses
 return status, responses
 def proppatch(self, path: str, data: Optional[str] = None,
diff --git a/radicale/tests/test_rights.py b/radicale/tests/test_rights.py
index c8efa4b5e..896c910e9 100644
--- a/radicale/tests/test_rights.py
+++ b/radicale/tests/test_rights.py
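Review bot: The added `group_match and re.fullmatch(...)` only skips the group-collection format when no group matched; a section that combines a `groups` entry with a positional placeholder such as the `collection: {0}` used in the new test still reaches `collection_pattern.format(user=escaped_user)` with no positional arguments, so that `.format` presumably raises IndexError and the `except` below turns it into a RuntimeError for the whole authorization call instead of a no-match for that one section. Whether that fail-closed outcome is intended deserves a comment on the `+` line, e.g. `# group rules cannot use positional {N} placeholders; only {user} is substituted here`. The assignment of `group_match` and the remainder of `authorization` lie outside this hunk, so the exact type it carries is inferred, not visible.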
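Review bot: In the second hunk of this file the comparison `quote(path) in responses` relies on `quote()`'s default `safe='/'`, which percent-encodes `@` (the character the new `user@domain.test` principal introduces) but leaves `/` alone; if `parse_responses` keys by the raw href the server returned rather than a normalised one, a path containing characters the server encodes differently would fail this assert for a reason unrelated to the test. A one-line comment would make the contract explicit, e.g. `# response hrefs come back percent-encoded, so compare against quote(path)`. `propfind`'s signature and the start of its body are outside the hunk.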
@@ -30,10 +30,10 @@ class TestBaseRightsRequests(BaseTest):
 def _test_rights(self, rights_type: str, user: str, path: str, mode: str,
 expected_status: int, with_auth: bool = True) -> None:
 assert mode in ("r", "w")
- assert user in ("", "tmp")
+ assert user in ("", "tmp", "user@domain.test")
 htpasswd_file_path = os.path.join(self.colpath, ".htpasswd")
 with open(htpasswd_file_path, "w") as f:
- f.write("tmp:bepo\nother:bepo")
+ f.write("tmp:bepo\nother:bepo\nuser@domain.test:bepo")
 self.configure({
 "rights": {"type": rights_type},
 "auth": {"type": "htpasswd" if with_auth else "none",
@@ -42,8 +42,9 @@ def _test_rights(self, rights_type: str, user: str, path: str, mode: str,
 for u in ("tmp", "other"):
 # Indirect creation of principal collection
 self.propfind("/%s/" % u, login="%s:bepo" % u)
+ os.makedirs(os.path.join(self.colpath, "collection-root", "domain.test"), exist_ok=True)
 (self.propfind if mode == "r" else self.proppatch)(
- path, check=expected_status, login="tmp:bepo" if user else None)
+ path, check=expected_status, login="%s:bepo" % user if user else None)
 def test_owner_only(self) -> None:
 self._test_rights("owner_only", "", "/", "r", 401)
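Review bot: The new `os.makedirs(...)` line in the second hunk runs for every `_test_rights` call regardless of `rights_type`, `user` or `path`, so every rights test now gets a `collection-root/domain.test` directory it did not ask for, and nothing explains why the directory has to exist; the hunk does not show whether the storage layer treats a bare directory as a collection or merely needs the path to resolve. Scoping it to the case that needs it and documenting it would keep the fixture honest, e.g. `if user == "user@domain.test":` followed by the `os.makedirs` call and a comment such as `# target collection for the read-domain-principal rule in test_from_file`. The line is also far longer than the wrapped lines around it, which appears to be the file's convention. `_test_rights` begins in the previous hunk and `test_owner_only` continues past this one.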
@@ -110,14 +111,23 @@ def test_from_file(self) -> None:
 [custom]
 user: .*
 collection: custom(/.*)?
-permissions: Rr""")
+permissions: Rr
+[read-domain-principal]
+user: .+@([^@]+)
+collection: {0}
+permissions: R""")
 self.configure({"rights": {"file": rights_file_path}})
 self._test_rights("from_file", "", "/other/", "r", 401)
+ self._test_rights("from_file", "tmp", "/tmp/", "r", 207)
 self._test_rights("from_file", "tmp", "/other/", "r", 403)
 self._test_rights("from_file", "", "/custom/sub", "r", 404)
 self._test_rights("from_file", "tmp", "/custom/sub", "r", 404)
 self._test_rights("from_file", "", "/custom/sub", "w", 401)
 self._test_rights("from_file", "tmp", "/custom/sub", "w", 403)
+ self._test_rights("from_file", "tmp", "/custom/sub", "w", 403)
+ self._test_rights("from_file", "user@domain.test", "/domain.test/", "r", 207)
+ self._test_rights("from_file", "user@domain.test", "/tmp/", "r", 403)
+ self._test_rights("from_file", "user@domain.test", "/other/", "r", 403)
 def test_from_file_limited_get(self):
 rights_file_path = os.path.join(self.colpath, "rights")
From 05c349a15f94db1a38321349a9f2e21c0b4bb67e Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sun, 8 Dec 2024 09:46:50 +0100
Subject: [PATCH 2/2] Update DOCUMENTATION.md fix typo

---
 DOCUMENTATION.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md
index ac7d2d714..a7c13fed0 100644
--- a/DOCUMENTATION.md
+++ b/DOCUMENTATION.md
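Review bot: The added `self._test_rights("from_file", "tmp", "/custom/sub", "w", 403)` is byte-identical to the context line directly above it, so it re-runs the same case and adds no coverage; it reads like a copy-paste slip where a different principal or path was intended. Since the new `[read-domain-principal]` rule grants R on `{0}` (the captured domain) to any `.+@([^@]+)` user, the case still missing is a principal from a different domain being refused on `/domain.test/`, which would need that user added to the htpasswd allowlist in `_test_rights`; if that is out of scope here, drop the duplicate line rather than keep it. `test_from_file` starts before this hunk and `test_from_file_limited_get` continues after it.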
@@ -888,7 +888,7 @@ Default: `(cn={0})`
 Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist.
 * The group calendar will be placed under collection_root_folder/GROUPS
 * The name of the calendar directory is the base64 encoded group name.
-* The group calendar folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication
+* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication
 Default: False