One of the patches from chrysn is very simple, and I had a closer look to see if it could be correct too. RFC 4791 section 5.1 indicates that the OPTIONS request should work without access control (and always report calendar-access for CalDAV, which calypso already does).
This makes me suggest the patch is merged.

From 955568e6b08efd369fc23577c50e72961ff1e8fe Mon Sep 17 00:00:00 2001 From: chrysn <[email protected]> Date: Tue, 15 Apr 2014 23:17:37 +0200 Subject: disable permission checks for OPTIONS a CORS request (eg as issued in chromium) needs a pre-flight OPTIONS request on the resource, which can't use credentials yet it's the point of CORS not to send requests from the browser anywhere without that particular anywhere's consent. the code behind OPTIONS does not reveal any data (not even presence of a collection). --- calypso/__init__.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/calypso/__init__.py b/calypso/__init__.py index 8f1625f..5306a83 100644 --- a/calypso/__init__.py +++ b/calypso/__init__.py @@ -405,8 +405,7 @@ class CollectionHTTPHandler(server.BaseHTTPRequestHandler): self.send_calypso_response(client.CREATED, 0) self.end_headers() - @check_rights - def do_OPTIONS(self, context): + def do_OPTIONS(self): """Manage OPTIONS request.""" self.send_calypso_response(client.OK, 0) self.send_header( -- 2.7.0.rc3

--
Happy hacking
Petter Reinholdtsen
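
Review bot: the change to `do_OPTIONS` in calypso/__init__.py removes `@check_rights` but leaves nothing in the code saying that this handler is deliberately unauthenticated; the docstring still reads only "Manage OPTIONS request." Suggest extending the docstring or adding a comment stating that OPTIONS is intentionally exempt from permission checks because a CORS pre-flight request carries no credentials, as the commit message explains, so that the decorator is not re-added later by someone aligning the handlers. Since the `context` parameter is dropped together with the decorator, please also confirm that the rest of the method, which continues past `self.send_header(` beyond the visible context, does not reference `context`, and that the headers it sends do not vary with the requested path, so the handler keeps revealing nothing about whether a collection exists.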
