Disallow webdav "write" HTTP methods for certain user

1. The problem I’m having:

I have two users against caddy + webdav.

One user (guest) can only read files in webdav; the other can read/write/delete.

I am trying to follow this suggestion

2. Error messages and/or full log output:

No errors, the behavior I want is not working though: the guest user can still DELETE files (an instance of a write operation).

3. Caddy version:

v2.7.4-0.20230809174037-d8135505d38c h1:9yGJZ2/UFjpIam+/KTBzeI2945MTuA2SveXjfG4KK1U=

4. How I installed and ran Caddy:

Built locally and running as per the wiki.

a. System environment:

Arch, systemd.

b. Command:

systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddy config:

{
    http_port 8080
    order webdav before file_server
}

:8080 {
    rewrite /dav /dav/

    @noGuestWrite {
        expression {http.auth.user.id} == "guest"
        not method GET HEAD OPTIONS PROPFIND
    }
    handle @noGuestWrite {
        respond 403
    }
    handle {
        basicauth /dav/media {
            guest <psw1>
            shared <psw2>
        }

        webdav /dav/* {
            root /srv/http/dav/All
            prefix /dav/media
        }
        file_server
    }
}

I have now found a solution that works - here it is!

{
    http_port 8080
    order webdav before file_server
    order handle before webdav
}

:8080 {
    rewrite /dav/media /dav/media/

    route /dav/media* {
        basicauth {
            alba-guest <psw>
            alba-shared <psw>
        }

        # Thank you mholt for hinting at a solution
        #   https://github.com/mholt/caddy-webdav/issues/27
        #   https://caddy.community/t/disallow-webdav-write-http-methods-for-certain-user/20781
        @webdavAccess2 {
            not {
                not {
                    vars {http.auth.user.id} "alba-shared"
                    method GET HEAD OPTIONS PROPFIND TRACE DELETE POST PUT PROPPATCH MKCOL MOVE LOCK UNLOCK COPY
                }
                not {
                    vars {http.auth.user.id} "alba-guest"
                    method GET HEAD OPTIONS PROPFIND
                }
            }
        }

        @guestUnauthorized {
            expression {http.auth.user.id} == "alba-guest"
            not method GET HEAD OPTIONS PROPFIND
        }

        handle @guestUnauthorized {
            respond 403
        }

        webdav @webdavAccess2 {
            root /srv/http/dav/All
            prefix /dav/media
        }
        file_server
    }
}

I am not sure I need the order directives at the top, but I fiddled enough with this for now, so I'll leave them 🙂
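As an added check that is not part of the original thread (my own script, not the poster's or Caddy's code): a POSIX shell script that encodes the intended policy from the Caddyfile above (alba-guest limited to GET/HEAD/OPTIONS/PROPFIND, alba-shared allowed every WebDAV method) and flags any observed status that breaks it. The probe URL, the `PASSWORD` variable and the sample result lines in the test are assumptions I constructed, not values from the thread.

```bash
# Added example for this thread, not code from the original post or from Caddy.
# It encodes the intended policy (alba-guest read-only, alba-shared full access)
# and checks observed "user method status" lines against it. Assumptions:
# PROBE_URL and PASSWORD are placeholders; the method lists mirror the Caddyfile.

READ_METHODS="GET HEAD OPTIONS PROPFIND"
WRITE_METHODS="TRACE DELETE POST PUT PROPPATCH MKCOL MOVE LOCK UNLOCK COPY"
# policy USER METHOD -> "allow" if the request must succeed, else the expected status.
policy() {
    case "$1" in
        alba-shared) echo allow ;;
        alba-guest)
            case " $READ_METHODS " in
                *" $2 "*) echo allow ;;
                *) echo 403 ;;
            esac ;;
        *) echo 401 ;;   # unknown or unauthenticated user: basicauth must reject
    esac
}

# Reads "user method status" lines on stdin; prints each violation, returns 1 if any.
verify_results() {
    violations=0
    while read -r user method status; do
        [ -n "$user" ] || continue
        want=$(policy "$user" "$method")
        if [ "$want" = allow ]; then
            case "$status" in
                401|403) echo "VIOLATION: $user $method got $status, expected success"
                         violations=1 ;;
            esac
        elif [ "$status" != "$want" ]; then
            echo "VIOLATION: $user $method got $status, expected $want"
            violations=1
        fi
    done
    return "$violations"
}
# Queries a live instance with curl; usage:  PASSWORD=... probe | verify_results
probe() {
    url="${PROBE_URL:-http://127.0.0.1:8080/dav/media/probe.txt}"
    for user in alba-guest alba-shared; do
        for m in $READ_METHODS $WRITE_METHODS; do
            code=$(curl -s -o /dev/null -w '%{http_code}' -X "$m" \
                   -u "$user:${PASSWORD:-changeme}" "$url")
            printf '%s %s %s\n' "$user" "$m" "$code"
        done
    done
}
```

The probe sends real write methods (DELETE, MKCOL, PUT) as alba-shared, so point `PROBE_URL` at a scratch file, not at data you care about.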
