fix: webdav only see public folder even logging in (#231)

src/auth.rs

@@ -80,8 +80,8 @@ impl AccessControl {
         Ok(Self { users, anony })
     }
 
-    pub fn valid(&self) -> bool {
-        !self.users.is_empty() || self.anony.is_some()
+    pub fn exist(&self) -> bool {
+        !self.users.is_empty()
     }
 
     pub fn guard(
@@ -257,18 +257,14 @@ pub enum AuthMethod {
 }
 
 impl AuthMethod {
-    pub fn www_auth(&self, stale: bool) -> Result<String> {
+    pub fn www_auth(&self) -> Result<String> {
         match self {
             AuthMethod::Basic => Ok(format!("Basic realm=\"{REALM}\"")),
-            AuthMethod::Digest => {
-                let str_stale = if stale { "stale=true," } else { "" };
-                Ok(format!(
-                    "Digest realm=\"{}\",nonce=\"{}\",{}qop=\"auth\"",
-                    REALM,
-                    create_nonce()?,
-                    str_stale
-                ))
-            }
+            AuthMethod::Digest => Ok(format!(
+                "Digest realm=\"{}\",nonce=\"{}\",qop=\"auth\"",
+                REALM,
+                create_nonce()?,
+            )),
         }
     }
 

src/server.rs

@@ -1,6 +1,6 @@
 #![allow(clippy::too_many_arguments)]
 
-use crate::auth::AccessPaths;
+use crate::auth::{AccessPaths, AccessPerm};
 use crate::streamer::Streamer;
 use crate::utils::{
     decode_uri, encode_uri, get_file_mtime_and_mode, get_file_name, glob, try_get_file_name,
@@ -340,6 +340,12 @@ impl Server {
             method => match method.as_str() {
                 "PROPFIND" => {
                     if is_dir {
+                        let access_paths = if access_paths.perm().indexonly() {
+                            // see https://github.com/sigoden/dufs/issues/229
+                            AccessPaths::new(AccessPerm::ReadOnly)
+                        } else {
+                            access_paths
+                        };
                         self.handle_propfind_dir(path, headers, access_paths, &mut res)
                             .await?;
                     } else if is_file {
@@ -759,7 +765,7 @@ impl Server {
             uri_prefix: self.args.uri_prefix.clone(),
             allow_upload: self.args.allow_upload,
             allow_delete: self.args.allow_delete,
-            auth: self.args.auth.valid(),
+            auth: self.args.auth.exist(),
             user,
             editable,
         };
@@ -974,7 +980,7 @@ impl Server {
             allow_search: self.args.allow_search,
             allow_archive: self.args.allow_archive,
             dir_exists: exist,
-            auth: self.args.auth.valid(),
+            auth: self.args.auth.exist(),
             user,
             paths,
         };
@@ -999,7 +1005,7 @@ impl Server {
     }
 
     fn auth_reject(&self, res: &mut Response) -> Result<()> {
-        let value = self.args.auth_method.www_auth(false)?;
+        let value = self.args.auth_method.www_auth()?;
         set_webdav_headers(res);
         res.headers_mut().insert(WWW_AUTHENTICATE, value.parse()?);
         // set 401 to make the browser pop up the login box

tests/auth.rs

@@ -201,3 +201,15 @@ fn auth_partial_index(
     );
     Ok(())
 }
+
+#[rstest]
+fn no_auth_propfind_dir(
+    #[with(&["--auth", "user:pass@/:rw", "--auth", "@/dir-assets", "-A"])] server: TestServer,
+) -> Result<(), Error> {
+    let resp = fetch!(b"PROPFIND", server.url()).send()?;
+    assert_eq!(resp.status(), 207);
+    let body = resp.text()?;
+    assert!(body.contains("<D:href>/dir-assets/</D:href>"));
+    assert!(body.contains("<D:href>/dir1/</D:href>"));
+    Ok(())
+}