[Calypso] [PATCH] disable permission checks for OPTIONS

Petter Reinholdtsen pere at hungry.com
Wed Jan 27 03:58:46 PST 2016

One of the patches from chrysn is very simple, and I had a closer look
to see if it could be correct too.  RFC 4791 section 5.1 indicate that
the OPTION request should work without access control (and always report
calendar-access for CalDAV, which calypso already does).

This make me suggest the patch is merged.

>From 955568e6b08efd369fc23577c50e72961ff1e8fe Mon Sep 17 00:00:00 2001
From: chrysn <chrysn at fsfe.org>
Date: Tue, 15 Apr 2014 23:17:37 +0200
Subject: disable permission checks for OPTIONS

a CORS request (eg as issued in chromium) needs a pre-flight OPTIONS
request on the resource, which can't use credentials yet it's the point
of CORS not to send requests from the browser anywhere without that
particular anywhere's consent.

the code behind OPTIONS does not reveal any data (not even presence of a
 calypso/__init__.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/calypso/__init__.py b/calypso/__init__.py
index 8f1625f..5306a83 100644
--- a/calypso/__init__.py
+++ b/calypso/__init__.py
@@ -405,8 +405,7 @@ class CollectionHTTPHandler(server.BaseHTTPRequestHandler):
         self.send_calypso_response(client.CREATED, 0)
-    @check_rights
-    def do_OPTIONS(self, context):
+    def do_OPTIONS(self):
         """Manage OPTIONS request."""
         self.send_calypso_response(client.OK, 0)

Happy hacking
Petter Reinholdtsen

More information about the Calypso mailing list