davmail
caldav port lists DELETE in http OPTIONS command, even when user is not yet authenticated
from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030688
Normally this should only be available for users that are authenticated. However, this is not the case:
    alain@ceres:~$ openssl s_client -connect localhost:2443
    OPTIONS / HTTP/1.0

    HTTP/1.1 200 OK
    Server: DavMail Gateway 5.5.1-trunk
    DAV: 1, calendar-access, calendar-auto-schedule, calendarserver-private-events, addressbook
    Date: Mon, 06 Feb 2023 13:47:07 +0000
    Expires: Mon, 06 Feb 2023 13:47:07 +0000
    Cache-Control: private, max-age=0
    Allow: OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST
    Connection: keep-alive
    Content-Length: 0
Methods that imply write operations should only be listed if a valid Authorization header has been sent by client.
The fix may be as simple as adding a condition in CaldavConnection.sendOptions().
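As an added illustration (not code from the report or from DavMail itself), a small Python helper that parses an OPTIONS reply like the one above, flags the write methods advertised to a client that sent no credentials, and builds the Allow header a fixed gateway could send instead; the sample response is re-typed from the report and the `allow_header` logic is a hypothetical version of the condition the report suggests for `sendOptions()`.

```python
# Methods that change server state; these are the ones the report says
# should only be advertised once a valid Authorization header was seen.
WRITE_METHODS = frozenset(
    {"PUT", "DELETE", "POST", "PROPPATCH", "MKCOL", "MKCALENDAR", "MOVE", "COPY"}
)
# Read-only methods that can safely be listed before authentication.
READ_METHODS = ("OPTIONS", "PROPFIND", "HEAD", "GET", "REPORT")

# Constructed sample: the reply quoted in the report, with CRLF line endings
# and the Date/Expires/Cache-Control headers omitted for brevity.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: DavMail Gateway 5.5.1-trunk\r\n"
    "DAV: 1, calendar-access, calendar-auto-schedule, "
    "calendarserver-private-events, addressbook\r\n"
    "Allow: OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_allow(raw: str) -> list[str]:
    """Return the methods listed in the Allow header of a raw HTTP response."""
    head, _, _ = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def unauthenticated_write_methods(raw: str) -> list[str]:
    """Write methods advertised in a reply to an OPTIONS request sent without
    credentials. A non-empty result reproduces the behaviour in the report."""
    return [m for m in parse_allow(raw) if m in WRITE_METHODS]


def allow_header(authenticated: bool) -> str:
    """Allow header a fixed gateway would send (hypothetical fix, not DavMail's
    own code): write methods appear only after successful authentication."""
    methods = list(READ_METHODS)
    if authenticated:
        methods += ["PROPPATCH", "PUT", "DELETE", "POST"]
    return "Allow: " + ", ".join(methods)
```

Running `unauthenticated_write_methods` over a capture of your own gateway's reply is a quick regression check once the condition in `sendOptions()` is in place.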