View Issue Details

IDProjectCategoryView StatusLast Update
0002104SOGoBackend Calendarpublic2013-01-15 13:36
Reporterwimmer Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
Status closedResolutionfixed 
Product Version2.0.2 
Target Version2.0.4Fixed in Version2.0.4 
Summary0002104: Setting of Calendar Default Access rights for Public Access
Description

It looks SOGo uses the same SOGoCalendarDefaultRoles for both authenticated and unauthenticated users.
I would like to use:
"SOGoCalendarDefaultRoles=PublicDAndTViewer" for "Any Authenticated User"
and
"SOGoCalendarDefaultRoles=None" for "Public Access".

Maybe some new "SOGoCalendarPublicDefaultRoles" parameter could be used for this...
It would be very useful considering different access policy for authenticated and all unauthenticated users respects privacy of our users.

I can sponsor this feature.
Milos

TagsNo tags attached.

Activities

ivit

ivit

2012-11-23 04:52

reporter   ~0004969

I would like just to clarify this issue so to be more obvious for other users.

This issue explains behavior only when you configure SOGoEnablePublicAccess in your sogo config.

So, if if you enable SOGo public access with SOGoEnablePublicAccess config item, it should be up to users to select if they really want to share their calendars publicly (for anonymous users) or not. In any case, such anonymous access should have entry in ACL.

Bottom line is that SOGoEnablePublicAccess should only give possibility that some (e.g Public and/or Confidential and/or Private) events from user's calendar could be accessible for anonymous users. But, by default, for anonymous access following should be in place "SOGoCalendarDefaultRoles=None".

For the time being, it would be good if SOGo team puts "Anonymous access" ACL entry in case SOGoEnablePublicAccess is configured in sogo config. In this way, it will prevent accidental publishing of users calendars in case SOGo admin accidentally (?) adds SOGoEnablePublicAccess.

Personally, I am not using SOGoEnablePublicAccess, but since there is such option, lets see how we can improve it.

ludovic

ludovic

2013-01-11 15:42

administrator   ~0005150

Here's what we suggest.

When you enable SOGoEnablePublicAccess, it won't inherit the SOGoCalendarDefaultRoles for "public accesses". The default role will be "None" unless the user has specified otherwise.

ludovic

ludovic

2013-01-11 15:42

administrator   ~0005151

We won't introduce yet an other configuration parameter, there's already too many in SOGo!

wimmer

wimmer

2013-01-11 17:46

reporter   ~0005158

It sounds good for me.

Please consider still this possibility - to use the same configuration parameter SOGoCalendarDefaultRoles and to implement new strings for PublicAccess.
Here is an example:
SOGoCalendarDefaultRoles = ("PublicViewer", "ConfidentialDAndTViewer", "PublicAccess_PublicDAndTViewer")

It would be understandable for all and it gives good sense - users can set their own rules for Authenticated Users and for Public Access, and administrator can set default rules for Authenticated Users and for Public Access.

ludovic

ludovic

2013-01-15 13:36

administrator   ~0005195

Fix pushed and doc updated: https://github.com/inverse-inc/sogo/commit/2370ecb089e9824eeb55a8e92a6007bd0219e034

Issue History

Date Modified Username Field Change
2012-11-13 14:53 wimmer New Issue
2012-11-23 04:52 ivit Note Added: 0004969
2013-01-11 15:42 ludovic Note Added: 0005150
2013-01-11 15:42 ludovic Note Added: 0005151
2013-01-11 17:46 wimmer Note Added: 0005158
2013-01-14 15:27 ludovic Target Version => 2.0.4
2013-01-15 13:36 ludovic Note Added: 0005195
2013-01-15 13:36 ludovic Status new => closed
2013-01-15 13:36 ludovic Resolution open => fixed
2013-01-15 13:36 ludovic Fixed in Version => 2.0.4