View Issue Details

ID: 0003118
Project: SOGo
Category: ActiveSync
View Status: public
Last Update: 2016-11-21 10:50
Reporter: Mathias Roland
Assigned To: ludovic
Priority: urgent
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.2.16
Fixed in Version: 3.2.2
Summary: 0003118: ActiveSync does not enforce permissions
Description
  1. Other users' calendars are automatically synchronized.

  2. ActiveSync does not respect the "Synchronize" flag in permissions.

    • Calendars from other users are synchronized when the flag is disabled.

  3. ActiveSync does not enforce permission while synchronizing calendars from other users.

    • While synchronizing a calendar from another user, the permission to only view the time and date of an event and not the content is not enforced. On the Windows Phone, all events are visible, including those which should not be visible, with the whole contents of the event and not only the time.
Tags: No tags attached.

Relationships

has duplicate 0003440 (closed, ludovic): Permission issues with Shared Calendars on iOS
related to 0003180 (resolved, ludovic): Subscribed addressbooks are synchronized via EAS only if user has all permissions on it

Activities

ludovic

2015-03-18 10:55

administrator   ~0008302

Just for your information, we have a patch for this. But we're still polishing it.

Mathias Roland

2015-07-09 03:26

reporter   ~0008715

How long do you need to publish the patch?

ludovic

2015-10-20 15:35

administrator   ~0009016

1 and 2 are fixed with: https://github.com/inverse-inc/sogo/commit/fc9b175f25460b870335c397b03086e347e1af5a

tfu

2015-10-24 04:43

reporter   ~0009059

Personal folders (calendar/contacts) are no longer synced with above fix.

ludovic

2015-11-05 11:12

administrator   ~0009074

Try this fix:

https://github.com/inverse-inc/sogo/commit/9d310237246ba79a316a4cb006368ddd53c20a87

McMichaeli

2016-05-12 15:55

reporter   ~0010132

Case 3 observed here with Android 6 native EAS. A private calendar event in my calendar is sync'd to another user with "Private: None" access. The event is not displayed in the other user's calendar in webmail or via CalDAV in Thunderbird.

The record sent to the Android device contains all the details along with the tag:

<Sensitivity xmlns="Calendar:">2</Sensitivity>

I personally would prefer the back-end to not rely on the client failing to display something and implement the security during sync, if this is possible?
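
The server-side enforcement asked for in the note above, sketched as an added example (not SOGo code and not part of this thread): events are dropped or redacted according to the subscriber's granted access before any record is built for the device. The access-level names, the ACL dictionary and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# EAS Calendar Sensitivity values: 0 normal, 1 personal, 2 private, 3 confidential.
# Mapping them to ACL classes is an assumption of this sketch; values that are
# not mapped fall through to "no access" (fail closed).
CLASS_OF = {0: "public", 2: "private", 3: "confidential"}

# Hypothetical access levels an owner can grant per event class.
NONE, DATE_TIME_ONLY, VIEW_ALL = "none", "date_time", "view_all"

# Constructed sample events from the owner's calendar.
EVENTS = [
    {"subject": "Team sync", "location": "Room 4",
     "start": "20160512T090000Z", "end": "20160512T093000Z", "sensitivity": 0},
    {"subject": "Medical appointment", "location": "Clinic",
     "start": "20160512T140000Z", "end": "20160512T150000Z", "sensitivity": 2},
]


def records_for_subscriber(events, acl):
    """Build the Calendar records a subscriber is allowed to receive.

    acl maps an event class ("public", "private", ...) to an access level.
    The decision is made here, on the server, so the client never holds
    data it would merely be expected to hide.
    """
    records = []
    for ev in events:
        level = acl.get(CLASS_OF.get(ev["sensitivity"]), NONE)
        if level == NONE:
            continue  # the event never leaves the server
        fields = {"StartTime": ev["start"], "EndTime": ev["end"],
                  "Sensitivity": str(ev["sensitivity"])}
        if level == VIEW_ALL:
            fields.update(Subject=ev["subject"], Location=ev["location"])
        # Simplified container; a real Sync response wraps this further.
        data = ET.Element("ApplicationData")
        for tag, value in fields.items():
            ET.SubElement(data, "{Calendar:}" + tag).text = value
        records.append(data)
    return records


def to_xml(record):
    """Serialize one record to text, e.g. for logging or inspection."""
    return ET.tostring(record, encoding="unicode")


if __name__ == "__main__":
    # Subscriber with full access to public events, time-only on private ones.
    for rec in records_for_subscriber(
            EVENTS, {"public": VIEW_ALL, "private": DATE_TIME_ONLY}):
        print(to_xml(rec))
```
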

Related Changesets

sogo: master f7c44863

2016-11-21 10:45:27

ludovic

(feat) relaxed permission requirements for subscription synchronizations (fixes 0003118 and 0003180)

Affected Issues: 0003118

mod - ActiveSync/SOGoActiveSyncDispatcher+Sync.m
mod - ActiveSync/SOGoActiveSyncDispatcher.m
mod - NEWS

sogo: v2 73d663fe

2016-11-21 10:45:27

ludovic

(feat) relaxed permission requirements for subscription synchronizations (fixes 0003118 and 0003180)

Conflicts:

NEWS

Affected Issues: 0003118

mod - ActiveSync/SOGoActiveSyncDispatcher+Sync.m
mod - ActiveSync/SOGoActiveSyncDispatcher.m
mod - NEWS

Issue History

Date Modified Username Field Change
2015-02-27 05:33 Mathias Roland New Issue
2015-03-18 10:55 ludovic Note Added: 0008302
2015-07-09 03:26 Mathias Roland Note Added: 0008715
2015-10-20 15:35 ludovic Note Added: 0009016
2015-10-24 04:43 tfu Note Added: 0009059
2015-11-05 11:12 ludovic Note Added: 0009074
2016-01-18 05:59 Christian Mack Relationship added has duplicate 0003440
2016-05-12 15:55 McMichaeli Note Added: 0010132
2016-11-21 10:46 ludovic Changeset attached => sogo master f7c44863
2016-11-21 10:46 ludovic Assigned To => ludovic
2016-11-21 10:46 ludovic Resolution open => fixed
2016-11-21 10:47 ludovic Status new => resolved
2016-11-21 10:47 ludovic Fixed in Version => 3.2.2
2016-11-21 10:47 ludovic Relationship added related to 0003180
2016-11-21 10:50 ludovic Changeset attached => sogo v2 73d663fe