View Issue Details

IDProjectCategoryView StatusLast Update
0004344SOGoBackend Calendarpublic2017-12-18 15:32
Reporterrp_ocram Assigned Tofrancis  
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Platform[Server] LinuxOSDebianOS Version8 (Jessie)
Product Version3.2.10 
Fixed in Version4.0.0 
Summary0004344: Public Access to Calendar via iCal url can not be revoked.
Description

I set SOGoEnablePublicAccess to true to use a Calendar via iCal to access without Authorization. After I switched user rights for public user to "Modifier" I could not go back to "None". It always stays "Modifier" and I was still able to see all the events in File downloaded by the public iCal URL.

Steps To Reproduce
  • Enable Public Access to Calendars by setting SOGoEnablePublicAccess=true
  • Set User Rights for public user to "Modifier" (e.g. for Public Events)
  • Download .ics file via the public url
  • Set back User rights to None
  • You are still able to download the .ics file via the public access url and still see all the events with all the details
TagsNo tags attached.

Activities

Christian Mack

Christian Mack

2017-11-28 04:59

developer   ~0012444

SOGoEnablePublicAccess = TRUE; means everyone has read access.
That is independant from privileges set on the calendar level.
Therefore this works as intended.

rp_ocram

rp_ocram

2017-11-28 05:09

reporter   ~0012445

Ok, i am a little bit confused. Unless I grant Modifier Access to my Calendar i can go back and forth granting DAndT Access and then No Access again. Only when I grant Modifier Access I can not go back to fewer rights.

And the Documentation for SOGoEnablePublicAccess = true also reads a little bit different.

"Parameter used to allow or not your users to
share publicly (ie.,requiring not authentication)
their calendars and addressbooks.
Possible values are:
? YES–toallowthem
? NO–topreventthemfromdoingso
"

Christian Mack

Christian Mack

2017-11-28 07:37

developer   ~0012450

Sorry I did not get your problem.
As you were talking about "Modify" privilege, I assumed you added additional privileges for one user.

Now I see, that you actually can set "Respond To" and "Modify" privileges to "Public Access" in the current V3 SOGo version.
That is wrong!
And wasn't possible before.
For "Public Access" you only should be able to give "None", "View Date and Time" and "View All" privileges.

I assume that is the heart of your problem.
As you should not be able to give that privilege, in code it is not possible to revoke it either.

Can you remove that bogus ACL with the following command?
/usr/sbin/sogo-tool manage-acl remove ${USER} Calendar/${CALENDAR_ID} anonymous

Hint:
You have to restart memcached afterwards.

rp_ocram

rp_ocram

2017-11-28 09:03

reporter   ~0012454

That is exactly my Problem.
Your Command cleaned up my ACL again. Thank you for that.

Related Changesets

sogo: master de91b578

2017-12-18 15:31:43

francis

Details Diff
Fix handling of public access rights of Calendars

Fixes 0004344
Affected Issues
0004344
mod - UI/Common/UIxUserRightsEditor.m Diff File
mod - UI/Scheduler/UIxCalUserRightsEditor.m Diff File
mod - UI/Templates/ContactsUI/UIxContactFoldersView.wox Diff File
mod - UI/Templates/SchedulerUI/UIxCalMainView.wox Diff File
mod - UI/Templates/UIxAclEditor.wox Diff File
mod - UI/WebServerResources/js/Common/AclController.js Diff File

Issue History

Date Modified Username Field Change
2017-11-27 15:10 rp_ocram New Issue
2017-11-28 04:59 Christian Mack Note Added: 0012444
2017-11-28 05:09 rp_ocram Note Added: 0012445
2017-11-28 07:37 Christian Mack Note Added: 0012450
2017-11-28 09:03 rp_ocram Note Added: 0012454
2017-12-18 15:32 francis Changeset attached => sogo master de91b578
2017-12-18 15:32 francis Assigned To => francis
2017-12-18 15:32 francis Resolution open => fixed
2017-12-18 15:32 francis Status new => resolved
2017-12-18 15:32 francis Fixed in Version => 4.0.0