View Issue Details

ID: 0004331
Project: SOGo
Category: Web Calendar
View Status: public
Last Update: 2018-01-17 19:51
Reporter: Pif
Assigned To: francis
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.2.10
Fixed in Version: 4.0.0
Summary: 0004331: Web calendars shared to everybody by default
Description

Once a user subscribes to a web calendar, it seems the web calendars can be subscribed to by everybody (read access) and can't be modified.

I tried to play with SOGoCalendarDefaultRoles ('None') and SOGoEnablePublicAccess ('NO') with no luck. Bug?

Steps To Reproduce
  • User A adds a web calendar by subscribing in SOGo to his own Google Agenda (for example), entering the Google private link.

  • No rights management for web calendars, only 'Properties'.

  • User B goes to subscriptions, clicks (+), searches "user A", and can subscribe to the private Google Agenda of "user A" (read access only).

Tags: No tags attached.

Activities

Christian Mack

2017-11-06 08:11

developer   ~0012409

Do you have to provide authentication in order to subscribe to the web calendar?

Pif

2017-11-06 08:50

reporter   ~0012412

No, that's a private URL from Google Agenda which looks like this:

https://calendar.google.com/calendar/ical/test%40gmail.com/private-9bgb59c8d9363ab12af4a9d561b37/basic.ics

Once entered in SOGo, it appears active on 'Web Calendars'.

Christian Mack

2017-11-06 10:51

developer   ~0012413

Then this URL (and the calendar) is world readable anyway.

Pif

2017-11-06 13:44

reporter   ~0012414

Sure, but nobody can guess the link... So unless you give the link, nobody can read your private calendar....

Totally different from «Let's search on SOGo for the name of the nice girl at the next desk to see her private calendar»... See what I mean? ;)

So maybe it's not a bug, but it's not a feature anybody wants enabled by default...

Christian Mack

2017-11-06 17:02

developer   ~0012415

Last edited: 2017-11-06 17:03

It is not that secure, as you can brute force the search for that link.
But I agree that it seems easier to get it when used via SOGo (you also need the account, which means the name of that girl :-)

Perhaps web calendars shouldn't be shareable in SOGo at all,
as the owner of such a web calendar can decide for him/herself whom to provide access.
With that, each SOGo user would have to subscribe to the original calendar, instead of a shared one inside SOGo.
That way looks cleaner to me.

Pif

2017-11-09 13:01

reporter   ~0012418

Last edited: 2017-11-09 13:06

Brute force the search for the link? You are kidding, right?

Even if you know the Gmail address, there are 36^30 possibilities between «private» and «basic.ics», and no doubt Google would have already permanently banned you after your fifth try... :)

Waaay easier to search in SOGo for private web calendars shared by default...

I agree web calendars shouldn't be shareable in SOGo at all... Or need a better way to manage access...

Related Changesets

sogo: master 3c30997b

2017-11-16 11:41

francis

Don't expose Web calendars to other users

Fixes 0004331

Affected Issues: 0004331
mod - NEWS
mod - SoObjects/Appointments/SOGoAppointmentFolders.m

sogo: v2 4e04d895

2017-11-16 11:41

francis

Don't expose Web calendars to other users

Fixes 0004331

Affected Issues: 0004331
mod - NEWS
mod - SoObjects/Appointments/SOGoAppointmentFolders.m

Issue History

Date Modified Username Field Change
2017-11-03 11:20 Pif New Issue
2017-11-06 08:11 Christian Mack Note Added: 0012409
2017-11-06 08:50 Pif Note Added: 0012412
2017-11-06 10:51 Christian Mack Note Added: 0012413
2017-11-06 13:44 Pif Note Added: 0012414
2017-11-06 17:02 Christian Mack Note Added: 0012415
2017-11-06 17:03 Christian Mack Note Edited: 0012415
2017-11-09 13:01 Pif Note Added: 0012418
2017-11-09 13:03 Pif Note Edited: 0012418
2017-11-09 13:04 Pif Note Edited: 0012418
2017-11-09 13:05 Pif Note Edited: 0012418
2017-11-09 13:06 Pif Note Edited: 0012418
2017-11-16 16:43 francis Changeset attached => sogo master 3c30997b
2017-11-16 16:43 francis Assigned To => francis
2017-11-16 16:43 francis Resolution open => fixed
2017-11-16 16:44 francis Status new => resolved
2017-11-16 16:44 francis Fixed in Version => 4.0.0
2018-01-17 19:51 francis Changeset attached => sogo v2 4e04d895