SOGo - BTS - SOGo
View Issue Details
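ID: 0004331
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2017-11-03 07:20
Last Update: 2018-01-17 14:51
Reporter: Pif
Assigned To: francis
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.2.10
Fixed in Version: 4.0.0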
0004331: Web calendars shared to everybody by default
Once a user subscribes to a web calendar, it seems the web calendar can be subscribed to by everybody (read access) and can't be modified.

I tried to play with SOGoCalendarDefaultRoles ('None') and SOGoEnablePublicAccess ('NO') with no luck. Bug?
- user A adds a web calendar by subscribing in SOGo to his own Google Agenda (for example), entering the Google private link.

- no rights management for web calendars, only 'Properties'.

- user B goes to subscriptions, clicks (+), searches "user A", and can subscribe to the private Google Agenda of "user A" (read access only).
No tags attached.
Issue History
2017-11-03 07:20 | Pif | New Issue
2017-11-06 03:11 | Christian Mack | Note Added: 0012409
2017-11-06 03:50 | Pif | Note Added: 0012412
2017-11-06 05:51 | Christian Mack | Note Added: 0012413
2017-11-06 08:44 | Pif | Note Added: 0012414
2017-11-06 12:02 | Christian Mack | Note Added: 0012415
2017-11-06 12:03 | Christian Mack | Note Edited: 0012415
2017-11-09 08:01 | Pif | Note Added: 0012418
2017-11-09 08:03 | Pif | Note Edited: 0012418
2017-11-09 08:04 | Pif | Note Edited: 0012418
2017-11-09 08:05 | Pif | Note Edited: 0012418
2017-11-09 08:06 | Pif | Note Edited: 0012418
2017-11-16 11:43 | francis | Changeset attached => sogo master 3c30997b
2017-11-16 11:43 | francis | Assigned To => francis
2017-11-16 11:43 | francis | Resolution: open => fixed
2017-11-16 11:44 | francis | Status: new => resolved
2017-11-16 11:44 | francis | Fixed in Version => 4.0.0
2018-01-17 14:51 | francis | Changeset attached => sogo v2 4e04d895

Notes
(0012409)
Christian Mack   
2017-11-06 03:11   
Do you have to provide authentication in order to subscribe to the web calendar?
(0012412)
Pif   
2017-11-06 03:50   
No, that's a private URL from Google Agenda which looks like this:

https://calendar.google.com/calendar/ical/test%40gmail.com/private-9bgb59c8d9363ab12af4a9d561b37/basic.ics

Once entered in SOGo, it appears active in 'Web Calendars'.
(0012413)
Christian Mack   
2017-11-06 05:51   
Then this URL (and the calendar) is world readable anyway.
(0012414)
Pif   
2017-11-06 08:44   
Sure, but nobody can guess the link... So unless you give the link, nobody can read your private calendar....

Totally different from «Let's search on SOGo the name of the nice girl on the next desk to see her private calendar»... See what I mean? ;)

So maybe it's not a bug, but it's not a feature anybody wants enabled by default...
(0012415)
Christian Mack   
2017-11-06 12:02   
(edited on: 2017-11-06 12:03)
It is not that secure, as you can brute force the search for that link.
But I agree, that it seems easier to get it, when used via SOGo (you also need the account, which means the name of that girl :-)

Perhaps web calendars shouldn't be shareable in SOGo at all.
As the owner of such a web calendar can decide for him/herself whom to provide access.
With that, each SOGo user would have to subscribe to the original calendar, instead of a shared one inside SOGo.
That way looks cleaner to me.

(0012418)
Pif   
2017-11-09 08:01   
(edited on: 2017-11-09 08:06)
Brute force the search of the link? You are kidding, right?

Even if you know the gmail address, there are 36^30 possibilities between «private» and «basic.ics», and no doubt Google would have already permanently banned you after your fifth try... :)

Waaay more easy to search in SOGo for private web calendars shared by default...

I agree web calendars shouldn't be shareable in SOGo at all... Or need a better way to manage access...