View Issue Details

ID: 0004050
Project: SOGo
Category: ActiveSync
View Status: public
Last Update: 2017-03-02 08:36
Reporter: rci
Assigned To:
Priority: immediate
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 3.2.7
Summary: 0004050: Confidential and private entries exposed in Outlook (ActiveSync)
Description

Confidential entries are handled well in the web interface and Thunderbird but are fully visible in Outlook (connected with ActiveSync). In our case it's Outlook 2013.

Steps To Reproduce

Enter an event and make it either confidential (only time and date visible) or private (same permissions).
Log in with another user account not involved in this event using Outlook.

Additional Information

Also see issue 0003888

Tags: No tags attached.

Activities

ludovic

2017-02-22 13:45

administrator   ~0011352

I've just tried it and it does work.

That code has NOT changed in a long time.

So either your SOGoCalendarDefaultRoles is wrong, you're using a SOGoSuperUsernames or the calendar permissions are wrong.

Provide more evidence if you want.

robert.k

2017-02-22 14:05

reporter   ~0011355

User is not included in SuperUsers and the permissions weren't changed for a long time. I checked it right now.
In TB and SOGoWeb everything is fine. Just in Outlook you see all details.

rci

2017-02-22 14:20

reporter   ~0011356

Last edited: 2017-02-23 07:22

/* General */
[other entries]
SOGoCalendarDefaultRoles = ( PublicViewer, ConfidentialDAndTViewer, PrivateDAndTViewer );
SOGoSuperUsernames = ([our admin accounts]); // This is an array - keep the parens!

[] marks removed information; the admin accounts are not involved in the events in question.

robert.k

2017-02-23 07:12

reporter  

rights_auth.png (18,393 bytes)

robert.k

2017-02-23 07:12

reporter  

rights_public.png (12,585 bytes)

robert.k

2017-02-23 07:13

reporter  

event_details_in_outlook.png (44,790 bytes)

robert.k

2017-02-23 07:13

reporter  

ou_cal_user1.png (31,637 bytes)

robert.k

2017-02-23 07:13

reporter  

tb_cal_user1.png (31,422 bytes)

robert.k

2017-02-23 07:17

reporter   ~0011363

I subscribe the calendar of user1. I use the same user to subscribe in Outlook and Thunderbird. The rights in SOGoWeb are the same for every user, but I post the rights directly from the user which I subscribed.
In SOGoWeb and TB everything is as expected. In OU I could see the private event.

ludovic

2017-02-23 13:41

administrator   ~0011367

Tested again.

sogo1 shares his personal calendar with sogo3:

public: view all
confidential: view date and time
private: none

Created 3 events from SOGo's web interface, each with a different access level.

sogo3 subscribes to sogo1's calendar and activates the synchronize flag to have it in Outlook.

Outlook sees 2 events: the public one with all details, and the confidential one with only the title with a swapped value set at "(Confidential event)".

robert.k

2017-02-23 14:41

reporter  

sogoweb_view_from_sogo3.png (58,148 bytes)

robert.k

2017-02-23 14:42

reporter  

outlook_view_sogo3.png (30,609 bytes)

robert.k

2017-02-23 14:45

reporter  

outlook_sogo3.png (43,740 bytes)

robert.k

2017-02-23 14:49

reporter   ~0011370

Last edited: 2017-02-23 14:51

We reproduced it your way. If we do it the same way as you, it works all fine. See screenshot 2017-02-23 15:41.

BUT!!!
If we choose in Outlook -> Add Calendar -> From Internet -> and use the WebDAV ICS URL "https://sogo.example.de/SOGo/dav/sogo1/Calendar/personal.ics" in Outlook, the private rights are lost and you can see every event detail. See screenshot 2017-02-23 15:45.
The green one is added with "Synchronize (Microsoft Enterprise ActiveSync)", the red one is added with the WebDAV ICS URL.

Forget screenshot 2017-02-23 15:42; the event names are too confusing and I didn't make a sync.

ludovic

2017-02-23 14:57

administrator   ~0011371

That has nothing to do with ActiveSync.

When you added that ICS subscription in Outlook, it requires authentication to access it. Then, you have provided "sogo1's" credentials and NOT the credentials of "sogo3".

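Added illustration for this thread (not SOGo's own code): a small Python model of the server-side redaction ludovic describes, using the role names from rci's SOGoCalendarDefaultRoles and the grants from ludovic's test, to show that what a client receives depends only on which account the server authenticated, so a subscription made with sogo1's credentials gets the owner's unredacted view. The role-name pattern "<Class>Viewer" / "<Class>DAndTViewer", the "(Private event)" title placeholder and the sample calendar are assumptions of this example.

```python
import re
# Constructed sample of sogo1's calendar (not one of the ticket's attachments).
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:pub-1
DTSTART:20170223T090000Z
SUMMARY:Team meeting
CLASS:PUBLIC
END:VEVENT
BEGIN:VEVENT
UID:conf-1
DTSTART:20170223T110000Z
SUMMARY:Salary review with HR
CLASS:CONFIDENTIAL
END:VEVENT
BEGIN:VEVENT
UID:priv-1
DTSTART:20170223T140000Z
SUMMARY:Doctor appointment
CLASS:PRIVATE
END:VEVENT
END:VCALENDAR
"""

# Grants from ludovic's test (public: view all, confidential: date and time, private: none); role names as in rci's SOGoCalendarDefaultRoles.
GRANTS_LUDOVIC_TEST = {"sogo3": {"PublicViewer", "ConfidentialDAndTViewer"}}
DT_KEYS = ("UID", "DTSTART", "DTEND", "CLASS")  # what a date-and-time viewer keeps

def parse_ics(text):
    """Tiny VEVENT reader for the sample above (not a full RFC 5545 parser)."""
    events = []
    for block in re.findall(r"BEGIN:VEVENT\n(.*?)END:VEVENT", text, re.S):
        ev = dict(line.partition(":")[::2] for line in block.strip().splitlines())
        ev.setdefault("CLASS", "PUBLIC")  # RFC 5545 default when CLASS is absent
        events.append(ev)
    return events

def visible_events(events, owner, viewer, grants):
    """Events as returned to a request the server authenticated as `viewer`."""
    if viewer == owner:                 # owner's own credentials: nothing is redacted
        return [dict(ev) for ev in events]
    roles, out = grants.get(viewer, set()), []
    for ev in events:
        cls = ev["CLASS"].capitalize()  # "Public" / "Confidential" / "Private"
        if f"{cls}Viewer" in roles:     # assumed pattern: <Class>Viewer = full details
            out.append(dict(ev))
        elif f"{cls}DAndTViewer" in roles:  # date and time only; title swapped out
            out.append({**{k: ev[k] for k in DT_KEYS if k in ev}, "SUMMARY": f"({cls} event)"})
        # no role for this class: the event is not returned at all
    return out
```
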
robert.k

2017-02-24 06:47

reporter   ~0011375

Last edited: 2017-02-24 08:55

Sorry that I led you on the wrong track with Outlook EAS. That was our fault.

I don't have to enter credentials if I add the calendar this way.
And it worked the whole time we used SOGo before, and sogo3 doesn't have the same rights as sogo1: he can't add, modify or delete events in the subscribed calendar.

Now we configure the Outlook clients again with the ActiveSync way on subscribed calendars. But the option is a newer one. In our roll-out version we didn't have this option.

But it doesn't fix this security hole and it keeps the door open to get information on events that are private or confidential.

If the calendar has been subscribed in Thunderbird using the ICS link, rights settings are taken into account.

robert.k

2017-02-24 08:21

reporter  

tb_ics.png (15,673 bytes)

ludovic

2017-02-28 13:47

administrator   ~0011388

Done a new test again this morning, all is fine.

This ticket would require investigation on the server itself.

rci

2017-03-01 06:51

reporter   ~0011391

What kind of investigation on the server would you suggest?
Do you need log files or sogo.conf? Then I need a less public path to submit it.

ludovic

2017-03-02 01:09

administrator   ~0011404

Investigation on the server itself means testing with a test account, debugging the log files, attaching to processes using gdb, reviewing configuration files, etc. That requires a valid support contract.

rci

2017-03-02 08:36

reporter   ~0011406

Thank you for the information.
We are going to renew our support contract (re. priority tickets) in the future.

Before that we have to wait to see whether the decision to work with SOGo remains valid. In my opinion it should. But it's the CIO's decision. It depends on the reliability of SOGo with Outlook 2013 as client.

Issue History

Date Modified Username Field Change
2017-02-22 13:36 rci New Issue
2017-02-22 13:42 ludovic Severity major => minor
2017-02-22 13:45 ludovic Note Added: 0011352
2017-02-22 14:05 robert.k Note Added: 0011355
2017-02-22 14:20 rci Note Added: 0011356
2017-02-23 06:55 rci Note Edited: 0011356
2017-02-23 07:12 robert.k File Added: rights_auth.png
2017-02-23 07:12 robert.k File Added: rights_public.png
2017-02-23 07:13 robert.k File Added: event_details_in_outlook.png
2017-02-23 07:13 robert.k File Added: ou_cal_user1.png
2017-02-23 07:13 robert.k File Added: tb_cal_user1.png
2017-02-23 07:17 robert.k Note Added: 0011363
2017-02-23 07:22 rci Note Edited: 0011356
2017-02-23 13:41 ludovic Note Added: 0011367
2017-02-23 14:41 robert.k File Added: sogoweb_view_from_sogo3.png
2017-02-23 14:42 robert.k File Added: outlook_view_sogo3.png
2017-02-23 14:45 robert.k File Added: outlook_sogo3.png
2017-02-23 14:49 robert.k Note Added: 0011370
2017-02-23 14:50 robert.k Note Edited: 0011370
2017-02-23 14:51 robert.k Note Edited: 0011370
2017-02-23 14:57 ludovic Note Added: 0011371
2017-02-24 06:47 robert.k Note Added: 0011375
2017-02-24 07:19 robert.k Note Edited: 0011375
2017-02-24 07:20 robert.k Note Edited: 0011375
2017-02-24 08:21 robert.k File Added: tb_ics.png
2017-02-24 08:44 robert.k Note Edited: 0011375
2017-02-24 08:55 robert.k Note Edited: 0011375
2017-02-28 13:47 ludovic Note Added: 0011388
2017-03-01 06:51 rci Note Added: 0011391
2017-03-02 01:09 ludovic Note Added: 0011404
2017-03-02 08:36 rci Note Added: 0011406