View Issue Details

ID: 0004216
Project: SOGo
Category: Backend Calendar
View Status: public
Last Update: 2019-03-13 13:09
Reporter: Peter2121
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 3.2.7
Fixed in Version: 4.0.8
Summary: 0004216: Modification of event using admin account is impossible
Description

It seems that modification of an event with an invited person by CalDAV is impossible using SOGoSuperUsernames accounts. One can delete the event, but cannot modify it.
The error returned by the server is "HTTP/1.1 409 Conflict":
Not allowed to perform this action. Wrong SENT-BY being used regarding access rights on organizer's calendar.

Steps To Reproduce
  1. Create an event in a user's calendar and invite at least one person (not the administrator).
  2. Configure a CalDAV client (Thunderbird/Lightning) to access the calendar, using the account of an administrator (mentioned in SOGoSuperUsernames).
  3. Try to modify the event (change the date, for example) - the server returns status 409 ("Wrong SENT-BY...").
  4. Try to delete the event - no problem, the server returns status 204 as expected.
Additional Information

Normally, one doesn't need additional ACLs for a SOGoSuperUsernames account to manipulate the events of other users. This seems to be the case for all operations except modification of events with at least one invited person.
It seems to be a bug in the ACL verification: during the verification of roles (on PUT of the modified event) the membership in SOGoSuperUsernames is not checked.
BTW, adding permissions using the SOGo web interface does not change the behavior.

Tags: No tags attached.

Activities

ste

2017-08-07 13:48

reporter   ~0012153

Last edited: 2017-08-07 13:49

Same here with the latest SOGo, Outlook 2013 and caldavsynchronizer 2.22.2.
I believe the affected calendar events were previously made by an Android CalDAV client. caldavsynchronizer shows the mentioned error on every sync.

Peter2121

2017-10-26 15:37

reporter   ~0012403

Last edited: 2017-10-26 15:38

Fixed for me by modifying SOGoAppointmentObject.m:

    if (![roles containsObject: @"ComponentModifier"])
      {
        return [NSException exceptionWithHTTPStatus: 409
                                             reason: @"Not allowed to perform this action. Wrong SENT-BY being used regarding access rights on organizer's calendar."];
      }

To:

    // Only reject the update when the active user lacks the
    // ComponentModifier role AND is not a super user.
    if (![roles containsObject: @"ComponentModifier"] && ![[context activeUser] isSuperUser])
      {
        return [NSException exceptionWithHTTPStatus: 409
                                             reason: @"Not allowed to perform this action. Wrong SENT-BY being used regarding access rights on organizer's calendar."];
      }

Hope to see it fixed in the next release.

Peter2121

2019-03-13 08:56

reporter   ~0013445

Dear developers,
I reported this bug 1.5 years ago and I proposed a fix that works correctly.
What is the reason for ignoring this bug?

Related Changesets

sogo: master 47456c9e
2019-03-13 09:08, francis

Allow super users to modify any event

Fixes 0004216

Affected Issues: 0004216
Modified files:
  NEWS
  SoObjects/Appointments/SOGoAppointmentObject.m

Issue History

Date Modified | Username | Field | Change
2017-07-05 15:10 Peter2121 New Issue
2017-07-05 15:14 ludovic Severity major => minor
2017-08-07 13:48 ste Note Added: 0012153
2017-08-07 13:49 ste Note Edited: 0012153
2017-10-26 15:37 Peter2121 Note Added: 0012403
2017-10-26 15:38 Peter2121 Note Edited: 0012403
2019-03-13 08:56 Peter2121 Note Added: 0013445
2019-03-13 13:09 francis Changeset attached => sogo master 47456c9e
2019-03-13 13:09 francis Assigned To => francis
2019-03-13 13:09 francis Resolution open => fixed
2019-03-13 13:09 francis Status new => resolved
2019-03-13 13:09 francis Fixed in Version => 4.0.8