Scalable OGo (SOGo)

View Issue Details
ID: 0004331
Project: SOGo
Category: Web Calendar
View Status: public
Date Submitted: 2017-11-03 07:20
Last Update: 2017-11-16 11:44
Assigned To: francis
Platform:
OS:
OS Version:
Product Version: 3.2.10
Target Version:
Fixed in Version: 3.2.11
Summary: 0004331: Web calendars shared to everybody by default

Description: Once a user subscribes to a web calendar, it seems the web calendars can be subscribed to by everybody (read access) and can't be modified.

I tried to play with SOGoCalendarDefaultRoles ('None') and SOGoEnablePublicAccess ('NO') with no luck. Bug?

Steps To Reproduce:

- user A adds a web calendar by subscribing in SOGo to his own Google Agenda (for example), entering the Google private link.

- no rights management for web calendars, only 'Properties'.

- user B goes to subscriptions, clicks (+), searches for "user A", and can subscribe to the private Google Agenda of "user A" (read access only).
Tags: No tags attached.

Notes

(0012409)
Christian Mack (developer)
2017-11-06 03:11

Do you have to provide authentication in order to subscribe to the web calendar?
Pif (reporter)
2017-11-06 03:50

No, that's a private URL from Google Agenda which looks like this: [^]

Once entered in SOGo, it appears active under 'Web Calendars'.

(0012413)
Christian Mack (developer)
2017-11-06 05:51

Then this URL (and the calendar) is world readable anyway.
Pif (reporter)
2017-11-06 08:44

Sure, but nobody can guess the link... So unless you give the link, nobody can read your private calendar....

Totally different from «Let's search on SOGo for the name of the nice girl at the next desk to see her private calendar»... See what I mean? ;)

So maybe it's not a bug, but it's not a feature anybody wants enabled by default...

(0012415)
Christian Mack (developer)
2017-11-06 12:02
edited on: 2017-11-06 12:03

It is not that secure, as you can brute-force the search for that link.
But I agree that it seems easier to get it when used via SOGo (you also need the account, which means the name of that girl :-)

Perhaps web calendars shouldn't be shareable in SOGo at all.
The owner of such a web calendar can decide for him/herself whom to provide access to.
With that, each SOGo user would have to subscribe to the original calendar, instead of a shared one inside SOGo.
That way looks cleaner to me.

Pif (reporter)
2017-11-09 08:01
edited on: 2017-11-09 08:06

Brute-force the search of the link? You are kidding, right?

Even if you know the Gmail address, there are 36^30 possibilities between «private» and «basic.ics», and no doubt Google would have already permanently banned you after your fifth try... :)

Waaay easier to search in SOGo for private web calendars shared by default...

I agree web calendars shouldn't be shareable in SOGo at all... Or we need a better way to manage access...

Related Changesets

sogo: master 3c30997b
Timestamp: 2017-11-16 11:41:36
Author: francis

Don't expose Web calendars to other users

Fixes 0004331

mod - NEWS
mod - SoObjects/Appointments/SOGoAppointmentFolders.m

Issue History

Date Modified | Username | Field | Change
2017-11-03 07:20 | Pif | New Issue |
2017-11-06 03:11 | Christian Mack | Note Added: 0012409 |
2017-11-06 03:50 | Pif | Note Added: 0012412 |
2017-11-06 05:51 | Christian Mack | Note Added: 0012413 |
2017-11-06 08:44 | Pif | Note Added: 0012414 |
2017-11-06 12:02 | Christian Mack | Note Added: 0012415 |
2017-11-06 12:03 | Christian Mack | Note Edited: 0012415 |
2017-11-09 08:01 | Pif | Note Added: 0012418 |
2017-11-09 08:03 | Pif | Note Edited: 0012418 |
2017-11-09 08:04 | Pif | Note Edited: 0012418 |
2017-11-09 08:05 | Pif | Note Edited: 0012418 |
2017-11-09 08:06 | Pif | Note Edited: 0012418 |
2017-11-16 11:43 | francis | Changeset attached | => sogo master 3c30997b
2017-11-16 11:43 | francis | Assigned To | => francis
2017-11-16 11:43 | francis | Resolution | open => fixed
2017-11-16 11:44 | francis | Status | new => resolved
2017-11-16 11:44 | francis | Fixed in Version | => 3.2.11
