View Issue Details
ID: 0004344
Project: SOGo
Category: Backend Calendar
View Status: public
Date Submitted: 2017-11-27 15:10
Last Update: 2017-12-18 15:32
Assigned To: francis
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 3.2.10
Target Version:
Fixed in Version: 4.0.0
Summary: 0004344: Public Access to Calendar via iCal url can not be revoked.
Description: I set SOGoEnablePublicAccess to true to use a Calendar via iCal to access without Authorization. After I switched user rights for public user to "Modifier" I could not go back to "None". It always stays "Modifier" and I was still able to see all the events in File downloaded by the public iCal URL.
Steps To Reproduce:
- Enable Public Access to Calendars by setting SOGoEnablePublicAccess=true
- Set User Rights for public user to "Modifier" (e.g. for Public Events)
- Download .ics file via the public url
- Set back User rights to None
- You are still able to download the .ics file via the public access url and still see all the events with all the details
Tags: No tags attached.

-  Notes
(0012444)
Christian Mack (developer)
2017-11-28 04:59

SOGoEnablePublicAccess = TRUE; means everyone has read access.
That is independent from privileges set on the calendar level.
Therefore this works as intended.

(0012445)
rp_ocram (reporter)
2017-11-28 05:09

Ok, I am a little bit confused. Unless I grant Modifier Access to my Calendar I can go back and forth granting DAndT Access and then No Access again. Only when I grant Modifier Access I can not go back to fewer rights.

And the Documentation for SOGoEnablePublicAccess = true also reads a little bit different.

"Parameter used to allow or not your users to
share publicly (ie., requiring not authentication)
their calendars and addressbooks.
Possible values are:
- YES – to allow them
- NO – to prevent them from doing so"

(0012450)
Christian Mack (developer)
2017-11-28 07:37

Sorry I did not get your problem.
As you were talking about "Modify" privilege, I assumed you added additional privileges for one user.

Now I see, that you actually can set "Respond To" and "Modify" privileges to "Public Access" in the current V3 SOGo version.
That is wrong!
And wasn't possible before.
For "Public Access" you only should be able to give "None", "View Date and Time" and "View All" privileges.

I assume that is the heart of your problem.
As you should not be able to give that privilege, in code it is not possible to revoke it either.

Can you remove that bogus ACL with the following command?
/usr/sbin/sogo-tool manage-acl remove ${USER} Calendar/${CALENDAR_ID} anonymous

You have to restart memcached afterwards.

(0012454)
rp_ocram (reporter)
2017-11-28 09:03

That is exactly my Problem.
Your Command cleaned up my ACL again. Thank you for that.
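
The failure mode described in note 0012450 (a right that can be stored for public access but that the revoke path does not handle), modelled as an added JavaScript example. It is not SOGo's code: the right labels are taken from the notes above, while the ACL data layout, the function names and the sample calendars are hypothetical.

```javascript
// Simplified model for illustration only; not SOGo's implementation.
// Rights that note 0012450 says public access may hold.
const PUBLIC_ALLOWED = new Set(["None", "View Date and Time", "View All"]);
const PUBLIC_SUBJECT = "anonymous"; // subject name used in the sogo-tool command above

// Behaviour described in the note: the revoke path only knows the rights that
// are supposed to be grantable, so a stored "Modify" entry is never cleared.
function revokeAllowListedOnly(acl, subject) {
  const kept = (acl[subject] || []).filter((r) => !PUBLIC_ALLOWED.has(r));
  return { ...acl, [subject]: kept };
}

// Hardened write path: refuse rights outside the allow-list for public access,
// whatever the client-side editor offered.
function grant(acl, subject, right) {
  if (subject === PUBLIC_SUBJECT && !PUBLIC_ALLOWED.has(right)) {
    throw new RangeError(`"${right}" may not be granted to public access`);
  }
  return { ...acl, [subject]: right === "None" ? [] : [right] };
}

// Hardened revoke path: drop the subject's entry whatever it contains.
function revoke(acl, subject) {
  const { [subject]: _dropped, ...rest } = acl;
  return rest;
}

// Audit: ids of calendars whose public entry holds a right outside the allow-list.
function findBogusPublicAcls(calendars) {
  return calendars
    .filter((c) => (c.acl[PUBLIC_SUBJECT] || []).some((r) => !PUBLIC_ALLOWED.has(r)))
    .map((c) => c.id);
}

// Constructed sample data.
const calendars = [
  { id: "personal", acl: { anonymous: ["Modify"] } },
  { id: "team", acl: { anonymous: ["View All"], alice: ["Modify"] } },
];
```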

- Related Changesets
sogo: master de91b578
Timestamp: 2017-12-18 15:31:43
Author: francis
Fix handling of public access rights of Calendars

Fixes 0004344
mod - UI/Common/UIxUserRightsEditor.m
mod - UI/Scheduler/UIxCalUserRightsEditor.m
mod - UI/Templates/ContactsUI/UIxContactFoldersView.wox
mod - UI/Templates/SchedulerUI/UIxCalMainView.wox
mod - UI/Templates/UIxAclEditor.wox
mod - UI/WebServerResources/js/Common/AclController.js

- Issue History
Date Modified Username Field Change
2017-11-27 15:10 rp_ocram New Issue
2017-11-28 04:59 Christian Mack Note Added: 0012444
2017-11-28 05:09 rp_ocram Note Added: 0012445
2017-11-28 07:37 Christian Mack Note Added: 0012450
2017-11-28 09:03 rp_ocram Note Added: 0012454
2017-12-18 15:32 francis Changeset attached => sogo master de91b578
2017-12-18 15:32 francis Assigned To => francis
2017-12-18 15:32 francis Resolution open => fixed
2017-12-18 15:32 francis Status new => resolved
2017-12-18 15:32 francis Fixed in Version => 4.0.0
