View Issue Details

ID: 0005188
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2020-10-20 13:01
Reporter: Christian Mack
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.0.1
Summary: 0005188: group accounts can not set privileges for their members on their own calendars and addressbooks
Description

You can add groups in SOGoUserSources with "canAuthenticate = YES;".
With that they become group accounts.
Those group accounts can login to the SOGo web interface, with the password which is set for them in that authentication source.
Doing so will automatically create a personal calendar and a personal address book in that group account.
Logged into those group accounts you can create additional calendars and address books, as with any other user or resource account.
But members of that group can only access these calendars and address books with privileges set for the pseudo Account "All authenticated Users".
That is because members of that group will not authenticate as that group account, but as a member of that group.
But it is impossible to add the group to its own calendars and address books for sharing.
Therefore you can not change the privileges used for those group members.

For user and resource accounts that makes sense, as adding their accounts to their own calendars and address books will always lower the privileges they already have.
They would lose at least the privilege of changing share privileges and changing the name, if the pseudo Account "All authenticated Users" has all privileges set for those calendars and address books.
If it has less, they would lose all privileges not given to that pseudo Account too.

Therefore we need a way to set sharing privileges for the group members on the calendars and address books a group account owns, not for the group account itself.
Without that possibility group calendars and group address books are impossible.

Steps To Reproduce

1) Create a group "department-A" with password in your authentication source (AD/Database/LDAP).
2) Create user "member-1" in your authentication source for users.
3) Add user "member-1" as member to group "department-A" in your authentication source.
4) Add a new SOGoUserSources entry for that group account e.g. for LDAP:
<pre>
SOGoUserSources = (
    {
        [...]
        id = users;
        displayName = "Users of University";
        canAuthenticate = YES;
        isAddressBook = YES;
    },
    {
        CNFieldName = description;
        IDFieldName = cn;
        UIDFieldName = cn;
        baseDN = "ou=groups,dc=example-uni,dc=de";
        bindDN = "cn=sogoadmin,ou=people,ou=admin,dc=example-uni,dc=de";
        bindPassword = "completely_Secret";
        hostname = "ldaps://ldap.example-uni.de:636";
        id = groups;
        displayName = "Departments of University";
        canAuthenticate = YES;
        isAddressBook = YES;
    }
);
</pre>
5) Restart sogo
6) Login as group account "department-A" via SOGo web interface.
=> "personal" calendar and address book are created.
7) Create an event for today in the "personal" calendar.
8) Set privilege for "All authenticated users" to "Date and Time" only.
9) Logoff as "department-A"
10) Login as "member-1" to SOGo web interface
11) Subscribe "personal" calendar of "department-A"
=> you only see date and time of the event in that calendar.
12) Logoff as "member-1"
13) Logon as "department-A"
14) Try to add group "department-A" for sharing to "personal" calendar.
=> It is not possible, therefore you can not set privileges for the members of group "department-A".

Additional Information

SOGo released version 5.0.1 on Debian 10 Buster

Tags: acl, addressbook, calendar, group

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-10-20 13:01 Christian Mack New Issue
2020-10-20 13:01 Christian Mack Tag Attached: acl
2020-10-20 13:01 Christian Mack Tag Attached: addressbook
2020-10-20 13:01 Christian Mack Tag Attached: calendar
2020-10-20 13:01 Christian Mack Tag Attached: group