View Issue Details

IDProjectCategoryView StatusLast Update
0005188SOGoBackend Generalpublic2020-10-20 09:01
ReporterChristian Mack Assigned To 
PrioritynormalSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version5.0.1 
Summary0005188: group accounts can not set privileges for their members on their own calendars and adressbooks
Description

You can add groups in SOGoUserSources with "canAuthenticate = YES;".
With that they become group accounts.
Those group accounts can login to the SOGo web interface, with the password which is set for them in that authentication source.
Doing so will automatically create a personal calendar and a personal address book in that group account.
Logged into those group accounts you can create additional calendars and address books, as with any other user or resource account.
But members of that group can only access these calendars and address books with privileges set for the pseudo Account "All authenticated Users".
That is, because members of that group will not authenticate as that group account, but as member of that group.
But it is impossible to add the group to its own calendars and address books for sharing.
Therefore you can not change the privileges used for those group members.

For user and resource accounts that makes sense, as adding their accounts to their own calendars and address books will always lower the privileges they already have.
They would lose at least the privilege of changing share privileges and changing the name, if the pseudo Account "All authenticated Users" has all privileges set for those calendars and address books.
If it has less, they would lose all privileges not given to that pseudo Account too.

Therefore we need a way to set sharing privileges for the group members on the calendars and address books a group account owns, not for the group account itself.
Without that possibility group calendars and group address books are impossible.

Steps To Reproduce

1) Create a group "department-A" with password in your authentication source (AD/Database/LDAP).
2) Create user "member-1" in your authentication source for users.
3) Add user "member-1" as member to group "department-A" in your authentication source.
4) Add a new SOGoUserSources entry for that group account e.g. for LDAP:
<pre>
SOGoUserSources = (
{
[...]
id = users;
displayName = "Users of University";
canAuthenticate = YES;
isAddressBook = YES;
},
{
CNFieldName = description;
IDFieldName = cn;
UIDFieldName = cn;
baseDN = "ou=groups,dc=example-uni,dc=de";
bindDN = "cn=sogoadmin,ou=people,ou=admin,dc=example-uni,dc=de";
bindPassword = "completely_Secret";
hostname = "ldaps://ldap.example-uni.de:636";
id = groups;
displayName = "Departments of University";
canAuthenticate = YES;
isAddressBook = YES;
}
);
<pre />
5) Restart sogo
6) Login as group account "department-A" via SOGo web interface.
=> "personal" calendar and address book are created.
7) Create an event for today in the "personal" calendar.
8) Set privilege for "All authenticated users" to "Date and Time" only.
9) Logoff as "department-A"
10) Login as "member-1" to SOGo web interface
11) Subscribe "personal" calender of "department-A"
=> you only see date and time of the event in that calendar.
12) Logoff as "member-1"
13) Logon as "department-A"
14) Try to add group "department-A" for sharing to "personal" calendar.
=> It is not possible, therefore you can not set privileges for the members of group "department-A".

Additional Information

SOGo released version 5.0.1 on Debian 10 Buster

Tagsacl, addressbook, calendar, group

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-10-20 09:01 Christian Mack New Issue
2020-10-20 09:01 Christian Mack Tag Attached: acl
2020-10-20 09:01 Christian Mack Tag Attached: addressbook
2020-10-20 09:01 Christian Mack Tag Attached: calendar
2020-10-20 09:01 Christian Mack Tag Attached: group