group member can overwrite private appointment #5551

Open
Tracked by #20096
stefanroesler opened this issue Jun 28, 2017 · 5 comments
Labels: 1. to develop (Accepted and waiting to be taken care of), enhancement, feature: caldav (Related to CalDAV internals), feature: dav

Comments

@stefanroesler

Actual behaviour

The admin creates a calendar for group A, group A has read / write permission, User B1 and B2 are members of group A. In case B1 creates a private appointment it will be shown for every group member, also for himself, as busy (that's okay, because the information will be shown via caldavsync in Outlook for the creator of this appointment). The problem: every group member with read / write permission can overwrite / delete B1's private appointment. Is there no concept of ownership for appointments in shared calendars?

Server configuration

Operating system: Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-042stab120.18 x86_64)

Web server: Apache/2.4.18 (Ubuntu)

Database: mysql 5.7

PHP version: 7.0.18-0ubuntu0.16.04.1 (cli) ( NTS )

Server version: 12.0.0

Calendar version: 1.5.3

Updated from an older installed version or fresh install: fresh install

@nickvergessen
Member

No, calendars have ownerships. Everything inside is handled the same way.

@stefanroesler
Author

Sorry Joas, the ownership of a calendar is not sufficient.
There is a common shared calendar and it will also include private appointments, which should be only visible for the owner of this appointment. Now it's possible to delete and / or overwrite these appointments for other members of the group.

@plauzenbaer

me experiencing the same issue in a similar environment

@nickvergessen nickvergessen reopened this Jun 30, 2017
@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@skjnldsv skjnldsv added the 1. to develop Accepted and waiting to be taken care of label Jun 12, 2019
@ghost ghost removed the stale Ticket or PR with no recent activity label Jun 12, 2019
@georgehrke
Member

Solution: Simply respond with a 403 when the non-owner is editing a non-public event or when a non-owner is creating an event with an access class other than PUBLIC
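
The rule proposed in the comment above, sketched as an added example; it is not Nextcloud's code and not part of the original thread. Assumptions: the helper names `access_class` and `authorize_write` and the user names are hypothetical, DELETE is treated as an edit, a non-owner update that would leave the event non-PUBLIC is also refused, and the sample events are constructed.

```python
import re

NO_CONTENT, CREATED, FORBIDDEN = 204, 201, 403

def unfold(ics):
    # RFC 5545 3.1: CRLF followed by a space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", ics).splitlines()

def access_class(ics):
    """Most restrictive CLASS found in one calendar object (hypothetical helper)."""
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if not sep or name.split(";")[0].strip().upper() != "CLASS":
            continue
        value = value.strip().upper()
        if value != "PUBLIC":
            # RFC 5545 3.8.1.3: unrecognised values are handled like PRIVATE.
            return value if value == "CONFIDENTIAL" else "PRIVATE"
    return "PUBLIC"  # also the RFC 5545 default when CLASS is absent

def authorize_write(requester, calendar_owner, existing_ics, new_ics):
    """HTTP status for a PUT (new_ics set) or DELETE (new_ics is None)."""
    ok = CREATED if existing_ics is None else NO_CONTENT
    if requester == calendar_owner:
        return ok
    # Non-owner touching a stored event that is not PUBLIC.
    if existing_ics is not None and access_class(existing_ics) != "PUBLIC":
        return FORBIDDEN
    # Non-owner storing an event whose class is not PUBLIC (create or reclassify).
    if new_ics is not None and access_class(new_ics) != "PUBLIC":
        return FORBIDDEN
    return ok

def event(*props):
    # Constructed sample data, not taken from the issue.
    body = ["BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "UID:demo-1",
            *props, "END:VEVENT", "END:VCALENDAR"]
    return "\r\n".join(body) + "\r\n"

PUBLIC_EVENT = event("SUMMARY:Team meeting")                   # no CLASS -> PUBLIC
PRIVATE_EVENT = event("SUMMARY:Doctor", "CLA\r\n SS:PRIVATE")  # folded property

if __name__ == "__main__":
    for who, old, new in [("b2", PRIVATE_EVENT, PUBLIC_EVENT), ("b2", None, PRIVATE_EVENT),
                          ("b2", PUBLIC_EVENT, PUBLIC_EVENT), ("admin", PRIVATE_EVENT, None)]:
        print(who, authorize_write(who, "admin", old, new))
```

Parsing the stored object's class, and not only the uploaded one, is what keeps a non-owner from overwriting a private event with a PUBLIC replacement.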

@raimund-schluessler
Member

Related issues are nextcloud/calendar#519 and nextcloud/tasks#467.
