View Issue Details

ID: 0003889
Project: SOGo
Category: Web Calendar
View Status: public
Last Update: 2016-11-15 02:01
Reporter: hkunz
Assigned To: francis
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: Debian
OS Version: 8 (Jessie)
Product Version: 3.2.1
Fixed in Version: 3.2.2
Summary: 0003889: Delete events from a read only calendar by doing a move in the web frontend
Description

With the SOGo web client it is possible to move an event from a read-only calendar (ViewAll permission) to a different calendar (Modify permission), thereby actually deleting the event from the originating calendar. This should not be possible.

I give a typical example in the "Steps to reproduce".

Steps To Reproduce
  1. user1 shares a calendar cal1 with user2, giving ViewAll permissions (to public events, but that could as well be confidential or private events).
  2. user2 uses the web frontend, clicks on the event, chooses "move to" from the dialog, and moves the event to another calendar cal2 (where the user has modify permissions, e.g. a calendar owned by user2).
  3. This creates an entry in cal2 (which is fine) BUT it also deletes the event from the original calendar cal1, which is clearly a violation of the permissions granted to user2.
Additional Information

The described procedure only works in the web client. With CalDAV clients it is not possible to move events from a read-only calendar to another one.

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

sogo: master efbf0cc5

2016-11-14 16:41

francis


Fix required rights to move a calendar component

Fixes 0003889
Affected Issues
0003889
mod - NEWS
mod - UI/Scheduler/product.plist
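
The authorization rule at stake in this issue, as an added illustration that is neither SOGo code nor the contents of the changeset: a move is a copy plus a delete, so it has to be authorized as a delete on the source calendar as well as a create on the destination. The `Calendar` class, both functions and the right names `view`, `create` and `erase` are hypothetical; the scenario data is constructed from the steps to reproduce.

```python
# Added illustration, not SOGo code: right names and classes are hypothetical.
from dataclasses import dataclass, field

class PermissionDenied(Exception):
    pass

@dataclass
class Calendar:
    name: str
    acl: dict                                   # user -> set of granted rights
    events: dict = field(default_factory=dict)  # event id -> payload

    def allows(self, user, right):
        return right in self.acl.get(user, set())

def move_event_flawed(user, event_id, src, dst):
    """Behaviour the report describes: the source is only checked for read access."""
    if not (src.allows(user, "view") and dst.allows(user, "create")):
        raise PermissionDenied(event_id)
    dst.events[event_id] = src.events.pop(event_id)  # pop() also deletes from src

def move_event_checked(user, event_id, src, dst):
    """A move is copy + delete, so the source must also grant the erase right."""
    required = ((src, "view"), (src, "erase"), (dst, "create"))
    missing = [f"{cal.name}:{right}" for cal, right in required
               if not cal.allows(user, right)]
    if missing:
        raise PermissionDenied(f"{user} lacks {', '.join(missing)}")
    dst.events[event_id] = src.events[event_id]  # copy first
    del src.events[event_id]                     # delete only after the copy

def scenario(move):
    """Constructed data mirroring the report: user2 can only view cal1."""
    cal1 = Calendar("cal1", {"user1": {"view", "create", "erase"},
                             "user2": {"view"}}, {"ev1": "team meeting"})
    cal2 = Calendar("cal2", {"user2": {"view", "create", "erase"}})
    try:
        move("user2", "ev1", cal1, cal2)
        denied = False
    except PermissionDenied:
        denied = True
    return denied, sorted(cal1.events), sorted(cal2.events)

if __name__ == "__main__":
    print("flawed :", scenario(move_event_flawed))
    print("checked:", scenario(move_event_checked))
```

The `scenario` function doubles as a regression test for this class of bug: a view-only user's move attempt must be denied and must leave the source calendar unchanged.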

Issue History

Date Modified Username Field Change
2016-11-10 09:39 hkunz New Issue
2016-11-14 22:26 francis Changeset attached => sogo master efbf0cc5
2016-11-14 22:26 francis Assigned To => francis
2016-11-14 22:26 francis Resolution open => fixed
2016-11-15 02:01 francis Status new => resolved
2016-11-15 02:01 francis Fixed in Version => 3.2.2