0004361: Unprivileged user causes mail notifications on calendar event change - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0004361	SOGo	ActiveSync	public	2017-12-19 11:16	2017-12-22 10:03

Reporter	mzeedijk	Assigned To
Priority	normal	Severity	major	Reproducibility	always
Status	new	Resolution	open
Platform	[Server] Linux	OS	Ubuntu	OS Version	16.04 LTS
Product Version	3.2.10

Summary	0004361: Unprivileged user causes mail notifications on calendar event change
Description	An unprivileged user causes the sogo backend to send mail notifications when this user changes a read only event.
Steps To Reproduce	I have the following setup: sogo backend 3.2.10 with ActiveSync enabled All users have their calendar setup with 2 main access right Public Access: Public\|View Date and Time Any Authenticated User: Public\|View All, Confidential\|View Date and Time Some user have each other's calendars added and synced through ActiveSync. They use Outlook and iPhones to sync their account and have access to all subscribed calendars according to the right above. UserA: Shared a calendar with the rights above Created an event and invited UserB UserB: Accepts the event UserC: Is subscribed to UserA's calendar Opens the event which he has nothing to do with on Outlook or iPhone Changes eg. the endtime of the event Saves the event UserB: Receives a mail notification of the changed event.
Tags	No tags attached.

mzeedijk 2017-12-20 08:52 reporter ~0012482	Also User C suddenly becomes the organizer in the mail notification.

tfu 2017-12-22 10:00 reporter ~0012486	The problem is that outlook sometimes directly sends emails for meeting updates. This causes confusion for events in read-only calendars. I think we can just avoid that the event is hijacked by using meetingstatus = 0 for events where the users is not the organizer and not an attendee.

tfu 2017-12-22 10:03 reporter	4361.diff (1,105 bytes) diff --git a/ActiveSync/iCalEvent+ActiveSync.m b/ActiveSync/iCalEvent+ActiveSync.m index b33d6fa..c7e33bf 100644 --- a/ActiveSync/iCalEvent+ActiveSync.m +++ b/ActiveSync/iCalEvent+ActiveSync.m @@ -111,6 +111,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. NSTimeZone *userTimeZone; userTimeZone = [[[context activeUser] userDefaults] timeZone]; + meetingStatus = 0; s = [NSMutableString string]; @@ -160,8 +161,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // Organizer and other invitations related properties if ((organizer = [self organizer])) { - meetingStatus = 1; // meeting and the user is the meeting organizer. - o = [organizer rfc822Email]; + if ((o = [organizer rfc822Email]) && + ([self userIsOrganizer: [context activeUser]] \|\| [[context activeUser] hasEmail: o])) + meetingStatus = 1; // meeting and the user is the meeting organizer. + if (![self recurrenceId] && [o length]) { [s appendFormat: @"<Organizer_Email xmlns=\"Calendar:\">%@</Organizer_Email>", o]; 4361.diff (1,105 bytes)

Date Modified	Username	Field	Change
2017-12-19 11:16	mzeedijk	New Issue
2017-12-20 08:52	mzeedijk	Note Added: 0012482
2017-12-22 10:00	tfu	Note Added: 0012486
2017-12-22 10:03	tfu	File Added: 4361.diff