View Issue Details

ID: 0004361
Project: SOGo
Category: ActiveSync
View Status: public
Last Update: 2017-12-22 10:03
Reporter: mzeedijk
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 3.2.10
Summary: 0004361: Unprivileged user causes mail notifications on calendar event change

Description

An unprivileged user causes the sogo backend to send mail notifications when this user changes a read only event.

Steps To Reproduce

I have the following setup:

  • sogo backend 3.2.10 with ActiveSync enabled
  • All users have their calendar set up with 2 main access rights
    • Public Access: Public|View Date and Time
    • Any Authenticated User: Public|View All, Confidential|View Date and Time

Some users have each other's calendars added and synced through ActiveSync. They use Outlook and iPhones to sync their account and have access to all subscribed calendars according to the rights above.

UserA:

  • Shared a calendar with the rights above
  • Created an event and invited UserB

UserB:

  • Accepts the event

UserC:

  • Is subscribed to UserA's calendar
  • Opens the event which he has nothing to do with on Outlook or iPhone
  • Changes e.g. the end time of the event
  • Saves the event

UserB:

  • Receives a mail notification of the changed event.

Tags: No tags attached.

Activities

mzeedijk

2017-12-20 08:52

reporter   ~0012482

Also User C suddenly becomes the organizer in the mail notification.

tfu

2017-12-22 10:00

reporter   ~0012486

The problem is that Outlook sometimes directly sends emails for meeting updates. This causes confusion for events in read-only calendars.

I think we can just avoid that the event is hijacked by using meetingstatus = 0 for events where the user is not the organizer and not an attendee.

tfu

2017-12-22 10:03

reporter  

4361.diff (1,105 bytes)   
diff --git a/ActiveSync/iCalEvent+ActiveSync.m b/ActiveSync/iCalEvent+ActiveSync.m
index b33d6fa..c7e33bf 100644
--- a/ActiveSync/iCalEvent+ActiveSync.m
+++ b/ActiveSync/iCalEvent+ActiveSync.m
@@ -111,6 +111,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
   NSTimeZone *userTimeZone;
   userTimeZone = [[[context activeUser] userDefaults] timeZone];
+  meetingStatus = 0;
 
   s = [NSMutableString string];
   
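Review bot: The new `meetingStatus = 0;` default next to the `userTimeZone` assignment has no comment, while the `meetingStatus = 1;` assignment in the next hunk does. Please document what 0 means here (per note 0012486, the value for a user who is neither organizer nor attendee), so the default reads as a deliberate choice and not a leftover initialisation.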
@@ -160,8 +161,10 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   // Organizer and other invitations related properties
   if ((organizer = [self organizer]))
     {
-      meetingStatus = 1;  // meeting and the user is the meeting organizer.
-      o = [organizer rfc822Email];
+      if ((o = [organizer rfc822Email]) &&
+          ([self userIsOrganizer: [context activeUser]] || [[context activeUser] hasEmail: o]))
+         meetingStatus = 1;  // meeting and the user is the meeting organizer.
+
       if (![self recurrenceId] && [o length])
         {
           [s appendFormat: @"<Organizer_Email xmlns=\"Calendar:\">%@</Organizer_Email>", o];
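Review bot: In the rewritten `if ((o = [organizer rfc822Email]) && ...)` condition, `meetingStatus` becomes 1 only when the active user is the organizer, so with the 0 default from the first hunk every other user, invited attendees included, keeps 0 unless code outside these lines assigns an attendee value. Note 0012486 asks for 0 only when the user is neither organizer nor attendee, so please confirm the attendee case is set further down or add that branch here. The change also only affects the value serialized to the client: nothing in these lines makes the server refuse a save, or suppress the notification, when the saving user has view-only rights on the calendar, which is the behaviour the report describes, so a server-side check deserves a follow-up. Minor: the `meetingStatus = 1;` line is indented to an odd column compared with the surrounding code.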

Issue History

Date Modified Username Field Change
2017-12-19 11:16 mzeedijk New Issue
2017-12-20 08:52 mzeedijk Note Added: 0012482
2017-12-22 10:00 tfu Note Added: 0012486
2017-12-22 10:03 tfu File Added: 4361.diff