View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005579 | SOGo | Backend Address Book | public | 2022-08-17 15:20 | 2023-05-04 07:25 |
|Summary||0005579: subscribe to shared address books not possible|
In the web UI, users are able to subscribe to other address books
|Steps To Reproduce|
firstname.lastname@example.org: shares address books to user email@example.com, ACL "Any Auth. User" has now right
firstname.lastname@example.org via iOS/Thunderbird/eMule:
Logs at the web server (Apache) show the following:
"PROPFIND /SOGoemail@example.com/Calendar/139C-62FBF300-5-70FCDF00/ HTTP/1.1" 401
-> deny - login
"PROPFIND /SOGofirstname.lastname@example.org HTTP/1.1" 401
|Tags||No tags attached.|
@MrT2020: I have the same problem. To check if the cause is the same could you please temporarily give the user at least write access and try subscribing again. For me subscribing in Cardbook only works if the user has at least write or delete permission. With only read permission I am also not able to subscribe to any address book. I don't even get to select any other subscribable calendar. Cardbook seems to refuse to talk to SOGo altogether.
One thing I found in searching for the cause is that if a user has read permissions to an address book, the request (https://some.server.com/SOGoemail@example.com/Contacts/) returns 200 but the XML content is not actually valid. If I validate the XML via PHPStorm it throws an error on <D:current-user-privilege-set xmlns:D="DAV:"></D:current-user-privilege-set> (XML tag has empty body). The XML content for a user with at least write permission has some entries like <D:privilege><D:write/></D:privilege> in between the "current-user-privilege-set" tags. PHPStorm states that it should be <D:current-user-privilege-set xmlns:D="DAV:"/>. Although this is also weird because for a user with read privileges it should at least state a read permission. But I don't know enough about CardDAV so that's just a wild guess.
So maybe Cardbook (and other CardDAV clients) fails because the XML content is not correctly formatted.
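The comparison described in the comment above, as an added example that is not part of the original thread or of SOGo's code: it parses a PROPFIND multistatus body and reports which resources return a current-user-privilege-set with no privileges in it. The sample bodies, the placeholder href and the function names are constructed for illustration; an XML parser treats the empty-body and self-closing forms of the element identically, so the check looks at the listed privileges rather than the tag form.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # ElementTree spells the DAV: namespace this way

# Constructed sample body built around the element quoted in the comment above;
# the href is a placeholder, not a real SOGo path.
READ_ONLY_BODY = """<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/placeholder/Contacts/shared/</D:href>
    <D:propstat>
      <D:prop>
        <D:current-user-privilege-set xmlns:D="DAV:"></D:current-user-privilege-set>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""

# Same body with the entry the comment reports for a user with write permission.
WRITE_BODY = READ_ONLY_BODY.replace(
    "></D:current-user-privilege-set>",
    "><D:privilege><D:write/></D:privilege></D:current-user-privilege-set>")

CUPS_PATH = f"{DAV}propstat/{DAV}prop/{DAV}current-user-privilege-set"


def privileges_by_href(body):
    """Map each href to the set of privilege names granted to the current user.

    The value is None when the property is missing from the response and an
    empty set when the element is present but lists no privilege.
    """
    result = {}
    root = ET.fromstring(body)  # raises ParseError if the body is not well-formed
    for response in root.iter(DAV + "response"):
        href = response.findtext(DAV + "href", default="").strip()
        cups = response.find(CUPS_PATH)
        if cups is None:
            result[href] = None
            continue
        result[href] = {child.tag.replace(DAV, "")
                        for priv in cups.findall(DAV + "privilege")
                        for child in priv}
    return result


def empty_privilege_sets(body):
    """Return hrefs whose privilege set is present but empty."""
    return [h for h, p in privileges_by_href(body).items() if p == set()]
```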
@Choppel: Confirmed. After giving the user write access, the user can subscribe.
CardDAV access control is still completely broken in SOGo 5.8.2 and latest nightly. The
Shared address book for which read-only privileges are granted:
Shared address book for which all privileges are granted: