View Issue Details

IDProjectCategoryView StatusLast Update
0005579SOGoBackend Address Bookpublic2023-05-04 07:25
ReporterMrT2020 Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
OSdebianOS Version11 
Product Version5.7.0 
Summary0005579: subscribe to shared address books not possible
Description

at webui users are able to subscribe to other address books
with caldav devices subscibtion to shared books not possible (read only acl are set for explicit users on shared books)

Steps To Reproduce

test2.test2@test.local: shares address books to user test1.test1@test.local , ACL "Any Auth. User" has now right
test1.test1@test.local: subscribtion on the web interface is functioning

test1.test1@test.local via IOS/Thunderbird/eMule:
shared books of test2.test2@test.local can not be added or be found (even with direct link-url
https://10.28.250.252/SOGo/dav/test2.test2@test.local/Contacts/personal/)

Additional Information

logs at webserver (apache) shows following:

"PROPFIND /SOGo/dav/test2.test2@test.local/Calendar/139C-62FBF300-5-70FCDF00/ HTTP/1.1" 401
"PROPFIND /SOGo/dav/test2.test2@test.local/Calendar/139C-62FBF300-5-70FCDF00/ HTTP/1.1" 207

-> deny - login
-> login test1.test1@test.local for shared book of test2.test2@test.local
but after login only books of test1.test1@test.local are returned non of test2.test2@test.local

"PROPFIND /SOGo/dav/test1.test1@test.local HTTP/1.1" 401
"PROPFIND /SOGo/dav/test1.test1@test.local HTTP/1.1" 207
"PROPFIND /SOGo/dav/test1.test1@test.local/Contacts/ HTTP/1.1" 207
"PROPFIND /SOGo/dav/test1.test1@test.local/Contacts/personal/ HTTP/1.1" 207
"REPORT /SOGo/dav/test1.test1@test.local/Contacts/personal/ HTTP/1.1" 207

TagsNo tags attached.

Activities

Choppel

Choppel

2023-01-22 14:42

reporter   ~0016576

@MrT2020: I have the same problem. To check if the cause is the same could you please temporarily give the user at least write access and try subscribing again. For me subscribing in Cardbook only works if the user has at least write or delete permission. With only read permission I am also not able to subscribe to any address book. I don't even get to select any other subscribable calendar. Cardbook seems to refuse to talk to SOGo altogether.

One thing I found in searching for the cause is, that if a user has read permissions to an address book, the request (https://some.server.com/SOGo/dav/user@some.server.com/Contacts/) returns 200 but the XML content is not actually valid. If I validate the XML via PHPStorm it throws an error on <D:current-user-privilege-set xmlns:D="DAV:"></D:current-user-privilege-set> (XML tag has empty body). The XML content for a user with at least write permission has some entries like <D:privilege><D:write/></D:privilege> in between the "current-user-privilege-set" tags. PHPStorm states that it should be <D:current-user-privilege-set xmlns:D="DAV:"/>. Although this is also weird because for a user with read privileges it should at least state a read permission. But I don't enough about carddav so that's just a wild guess.

So maybe Cardbook (and other carddav clients) fails because the XML content is not correctly formatted.

MrT2020

MrT2020

2023-01-22 15:06

reporter   ~0016577

@Choppel: confirm it - giving the user write-access, user can subscribe

rschuetz

rschuetz

2023-05-04 07:25

reporter   ~0016944

CardDAV access control is still completely broken in SOGo 5.8.2 and latest nightly. The DAV:current-user-privilege-set property is always missing the DAV:read privilege for address books shared with another user:

Shared address book for which read-only privileges are granted:

&lt;D:current-user-privilege-set xmlns:D=&quot;DAV:&quot;>
&lt;/D:current-user-privilege-set>

Shared address book for which all privileges are granted:

&lt;D:current-user-privilege-set xmlns:D=&quot;DAV:&quot;>
    &lt;D:privilege>&lt;D:write/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:bind/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:unbind/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:write-properties/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:write-content/>&lt;/D:privilege>
&lt;/D:current-user-privilege-set>

Moreover the DAV:all privilege is erroneously included in the privilege set for global address books, which are read-only by design:

&lt;D:current-user-privilege-set xmlns:D=&quot;DAV:&quot;>
    &lt;D:privilege>&lt;D:read/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:read-current-user-privilege-set/>&lt;/D:privilege>
    &lt;D:privilege>&lt;D:all/>&lt;/D:privilege>
&lt;/D:current-user-privilege-set>

Issue History

Date Modified Username Field Change
2022-08-17 15:20 MrT2020 New Issue
2023-01-22 14:42 Choppel Note Added: 0016576
2023-01-22 15:06 MrT2020 Note Added: 0016577
2023-05-04 07:25 rschuetz Note Added: 0016944