Hi!
This is a security question I was wondering about. We normally create
.in and .out collections with privileges inherited from the principal
(default_privileges column in collections table as default, set to NULL...).
Now, when you share an addressbook or calendar, you normally set principal
privileges to read-write, so that Apple devices are able to read the
collection list. Later you restrict the privileges at each collection
level by not inheriting the principal privileges and restricting
the permissions there. We use the permission setup described above,
except for the .in and .out collections because they are special.
If the .in or .out collections inherit the principal privileges and
someone has read (or really read-write) privileges on the principal, can
they then read another user's .in collection? I know that, due to these
permissions required by Apple, at the principal level you could delete a
collection without being able to see it (if you don't have permissions),
but you can't see the content if not allowed. Is the content of .in and
.out served by DAViCal to anyone other than the owning user?
Cheers,