Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. DAViCal>
  3. General
Davical permissions on schedule-inbox (.in) and schedule-outbox (.out)
egoitz at sarenet
Jun 26, 2023, 6:33 AM
Post #1 of 2 (204 views)
Permalink
Hi!,

This is a question I was wondering about security. We normally create
.in and .out collections with privileges inherited from the principal
(default_privileges column in collections table as default, to NULL...).


Now, when share an addressbook or calendar, you normally set principal
privileges to read-write, so that Apple devices to be able to read
collection list. Later you restrict at each collection level, the
privileges by doing not to inherit principal privileges and restricting
there the permissions. We do the previously commented permission setup,
except for the .in and .out collections because they are special.

If the .in or .out collections have principal privileges inherited and
in the principal someone has read (or read write really) privileges can
then read another user .in collection?. I know, due to this permissions
required by Apple, at principal level you could delete a collection
without being able to see it (if you don't have permissions), but you
can't see! the content if not allowed. Is the content of .in and .out
served by Davical to another one other than the own user?.

Cheers,
Re: Davical permissions on schedule-inbox (.in) and schedule-outbox (.out) [ In reply to ]
egoitz at sarenet
Jun 26, 2023, 7:21 AM
Post #2 of 2 (204 views)
Permalink
Perhaps should all scheduling collections be created with
000000001111111000100001 permisions?.

That should made that collections be able to work as usual but not to be
able to read from them, isn't it?.

And perhaps would be useful to set that permissions in all scheduling
collections whose parent principal has given permissions to another
principal or if that parent principal has read or readwrite default
privileges... isn't it?.

Cheers!

El 2023-06-26 15:33, Egoitz Aurrekoetxea escribió:

> Hi!,
>
> This is a question I was wondering about security. We normally create .in and .out collections with privileges inherited from the principal (default_privileges column in collections table as default, to NULL...).
>
> Now, when share an addressbook or calendar, you normally set principal privileges to read-write, so that Apple devices to be able to read collection list. Later you restrict at each collection level, the privileges by doing not to inherit principal privileges and restricting there the permissions. We do the previously commented permission setup, except for the .in and .out collections because they are special.
>
> If the .in or .out collections have principal privileges inherited and in the principal someone has read (or read write really) privileges can then read another user .in collection?. I know, due to this permissions required by Apple, at principal level you could delete a collection without being able to see it (if you don't have permissions), but you can't see! the content if not allowed. Is the content of .in and .out served by Davical to another one other than the own user?.
>
> Cheers,

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal