Hi, I am using Davical 0.9.9.
I am not sure if the following is a security problem, or if I have
configured something wrong.
Maybe someone could test this on his own Davical installation.
In the Davical web GUI, when you click on a user, you can set the
privileges which are granted to all users.
I have activated "Read Free/Busy Information" and "Scheduling: Query
free/busy". And I did not set any other read or write permissions. I
just wanted to allow all users to see when my testuser is free or busy.
But now, there is a problem:
When I browse with the web browser to: [...]/caldav.php/[mytestuser]/home
and log in with any other user, I get all events of my testuser.
But as I said, I did not set any other read or write permissions. And I
want to disallow the users to read the calendar of the testuser.
The problem is "solved" when I deactivate "Read Free/Busy Information"
and leave "Scheduling: Query free/busy" activated on the page of my
testuser -> now, the other users can no longer see the events of my
testuser.
And the Free/Busy mechanism of Thunderbird still works :-)
Can you reproduce this security problem too?
HELPING HEADS for Hard- and Software
-------------------------------------------------------------------------
For your projects we develop tailor-made solutions - fast,
flexible and directly on site. Our well-practised team of experienced hardware
and software specialists supports you wherever you need us.
--------------------------------------------------------------------------
SysDesign GmbH
Saentisstrasse 25
D-88079 Kressbronn am Bodensee
Managing Director: Franz Kleiner
Commercial Register: Ulm 632138
--------------------------------------------------------------------------
_______________________________________________
rscds-general mailing list
rscds-general at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rscds-general
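
A check an administrator could run on the body their own server returns to a second account that holds only the free/busy privileges, as an added example that is not part of the original post or of DAViCal: it parses iCalendar text and lists the events that expose more than timing. The property list, the function names and both sample bodies are constructed assumptions.

```python
import re

# Assumption of this example: properties that reveal more than "busy at this time".
DETAIL_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "ATTENDEE", "ORGANIZER",
                "COMMENT", "CATEGORIES", "CONTACT", "URL", "ATTACH"}
EVENT_TYPES = {"VEVENT", "VTODO", "VJOURNAL"}

def unfold(ical_text):
    """Undo RFC 5545 line folding: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ical_text).splitlines()

def disclosed_details(ical_text):
    """Map each event (UID, or #n if it has none) to the detail properties it exposes."""
    findings, stack, current, seen = {}, [], None, 0
    for line in unfold(ical_text):
        head, _, value = line.partition(":")
        name, value = head.split(";", 1)[0].strip().upper(), value.strip()
        if name == "BEGIN":
            stack.append(value.upper())
            if value.upper() in EVENT_TYPES:
                seen += 1
                current = {"id": f"#{seen}", "props": set()}
        elif name == "END":
            if stack:
                stack.pop()
            if value.upper() in EVENT_TYPES and current is not None:
                if current["props"]:
                    findings[current["id"]] = sorted(current["props"])
                current = None
        elif current is not None and stack and stack[-1] in EVENT_TYPES:
            # Only the event's own properties; nested VALARM lines are skipped.
            if name == "UID" and value:
                current["id"] = value
            elif name in DETAIL_PROPS and value:
                current["props"].add(name)
    return findings

# Constructed sample bodies (not captured from any server).
FREEBUSY_ONLY = ("BEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VFREEBUSY\n"
                 "FREEBUSY:20100301T090000Z/20100301T100000Z\n"
                 "END:VFREEBUSY\nEND:VCALENDAR\n")
FULL_EVENTS = ("BEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VEVENT\n"
               "UID:constructed-1@example.invalid\nDTSTART:20100301T090000Z\n"
               "DTEND:20100301T100000Z\nSUMMARY:Quarterly review with\n  finance\n"
               "LOCATION:Room 4\nBEGIN:VALARM\nACTION:DISPLAY\n"
               "DESCRIPTION:Reminder\nEND:VALARM\nEND:VEVENT\nEND:VCALENDAR\n")

if __name__ == "__main__":
    for label, body in (("free/busy only", FREEBUSY_ONLY), ("full events", FULL_EVENTS)):
        print(label, "->", disclosed_details(body) or "no event details disclosed")
```

An empty result means the body carried timing information only; any entry names an event whose details reached the requesting account.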