Do not show under settings Username and Password for addressbooks, loaded over a preset

[dilyanpalauzov]

I use version 4.4.4 and install over a single preset several addressbooks for each user. Under Settings → CardDAV the users see for each addressbook the fields Username (with value %u) and Password (without value).

If the password is %p its value shall be shown in the UI.

If the addressbooks are loaded over a preset, the UI shall not show the fields Username and Password to the user. The users have no impact on the preset and shall not change the username / password.

Currently some of the addressbooks loaded over presets are read-only, others are read-write. While the server can enforce the read-only status for some addressbooks, the user shall be able to mark additional addressbooks as read-only. DAVx⁵ has the option to force read-only for collections, for which the server does not force read-only.

[mstilkerich]

You can set the fixed attributes in the preset config, the user will then see disabled input elements. They cannot change them. I have no intention of changing this.

Read-only addressbooks are a UI tweak in roundcube, and only available for preset addressbooks. If you want to make sure addressbooks are read only, the correct way is server-side ACLs.

In RCMCardDAV 5, you can have one setting for all the discovered addressbooks, and a different setting for extra addressbooks that are specified directly by their URL. The latter is meant to be used for public addressbooks not found by the discovery. I am not aware of any server apart from yours that serves multiple addressbook home URIs, including that of public addressbooks. The servers I am aware of that allow addressbook sharing would not add shared addressbooks to a collection reported as addressbook home. Btw, which server are you using?

[dilyanpalauzov]

Setting 'fixed' => [ 'username', 'password' ], does disable editing of the username and password by the user. The content of the fields is now rendered as text, password is ***. This is good. I would suggest to include in config.php.inc.dist the example 'fixed' => [ 'username', 'password' ] as this is supposed to be often used and the example will suggest to use this actively.

If you want to make sure addressbooks are read only, the correct way is server-side ACLs.

I do have server-side ACL for read-only addressbooks. Does rcmcarddav fetch the ACLs to determine the read-only status? In such a case, why does the system allow me to select a read-only CardDAV AB as Default Addressbook, or Trusted Senders/Collected senders addressbook? Does RoundCube lack the notion of a read-only addressbook?

In RCMCardDAV 5, you can have one setting for all the discovered addressbooks, and a different setting for extra addressbooks that are specified directly by their URL. The latter is meant to be used for public addressbooks not found by the discovery.

Can extra addressbooks overwrite settings of discovered addressbook, like read-only status (if rcmcarddav does not detect this itself)?

I am not aware of any server apart from yours that serves multiple addressbook home URIs, including that of public addressbooks. The servers I am aware of that allow addressbook sharing would not add shared addressbooks to a collection reported as addressbook home. Btw, which server are you using?

I am using a patched version of Cyrus IMAP, upstream Cyrus IMAP does not have anonymous CardDAV access.

The discovery of shared/public addressbooks/calendars has the advantage that in applications as DAVx⁵ or Evolution users can enter only aegee.org as domain, without providing username/password, and the application shows the public data (vCards, events, tasks). With provided username, the applications show public (or shared) and private data. I think this is a very good feature of server and clients.

[dilyanpalauzov]

Please add an option to hide the username, password and URL from the UI for addressbooks from a preset. Showing the users URL http://127.0.0.4/dav/addressbooks/user/cal/bodies/ does not help them anyhow, rendering this URL just irritates.

[mstilkerich]

• username and password are already included in the preset examples in ADMIN_SETTINGS.md.
• RCMCardDAV does not fetch ACLs to determine read-only status.
• Roundcube does have the notion of a readonly addressbook, which is was RCMCardDAV uses when the readonly setting is set by the admin. However, this will only disable the UI elements in the frontend, for example, a readonly addressbook will not be available for selection when creating a new contact. There is no check in the backend, however, if you send a (forged) request to insert a contact to a readonly addressbook.
• RCMCardDAV v5 allows discovered addressbooks and extra (= non-discovered, specified by URL) in a preset. The discovered addressbooks all share the same preset settings, but the extra addressbooks can have different settings.
• As I said, I have no intention to remove the named elements from the UI. I do not think that read-only information presented will confuse the user. I furthermore do not want any additional options for tweaking such details of the UI. All extra options create variants that I have to keep in mind, extra maintenance effort and raised complexity and therefore potential for bugs. I am doing this in my limited spare time and therefore have to focus my available time on what I consider important.

[dilyanpalauzov]

I would be good if RCMCardDAV evaluates the ACLs to determine, if a collection is read-only. This way some discovered addressbooks will be handled as read-only (if the server says so), and others discovered addressbooks will be read-write. My understanding is that currently it is not possible to have some discovered addressbooks as read-only, and others as read-write.