nextcloud / calendar

📆 Calendar app for Nextcloud
https://apps.nextcloud.com/apps/calendar
GNU Affero General Public License v3.0

User is able to change (their own) event data as attendee #489

Closed brunt82 closed 1 month ago

brunt82 commented 7 years ago

Steps to reproduce

  1. User A creates an event and invites user B.
  2. Open web client as user B and display event details.
  3. User B changes location and description.

Expected behaviour

The attendee (user B) should not be able to change properties of events to which he was invited.

Actual behaviour

Calendar app sends a new ics with the (new) properties of the event. The new location / description will be displayed for user B only (in web client and TB). User A will not be informed about any changes.

Therefore it is not clear which changes are synchronized to other attendees and which are not (because it is not transparent enough which events are created by me).

Anyhow, when user A updates the event (e.g. the duration), user B will be informed by an e-mail with the new ics (containing the new time and the old other properties). When user B updates the event with Thunderbird, the correct event will be updated (and a new, second one is not created).

Server configuration

Operating system: Ubuntu 16.04.2 LTS

Web server: Apache/2.4.18

Database: sqlite3, Version: 3.11.0

PHP version: 7.0.15

Nextcloud version: 12.0

Updated from an older Nextcloud/ownCloud or fresh install: First install was a 12 beta, which was upgraded to the current version last week.

Where did you install Nextcloud from:

Signing status:

No errors have been found.

List of activated apps:

Enabled:

- activity: 2.5.2
- bruteforcesettings: 1.0.2
- calendar: 1.5.3
- comments: 1.2.0
- contacts: 1.5.3
- dav: 1.3.0
- federatedfilesharing: 1.2.0
- files: 1.7.2
- files_pdfviewer: 1.1.1
- files_sharing: 1.4.0
- files_texteditor: 2.4.1
- files_trashbin: 1.2.0
- files_versions: 1.5.0
- files_videoplayer: 1.1.0
- firstrunwizard: 2.1
- gallery: 17.0.0
- logreader: 2.0.0
- lookup_server_connector: 1.0.0
- nextcloud_announcements: 1.1
- notifications: 2.0.0
- oauth2: 1.0.5
- password_policy: 1.2.2
- provisioning_api: 1.2.0
- serverinfo: 1.2.0
- sharebymail: 1.2.0
- survey_client: 1.0.0
- systemtags: 1.2.0
- theming: 1.3.0
- twofactor_backupcodes: 1.1.1
- updatenotification: 1.2.0
- user_ldap: 1.2.1
- workflowengine: 1.2.0

Disabled:

- admin_audit
- encryption
- federation
- files_external
- spreed
- user_external

Nextcloud configuration:

```
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud-test.test.de"
        ],
        "datadirectory": "\/nextcloud-data",
        "overwrite.cli.url": "http:\/\/nextcloud-test.test.de",
        "dbtype": "sqlite3",
        "version": "12.0.0.29",
        "dbname": "nextcloud",
        "dbhost": "127.0.0.1",
        "dbport": "",
        "dbtableprefix": "oc_",
        "instanceid": "och55ujpywqp",
        "logtimezone": "UTC",
        "installed": true,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "loglevel": 2,
        "maintenance": false,
        "updater.release.channel": "stable",
        "mail_from_address": "no-reply",
        "mail_smtpmode": "sendmail",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "test.de",
        "theme": ""
    }
}
```

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration

```
| Configuration                 |  |
|-------------------------------|--|
| hasMemberOfFilterSupport      | 0 |
| hasPagedResultSupport         |  |
| homeFolderNamingRule          |  |
| lastJpegPhotoLookup           | 0 |
| ldapAgentName                 | uid=readonly,ou=special-users,dc=test=de |
| ldapAgentPassword             | *** |
| ldapAttributesForGroupSearch  |  |
| ldapAttributesForUserSearch   | sn;givenName;uid;mail |
| ldapBackupHost                |  |
| ldapBackupPort                |  |
| ldapBase                      | dc=test,dc=de |
| ldapBaseGroups                | ou=groups,dc=test,dc=de |
| ldapBaseUsers                 | ou=users,dc=test,dc=de |
| ldapCacheTTL                  | 600 |
| ldapConfigurationActive       | 1 |
| ldapDefaultPPolicyDN          |  |
| ldapDynamicGroupMemberURL     |  |
| ldapEmailAttribute            | mail |
| ldapExperiencedAdmin          | 1 |
| ldapExpertUUIDGroupAttr       | cn |
| ldapExpertUUIDUserAttr        | uid |
| ldapExpertUsernameAttr        |  |
| ldapGidNumber                 | gidNumber |
| ldapGroupDisplayName          | cn |
| ldapGroupFilter               | (&(|(objectclass=groupOfUniqueNames))(!(cn=studenten*))) |
| ldapGroupFilterGroups         |  |
| ldapGroupFilterMode           | 0 |
| ldapGroupFilterObjectclass    |  |
| ldapGroupMemberAssocAttr      | uniqueMember |
| ldapHost                      | ldaps://idm.test.de |
| ldapIgnoreNamingRules         |  |
| ldapLoginFilter               | (&(&(objectclass=inetOrgPerson)(mail=*)(!(mail=*@domain.edu))(!(mail=*@domain2.de)))(uid=%uid)) |
| ldapLoginFilterAttributes     |  |
| ldapLoginFilterEmail          | 0 |
| ldapLoginFilterMode           | 0 |
| ldapLoginFilterUsername       | 1 |
| ldapNestedGroups              | 0 |
| ldapOverrideMainServer        |  |
| ldapPagingSize                | 500 |
| ldapPort                      | 636 |
| ldapQuotaAttribute            |  |
| ldapQuotaDefault              |  |
| ldapTLS                       | 0 |
| ldapUserDisplayName           | mail |
| ldapUserDisplayName2          |  |
| ldapUserFilter                | (&(objectclass=inetOrgPerson)(mail=*)(!(mail=*@domain.edu))(!(mail=*@domain2.de))) |
| ldapUserFilterGroups          |  |
| ldapUserFilterMode            | 0 |
| ldapUserFilterObjectclass     |  |
| ldapUuidGroupAttribute        | auto |
| ldapUuidUserAttribute         | auto |
| turnOffCertCheck              | 0 |
| turnOnPasswordChange          | 0 |
| useMemberOfToDetectMembership | 1 |
```

Client configuration

Browser: Chrome, FF, Thunderbird 52

Operating system: Ubuntu 16

Logs

Web server error log

Upload request from gtest1 (=user A)

```
################# General #################
Request URL:http://nextcloud-test.test.de/remote.php/dav/calendars/gtest1/personal/Nextcloud-E1J4QTNBGGC5NC7K0AV8IS.ics
Request Method:PUT
Status Code:201 Created
Remote Address:192.168.210.159:80
Referrer Policy:no-referrer
################# Response Headers #################
Cache-Control:no-store, no-cache, must-revalidate
Connection:Keep-Alive
Content-Length:0
Content-Security-Policy:default-src 'none';
Content-Type:text/html; charset=UTF-8
Date:Thu, 01 Jun 2017 09:00:05 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive:timeout=5, max=100
Pragma:no-cache
Server:Apache/2.4.18 (Ubuntu)
X-Content-Type-Options:nosniff
X-Download-Options:noopen
X-Frame-Options:SAMEORIGIN
X-Permitted-Cross-Domain-Policies:none
X-Robots-Tag:none
X-XSS-Protection:1; mode=block
################# Request Headers #################
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:no-cache
Connection:keep-alive
Content-Length:977
Content-Type:text/calendar; charset=UTF-8
Cookie:nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=HDSMA%2Bt3YcvhH4DgZng%2Fqap7o%2FqMm46RKHNHMcsfXZJ76im0Q1kD8ktnjsTclDdgsUCn%2BfGZxeBTafuxil8CLRvPUiLBV1IBeNxjuRPbni4QWP7XacPn7anitBqy1kpb; och55ujpywqp=6741gfemrnht28ekermd7ifji5
Host:nextcloud-test.test.de
Origin:http://nextcloud-test.test.de
Pragma:no-cache
requesttoken:z+HPn1E8iyapZH4ruCaaD6xLFvNAgecJuvoMTZZ5GpE=:vZGLxT8I/0L6AjQS8BLsap8PRJEUy4E/3qw9GNlKdPs=
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
################# Request Payload #################
BEGIN:VCALENDAR
PRODID:-//Nextcloud calendar v1.5.3
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
CREATED:20170601T105932
DTSTAMP:20170601T105932
LAST-MODIFIED:20170601T105932
UID:P7A3QP6ILH30RUL6EMWWS
SUMMARY:Meeting
LOCATION:room 1
ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE;PARTSTAT=NEEDS-ACTION;CUTYPE=INDIVI
 DUAL;CN=groupware-test3@test.de:MAILTO:groupware-test3@test.de
ORGANIZER;CN=groupware-test1@test.de:MAILTO:groupware-test1@test.de
CLASS:PUBLIC
DESCRIPTION:this is a test
STATUS:CONFIRMED
DTSTART;TZID=Europe/Berlin:20170614T090000
DTEND;TZID=Europe/Berlin:20170614T100000
END:VEVENT
BEGIN:VTIMEZONE
TZID:Europe/Berlin
BEGIN:DAYLIGHT
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
TZNAME:CEST
DTSTART:19700329T020000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
TZNAME:CET
DTSTART:19701025T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
END:STANDARD
END:VTIMEZONE
END:VCALENDAR
```

Upload request from gtest2 (=user B) after changing the properties of the event created by gtest2

```
################# General #################
Request URL:http://nextcloud-test.test.de/remote.php/dav/calendars/gtest3/personal/sabredav-c0a75fa4-2423-4b2e-9517-0ca96194dea8.ics
Request Method:PUT
Status Code: 204 No Content
Remote Address:192.168.210.159:80
Referrer Policy:no-referrer
################# Response Headers #################
Cache-Control:no-store, no-cache, must-revalidate
Connection:Keep-Alive
Content-Security-Policy:default-src 'none';
Content-Type:text/html; charset=UTF-8
Date:Thu, 01 Jun 2017 09:01:50 GMT
ETag:"38f7e99b7b2a29261c13c77d5bd98319"
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive:timeout=5, max=100
OC-ETag:"38f7e99b7b2a29261c13c77d5bd98319"
Pragma:no-cache
Server:Apache/2.4.18 (Ubuntu)
X-Content-Type-Options:nosniff
X-Download-Options:noopen
X-Frame-Options:SAMEORIGIN
X-Permitted-Cross-Domain-Policies:none
X-Robots-Tag:none
X-XSS-Protection:1; mode=block
################# Request Headers #################
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:1008
Content-Type:text/calendar; charset=UTF-8
Cookie:oc_sessionPassphrase=9KYNohv2BBoBL48n6TTl6smz4oVmb0XBD7o5O%2BBrj00nORyPhA%2FT6yuXfmu%2BNoVaEi4AbYnDhLva7yjhfRD1cJu%2FKM8rUe281ma69e2ZkDotQSCeoYgtCn2RWRwXWBNp; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; och55ujpywqp=o9n4fa4lf7h84hnf03k8d2io22
Host:nextcloud-test.test.de
If-Match:"fcfe2de9a22f48d9ff6c86212d467c29"
Origin:http://nextcloud-test.test.de
requesttoken:njLitYPnKMrdBr0zsmfeeSm1qiSNP+HL7aY688zqYIQ=:xl+J8cStB7y+cPZn9BWrDlHt2mDfXpD6v/9Pg/qbFeY=
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.114 Safari/537.36 Vivaldi/1.9.818.50
################# Request Payload #################
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Sabre//Sabre VObject 4.1.2//EN
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:Europe/Berlin
BEGIN:DAYLIGHT
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
TZNAME:CEST
DTSTART:19700329T020000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
TZNAME:CET
DTSTART:19701025T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
CREATED:20170601T105932
DTSTAMP:20170601T105932
LAST-MODIFIED:20170601T105932
UID:P7A3QP6ILH30RUL6EMWWS
SUMMARY:Meeting
LOCATION:changed_room
ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE;PARTSTAT=NEEDS-ACTION;CUTYPE=INDIVI
 DUAL;CN=groupware-test3@test.de;X-NC-GROUP-ID=0:MAILTO:groupware-test3@test.de
ORGANIZER;CN=groupware-test1@test.de:MAILTO:groupware-test1@test.de
CLASS:PUBLIC
DESCRIPTION:new description
STATUS:CONFIRMED
DTSTART;TZID=Europe/Berlin:20170614T090000
DTEND;TZID=Europe/Berlin:20170614T100000
END:VEVENT
END:VCALENDAR
```
georgehrke commented 7 years ago

To get this right:

Right?

brunt82 commented 7 years ago

To 1) Yes: nobody will be informed.

To 2) I'm quite sure that (all) CalDAV clients are not able to change properties of such events from other users. I tested it with Thunderbird (fields are greyed out) and Outlook CalDavSynchronizer (here it will not be synchronized to the server, instead it is stored locally somehow). But Outlook is a bad example here, because of the external add-in.

However: Thunderbird can only update two parameters of this event:

georgehrke commented 7 years ago

Ah, ok :) Thanks for the clarification!

georgehrke commented 7 years ago

What we have to do now:

Bolli84 commented 4 years ago

With the integration of mails from the "mail"-app, this behaviour is very likely. Especially, the events are changed by accident (moving the entries on a tablet). The change will be transferred to each participant.

Correct behaviour: Import of ICS-file by CalDAV PUT is fine as it is. The Nextcloud admin should have the option to set a "confirm changes to an event" within the web interface. This should prevent accidental mails to participants. Or like Horde does it: a "pop-up box": "Do you want to send the updates to the participants?".

miaulalala commented 1 month ago

This is intentional and works according to the RFC. User B should still be able to modify and change an event according to their preference as the copy of the original VEVENT belongs to them - but the scheduling changes (i.e., ATTENDEEs get an updated copy) are only ever triggered when the ORGANIZER changes something.
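
An added example, not part of this thread and not Nextcloud code: because an attendee's copy can legitimately differ from the organizer's, an admin or auditor can compare the two copies of one UID and list which organizer-controlled properties have drifted locally. The `ORGANIZER_CONTROLLED` list and all function names are assumptions for illustration; the sample data is constructed from the two PUT payloads in the report.

```python
# Assumption for this example: properties whose changes only the ORGANIZER propagates.
ORGANIZER_CONTROLLED = ("SUMMARY", "LOCATION", "DESCRIPTION", "DTSTART", "DTEND", "STATUS")
# Constructed sample, trimmed from the report's payloads (the ATTENDEE line is folded).
_TEMPLATE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:P7A3QP6ILH30RUL6EMWWS\r\n"
    "SUMMARY:Meeting\r\nLOCATION:{loc}\r\nDESCRIPTION:{desc}\r\n"
    "ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE;PARTSTAT=NEEDS-ACTION;CUTYPE=INDIVI\r\n"
    " DUAL;CN=groupware-test3@test.de:MAILTO:groupware-test3@test.de\r\n"
    "ORGANIZER;CN=groupware-test1@test.de:MAILTO:groupware-test1@test.de\r\n"
    "DTSTART;TZID=Europe/Berlin:20170614T090000\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
ORGANIZER_COPY = _TEMPLATE.format(loc="room 1", desc="this is a test")
ATTENDEE_COPY = _TEMPLATE.format(loc="changed_room", desc="new description")

def unfold(ics):
    """Undo RFC 5545 folding (line break followed by space or tab); return content lines."""
    flat = ics.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "")
    return [line for line in flat.split("\n") if line]

def split_line(line):
    """Split 'NAME;params:value' at the first colon outside a quoted parameter value."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def vevent_props(ics):
    """Name -> sorted values of the first VEVENT; parameters and nested VALARMs are ignored."""
    props, depth = {}, 0
    for name, value in map(split_line, unfold(ics)):
        if name == "BEGIN":
            depth = depth + 1 if depth or value.upper() == "VEVENT" else 0
        elif name == "END" and depth:
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            props.setdefault(name, []).append(value)
    return {k: sorted(v) for k, v in props.items()}

def local_divergence(organizer_ics, attendee_ics):
    """Organizer-controlled properties whose values differ in the attendee's copy."""
    org, att = vevent_props(organizer_ics), vevent_props(attendee_ics)
    if org.get("UID") != att.get("UID"):
        raise ValueError("UID mismatch: not two copies of the same event")
    return {p: (org.get(p, []), att.get(p, []))
            for p in ORGANIZER_CONTROLLED if org.get(p) != att.get(p)}
```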