Open rfc2822 opened 3 years ago
Yes, definitely makes sense as discussed.
We actually already throw a Forbidden exception in the createFile method of our calendar implementation, but maybe there is some additional check on the node existence upfront somewhere in the server dav code. I'll look into that.
I would like to point out that this still affects thousands of /e/os and custom DAVx⁵ installations across the world.
With a 404, some clients keep trying to PUT. At least with a 403, the client knows to give up. I know this issue is probably superseded by #2399, but if you can find a relatively simple way to change that 404 to 403 (it's probably more complex than it looks), please to that in the meantime.
In Deck's defense, the CalDAV implementation came a long way. :)
As I also reported in the DAVx5 forum it's causing the same 404 error but changing the label of a card on the Android device still gets synced back to Nextcloud. Feels like a partial sync?
Hi,
As long as there's no write access to Deck's CalDAV collections, the server restricts write access as expected. However, it returns 404 instead of 403.
Steps to reproduce:
Actual result: Currently, it returns 404 Not found when you try to upload a task.
Expected result: Deck should return 403 Forbidden:
Because the client has read access, it knows which resources exist and thus there's no need for 404.
The response body should contain:
With 403 and
<DAV:need-privileges>
, clients can show a meaningful error message.Tested with: Nextcloud 20, Deck 1.1.0