nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

group member can overwrite private appointment #5551

Open stefanroesler opened 7 years ago

stefanroesler commented 7 years ago

Actual behaviour

The admin creates a calendar for group A, group A has read / write permission, User B1 and B2 are members of group A. In case B1 creates a private appointment it will be shown for every group member, also for himself, as busy (that's okay, because the information will be shown via caldavsync in Outlook for the creator of this appointment). The problem: every group member with read / write permission can overwrite / delete B1's private appointment. Is there no concept of ownership for appointments in shared calendars?

Server configuration

Operating system: Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-042stab120.18 x86_64)

Web server: Apache/2.4.18 (Ubuntu)

Database: mysql 5.7

PHP version: 7.0.18-0ubuntu0.16.04.1 (cli) ( NTS )

Server version: 12.0.0

Calendar version: 1.5.3

Updated from an older installed version or fresh install: fresh install

nickvergessen commented 7 years ago

No, calendars have ownerships. Everything inside is handled the same way.

stefanroesler commented 7 years ago

Sorry Joas, the ownership of a calendar is not sufficient. There is a common shared calendar and it will also include private appointments, which should be only visible for the owner of this appointment. Now it's possible to delete and / or overwrite these appointments for other members of the group.

plauzenbaer commented 7 years ago

I'm experiencing the same issue in a similar environment.

georgehrke commented 4 years ago

Solution: Simply respond with a 403 when the non-owner is editing a non-public event or when a non-owner is creating an event with an access class other than PUBLIC
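The check proposed in the comment above, as an added example that is not Nextcloud's code. It reads "owner" as the calendar owner, treats DELETE as an edit, and also refuses a non-owner reclassifying a public event (all assumptions); the function names and sample data are constructed.

```python
import re

# RFC 5545 components that can carry CLASS; an absent CLASS means PUBLIC.
CLASSIFIED = ("VEVENT", "VTODO", "VJOURNAL")

def access_classes(ics):
    """Collect the CLASS value of every classifiable component in the object."""
    found, stack = set(), []
    # Undo line folding first: a CRLF followed by space/tab continues the line.
    for line in re.sub(r"\r?\n[ \t]", "", ics).splitlines():
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].strip().upper()   # drop property parameters
        value = value.strip().upper()
        if name == "BEGIN":
            stack.append([value, "PUBLIC"])
        elif name == "END" and stack:
            component, cls = stack.pop()
            if component in CLASSIFIED:
                found.add(cls)
        elif name == "CLASS" and stack:
            stack[-1][1] = value
    return found

def is_public(ics):
    # Fail closed: unknown values, or no parsable component, count as non-public.
    return access_classes(ics) == {"PUBLIC"}

def status_for_write(principal, calendar_owner, stored_ics, incoming_ics):
    """HTTP status for a PUT (incoming_ics set) or a DELETE (incoming_ics None)."""
    ok = 201 if stored_ics is None else 204
    if principal == calendar_owner:
        return ok
    if stored_ics is not None and not is_public(stored_ics):
        return 403   # non-owner touching an existing non-public object
    if incoming_ics is not None and not is_public(incoming_ics):
        return 403   # non-owner creating, or reclassifying to, non-public
    return ok

def sample_event(cls_line):  # constructed sample data
    return ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:constructed-1\r\n"
            "SUMMARY:Dentist\r\n" + cls_line + "END:VEVENT\r\nEND:VCALENDAR\r\n")

PRIVATE = sample_event("CLASS:PRI\r\n VATE\r\n")   # folded on purpose
PUBLIC = sample_event("")                          # no CLASS -> PUBLIC
```

Under this reading a group member such as B1 cannot store a private appointment in the shared calendar at all; only the calendar owner can.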

raimund-schluessler commented 4 years ago

Related issues are https://github.com/nextcloud/calendar/issues/519 and https://github.com/nextcloud/tasks/issues/467.