PROPFIND lists calendars which a user does not have access to, 1.1.5 regression?
I have a pretty small davical 1.1.5 setup, with two users, a group and a few calendars on each principal.
Both users have No privileges granted to All users. Both users have Principal Grants towards the other user (Read, Read Current User's Access, Read Free/Busy Information, Scheduling: Query free/busy) to access each other's calendars. All but one of userA's calendars have Privileges "[from principal]". One calendar has NO privileges, to disallow userB from seeing it and reading it.
Since upgrading from davical 1.1.2 to 1.1.5 (from FreeBSD ports), I've started getting these in my log:
:Response status 403 for PROPFIND /caldav.php/userA/PrivateCalender/
:***************** Response Header ****************
headers:-->X-Powered-By: PHP/5.6.30
headers:-->Server: 1.1
headers:-->DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
headers:-->DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
headers:-->X-DAViCal-Version: DAViCal/1.1.5; DB/1.2.11
headers:-->Content-type: text/xml; charset="utf-8"
:******************** Response ********************
response:--><?xml version="1.0" encoding="utf-8" ?>
response:--><error xmlns="DAV:">
response:--> <need-privileges>
response:--> <resource>
response:--> <href>/caldav.php/userA/PrivateCalender/</href>
response:--> <privilege>
response:--> <read/>
response:--> </privilege>
response:--> </resource>
response:--> </need-privileges>
response:--></error>
These occur when userB, using iCal, tries to read the PrivateCalendar resource which has "none" permissions.
The problem, as I understand it, is that PROPFIND /caldav.php/userA/ lists this PrivateCalendar which userB does not have access to. The actual access control seems to work fine when it comes to actually fetching the calendar (as shown above), but it shouldn't even be visible in the list of calendars, in my opinion.
It should be pretty easy to repeat: set up permissions as above and use:
# OK, but lists the private calendar
curl -X PROPFIND -v -u userB -H 'Prefer: return-minimal' -H 'Depth: 1' https://cal.stromnet.se/caldav.php/userA/
# Rejected, 403
curl -X PROPFIND -v -u userB -H 'Prefer: return-minimal' -H 'Depth: 1' https://cal.stromnet.se/caldav.php/userA/PrivateCalendar/
As mentioned above, in 1.1.2 I did not get these errors logged. I'm, however, not sure whether userB actually had their access blocked, or whether they could see it before.
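The reproduction above can be automated as a check that reports every collection a principal listing exposes to a user who cannot actually read it. The script below is an added example, not DAViCal code and not from the original post: it parses a Depth: 1 multistatus, then probes each listed child with its own PROPFIND and flags children that come back 401/403. The sample multistatus body is constructed for the offline demo (it is not a server capture), and the server URL, principal path and credentials in the commented-out live call are placeholders.

```python
"""Find collections that a CalDAV principal listing exposes but the same user cannot read.

Added example (not DAViCal's own code).  SAMPLE_MULTISTATUS is a constructed
Depth: 1 response, and the URL/credentials in the live helper are assumptions.
"""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

DAV = "{DAV:}"

# Constructed sample of what PROPFIND Depth: 1 on /caldav.php/userA/ could return:
# the principal collection itself plus two calendar collections.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<multistatus xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav">
  <response>
    <href>/caldav.php/userA/</href>
    <propstat><prop><resourcetype><collection/></resourcetype></prop>
      <status>HTTP/1.1 200 OK</status></propstat>
  </response>
  <response>
    <href>/caldav.php/userA/calendar/</href>
    <propstat><prop><resourcetype><collection/><C:calendar/></resourcetype></prop>
      <status>HTTP/1.1 200 OK</status></propstat>
  </response>
  <response>
    <href>/caldav.php/userA/PrivateCalendar/</href>
    <propstat><prop><resourcetype><collection/><C:calendar/></resourcetype></prop>
      <status>HTTP/1.1 200 OK</status></propstat>
  </response>
</multistatus>
"""

# Minimal PROPFIND body: we only need resourcetype to tell collections apart.
PROPFIND_BODY = b"""<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop><resourcetype/></prop></propfind>"""


def listed_children(multistatus_xml: bytes, base_href: str) -> list[str]:
    """Hrefs of child collections in a Depth: 1 multistatus, excluding the base itself."""
    root = ET.fromstring(multistatus_xml)
    hrefs = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href")
        is_collection = resp.find(f".//{DAV}resourcetype/{DAV}collection") is not None
        if href and href != base_href and is_collection:
            hrefs.append(href)
    return hrefs


def leaked_collections(multistatus_xml: bytes, base_href: str, probe) -> list[str]:
    """Children that are listed but whose own PROPFIND is refused (401 or 403).

    `probe(href)` returns the HTTP status of a PROPFIND on that href; it is a
    callable so the logic can be exercised offline with a fake probe.
    """
    return [h for h in listed_children(multistatus_xml, base_href) if probe(h) in (401, 403)]


def propfind_status(url: str, user: str, password: str, depth: str = "1") -> tuple[int, bytes]:
    """Issue a PROPFIND with Basic auth; returns (status, body) and does not raise on 4xx."""
    req = urllib.request.Request(url, data=PROPFIND_BODY, method="PROPFIND")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Depth", depth)
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def check_server(base_url: str, principal_path: str, user: str, password: str) -> list[str]:
    """Live check: list the principal as `user`, then probe every listed child with Depth: 0."""
    status, body = propfind_status(base_url + principal_path, user, password)
    if status != 207:
        raise RuntimeError(f"PROPFIND on {principal_path} returned {status}")
    return leaked_collections(
        body, principal_path,
        lambda h: propfind_status(base_url + h, user, password, depth="0")[0],
    )


if __name__ == "__main__":
    # Offline demo: pretend the server refuses PrivateCalendar, as in the 403 above.
    fake_probe = lambda h: 403 if h.endswith("/PrivateCalendar/") else 207
    print(leaked_collections(SAMPLE_MULTISTATUS, "/caldav.php/userA/", fake_probe))
    # Against a real server (placeholder URL and credentials):
    # print(check_server("https://cal.example.org", "/caldav.php/userA/", "userB", "secret"))
```

A non-empty result from `check_server` means the listing reveals collection names (and their resourcetype) that the ACL later refuses to serve, which is exactly the visibility issue described in the post; an empty result means the principal listing and the per-collection checks agree.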