Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of external event protection against accidental changes #4379

Closed
pboguslawski opened this issue Jul 18, 2022 · 1 comment
Closed

Lack of external event protection against accidental changes #4379

pboguslawski opened this issue Jul 18, 2022 · 1 comment
Labels
0. to triage Pending approval or rejection bug

Comments

@pboguslawski
Copy link
Contributor

Steps to reproduce

  1. Send e-mail invitation to Thunderbird (TB, checked in v91.11.0) and then accept it in TB with storing in CalDAV calendar in NextCloud (NC, checked in server v24.0.3 and calendar v3.4.2).
  2. Try to change event data like date/time, attendees in TB - it won't allow such changes (reasonable - its external organizer stuff and should not be changed locally only).
  3. Try to change event data like date/time, attendees in NC - it allows one to change such settings, without any warning (think of dragging such event in NC UI by accident to other day - event won't match original date set by organizer which may be dangerous).

Expected behavior

NC should disable editing of event details for user that is not event organizer (just allow limited set of operations like approval status change/removal similar to TB).

Actual behaviour

NC allows editing event details of externally organized events saved in NC calendar.

Calendar app version

3.4.2

CalDAV-clients used

Thunderbird

Browser

No response

Client operating system

No response

Server operating system

No response

Web server

No response

Database engine version

No response

PHP engine version

No response

Nextcloud version

24.0.3

Updated from an older installed version or fresh install

No response

List of activated apps

No response

Nextcloud configuration

No response

Web server error log

No response

Log file

No response

Browser log

No response

Additional info

No response
@pboguslawski pboguslawski added 0. to triage Pending approval or rejection bug labels Jul 18, 2022
@pboguslawski pboguslawski mentioned this issue Jul 18, 2022
Closed
@st3iny
Copy link
Member

st3iny commented Jul 19, 2022
edited
Loading

We tried to fix this once and had to revert due to some severe edge case. Unfortunately, we have to stick with this "bug". Nothing is wrong here from a technical/security perspective because you are only ever updating your personal copy of the event.

Please refer to:

@st3iny st3iny closed this as completed Jul 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0. to triage Pending approval or rejection bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@st3iny @pboguslawski