Anyone can become event's organiser and then do anything with event, even cancel it

[maksemuz]

Steps to reproduce

1. User A creates an event, invites mailing list BC@email.domain, this list contains users B and C
2. Calendar C is shared to user B read-only, and both calendars B and C are connected into user B Thunderbird
3. User B receives an invitation email with Thunderbird, there is no buttons "Access" or "Decline" but there is "Details" button instead.
4. User B presses "Details" button and opens event's properties
5. The property "Calendar" contains calendar C. User B changes it to calendar B and suddenly becomes an organiser of event and got it in his calendar.
6. If user B deletes this event from his calendar, it will be deleted from calendars A and C as well.

Expected behaviour

Tell us what should happen
User B must not become the event's organiser and must not have such access.

Actual behaviour

Tell us what happens instead
User B becomes the owner of event and now can delete it.

Server configuration

Operating system:
FreeBSD 11.1-RELEASE-p9
Web server:
apache 2.4
Database:
10.2.14-MariaDB
PHP version:
PHP 7.2.4
Server version: (see your admin page)
14.0.3
Calendar version: (see the apps page)
1.6.3
Updated from an older installed version or fresh install:
updated
Signing status (ownCloud/Nextcloud 9.0 and above):

Login as admin user into your cloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your instance's installation folder

Nextcloud configuration:

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your instance's installation folder

or

Insert your config.php content here
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: yes/no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

LDAP configuration (delete this part if not used)

With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your instance's installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Be sure to replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:

Operating system:

CalDAV-clients:

Logs

Web server error log

Insert your webserver log here

Log file (data/nextcloud.log)

Insert your nextcloud.log file here

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[georgehrke]

User B presses "Details" button and opens event's properties
The property "Calendar" contains calendar C. User B changes it to calendar B and suddenly becomes an organiser of event and got it in his calendar.
If user B deletes this event from his calendar, it will be deleted from calendars A and C as well.

This all happens inside Thunderbird?

If yes, what makes you think this is a Nextcloud issue?

[georgehrke]

User B becomes the owner of event and now can delete it.

Is it an email send out by Nextcloud? Sabre/DAV compares the owner of the calendar and the organiser inside the VEvent doesn't send out emails if they don't match.

[maksemuz]

1 - All user B actions are inside Thunderbird.
When user B changes calendar of event to his own, he becomes the organiser instead of user A.
Then user B deletes this event and it disappears in calendars A and C completely.
I checked this on Nextcloud server using "impersonate" to each user of this story.
This makes me think it is Nextcloud issue.
2 - users B and C receives only email and no events in their calendars because the mail group was invited, not them. Groups do not work in Nextcloud Calendar App but we can use group email.

[georgehrke]

When user B changes calendar of event to his own, he becomes the organiser instead of user A.

Can you export the event from the email user B receives and the event user B has after adding it to his own calendar, open it in a text editor and compare the ORGANIZER property please?

The Nextcloud server won't modify any data it receives, so I think it is Thunderbird changing the ORGANIZER.

[maksemuz]

Yes, I compared this, and ORGANIZER has been changed to user B.
Correction: after that ORGANIZER changes and event could be deleted from B and C calendars.
Calendar A contains the same event without changes.

[georgehrke]

Yes, I compared this, and ORGANIZER has been changed to user B.

As I said, the nextcloud server won’t modify your calendar data. That said I’m 99.9999% sure that this modification was done by Thunderbird. Can you please report a bug to them?

[maksemuz]

Again.
User B has READONLY access to calendar C.
After user B action 1 (incorrect saving):

• event in calendar B has changed organizer from A to B
• event in calendar C changed organizer from A to B (it's NOT OK, B can only READ calendar C)
  After user B action 2 (deletion):
• event in calendar B has disappeared (it's OK)
• event in calendar C has disappeared (it's NOT OK, B can only READ calendar C)

Therefore, looks like Nextcloud does modify calendar data at least in calendar C.

[maksemuz]

Correction:
After user B action 2 (deletion):

• event in calendar B has disappeared
• event in calendar C has been cancelled (not disappeared) (maybe it's OK after action 1)

[miaulalala]

Cannot reproduce. Closing.

[miaulalala]

Spoke too early. It's back.

[ChristophWurst]

Fix is at #3424

[ChristophWurst]

Reopened as the fix was reverted.

[miaulalala]

A bit of context: we reverted this fix because it was impossible to edit or delete an event in one's own calendar where one is an attendee. We talked through a few options and the current front runner is showing a warning to the user that, while their calendar entry is going to be edited, the organiser's even will be untouched by those changes, and also giving people the option to delete or delete and decline.

[ChristophWurst]

Example: I received a forwarded email with an event invitation and imported the event. Now it's there, read-only and I'm unable to do anything with it.

Showing the warning must indeed be the best option. It makes the limitations of change propagation transparent to the user, while allowing them of being in full control of the event.

[dumblob]

@ChristophWurst I'd actually prefer to teach the user to understand the concept. Accepting an invitation is a "view" of the event editable by someone else. Any attempt to edit it will be forbidden. But there'll be a button on such an event to "use as template" which simply open a form for event creation but fully pre-filled with the data from the original event.

I think this solution would be much cleaner and much more understandable to the user than anything proposed in this thread.

Just my 2 cents.

[st3iny]

@ChristophWurst I'd actually prefer to teach the user to understand the concept. Accepting an invitation is a "view" of the event editable by someone else. Any attempt to edit it will be forbidden.

The problem with this approach is that it just isn't true from a technical perspective. When you get invited, the underlying CalDAV system will create a copy that exists ONLY in your calendar. You are allowed to edit it freely as you please. The event itself will not be linked to the "real" event from the organizer.

However, most clients/backends support forwarding some changes e.g. your participation status to the "real" event. The limitation of read only invitations is a pure user interface feature. It is neither required nor specified by the standards (from a backend perspective).

[dumblob]

The problem with this approach is that it just isn't true from a technical perspective.

I find this argument a pure strawman. Simply because this "true" perspective is the reason people find the behavior wrong (not just "confusing"). In other words, this whole thread is not about technical perspective but how to design overall user experience (i.e. both behavior and visual concepts).

However, most clients/backends support forwarding some changes e.g. your participation status to the "real" event. The limitation of read only invitations is a pure user interface feature. It is neither required nor specified by the standards (from a backend perspective).

Exactly. And that's why I propose to accept the intuitive understanding as the way forward. And thus introduce new concepts to NC Mail - e.g. a "link/view".

I.e. read-only event "linked" to someone else's event in a way it automatically updates itself and one can't delete nor edit it, but one can only unlink it (by which e.g. a pop-up would ask whether to "convert it to my event - e.g. by prefilling a new event form" or whether to "remove it from my calendar without notifying event participants about it").