[Davical-general] "show only date and time" lightning

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[Davical-general] "show only date and time" lightning

Marc Patermann
Hi,

user a gives read access to his calendar to user b. All are using
Thunderbird 10 ESR with Lightning 1.2.3.

user a creates an event and sets the privacy setting to "show only date
and time". (I'm using the German version so it might not be labeled
exactly like that.)

But there is not difference in accessing this event than any other. user
b can see everything.
Is this a bug in Lightning?
(If the setting is right and there is a standard way for this, I think
it is in the responsibility of the server to hide what is not to be seen
by the client.)

If the privacy is set to "private" the event is not even displayed for
user b, so this seem to work.


Marc

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Davical-general mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/davical-general
Reply | Threaded
Open this post in threaded view
|

Re: "show only date and time" lightning

Andrew McMillan
On Thu, 2012-07-19 at 14:09 +0200, Marc Patermann wrote:

> Hi,
>
> user a gives read access to his calendar to user b. All are using
> Thunderbird 10 ESR with Lightning 1.2.3.
>
> user a creates an event and sets the privacy setting to "show only date
> and time". (I'm using the German version so it might not be labeled
> exactly like that.)
>
> But there is not difference in accessing this event than any other. user
> b can see everything.
> Is this a bug in Lightning?
> (If the setting is right and there is a standard way for this, I think
> it is in the responsibility of the server to hide what is not to be seen
> by the client.)
>
> If the privacy is set to "private" the event is not even displayed for
> user b, so this seem to work.
Hi Marc,

The setting in the VEVENT is 'CLASS' and it defaults to 'PUBLIC' but may
be set to 'PRIVATE' (which seems to work for you) or 'CONFIDENTIAL'
which seems not to work for you.

If a user has write access to the calendar, the 'CONFIDENTIAL' event
will still be fully visible to them.  If their permissions do not allow
writing to the calendar then the event should be 'obfuscated' so the
time just appears as 'Busy'.

... and, of course, there could be bugs!

Something that can help you to see the actual VCALENDAR in Lightning is
that when you open an event you can press "Ctrl+C" to copy it's content,
and then paste it into a text editor with "Ctrl+V" where it will be
pasted as it's VCALENDAR data.

Some useful SQL you can use to check the privileges for users against a
particular path is something like this:

SELECT displayname,
 bits_to_privilege( path_privs(principal_id,'/username/calendar/',3) )
 FROM principal;

where you change the path, as appropriate.  The '3' is the depth of
search for expanding privileges but '3' is probably fine.  Expansion can
get expensive, so be careful about increasing that.

Regards,
                                        Andrew McMillan.

--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com                            +64(272)DEBIAN
             I base my fashion taste on what doesn't itch.
                            -- Gilda Radner

------------------------------------------------------------------------


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Davical-general mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/davical-general

signature.asc (853 bytes) Download Attachment