[kronolith] Understanding Kronolith's sharing options

Jens Wahnes wahnes at uni-koeln.de
Thu Jul 2 17:31:42 UTC 2015


Hi,

after some experiments trying to figure out how the calendar sharing
system works in detail, I wonder if there is some documentation about
it available. The wiki page <http://wiki.horde.org/KronolithModule>
states that "owners can set fine grained permissions for groups and
individuals on their calendars", but doesn't mention how these
permissions work in detail.

Should I be able to sort it all out, I could of course create an
article in the wiki about this topic, but so far I still don't
understand half of it.

For instance, how do the "Object creator" permissions work? I thought
this would enable one to give permissions to the original creator of an
event in case one created an event in someone else's calendar.  For
instance, userX shares his calendar with userY and userZ, gives both
read, show, and edit permissions but not delete.  Does giving the
delete permission to "Object creator" then enable userY to delete
events that he created in userX's calendar, but not those created by
userZ?  So a bit like the modern meaning of the sticky bit in directory
permissions on Linux?

But then, isn't that kind of moot since one needs "edit" permissions to
add an event to the foreign calendar anyway -- and if one can edit (but
not delete) events in someone else's calendar, a malicious user could
still 'edit' all events to be occuring at "2001-01-01" with title
"foo", location "bar" and desciption "baz", which, from the calendar
owner's point of view, is the same thing as deleting the events?

What I find most irritating is that once a calendar has "Object
creator: show" permissions, it is shown to all users in the "Shared
Calendars" section (giving a red "Permission Denied" message once one
tries to check the box for that calendar), even if they don't have any
events inside that calendar.  Is it intentional that a calendar shows
up like this?  We've had irritations about calendars being shared with
everyone in the past and I thought that this was now gone for good
after we turned off $conf[share][world] in horde.conf.  I've been
thinking about this a bit now and could not come up with any scenario
where giving that permission ("Object creator: show") does actually
make sense?!

Also, I don't understand what the "delegate" permission actually does.
I thought one could use it to give the permission to add permissions to
this calendar to another user, but that's obviously not the case.  Is
delegating the right to set permissions possible at all?  I think that
this could come in handy with calendars without a specific owner, but
as I said "delegate" does not seem to do that trick and I can't figure
out what "delegate" really does.

Any insight into this would be greatly appreciated.

Thanks,
Jens


More information about the kronolith mailing list