Help needed with permissions - docu update suggested
Closed this issue · 3 comments
I want to have users able to read access their own address book via carddav and infcloud webgui and an admin who can read and write all address books (at least via carddav protocol).
So I made this rights file which does what I want in terms of carddav:
[admin]
user: admin
collection: .*
permissions: RrWw
[jederseins]
user: .+
collection: {user}/[^/]+
permissions: Rr
Every user can only access his own address book via carddav, and readonly, and the admin can access all of them and read and write. So far so good.
The problem: the users except admin
cannot login via infcloud.
So I tested with these rights:
[admin]
user: admin
collection: .*
permissions: RrWw
[jederseins]
user: .+
collection: .*
permissions: Rr
Now, everything works as expected in infcloud. But, of couse, the users can access the other user's address books as well via carddav.
So, what's the correct rights to set to achieve the same behaviour for carddav and infcloud?
For infcloud it is important that users can read the root and the user collection.
Try it like this:
[admin]
user: admin
collection: .*
permissions: RrWw
[root]
user: .+
collection:
permissions: R
[user]
user: .+
collection: {user}
permissions: R
[jederseins]
user: .+
collection: {user}/[^/]+
permissions: Rr
Sadly, this doesn't work, with this a tested user can still access a different user's address book via carddav. I think, it's because
[root]
user: .+
collection:
permissions: R
I also tried to put it in the end, doesn't change.
If I leave out this section, the carddav behaviour is fine again (every user only his own address book), but login in infcloud fails again.
Oh, I must correct myself, I had a bad test tool: I used cardBook in thunderbird to check only for login. It shows up, that login on the other users address book url is possible, but retrieveing it fails. There seems to be some automatism, that cardBook looks up the tree, if the full url is not allowed. And if there a login was possible, it gave me this wrong-positive feedback.
So, I tried it with curl and it seems, the behaviour is as wanted now, thank You very much!