calendar icon indicating copy to clipboard operation
calendar copied to clipboard
verified publisher icon nextcloud

Ability to restrict public sharing

Open zertrin opened this issue 5 years ago • 3 comments

Is your feature request related to a problem? Please describe. Using an "admin" NC user, I have set up a calendar shared with a group, allowing group member to edit the calendar. (It is intended that the group members update and add events in the shared calendar). Users can also subscribe to the calendar using their private export link (which is authenticated).

However, it seems that users are allowed to create a public link to the shared calendar, which is a confidentiality issue. (the intended approach is that any access to this shared calendar shall be authenticated for each user)

Describe the solution you'd like When sharing a calendar, in addition to the can edit checkbox, there should be a can share and/or can publish checkbox that controls whether users may or may not reshare the calendar and/or whether user may or may not publicly publish the shared calendar.

Suggest these new checkboxes to be disabled by default (like the can edit one)

Describe alternatives you've considered I did not find an alternative way to forbid users to generate a public sharing link while allowing them to edit events.

Additional context As a user (not the one that initially shared the calendar), the feature would mean that the highlighted element should be disabled if can share and/or can publish are not activated by the user that shared the calendar.

image

zertrin avatar Dec 08 '20 09:12 zertrin

Not sure if I can tag it as security label.

From my point of view, this is a security shortcoming of Nextcloud calendar. Let me know if you agree and tag accordingly.

zertrin avatar Dec 08 '20 09:12 zertrin

Using the exact same scenario for allowing intranet users sharing a group calendar, we are running into the very same issue :

each and every group member can generate a public link, allowing externals to directly access (possibly confidential) information. IMO, this issue certainly deserves a security label.

didierm avatar May 10 '21 14:05 didierm

On our side, I looked into why this is no longer possible and found this thread. We would like users to be able to create public links for calendars so they can use them on their smartphones without the main user (calendar owner) having to create hundreds of links manually. Is there a way to make this possible again?

rkutschi avatar Nov 17 '25 09:11 rkutschi