nextcloud
visibility-Option "When shared show only busy" not working
Steps to reproduce
This is an urgent privacy issue which should be solved soon.
User1: shares calendar with group "example-group"
all Users: are in group "example-group"
User1: sets a new calendar entry with secret title, desc.
User1: sets visibility-option "When shared show only busy"
User1: invites user2
User1: Event data is visible, works
User2: Event data is visible, works
all Users: see all data calendar entry
Expected behavior
all Users: in group "example-group" exept User2 should only see busy, not the calendar data and entry should block time slot
Actual behavior
all Users: see all data calendar entry, inspite visibility-option "When shared show only busy" is set
Calendar app version
5.5.9
CalDAV-clients used
No response
Browser
chrome, firefox, safari newest
Client operating system
linux, mac, windows newest
Server operating system
Ubuntu linux
Web server
Apache
Database engine version
MariaDB
PHP engine version
PHP 8.3
Nextcloud version
30.0.17
Updated from an older installed version or fresh install
Updated from an older version
List of activated apps
Enabled:
- activity: 3.0.0
- app_api: 4.0.6
- bruteforcesettings: 3.0.0
- calendar: 5.5.9
- calendar_resource_management: 0.10.0
- circles: 30.0.0
- cloud_federation_api: 1.13.0
- comments: 1.20.1
- contactsinteraction: 1.11.0
- dashboard: 7.10.0
- dav: 1.31.1
- event_update_notification: 2.6.1
- external: 5.5.2
- federatedfilesharing: 1.20.0
- federation: 1.20.0
- files: 2.2.0
- files_automatedtagging: 1.20.1
- files_downloadlimit: 3.0.0
- files_external: 1.22.0
- files_pdfviewer: 3.0.0
- files_reminders: 1.3.0
- files_retention: 1.19.1
- files_sharing: 1.22.0
- files_trashbin: 1.20.1
- firstrunwizard: 3.0.0
- impersonate: 1.17.1
- jsloader: 2.0.0
- logreader: 3.0.0
- lookup_server_connector: 1.18.0
- nextcloud_announcements: 2.0.0
- notifications: 3.0.0
- oauth2: 1.18.1
- password_policy: 2.0.0
- privacy: 2.0.0
- provisioning_api: 1.20.0
- recommendations: 3.0.0
- related_resources: 1.5.0
- retention-normalize-mtime: 1.2.0
- secrets: 2.1.4
- serverinfo: 2.0.0
- settings: 1.13.0
- sharebymail: 1.20.0
- support: 2.0.0
- survey_client: 2.0.0
- systemtags: 1.20.0
- tasks: 0.16.1
- text: 4.1.0
- theming: 2.6.0
- theming_customcss: 1.19.0
- twofactor_backupcodes: 1.19.0
- updatenotification: 1.20.0
- user_status: 1.10.0
- viewer: 3.0.0
- weather_status: 1.10.0
- webhook_listeners: 1.1.0-dev
- webhooks: 0.4.3
- workflow_script: 1.15.0
- workflowengine: 2.12.0
Disabled:
- admin_audit: 1.20.0
- encryption: 2.18.0 (installed 2.18.0)
- files_rightclick: 0.15.1 (installed 1.6.0)
- files_versions: 1.23.0 (installed 1.1.0)
- keeporsweep: 0.2.1 (installed 0.2.1)
- market: 0.2.4 (installed 0.2.4)
- photos: 3.0.2 (installed 3.0.2)
- polls: 5.4.3 (installed 0.10.2)
- spreed: 16.0.4 (installed 16.0.4)
- suspicious_login: 8.0.0
- templateeditor: 0.3 (installed 0.3)
- theme-example: 1.0.0
- twofactor_nextcloud_notification: 4.0.0
- twofactor_totp: 12.0.0-dev
- user_ldap: 1.21.0
Nextcloud configuration
{
"system": {
"filelocking.enabled": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "30.0.17.2",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"loglevel": 0,
"theme": "",
"maintenance": false,
"trusted_domains": [
"localhost",
"***REMOVED SENSITIVE VALUE***"
],
"default_language": "de",
"defaultapp": "external",
"secret": "***REMOVED SENSITIVE VALUE***",
"share_folder": "\/Shared",
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_sendmailmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpstreamoptions": {
"ssl": {
"allow_self_signed": true,
"verify_peer": false,
"verify_peer_name": false
}
},
"overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***",
"trashbin_retention_obligation": "auto, 7",
"forcessl": true,
"forceSSLforSubdomains": true,
"has_rebuilt_cache": true,
"app_install_overwrite": [
"announcementcenterhh",
"jsloader",
"files_automatedtagging",
"impersonate",
"webhooks"
],
"csrf.optout": [
"\/^WebDAVFS\/",
"\/^Microsoft-WebDAV-MiniRedir\/"
],
"remember_login_cookie_lifetime": 2678400,
"session_lifetime": 2592000,
"session_keepalive": true,
"auto_logout": false,
"integrity.check.disabled": true,
"default_phone_region": "DE",
"mysql.utf8mb4": true,
"allow_user_to_change_display_name": true,
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 0
},
"activity_expire_days": 20,
"maintenance_window_start": 3
}
}
Web server error log
Log file
Browser log
Additional info
tested also with
Nextcloud 32.0.1 Calendar Version 6.0.4
Nextcloud 31.0.10 Calendar Version 5.5.9
same Bug reproduced
Can confirm this behavior in v5.5.9 but tbh I'm not sure if this isn't how it "should" work: when user2 has write access on the calendar the user can see the whole calendar entry. If user2 has read-only access the calendar entry shows only "busy". If I remember correctly this is how CalDAV handles these cases, but I can be wrong too.
