Public Calendar Embed from Guest Account Without Calendar Access

Open gary-kim opened this issue 5 years ago • 3 comments

Steps to reproduce

  1. Create a Guest account that does not have access to Calendar
  2. Create a public calendar link
  3. Attempt to access said calendar's public link while logged in to guest account.

Expected behaviour

The embedded calendar should be visible as it is normally visible to anyone.

Actual behaviour

Screenshot from 2020-03-25 00-58-06

Calendar app

Experienced on cloud.nextcloud.com



gary-kim, Mar 24 '20 17:03

We are using @PublicPage on the Controller method, so from the calendar side of things, it should be accessible by anyone.

@rullzer @icewind1991 Should we move this issue to the server or guests repo?

georgehrke, Mar 24 '20 17:03

Let's move this to the guest repo for now.

georgehrke, Mar 28 '20 11:03

I had a quick look into this, so the main issue here is that the guest app checks access even before the controller gets loaded. I was thinking about moving the access checks to a middleware but apparently there is no way to register global middlewares as of now, just for within the app container. We can of course whitelist the url /apps/calendar/p/... in https://github.com/nextcloud/guests/blob/6a5d56bc47ddfe741efe8aa2ee4a21785c3596e5/lib/AppWhitelist.php#L94 but that would of course mean special code for each app inside of guests.

juliusknorr, Dec 16 '20 14:12