Users always have write access to shared address books.
Steps to reproduce
- Share an addressbook with a user and don't grant write access.
- Log in as another user and open the contacts app
- Try to edit an existing contact in the shared addressbook.
Expected behaviour
You should not be able to edit this addressbook. You should not even be able to change the sharing configuration.
Actual behaviour
You can do what you want like the addressbook's owner. You can even delete all contacts.
Server configuration
Operating system: Ubuntu 14.04 (Server)
Web server: Apache/2.4.7 (Ubuntu)
Database: MySQL
PHP version: PHP 5.5.9
ownCloud version: 9.0.0
Contacts version: 1.1.0.0
Updated from an older ownCloud or fresh install: Updated from 8.2 but user and addressbook were created after upgrade.
Signing status (ownCloud 9.0 and above):
No errors have been found.
List of activated apps:
Enabled:
- activity: 2.2.1
- activitydefaults: 0.1.0
- announcementcenter: 1.1.1
- audios: 1.2.5
- calendar: true
- comments: 0.2
- contacts: 1.1.0.0
- dav: 0.1.5
- documents: true
- encryption: 1.2.0
- external: 1.2
- federatedfilesharing: 0.1.0
- federation: 0.0.4
- files: 1.4.4
- files_antivirus: true
- files_external: 0.5.2
- files_mv: true
- files_pdfviewer: 0.8
- files_reader: 0.7.1
- files_sharing: 0.9.1
- files_texteditor: 2.1
- files_trashbin: 0.8.0
- files_versions: 1.2.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 14.5.0
- mail: true
- news: true
- notifications: 0.2.3
- ownnote: 1.07
- passwordpolicy: true
- polls: 0.7.0
- provisioning_api: 0.4.1
- sketch: 0.1.2
- systemtags: 0.2
- tasks: 0.9.0
- templateeditor: 0.1
- updatenotification: 0.1.0
Disabled:
- files_w2g
- music
- notes
- publisher
- registration
- user_external
- user_ldap
The content of config/config.php:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"***REMOVED SENSITIVE VALUE***",
"***REMOVED SENSITIVE VALUE***",
"***REMOVED SENSITIVE VALUE***",
"***REMOVED SENSITIVE VALUE***",
"***REMOVED SENSITIVE VALUE***"
],
"datadirectory": "\/var\/www.vhosts\/owncloud\/data",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "9.0.0.19",
"dbname": "owncloud",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"appstore.experimental.enabled": true,
"mail_from_address": "owncloud",
"mail_smtpmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpsecure": "ssl",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "smtp.strato.de",
"mail_smtpport": "465",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"overwritehost": "***REMOVED SENSITIVE VALUE***",
"overwriteprotocol": "https",
"overwritewebroot": "***REMOVED SENSITIVE VALUE***",
"overwritecondaddr": "***REMOVED SENSITIVE VALUE***",
"loglevel": 2,
"logtype": "owncloud",
"logfile": "owncloud.log",
"default_language": "de",
"allow_user_to_change_display_name": true,
"enable_avatars": true,
"check_for_working_webdav": true,
"check_for_working_htaccess": true,
"has_internet_connection": true,
"theme": "",
"maintenance": false,
"preview_libreoffice_path": "\/usr\/bin\/libreoffice",
"enable_previews": true,
"share_folder": "\/Shared",
"singleuser": false,
"memcache.local": "\\OC\\Memcache\\APCu",
"trashbin_retention_obligation": "auto"
}
}
Are you using external storage, if yes which one: local and ftp
Are you using encryption: yes
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Firefox 45.0
Operating system: Linux MINT 17.3
CardDAV-clients: Thunderbird: Inverse SOGo Connector and DAVDroid (Android)
Temporary INSECURE AND INCOMPLETE fix concerning sharing and deletion of addressbooks: add
ng-if="ctrl.addressBook.url.indexOf('_shared_by_') == -1"
to the delete and share buttons in the addressBook.html template.
Issue in core. Fixed with 9.0.1
The problem partially still exists: When "can edit" is not set, can still edit the fields, but now the changes are not saved. In addition the users can edit the sharing-configuration (even if "can edit" is not set. In this case they can even set "can edit".)
> When "can edit" is not set, can still edit the fields, but now the changes are not saved.
Should be fixed in Frontend (owncloud/calendar) I guess :grin:
> In addition the users can edit the sharing-configuration (even if "can edit" is not set. In this case they can even set "can edit".)
Should be checked (reproduced and fixed) in the Backend (owncloud/core) I guess. Please open an issue there if 9.0.1 did not solve this and there is no similar issue :wink:
Reopened to fix readonly Contacts in ui
Now I tested the current version of this app in OC 9.0.2 and have the following behaviour:
If "canEdit" is not set: Users cannot edit the contacts (good!), but the fields are still writable, but the changes are not saved: The fields should be read-only.
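An added example, not part of the original thread and not ownCloud code: a minimal model of the two layers discussed above, with the server deciding every mutating request (including share changes) and the UI deriving its read-only state from the same decision. All names (`permissions`, `handleRequest`, `uiState`, the `book` object and its users) are hypothetical and the data is constructed.

```javascript
// Constructed sample: one address book owned by alice, shared with bob without "can edit".
const book = { owner: 'alice', shares: { bob: { canEdit: false } } };

// Which permission each (hypothetical) action requires.
const REQUIRED = new Map([
  ['readContact', 'read'], ['updateContact', 'write'], ['deleteContact', 'write'],
  ['setShare', 'share'], ['deleteBook', 'remove'],
]);

// Server-side decision: what may `user` do with `book`?
function permissions(book, user) {
  if (user === book.owner) {
    return { read: true, write: true, share: true, remove: true };
  }
  const shared = Object.prototype.hasOwnProperty.call(book.shares, user);
  if (!shared) {
    return { read: false, write: false, share: false, remove: false };
  }
  // A sharee never manages shares or deletes the book, whatever "can edit" says.
  const canEdit = book.shares[user].canEdit === true;
  return { read: true, write: canEdit, share: false, remove: false };
}

// Every request passes through this check, regardless of what the UI displayed.
function handleRequest(book, user, action, payload) {
  const needed = REQUIRED.get(action);
  if (!needed || !permissions(book, user)[needed]) return { status: 403 };
  if (action === 'setShare') {
    book.shares[payload.user] = { canEdit: payload.canEdit === true };
  }
  return { status: 200 };
}

// UI state comes from the same permissions, so a read-only book renders read-only
// fields and no share/delete buttons. Hiding buttons alone protects nothing.
function uiState(book, user) {
  const p = permissions(book, user);
  return { fieldsReadOnly: !p.write, showShareButton: p.share, showDeleteButton: p.remove };
}
```

In this model the sharee's attempt to grant themselves "can edit" is rejected by `handleRequest` even if a client bypasses the hidden share button.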