[Bug 310734] New: Akonadi DAV resource doesn't react on 403 errors

Thomas Tanghus thomas at tanghus.net
Mon Nov 26 21:00:41 GMT 2012


https://bugs.kde.org/show_bug.cgi?id=310734

            Bug ID: 310734
          Severity: normal
           Version: 4.9
          Priority: NOR
          Assignee: kdepim-bugs at kde.org
           Summary: Akonadi DAV resource doesn't react on 403 errors
    Classification: Unclassified
                OS: Linux
          Reporter: thomas at tanghus.net
          Hardware: Other
            Status: UNCONFIRMED
         Component: DAV Resource
           Product: Akonadi

When trying to delete a contact from a shared ownCloud addressbook, Akonadi
believes it is deleted even though the response clearly indicates it is
forbidden.

Reproducible: Always

Steps to Reproduce:
Delete a contact from a shared ownCloud addressbook that doesn't have
OCP\PERMISSION_DELETE, watch in the access log that the response is a 403.
Actual Results:  
The contact is removed from Akonadi cache.

Expected Results:  
The user should get an appropriate error message.

This is against ownCloud master branch, so results may vary. In 4.5 it was
possible to delete a resource even though the addressbook only had
PERMISSION_UPDATE.

Example URL:

DELETE /owncloud/remote.php/carddav/addressbooks/test1/contacts_shared_by_test2/C52B52A4-8EA0-0001-2E8C-C89095241A13.vcf

Response:
HTTP/1.1 403 Forbidden
Date: Mon, 26 Nov 2012 20:32:34 GMT
Server: Apache/2.2.22 (Ubuntu)
(snipped)
Content-Length: 602
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/xml; charset=utf-8

Response body:

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre_DAVACL_Exception_NeedPrivileges</s:exception>
  <s:message>User did not have the required privileges ({DAV:}unbind) for path "addressbooks/test1/contacts_shared_by_test2"</s:message>
  <s:sabredav-version>1.7.1</s:sabredav-version>
  <d:need-privileges>
    <d:resource>
      <d:href>/owncloud/remote.php/carddav/addressbooks/test1/contacts_shared_by_test2</d:href>
      <d:privilege>
        <d:unbind/>
      </d:privilege>
    </d:resource>
  </d:need-privileges>
</d:error>

I have only tested this with CardDAV, but I suppose the same applies for
CalDAV.

-- 
You are receiving this mail because:
You are the assignee for the bug.
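
The client-side handling this report asks for, as an added example in Python (not Akonadi or ownCloud code): the local cache entry is dropped only on a 2xx reply to DELETE, and a 403 is turned into an error message naming the missing privilege from the `d:need-privileges` body. The function names are hypothetical, and the sample body is the one from the report with whitespace condensed.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark notation for the DAV: namespace

# Constructed sample: the 403 body from the report, whitespace condensed.
SAMPLE_403 = b"""<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:exception>Sabre_DAVACL_Exception_NeedPrivileges</s:exception>
  <d:need-privileges>
    <d:resource>
      <d:href>/owncloud/remote.php/carddav/addressbooks/test1/contacts_shared_by_test2</d:href>
      <d:privilege><d:unbind/></d:privilege>
    </d:resource>
  </d:need-privileges>
</d:error>"""


def missing_privileges(body):
    """Return [(href, privilege), ...] from a DAV:need-privileges error body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []  # unparsable body: the status code alone still decides
    found = []
    for res in root.iter(DAV + "resource"):
        href = (res.findtext(DAV + "href") or "").strip()
        for priv in res.iter(DAV + "privilege"):
            for child in priv:  # e.g. <d:unbind/> -> "{DAV:}unbind"
                found.append((href, child.tag))
    return found


def handle_delete_response(status, body=b""):
    """Decide whether the local cache entry may be dropped (hypothetical helper).

    Returns (remove_from_cache, user_message).
    """
    if 200 <= status < 300:
        return True, "deleted on server"
    if status == 403:
        privs = missing_privileges(body)
        detail = ", ".join(f"{p} on {h}" for h, p in privs) or "no detail given"
        return False, f"server refused deletion (403): missing {detail}"
    # Any other status: the server did not confirm the delete, keep the item.
    return False, f"deletion failed with HTTP {status}; keeping local copy"
```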


