[CalendarServer-users] Setting permissions or ACLs on calendarserver.

Wilfredo Sánchez Vega wsanchez at wsanchez.net
Thu May 31 17:22:29 PDT 2007


   We believe that's the case.  :-)

   That is, we've implemented it, and have some tests, but since we  
lack real clients that use it, it's hard to know for sure that the  
implementation is satisfactory as-is.  Obviously, we'd love to see  
that change.

   Note that some resources do not allow editing of ACLs.  This may be  
true for some of the base hierarchy (e.g. /calendars), since we don't  
necessarily want to let those get into a "broken" state.

   Additionally, your home calendar will give you DAV:all access which  
is protected, meaning that you can't (that is, shouldn't be, unless  
there is a bug) remove that privilege from a calendar home's owner.

   The strategy that we've been pursuing to date regarding ACL  
controls for calendar resources and their containers is to avoid doing  
ACL operations on individual calendar resources, and stick to editing  
ACLs for calendar collections.

   The server will allow you to do either, but I will bet that this  
will confuse some, if not many, clients.  ACLs are presently still a  
pretty bleeding-edge concept, and I think getting too funky with them  
may be tricky.

   So things like giving a friend read access to a calendar should be  
straightforward, but doing that for individual events has a lot of  
oddball corner-case issues, I think.  We think the server does sane  
things here, but again, without real use cases, it's hard to know for  
sure, and I don't expect that clients will necessarily cope well.

   Note also that we have a notion of "proxy groups".  Each principal  
on the server has two such groups associated with it, a read proxy  
group, and a read/write proxy group.  The ACLs are already set up  
appropriately for these groups on each calendar collection, on the  
theory that editing the group membership is simpler than monkeying  
with ACLs.  Again, real-world usage will bear out how well that  
works.  One limitation is that this applies to all of your calendars,  
and not just some.

   Hope this helps.

	-wsv


On May 30, 2007, at 12:36 AM, mwacker at linagora.com wrote:

> Do you mean that CalDAV ACLs are already implemented on the server
> side?
> As far as I remember CalDAV ACLs are applicable not only on a calendar
> object (which is a collection of events in WebDAV speaking) but ACLs
> can be set event by event.
> Does Darwin Calendar Server implement this fully?
>
> The only problem in exploiting this comes from the client side?

—
Wilfredo Sánchez - wsanchez at wsanchez.net
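
An added example, not part of the original message and not CalendarServer code: building the body of a WebDAV ACL request (RFC 3744) that gives a friend DAV:read on a calendar collection while leaving the owner's protected DAV:all ACE to the server. The principal paths and the sample DAV:acl property are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)

def q(name):
    return "{%s}%s" % (DAV, name)

# Constructed sample: the DAV:acl property as a PROPFIND might return it.
CURRENT_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace>
    <D:principal><D:href>/principals/users/alice/</D:href></D:principal>
    <D:grant><D:privilege><D:all/></D:privilege></D:grant>
    <D:protected/>
  </D:ace>
  <D:ace>
    <D:principal><D:href>/principals/users/carol/</D:href></D:principal>
    <D:grant><D:privilege><D:read/></D:privilege></D:grant>
  </D:ace>
</D:acl>"""

def build_acl_body(current_acl_xml, principal_href, privilege="read"):
    """Return an ACL request body: existing editable ACEs plus one new grant."""
    old = ET.fromstring(current_acl_xml)
    new = ET.Element(q("acl"))
    for ace in old.findall(q("ace")):
        # The ACL method sets only non-protected, non-inherited ACEs, so the
        # server-controlled ones are left out of the request body.
        if ace.find(q("protected")) is not None or ace.find(q("inherited")) is not None:
            continue
        new.append(ace)
    ace = ET.SubElement(new, q("ace"))
    ET.SubElement(ET.SubElement(ace, q("principal")), q("href")).text = principal_href
    priv = ET.SubElement(ET.SubElement(ace, q("grant")), q("privilege"))
    ET.SubElement(priv, q(privilege))
    return ET.tostring(new, encoding="unicode")

def granted(acl_xml):
    """Map principal href -> set of granted privilege names, for checking."""
    out = {}
    for ace in ET.fromstring(acl_xml).findall(q("ace")):
        href = ace.findtext(q("principal") + "/" + q("href"))
        for priv in ace.findall(q("grant") + "/" + q("privilege") + "/*"):
            out.setdefault(href, set()).add(priv.tag.split("}")[1])
    return out

if __name__ == "__main__":
    print(build_acl_body(CURRENT_ACL, "/principals/users/bob/"))
```

The returned XML is what a client would send as the body of an ACL request against the calendar collection's URL; existing editable grants are carried over because the request replaces the whole editable ACL.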


