[CalendarServer-users] Client library and admin tool

Cyrus Daboo cdaboo at apple.com
Wed Apr 2 18:31:35 PDT 2008

Hi Scott,

--On April 2, 2008 5:50:14 PM -0700 Scott Buchanan <dscottbuch at mac.com> 

> I've installed the CS on a Tiger server and everything is working.  I
> want to use the calendars for the groups (our SW group for example) and
> this works fine BUT I don't want individuals of the group to be able to
> delete the entire calendar which is very easy to do by mistake from iCal
> for example.  They need to be able to add and edit events, but not the
> whole calendar.
> The only way I can see to do this is to somehow edit the acl for the
> .../swgroup/calendar/  directory so that it can not be deleted but I'm
> not enough of an expert on ACLs in general, and DAV ACLs in particular.

Ok, this is one of the more complex parts of WebDAV ACLs.

Bottom line is you need to deny the DAV:unbind privilege on the parent of 
the calendar. That will prevent the specified users from deleting anything 
within that parent collection.

Something like this would work:

1. Start the shell:

> ./runshell.py --server=... --user=... --password=...

2. Navigate to the parent directory of the calendars you want to "protect":

/ > cd /calendars/groups/testgroup

3. Run the ACL interactive mode:

/calendars/groups/testgroup > acl -i

4. Use the add command:

ACL > add

5. You will then get a list of existing privileges. You will probably want 
to insert the one to block deletes above all the existing ones as the 
order of privileges counts when determining access. So enter 1:

Add ACL before [1 - 7] or cancel [q]: 1

6. You will then get prompted for a "principal type". This determines who 
the new privilege will apply to. In this case we want it to apply to 
everyone in a specific group, so enter 1:

Select type: 1

7. You will then get prompted to enter the principal path, so enter the 
path to the group you want to "block":

Enter principal path: /principals/groups/swgroup

8. In WebDAV you can have the privilege apply to the specified principal or 
apply to all principals that do not match that (invert). In this case we 
want the former so enter n:

Invert principal [y/n]: n

9. Next the prompt is for whether a privilege is being granted or denied. 
In this case we want deny, so enter d:

Grant or Deny privileges [g/d]: d

10. Then the prompt will be a list of all the privileges that can be denied. 
In this case you want DAV:unbind so enter i:

Select multiple items: i

11. At that point the shell tool should write out the new privileges. Use 
the list command to verify it is there. Then, as a member of the group try 
to delete a calendar. Hopefully you won't be able to!

As you can see there are a lot of steps involved in managing ACLs and you 
do need to understand how the order and sets of privileges and invert, 
grant/deny etc all work.

Of course one could write a GUI for this that would just give a set of 
checkboxes to check off and it would look a lot easier than the command 
line approach.

Cyrus Daboo
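
The ACE that the steps above add, as an added Python example that is not part of the original message or of the CalendarServer shell tool: it builds the deny entry for DAV:unbind, inserts it at a chosen position in a parent collection's ACL, and checks the effect of the ordering. Assumptions: the sample ACL is constructed, the user path /principals/users/alice is hypothetical, and evaluation is first-match (real evaluation order is defined by the server).

```python
import xml.etree.ElementTree as ET

ET.register_namespace("D", "DAV:")
# RFC 3744 aggregation: DAV:write contains DAV:bind and DAV:unbind.
CONTAINS = {"all": {"write", "bind", "unbind"}, "write": {"bind", "unbind"}}

# Constructed sample: current DAV:acl of the parent collection.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace><D:principal><D:href>/principals/groups/swgroup</D:href></D:principal>
    <D:grant><D:privilege><D:write/></D:privilege></D:grant></D:ace>
</D:acl>"""


def q(name):
    """Qualify a local name with the DAV: namespace."""
    return "{DAV:}" + name


def add_deny(acl_xml, principal_href, privilege="unbind", index=0):
    """Return ACL XML with a deny ACE inserted at index (0 = before all others)."""
    acl = ET.fromstring(acl_xml)
    ace = ET.Element(q("ace"))
    ET.SubElement(ET.SubElement(ace, q("principal")), q("href")).text = principal_href
    deny = ET.SubElement(ace, q("deny"))
    ET.SubElement(ET.SubElement(deny, q("privilege")), q(privilege))
    acl.insert(index, ace)  # index 0 corresponds to answering 1 in step 5
    return ET.tostring(acl, encoding="unicode")


def is_allowed(acl_xml, principals, privilege):
    """Assumed first-match semantics: the first ACE that matches one of the
    user's principals and covers the privilege decides; otherwise deny."""
    for ace in ET.fromstring(acl_xml).findall(q("ace")):
        if ace.findtext(q("principal") + "/" + q("href")) not in principals:
            continue
        for kind in ("grant", "deny"):
            privs = ace.findall(q(kind) + "/" + q("privilege"))
            named = {c.tag[len(q("")):] for p in privs for c in p}
            covered = named.union(*(CONTAINS.get(n, set()) for n in named))
            if privilege in covered:
                return kind == "grant"
    return False
```

With the deny entry first, a group member loses unbind on the parent but keeps bind; with the same entry placed after the existing grant, the grant of DAV:write still matches first and the deny has no effect.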
