[CalendarServer-users] Client library and admin tool
Cyrus Daboo
cdaboo at apple.com
Wed Apr 2 18:31:35 PDT 2008
Hi Scott,
--On April 2, 2008 5:50:14 PM -0700 Scott Buchanan <dscottbuch at mac.com>
wrote:
> I've installed the CS on a Tiger server and everything is working. I
> want to use the calendars for the groups (our SW group for example) and
> this works fine BUT I don't want individuals of the group to be able to
> delete the entire calendar which is very easy to do by mistake from iCal
> for example. They need to be able to add and edit events, but not the
> whole calendar.
>
> The only way I can see to do this is to somehow edit the acl for the
> .../swgroup/calendar/ directory so that it can not be deleted but I'm
> not enough of an expert on ACL's in general, and DAV acls in particular.
Ok, this is one of the more complex parts of WebDAV ACLs.
Bottom line is you need to deny the DAV:unbind privilege on the parent of
the calendar. That will prevent the specified users from deleting anything
within that parent collection.
Something like this would work:
1. Start the shell:
> ./runshell.py --server=... --user=... --password=...
2. Navigate to the parent directory of the calendars you want to "protect":
/ > cd /calendars/groups/testgroup
3. Run the ACL interactive mode:
/calendars/groups/testgroup > acl -i
4. Use the add command:
ACL > add
5. You will then get a list of existing privileges. You will probably want
to insert the the one to block deletes above all the existing ones as the
order of privileges counts when determining access. So enter 1:
Add ACL before [1 - 7] or cancel [q]: 1
6. You will then get prompted for a "principal type". This determines who
the new privilege will apply to. In this case we want it to apply to
everyone in a specific group, so enter 1:
Select type: 1
7. You will then get prompted to enter the principal path, so enter the
path to the group you want to "block":
Enter principal path: /principals/groups/swgroup
8. In WebDAV you can have the privilege apply to the specified principal or
apply to all principals that do not match that (invert). In this case we
want the former so enter n:
Invert principal [y/n]: n
9. Next the prompt is for whether a privilege is being granted or denied.
In this case we want deny, so enter d:
Grant or Deny privileges [g/d]: d
10. Then the prompt will be list of all the privileges that can be denied.
In this case you want DAV:unbind so enter i:
Select multiple items: i
11. At that point the shell tool should write out the new privileges. Use
the list command to verify it is there. Then, as a member of the group try
to delete a calendar. Hopefully you won't be able to!
As you can see there are a lot of steps involved in managing ACLs and you
do need to understand how the order and sets of privileges and invert,
grant/deny etc all work.
Of course one could write a GUI for this that would just give a set of
checkboxes to check off and it would look at lot easier than the command
line approach.
--
Cyrus Daboo
More information about the calendarserver-users
mailing list