[CalendarServer-users] Client library and admin tool

Scott Buchanan dscottbuch at mac.com
Wed Apr 2 18:44:35 PDT 2008


Cyrus,

That makes sense (I've done enough ACLs to at least get the
principle).  It would be nice to find a tutorial with, or without, the
GUI.

On Apr 2, 2008, at 6:31 PM, Cyrus Daboo wrote:

> Hi Scott,
>
> --On April 2, 2008 5:50:14 PM -0700 Scott Buchanan  
> <dscottbuch at mac.com> wrote:
>
>> I've installed the CS on a Tiger server and everything is working.  I
>> want to use the calendars for the groups (our SW group for example) and
>> this works fine BUT I don't want individuals of the group to be able to
>> delete the entire calendar, which is very easy to do by mistake from
>> iCal for example.  They need to be able to add and edit events, but not
>> the whole calendar.
>>
>> The only way I can see to do this is to somehow edit the ACL for the
>> .../swgroup/calendar/  directory so that it cannot be deleted, but I'm
>> not enough of an expert on ACLs in general, and DAV ACLs in particular.
>
> Ok, this is one of the more complex parts of WebDAV ACLs.
>
> Bottom line is you need to deny the DAV:unbind privilege on the  
> parent of the calendar. That will prevent the specified users from  
> deleting anything within that parent collection.
>
> Something like this would work:
>
> 1. Start the shell:
>
>> ./runshell.py --server=... --user=... --password=...
>
> 2. Navigate to the parent directory of the calendars you want to  
> "protect":
>
> / > cd /calendars/groups/testgroup
>
> 3. Run the ACL interactive mode:
>
> /calendars/groups/testgroup > acl -i
>
> 4. Use the add command:
>
> ACL > add
>
> 5. You will then get a list of existing privileges. You will
> probably want to insert the one to block deletes above all the
> existing ones as the order of privileges counts when determining
> access. So enter 1:
>
> Add ACL before [1 - 7] or cancel [q]: 1
>
> 6. You will then get prompted for a "principal type". This  
> determines who the new privilege will apply to. In this case we want  
> it to apply to everyone in a specific group, so enter 1:
>
> Select type: 1
>
> 7. You will then get prompted to enter the principal path, so enter  
> the path to the group you want to "block":
>
> Enter principal path: /principals/groups/swgroup
>
> 8. In WebDAV you can have the privilege apply to the specified  
> principal or apply to all principals that do not match that  
> (invert). In this case we want the former so enter n:
>
> Invert principal [y/n]: n
>
> 9. Next the prompt is for whether a privilege is being granted or  
> denied. In this case we want deny, so enter d:
>
> Grant or Deny privileges [g/d]: d
>
> 10. Then the prompt will be a list of all the privileges that can be
> denied. In this case you want DAV:unbind so enter i:
>
> Select multiple items: i
>
> 11. At that point the shell tool should write out the new  
> privileges. Use the list command to verify it is there. Then, as a  
> member of the group try to delete a calendar. Hopefully you won't be  
> able to!
>
> As you can see there are a lot of steps involved in managing ACLs  
> and you do need to understand how the order and sets of privileges  
> and invert, grant/deny etc all work.
>
> Of course one could write a GUI for this that would just give a set
> of checkboxes to check off and it would look a lot easier than the
> command line approach.
>
> -- 
> Cyrus Daboo
>
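
The ACL that the steps above produce, as an added Python example that is not part of the original thread or of the CalendarServer tools: it builds the RFC 3744 `DAV:acl` body with a deny of `DAV:unbind` for `/principals/groups/swgroup` and shows why the position of that entry matters. The existing grant of read and write and the first-match evaluator are assumptions made for illustration; a real server's evaluation may differ in detail.

```python
import xml.etree.ElementTree as ET

DAV = "DAV:"
ET.register_namespace("D", DAV)
GROUP = "/principals/groups/swgroup"   # principal path used in the thread
# RFC 3744: DAV:write aggregates these privileges, so a write grant allows deletes.
WRITE_PARTS = {"bind", "unbind", "write-properties", "write-content"}

def ace(principal_href, action, privileges):
    """Build one <D:ace>; action is 'grant' or 'deny'."""
    e = ET.Element(f"{{{DAV}}}ace")
    p = ET.SubElement(e, f"{{{DAV}}}principal")
    ET.SubElement(p, f"{{{DAV}}}href").text = principal_href
    a = ET.SubElement(e, f"{{{DAV}}}{action}")
    for name in privileges:
        ET.SubElement(ET.SubElement(a, f"{{{DAV}}}privilege"), f"{{{DAV}}}{name}")
    return e

def acl_body(aces):
    """Serialize the ordered ACE list as the body of a WebDAV ACL request."""
    root = ET.Element(f"{{{DAV}}}acl")
    root.extend(aces)
    return ET.tostring(root, encoding="unicode")

def allowed(aces, member_of, needed):
    """Simplified ordered evaluation: the first ACE that settles the request wins."""
    remaining = set(needed)
    for e in aces:
        if e.findtext(f"{{{DAV}}}principal/{{{DAV}}}href") not in member_of:
            continue
        node = e[1]                                   # the grant or deny element
        privs = {c.tag.split("}")[1] for p in node for c in p}
        if "write" in privs:
            privs |= WRITE_PARTS
        if node.tag.endswith("deny"):
            if privs & remaining:
                return False                          # a needed privilege is denied
        else:
            remaining -= privs
            if not remaining:
                return True                           # everything needed is granted
    return False                                      # nothing granted it

# Constructed sample: the group's existing grant on the parent collection.
existing = [ace(GROUP, "grant", ["read", "write"])]
deny_unbind = ace(GROUP, "deny", ["unbind"])
protected = [deny_unbind] + existing                  # deny inserted at position 1
appended = existing + [deny_unbind]                   # deny added last instead
print(acl_body(protected))
```

In this model `allowed(protected, {GROUP}, {"unbind"})` is refused while the same request against `appended` is granted, because the earlier write grant already covers `DAV:unbind`.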


