Configuration/settings/allow get email visibility

From Davical
$c->allow_get_email_visibility = true;

default: false

If set to true, the requesting user's e-mail address is compared against the event's attendee list when deciding whether that user may view or modify a CLASS:PRIVATE or CLASS:CONFIDENTIAL resource; a match grants full visibility that the user's rights on the collection alone would not.

CLASS:PRIVATE events are normally visible only to someone with DAV::all rights to the collection, such as the owner or an administrator. These are the most private type of events.

CLASS:CONFIDENTIAL events are normally fully visible only to someone with DAV::all rights to the collection, such as the owner or an administrator. Other people with sufficient access to read events from the collection will see an obfuscated version of the event, showing the start time, duration and a summary of 'Busy' (possibly localised to their language). Confidential events are less private than private ones.

Security Note

This setting exists because users are able to change their own e-mail address within DAViCal, so the check makes an authorisation decision on a value the requesting user controls. A user wishing to circumvent the obfuscation or visibility could therefore temporarily change their e-mail address inside DAViCal to that of an attendee at a meeting; the meeting event would then be fully visible to them, and the address can be changed back afterwards. In smaller organisations this is unlikely to be of concern, but in larger organisations it could well become an issue. Before enabling the setting, confirm that e-mail addresses in your deployment cannot be edited by the users themselves; if they can, leave it at its default of false.
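The following is an added illustration of the visibility rule described above and of the e-mail-swap problem from the Security Note. It is a small model written for this page, not DAViCal's own code: the Principal and Event structures, the function names, the "mailto:" normalisation of attendee addresses, and the sample meeting are all assumptions chosen for the example.

```python
# Model of the CLASS:PRIVATE / CLASS:CONFIDENTIAL visibility rule and of the
# e-mail-swap scenario from the Security Note. Constructed example, not
# DAViCal code; names and data structures are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

FULL = "full"              # caller sees the whole event
OBFUSCATED = "obfuscated"  # caller sees start time, duration and 'Busy'
NONE = "none"              # caller sees nothing


@dataclass
class Principal:
    email: str
    has_dav_all: bool = False  # DAV::all on the collection (owner or admin)
    can_read: bool = False     # ordinary read access to the collection


@dataclass
class Event:
    summary: str
    dtstart: str
    duration: str
    klass: str = "PUBLIC"      # CLASS property: PUBLIC, PRIVATE or CONFIDENTIAL
    attendees: tuple = ()      # ATTENDEE values, e.g. "mailto:bob@example.org"


def normalise_email(value: str) -> str:
    """Compare addresses case-insensitively and without the mailto: scheme
    that ATTENDEE properties usually carry (assumption for this example)."""
    value = value.strip().lower()
    if value.startswith("mailto:"):
        value = value[len("mailto:"):]
    return value


def visibility(event: Event, viewer: Principal,
               allow_get_email_visibility: bool = False) -> str:
    """Decide what `viewer` may see of `event`, following the page: DAV::all
    sees everything; otherwise PRIVATE is hidden and CONFIDENTIAL is
    obfuscated, unless the setting is on and the viewer's e-mail address
    matches an attendee."""
    if viewer.has_dav_all:
        return FULL
    if not viewer.can_read:
        return NONE
    if event.klass not in ("PRIVATE", "CONFIDENTIAL"):
        return FULL
    if allow_get_email_visibility:
        attendee_set = {normalise_email(a) for a in event.attendees}
        if normalise_email(viewer.email) in attendee_set:
            return FULL
    return OBFUSCATED if event.klass == "CONFIDENTIAL" else NONE


def render(event: Event, viewer: Principal,
           allow_get_email_visibility: bool = False) -> Optional[dict]:
    """What the caller actually receives for each outcome."""
    level = visibility(event, viewer, allow_get_email_visibility)
    if level == NONE:
        return None
    if level == OBFUSCATED:
        return {"DTSTART": event.dtstart, "DURATION": event.duration,
                "SUMMARY": "Busy"}
    return {"DTSTART": event.dtstart, "DURATION": event.duration,
            "SUMMARY": event.summary, "CLASS": event.klass,
            "ATTENDEE": list(event.attendees)}


def email_swap_attack(setting: bool, klass: str) -> Tuple[str, str]:
    """Security Note scenario: Mallory has read access to the collection but
    is not an attendee. She edits her own e-mail address to Bob's and asks
    again. Returns (visibility before, visibility after)."""
    meeting = Event("Salary review", "20240611T090000Z", "PT1H", klass,
                    attendees=("mailto:alice@example.org",
                               "mailto:Bob@example.org"))
    mallory = Principal("mallory@example.org", can_read=True)
    before = visibility(meeting, mallory, setting)
    mallory.email = "bob@example.org"   # self-service e-mail change
    after = visibility(meeting, mallory, setting)
    return before, after


if __name__ == "__main__":
    for setting in (False, True):
        for klass in ("PRIVATE", "CONFIDENTIAL"):
            print(setting, klass, email_swap_attack(setting, klass))
```

With the setting at its default of false the address change buys Mallory nothing; with it set to true the same change turns a hidden PRIVATE event or an obfuscated CONFIDENTIAL one into a fully visible one, which is the whole point of the Security Note.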

Available from DAViCal version: 0.9.7 or so and later