[Chore] Fix public calendar behavior

[tchapi]

Important

This PR contains a migration, that you need to run to be able to test the code. The migration is backwards compatible (meaning that running it adds a column, that is ignored if you rollback on an earlier version of the code)

[tchapi]

Linked to Davis Roadmap too

[1Luc1]

Thanks for this PR.

Tested it. I can now add a event to the public calendar as an owner of the calendar.

But I can't subscribe to the public calendar as "non-user" without credentials. It still prompts to add a password.

[tchapi]

But I can't subscribe to the public calendar as "non-user" without credentials. It still prompts to add a password.

@1Luc1 You test on Thunderbird, right? Do you have an option to "subscribe" to a calendar instead ("New Calendar Subscription" on iCal on macOs)? If yes, could you test if this works for the read only part?

[1Luc1]

But I can't subscribe to the public calendar as "non-user" without credentials. It still prompts to add a password.

@1Luc1 You test on Thunderbird, right? Do you have an option to "subscribe" to a calendar instead ("New Calendar Subscription" on iCal on macOs)? If yes, could you test if this works for the read only part?

Yes I tested on Thunderbird. Within Thunderbird you subscribe to a calendar. Button is called "New Calendar ..." .

I have a user test with a public calendar pubTest:

And I want to subscribe to this public calendar as a "outside" user within Thunderbird:

But it does ask for the credentials. As I understand it, it should be possible to subscribe to the calendar without credentials as read only - public calendar that is.

I also tried something, don't know if this helps, but if I open the URI within the browser a popup opens to enter login credentials and if i cancel the following error appears:

4.7.0 Sabre\DAV\Exception\NotAuthenticated No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/test/pubTest

[tchapi]

Yes I tested on Thunderbird. Within Thunderbird you subscribe to a calendar. Button is called "New Calendar ..." .

Ok thanks. I've pushed a change just now as it seems sabre/dav treats most things as shared calendars under the hood, can you retry? I successfully subscribe to the calendar (or load it in a browser), while retaining write rights as owner

[1Luc1]

Thanks. Now it never asks for a password. And if the calendar is subscribed it will be set as read only, but "readonly" can be unset and then events can be added to the calendar without the need of any credentials.

Initial Implementation/Test/PR: #105 (comment)

[tchapi]

Thanks. Now it never asks for a password. And if the calendar is subscribed it will be set as read only, but "readonly" can be unset and then events can be added to the calendar without the need of any credentials.

I'm genuinely not understanding how sabre/dav handles acl at this point. When you access the calendar uri in a browser, do we agree that unauthenticated only has "read" access?

Are you sure Thunderbird doesn't actually use the owner credentials to be able to write to the calendar?

[tchapi]

Still via a browser, unauthenticated, my current user privileges set seem correct — so I don't see how you could write to it

[tchapi]

And finally, I cannot modify or change things (when unauthenticated):

<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
  <s:sabredav-version>4.7.0</s:sabredav-version>
  <s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
  <s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured. Login was needed for privilege: {DAV:}write-content on calendars/xxx/public-test/43E8882F-5E38-4649-AD93-BBDA7B41A929.ics</s:message>
</d:error>

[1Luc1]

Restarted Thunderbird and it seems to work now. If i want to add events i have to enter username/password. Maybe some caching within thunderbird did make this behavior.

For Future Me: Thunderbird can store passwords. Go to settings->search for password-> saved password -> popup -> delete entries for that domain -> restart thunderbird

So it does work! Thanks!

[tchapi]

Restarted Thunderbird and it seems to work now.

Ok I'm relieved, it was driving me crazy !

[1Luc1]

Sorry 😶‍🌫️

Something I notice - maybe some thunderbird bug, but still want to mention it - even if the public calendar is subscribed with username/password it will always be subscribed as read-only.

This of course can be reverted within the settings of the subscribed calendar to uncheck "Read Only". And of course you can then add events to the calendar, cause you previously entered username/password. But restarting thunderbird makes it read only again.

[tchapi]

This of course can be reverted within the settings of the subscribed calendar to uncheck "Read Only". And of course you can then add events to the calendar, cause you previously entered username/password. But restarting thunderbird makes it read only again.

This might be a specific behaviour of Thunderbird (I don't have this kind of thing on macOS or iOS for instance). To be honest I don't understand the "read only" checkbox on Thunderbird: if the calendar is read only, why having a check box you can change on the client side? Seems a bit odd to me.

In any case it might come from how Thunderbird interprets the ACLs and "deduce" stuff from it. You can try to fiddle around with the code in here (maybe change "unauthenticated" to "all"?) but I wouldn't bet on the fact that it changes anything.

[tchapi]

Just tested on my side, the read-only property is correctly set as non-existant when auth is passed, so it's a Thunderbird (cache?) issue:

(see the 404 on read-only in the payload below)

<?xml version="1.0"?>
<d:multistatus
	xmlns:d="DAV:"
	xmlns:s="http://sabredav.org/ns"
	xmlns:cal="urn:ietf:params:xml:ns:caldav"
	xmlns:cs="http://calendarserver.org/ns/"
	xmlns:card="urn:ietf:params:xml:ns:carddav">
	<d:response>
		<d:href>/dav/calendars/xxx/public-test/</d:href>
		<d:propstat>
			<d:prop>
				<d:current-user-privilege-set>
					<d:privilege>cal:read-free-busy/</d:privilege>
					<d:privilege>
						<d:read/>
					</d:privilege>
					<d:privilege>
						<d:read-acl/>
					</d:privilege>
					<d:privilege>
						<d:read-current-user-privilege-set/>
					</d:privilege>
					<d:privilege>
						<d:write-properties/>
					</d:privilege>
					<d:privilege>
						<d:write/>
					</d:privilege>
					<d:privilege>
						<d:write-content/>
					</d:privilege>
					<d:privilege>
						<d:unlock/>
					</d:privilege>
					<d:privilege>
						<d:bind/>
					</d:privilege>
					<d:privilege>
						<d:unbind/>
					</d:privilege>
					<d:privilege>
						<d:write-acl/>
					</d:privilege>
					<d:privilege>
						<d:share/>
					</d:privilege>
				</d:current-user-privilege-set>
			</d:prop>
			<d:status>HTTP/1.1 200 OK</d:status>
		</d:propstat>
		<d:propstat>
			<d:prop>
				<s:read-only/>
			</d:prop>
			<d:status>HTTP/1.1 404 Not Found</d:status>
		</d:propstat>
	</d:response>
</d:multistatus>