Impact
Any authenticated user has read-only permissions to the planning of every other user, even admin ones.
To reproduce
Steps to reproduce the behavior:
- Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'.
- Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL.
- Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group).
- 'Camila' has read-only access to 'eduardo.mozart' personal planning.
The same behavior happen to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission).
Patches
5272803
Workarounds
Remove the caldav.php file to block access to CalDAV server.
Impact
Any authenticated user has read-only permissions to the planning of every other user, even admin ones.
To reproduce
Steps to reproduce the behavior:
The same behavior happen to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission).
Patches
5272803
Workarounds
Remove the
caldav.phpfile to block access to CalDAV server.