[#4050] Free/Busy URL privacy
Summary Free/Busy URL privacy
Queue Kronolith
Queue Version 2.1.1
Type Enhancement
State Accepted
Priority 1. Low
Owners
Requester stavros@staff.esc.net.au
Created 2006-06-16 (5046 days ago)
Due
Updated 2008-11-16 (4162 days ago)
Assigned
Resolved
Milestone
Patch No

Comments
stavros@staff.esc.net.au 2006-06-16 11:16:09
The free/busy url is accessible by anyone, and hence private 
information is available to anyone who wants it.

Jan Schneider <jan@horde.org> 2006-06-16 11:37:26
> The free/busy url is accessible by anyone,



That's the purpose of free/busy urls.



>  and hence private information is available to anyone who wants it.



Wrong, the freebusy information doesn't contain any private data.

michael.menge@zdv.uni-tuebingen.de 2008-06-06 13:44:30
The FB contains private data.

It allows to connect userid to Name and email Adress

It allows spammers to veryfy emailadresses by probing the FB urls



I think it would be usefull to allow users to deactivate generating of 
the FB information and/or

to use permissoins system to choose who is able to retrieve these informations



michael.menge@zdv.uni-tuebingen.de 2008-06-10 17:11:48
As my request http://bugs.horde.org/ticket/6889 was marked as 
dublicated i will repost my sugestion here to keep it on this request.



--------------------

Make free/busy informations shares



Making the free/busy information share has some advantages.

1. It will allow the user to controll who is able to acces the information

2. The user can have more than one F/B url (with different calendars 
checked and different permisions)

3. Only users with acces to the share could connect loginid and 
Name/email addres.

    Even that could be impeded by generating an URL that does not 
contain the loginid

    If implemeted that way validating LoginIds would be impossible and geting

    emailaddresses would be much harder and only possible for users wich

    allow read acces to unauthenticated users



Followin is an example:



A professor could tell his students the URL 
horde.some.edu/kronolith/fb.php/aefhca56c4 the see the Free/Busy 
informations

which will only contain his consultation-hours as free time.



and his staff members get the URL

horde.some.edu/kronolith/fb.php/ab4h3a0815 which will contain the 
Free/Busy information for his working time



he has also a third which share which also contains his private events 
and is used when he is planing an events with attendees.



Chuck Hagenbuch <chuck@horde.org> 2008-06-30 19:55:02
email and name are a good point. What do other devs think about this, 
and what does the requester think of simply omitting name and email 
address from the F/B info if the user doesn't have permissions to the 
calendar?

Jan Schneider <jan@horde.org> 2008-06-30 22:25:59
That's moot, because fb.php will always be requested from a guest 
user, thus they will never see any user name or email in the fb 
publish information or in the meeting planning interface.

Chuck Hagenbuch <chuck@horde.org> 2008-07-01 01:13:20
True enough. What do you think of the general issue of name/email?

Chuck Hagenbuch <chuck@horde.org> 2008-07-01 01:14:03
Actually I guess no one out there makes a calendar that authenticates 
to get free/busy info. So the option should be for users to turn off 
their free/busy info, or for users to mask their name/email in it?

Jan Schneider <jan@horde.org> 2008-07-01 07:58:32
We should check what other fb url providers do.

michael.menge@zdv.uni-tuebingen.de 2008-07-04 11:05:38
I would prefere a solution with authentication and permissions.

But the option for users to turn the FB of and configure the Information

shown would work for our site.

Chuck Hagenbuch <chuck@horde.org> 2008-11-06 03:37:31
I just looked at google calendar. You have to explicitly enable 
free/busy information there. I think we should go back to the same 
thing we used to do of using the VIEW permission for free/busy info.



We can turn it on by default, perhaps as a conf.php setting.



Also, we could learn a few things about the calendar/share management 
interface from google calendar. But I suspect we all knew that 
already. :)