Tickets :: [#15011] Notifications reveal private entries

6.0.0-alpha14

7/2/25

Summary	Notifications reveal private entries
Queue	Kronolith
Queue Version	FRAMEWORK_5_2
Type	Bug
State	Resolved
Priority	1. Low
Owners	mrubinsk (at) horde (dot) org
Requester	2020 (at) ichbinweg (dot) ch
Created	05/24/2020 (1865 days ago)
Due
Updated	07/04/2020 (1824 days ago)
Assigned
Resolved	07/04/2020 (1824 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch	No

07/04/2020 06:39:50 PM	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit 5f898094acc324f5c17deb13c66c9b6bc6c95005 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 14:29:15 -0400 [mjr] SECURITY: Don't leak private details when sending notifications for private events (~~Bug #15011~~). M docs/changelog.yml https://github.com/horde/kronolith/commit/5f898094acc324f5c17deb13c66c9b6bc6c95005

07/04/2020 06:19:42 PM	Michael Rubinsky	Assigned to Michael Rubinsky State ⇒ Resolved

07/04/2020 06:16:35 PM	Git Commit	Comment #3	Reply to this comment
Changes have been made in Git (master): commit 74e0bf732327305edb3f2dd44517eb6b33d408e4 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 14:16:03 -0400 ~~Bug: 15011~~ Don't leak details when sending notifications for private entries. A k.patch M lib/Kronolith.php M templates/update/notification.html.php M templates/update/notification.plain.php https://github.com/horde/kronolith/commit/74e0bf732327305edb3f2dd44517eb6b33d408e4

07/04/2020 04:46:41 PM	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit afc52b68583cfdd2643582e3066c08965848607a Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 12:44:39 -0400 ~~Bug: 15011~~ Don't leak details when sending notifications for private entries. M lib/Kronolith.php https://github.com/horde/kronolith/commit/afc52b68583cfdd2643582e3066c08965848607a

05/24/2020 07:45:37 AM	2020 (at) ichbinweg (dot) ch	Comment #1 Priority ⇒ 1. Low Patch ⇒ No Milestone ⇒ Queue ⇒ Kronolith Summary ⇒ Notifications reveal private entries Type ⇒ Bug State ⇒ Unconfirmed	Reply to this comment
When read access is given for a given calendar to another user, they usually only get an indication like "Busy" for calendar entries marked private when accessed by web interface or ActiveSync. But when this user activates notifications of changes by e-mail, the explicit title of the calendar entry gets sent out instead of "Busy" only. Why is the calendar entry title masked on the web interface or ActiveSync, but not in email notifications? Access rights granted to other user: Show/Read/Edit/Delete Notifications activated by other user: Menu entry "On all calendars I have explicitly read access to"