Tickets :: [#15011] Notifications reveal private entries

6.0.0-git

2020-07-15

Summary	Notifications reveal private entries
Queue	Kronolith
Queue Version	FRAMEWORK_5_2
Type	Bug
State	Resolved
Priority	1. Low
Owners	mrubinsk (at) horde (dot) org
Requester	2020 (at) ichbinweg (dot) ch
Created	2020-05-24 (52 days ago)
Due
Updated	2020-07-04 (11 days ago)
Assigned
Resolved	2020-07-04 (11 days ago)
Milestone
Patch	No

2020-07-04 18:39:50	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit 5f898094acc324f5c17deb13c66c9b6bc6c95005 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 14:29:15 -0400 [mjr] SECURITY: Don't leak private details when sending notifications for private events (~~Bug #15011~~). M docs/changelog.yml https://github.com/horde/kronolith/commit/5f898094acc324f5c17deb13c66c9b6bc6c95005

2020-07-04 18:19:42	Michael Rubinsky	Assigned to Michael Rubinsky State ⇒ Resolved

2020-07-04 18:16:35	Git Commit	Comment #3	Reply to this comment
Changes have been made in Git (master): commit 74e0bf732327305edb3f2dd44517eb6b33d408e4 Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 14:16:03 -0400 ~~Bug: 15011~~ Don't leak details when sending notifications for private entries. A k.patch M lib/Kronolith.php M templates/update/notification.html.php M templates/update/notification.plain.php https://github.com/horde/kronolith/commit/74e0bf732327305edb3f2dd44517eb6b33d408e4

2020-07-04 16:46:41	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit afc52b68583cfdd2643582e3066c08965848607a Author: Michael J Rubinsky <mrubinsk@horde.org> Date: Sat, 04 Jul 2020 12:44:39 -0400 ~~Bug: 15011~~ Don't leak details when sending notifications for private entries. M lib/Kronolith.php https://github.com/horde/kronolith/commit/afc52b68583cfdd2643582e3066c08965848607a

2020-05-24 07:45:37	2020 (at) ichbinweg (dot) ch	Comment #1 Type ⇒ Bug State ⇒ Unconfirmed Priority ⇒ 1. Low Summary ⇒ Notifications reveal private entries Queue ⇒ Kronolith Milestone ⇒ Patch ⇒ No	Reply to this comment
When read access is given for a given calendar to another user, they usually only get an indication like "Busy" for calendar entries marked private when accessed by web interface or ActiveSync. But when this user activates notifications of changes by e-mail, the explicit title of the calendar entry gets sent out instead of "Busy" only. Why is the calendar entry title masked on the web interface or ActiveSync, but not in email notifications? Access rights granted to other user: Show/Read/Edit/Delete Notifications activated by other user: Menu entry "On all calendars I have explicitly read access to"