Private calendar subscription remains even after rights are revoked

Posted: Wed Aug 22, 2012 11:56 am
by aebrown
Following up on the discussion of private calendar rights in this post, I found some odd behavior after my rights to a private calendar were revoked -- I was still subscribed. Here's the sequence:
  1. As a default administrator, I edit a private calendar to which I have neither view nor edit rights.
  2. I add my calling as a viewer/editor and save.
  3. Now that calendar appears on my subscription list (it was not there before). Since I have auto-subscribe on, I am automatically subscribed.
  4. In the main calendar view, I now see that calendar in the list of available calendars, and I can see its events.
  5. I then go back to Settings > Calendars and edit the calendar.
  6. I remove my calling from the list of viewers/editors and save.
  7. I go to my list of subscriptions, and see that the calendar no longer appears. That is the expected behavior.
  8. When I go to the main calendar view, I am surprised to see that the private calendar still appears on the list of calendars, and that I can still see the events. I also can still create events on that calendar.
  9. Signing out and signing back in has no effect -- I still have view/edit rights to the calendar.
  10. So it appears that I am still subscribed, but since the calendar doesn't appear on my Subscriptions list, I can't unsubscribe.
The only way I could fix this was to give myself view/edit permissions again ("view only" probably would have been sufficient), manually unsubscribe, then go back and revoke the permissions again. Then the calendar finally disappeared from the list on the main calendar display.
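
Added example, not part of the original post and not the calendar application's code: a minimal model of one way the reported sequence could arise, assuming the settings page filters subscriptions by current rights while the main view trusts the stored subscription. The class, the function names and the `hardened` switch are hypothetical.

```python
# Constructed model, not the calendar application's code. Assumption: the
# settings page filters by current rights while the main view does not.
class CalendarStore:
    def __init__(self, hardened=False):
        self.acl = {}            # calendar -> {user: "view" | "edit"}
        self.subscriptions = {}  # user -> set of calendars
        self.hardened = hardened  # hypothetical fix switch

    def grant(self, calendar, user, level, auto_subscribe=True):
        self.acl.setdefault(calendar, {})[user] = level
        if auto_subscribe:
            self.subscriptions.setdefault(user, set()).add(calendar)

    def revoke(self, calendar, user):
        self.acl.get(calendar, {}).pop(user, None)
        if self.hardened:  # fix 1: revocation also drops the subscription
            self.subscriptions.get(user, set()).discard(calendar)

    def has_rights(self, calendar, user):
        return user in self.acl.get(calendar, {})

    def subscription_list(self, user):
        # Settings page: subscribed calendars the user still has rights to.
        subs = self.subscriptions.get(user, set())
        return sorted(c for c in subs if self.has_rights(c, user))

    def unsubscribe(self, calendar, user):
        # Only offered for calendars shown on the settings page.
        if calendar not in self.subscription_list(user):
            raise PermissionError("calendar is not on the subscription list")
        self.subscriptions[user].discard(calendar)

    def main_view(self, user):
        subs = self.subscriptions.get(user, set())
        if self.hardened:  # fix 2: re-check rights on every read
            return sorted(c for c in subs if self.has_rights(c, user))
        return sorted(subs)  # modelled flaw: trusts the stale subscription


def reproduce(store, calendar="private-cal", user="admin"):
    store.grant(calendar, user, "edit")   # steps 2-4: grant, auto-subscribe
    store.revoke(calendar, user)          # steps 5-6: revoke
    return store.subscription_list(user), store.main_view(user)  # steps 7-8


def workaround(store, calendar="private-cal", user="admin"):
    # Re-grant, unsubscribe manually, revoke again (as in the post).
    store.grant(calendar, user, "view", auto_subscribe=False)
    store.unsubscribe(calendar, user)
    store.revoke(calendar, user)
    return store.main_view(user)
```

In the unhardened model, `reproduce` returns an empty subscription list but a main view that still contains the calendar, and `unsubscribe` is refused until rights are granted again, which matches steps 7 through 10.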

Posted: Wed Aug 22, 2012 1:32 pm
by russellhltn
aebrown wrote: When I go to the main calendar view, I am surprised to see that the private calendar still appears on the list of calendars, and that I can still see the events. I also can still create events on that calendar.
Being a default admin, your rights to create might be coming in from a different angle. I wonder what would happen if you gave yourself view only rights. Would you still be able to create events?

What about normal members? Can they still create events once their editorship has been revoked?

calendar subscriptions

Posted: Wed Aug 22, 2012 8:12 pm
by mcdonaj
This problem seems similar to mine. I continue to receive notifications from my old ward calendar even though the old ward is not on any of my subscription lists? And I'm not getting the new ward notifications?

Posted: Wed Aug 22, 2012 8:18 pm
by aebrown
mcdonaj wrote: This problem seems similar to mine. I continue to receive notifications from my old ward calendar even though the old ward is not on any of my subscription lists? And I'm not getting the new ward notifications?
I doubt it's the same problem. Instead, your problem sounds exactly like what is reported in the thread "Member not in unit (verified) receiving Calendar emails". Review that thread for a possible solution to your problem.

Posted: Wed Aug 22, 2012 8:40 pm
by aebrown
RussellHltn wrote: Being a default admin, your rights to create might be coming in from a different angle. I wonder what would happen if you gave yourself view only rights. Would you still be able to create events?

That wasn't really the topic of my post, but it is true that when an administrator is given "view only" permissions for a private calendar, he actually has "view and edit" permissions. That's understandable, given the powers of administrators, but it probably shouldn't work that way.

My post concerned the fact that my subscription remained after rights were revoked; the issue of whether "view only" becomes effectively "view and edit" is a side issue. It's a valid issue, but not one I raised, and not one that has any bearing on the subscription issue.
RussellHltn wrote: What about normal members? Can they still create events once their editorship has been revoked?
This problem doesn't seem to happen to normal members. When they are given rights to a private calendar, they have the appropriate "view only" or "view and edit" rights. The subscription seems to go away once their rights are revoked.

Posted: Wed Aug 22, 2012 8:51 pm
by russellhltn
aebrown wrote: This problem doesn't seem to happen to normal members. When they are given rights to a private calendar, they have the appropriate "view only" or "view and edit" rights. The subscription seems to go away once their rights are revoked.

So if you were to be released from your calling, then it would disappear? In my mind that downgrades the problem from "security" to "bug".

Posted: Wed Aug 22, 2012 8:58 pm
by aebrown
RussellHltn wrote: So if you were to be released from your calling, then it would disappear? In my mind that downgrades the problem from "security" to "bug".
Yes, according to my testing, I would be unsubscribed if I were released.

But it's still a security issue. Clearly, according to this post, the design is that administrators should not be able to edit permissions for private calendars they have not been given permissions for. Once that security bug is fixed, an administrator will only have rights to a private calendar if the calendar creator or some other editor for that private calendar gives him rights. If those rights are then revoked, that means he should not have access, but this particular bug means he still has access. That's a security bug. It's admittedly a relatively rare case, but a security bug nonetheless.

Posted: Wed Aug 22, 2012 9:01 pm
by mcdonaj
Thanks, I think you're right; the "member not in unit" thread seems to answer my question. I logged in earlier looking for a way to edit it, and maybe just by doing that I solved the problem?

Posted: Wed Aug 22, 2012 10:33 pm
by russellhltn
aebrown wrote: But it's still a security issue.
True, but not as big a one as I first thought.