From 001e8c6c95129076da9b177950e33ccd54db67d1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Jun 2024 22:11:07 +0200 Subject: [PATCH] extend for WebCAL sharing example --- Sharing-Collections.md | 108 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 106 insertions(+), 2 deletions(-) diff --git a/Sharing-Collections.md b/Sharing-Collections.md index 0487c6b..3429a8a 100644 --- a/Sharing-Collections.md +++ b/Sharing-Collections.md @@ -2,14 +2,16 @@ "radicale" is a lightwide CalDAV/CardDAV server and supporting sharing of collections only on server side with static configuration. -## Prepraration +## Sharing Collections with other configured users + +### Preparations * create a directory aside `collection-root` (which is the base directory of "radicale" to lookup user folders) like e.g. `collection-shared` * create a sub-directory structure with collections or group->collections * softlink required collection directory into user's directory * in case of read-only permissions are required for shared calendar, extend `rights` file matching particular collection and user -## Example for a storage layout incl. shared calendar/addressbook +### Example for a storage layout incl. shared calendar/addressbook Note: `*/.Radicale*` files/directories are not shown here 
@@ -72,3 +74,105 @@ user: USER2 collection: {user}/sharedaddressbook2(/.+)? permissions: r ``` + +## Sharing a collections read-only to public as WebCAL + +**ATTENTION: This is a simple and potentially insecure example** + +### Requirements + +* A reverse proxy in front of "radicale" is mandatory, because "radicale" itself is not supporting mix of authenticated and unauthenticated users. + +### Preparations + +* create/assign a directory structure (see below) +* create users ADMIN1 and ANON1 with secret passwords +* extend the `rights` file to limit the user ANON1 only to GET requests ("i") + +``` +[anon] +user: ANON1 +collection: {user}(/.*)? +permissions: i +``` + +* extend the reverse proxy configuration by a redirect and enriching the request with credentials of user ANON1 by conditionally adding the authorization header to the request. + +``` + ## Shortcut RUL + RewriteRule "/publicevents1.ics" /radicale/ANON1/publicevents1/ [R,L] + + ## Conditional enrich request with credentials + # "Basic " example generated with 'echo -n "ANON1:ANON1" | base64' + SetEnvIf Request_URI "^/radicale/ANON1/publicevents1/" ANON + RequestHeader setifempty Authorization "Basic QU5PTjE6QU5PTjE=" env=ANON +``` + +### Example for a storage layout + +``` +[d] /var +└─[d] /lib + └─[d] /radicale + └─[d] /collections + ├─[d] /collection-shared + │ └─[d] /public + │ └─[d] /publicevents1 (Collection) + │ ├─[f] sharedschedule1.ics + │ ├─[f] ... + │ └─[f] sharedscheduleX.ics + │ + └─[d] /collection-root + ├─[d] /ADMIN1 + │ └─[l] publicevents1 -> ../../collection-shared/public/publicevents1 (rw, default) + │ + └─[d] /ANON1 + └─[l] publicevents1 -> ../../collection-shared/public/publicevents1 (ro, only GET allowed) +``` + +### Testing + +#### GET request to user-friendly URL shortcut + +``` +curl -v -s http://localhost/publicevents1.ics +... +< Location: http://localhost/radicale/ANON1/publicevents1/ +... 
+``` + +#### GET request to redirected URL + +``` +curl -s http://localhost/radicale/ANON1/publicevents1/ | grep -E '(VEVENT|VCALENDAR)' +BEGIN:VCALENDAR +BEGIN:VEVENT +END:VEVENT +BEGIN:VEVENT +END:VEVENT +END:VCALENDAR +``` + +#### PROPFIND request to URL + +(expected forbidden) + +``` +curl --request PROPFIND http://localhost/radicale/ANON1/publicevents1/ +Access to the requested resource forbidden. +``` +#### PUT request to URL + +(expected forbidden) + +``` +curl --data-binary @test.ics --request PUT http://localhost/radicale/ANON1/publicevents1/test.ics +Access to the requested resource forbidden. +``` + +### Publishing + +URL for publishing e.g. via WebCAL in case client is supporting redirect response: + +* yes: `https://FQDN/publicevents1.ics` +* no: `https://FQDN/radicale/ANON1/publicevents1.ics` \ No newline at end of file
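Review bot: the first hunk reworks the headings but leaves the sentence right above them, '"radicale" is a lightwide CalDAV/CardDAV server and supporting sharing of collections only on server side with static configuration.', with two wording errors; since the surrounding lines are being touched anyway, this context line could be corrected in the same change to 'Radicale is a lightweight CalDAV/CardDAV server that supports sharing of collections only on the server side, with static configuration.' The bullet "in case of read-only permissions are required for shared calendar, extend `rights` file" in the same hunk would likewise read more clearly as "if read-only permissions are required for a shared calendar, extend the `rights` file to match the particular collection and user".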
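Review bot: the "Publishing" URL given for clients that do not follow redirects does not match the rest of the second hunk: the RewriteRule sends `/publicevents1.ics` to `/radicale/ANON1/publicevents1/` (a collection path, no `.ics` suffix), and the Testing section fetches exactly that path, so `* no: https://FQDN/radicale/ANON1/publicevents1.ics` should read `https://FQDN/radicale/ANON1/publicevents1/`; as written, a client that takes the second URL will request a resource that does not exist. Two further points in the same hunk. The rewrite pattern `RewriteRule "/publicevents1.ics" ...` is an unanchored regex in which the dot matches any character, so it also fires for any URI that merely contains that substring; anchoring it as `"^/publicevents1\.ics$"` keeps the redirect to the one documented shortcut. And the comment `# "Basic " example generated with 'echo -n "ANON1:ANON1" | base64'` contradicts the Preparations step "create users ADMIN1 and ANON1 with secret passwords": a reader copying the header verbatim ends up with a password equal to the username, so the comment should say that the real header must be generated from the actual secret password chosen for ANON1 and that `QU5PTjE6QU5PTjE=` is only a placeholder. Minor wording: "Shortcut RUL" should be "Shortcut URL", the new heading "Sharing a collections read-only to public as WebCAL" should be "Sharing a collection read-only to the public as WebCAL", and the file now ends without a trailing newline.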