fix(CalDAV): set acls for DeletedCalendarObjectsCollection

[JohannesGGE]

• Resolves: #

Summary

TODO

• ...

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[ChristophWurst]

Makes sense

[tcitworld]

This brings

'privilege' => '{DAV:}all',

I think {DAV:}read should be enough, as the collection itself shouldn't be changed, but you'll need to test it.

[JohannesGGE]

You mean by adding:

public function getACL(): array {
	return [
		[
			'privilege' => '{DAV:}read',
			'principal' => $this->getOwner(),
			'protected' => true,
		],
		[
			'privilege' => '{DAV:}unbind',
			'principal' => '{DAV:}owner',
			'protected' => true,
		]
	];
}

?

[tcitworld]

Do you need {DAV:}unbind ?

[JohannesGGE]

yes. Otherwise the owner can no longer delete it themself.

[tcitworld]

But the owner should be able to delete the elements in the collection, not the collection itself, right?

DeletedCalendarObject already has {DAV:}unbind.

And in any case the delete method here throws Forbidden.

[JohannesGGE]

The deletion does not work either via cadaver or via web interface without {DAV:}unbind for the owner. At least in my setup.

[ChristophWurst]

But the owner should be able to delete the elements in the collection, not the collection itself, right?

DeletedCalendarObject already has {DAV:}unbind.

And in any case the delete method here throws Forbidden.

It's a bit strange. If you drop unbind from the collection, objects in the collection can't be deleted neither. Sabre returns a Node with name 'objects' could not be found.

Since deletion is indeed protected by the Forbidden, I would like to move forward with this.

[ChristophWurst]

\Sabre\DAVACL\Plugin::beforeUnbind checks the parent for unbind before a node is unbound.

#42850 (review)