Dav sharing permissions issue
Medium
Vulnerability Details
### Steps
1. Create users "Test 1" and "Test 2", make "Test 1" member of "Group A"
2. Share a calendar with group "Group A" editable
3. Share the same calendar with user "Test 2" readonly
4. As "Test 1" open the calendar app and unshare the calendar from "Test 2" - works
5. As "Test 1" open the calendar app and remove edit permissions for "Group A" - works
In my opinion steps 4 and 5 should not be possible. The shares should not even be visible in my opinion.
Actions
View on HackerOneReport Stats
- Report ID: 174896
- State: Closed
- Substate: resolved
- Upvotes: 5