Calendarr

Scarriffle/Calendarr

Fork 0

Commit Graph

Author	SHA1	Message	Date
Scarriffle	6869a15bb8	fix(security): stop private-event leak in merge read + harden busy masking, uploads, profile Findings from the security review: - HIGH: private local events leaked in full (title/location/description) to anyone who could READ a shared or group calendar via GET /api/caldav/events — the private_event_visibility rule was only enforced in /groups/{id}/combined. Now enforced in the merge read too, via a shared helper (apply_event_privacy) so the two paths can't drift. - HIGH: 'busy' masking was a blacklist that still leaked creator identity, source-calendar name, recurrence rule and per-event colour. Replaced with a whitelist (mask_busy_event): only timing/identity/render fields survive. - MEDIUM: .ics import had no size limit (raw = await file.read()) → memory DoS. Now capped at 5 MB (413), read before creating any calendar. - LOW/INFO: profile email now checked for uniqueness + basic format; display name / username / email length-capped and control-chars stripped. Deferred (tracked): RRULE expansion cap at the trust boundary, SQLite PRAGMA foreign_keys + ON DELETE cascade, and JWT-by-user-id + token version. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 17:49:56 +02:00
Scarriffle	f9923b022e	feat: Login-Name vs. Anzeigename (Server) - Neue Spalte users.display_name (Original-Schreibweise); username bleibt der lowercase Login-Name. Setup/Create setzen display_name aus der Eingabe. - Login bleibt case-insensitive (Anzeigename eingeben funktioniert -> wird lowercased -> trifft den Login-Namen). - Profil: PUT /api/profile/ kann display_name UND username (Login-Name) aendern; bei Login-Namen-Wechsel kommt ein frischer Token zurueck (JWT sub haengt am Namen). Stabile interne ID (Integer-PK) traegt alle Verweise -> Umbenennen bricht Shares/Gruppen/creator_id nicht. - display_name ueberall ausgeliefert/genutzt (me, profile, users, directory, shares, Gruppen-Mitglieder, creator/owner, ORGANIZER-Export). - Migration + Backfill (display_name = username). Tests ergaenzt (17 gruen). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 17:40:38 +02:00
Scarriffle	32268a18b2	feat: Kalender-Sharing, Gruppen, iCal Import/Export & Ersteller (Server) Kollaborations-Features ausschliesslich fuer lokale Kalender: - Sharing: calendar_shares-Tabelle, GET/POST/DELETE /api/local/calendars/{id}/shares (nur Besitzer), GET /api/users/directory, geteilte Kalender in GET /api/local/calendars (shared_by/permission/owned) und im Merge-Read. - Gruppen: groups/group_members/group_calendars + /api/groups-Router inkl. kombinierter Ansicht /api/groups/{id}/combined (owner + is_group_event). - Ersteller: local_events.creator_id (serverseitig gesetzt) + creator_name_external aus ORGANIZER; creator-Feld in allen lokalen Event-Responses. - Private-Flag: local_events.is_private + user_settings.private_event_visibility (hidden\|busy), Filterung in der Gruppenansicht. - iCal Import/Export: ical_io.py, POST /api/local/calendars/{id}/import, POST /api/local/import, GET /api/local/calendars/{id}/export. - Zentraler Berechtigungs-Helper (permissions.py) und gemeinsamer Event-Dict- Builder (local_events_util.py) ersetzen die Nur-Besitzer-Filter. - pytest-Suite (12 Tests) fuer Sharing, Gruppen, Parser, Private-Filterung. Additiv & rueckwaertskompatibel; Migrationen in main.py._migrate(). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 16:05:18 +02:00

Author

SHA1

Message

Date

Scarriffle

6869a15bb8

fix(security): stop private-event leak in merge read + harden busy masking, uploads, profile

Findings from the security review:
- HIGH: private local events leaked in full (title/location/description) to
  anyone who could READ a shared or group calendar via GET /api/caldav/events —
  the private_event_visibility rule was only enforced in /groups/{id}/combined.
  Now enforced in the merge read too, via a shared helper (apply_event_privacy)
  so the two paths can't drift.
- HIGH: 'busy' masking was a blacklist that still leaked creator identity,
  source-calendar name, recurrence rule and per-event colour. Replaced with a
  whitelist (mask_busy_event): only timing/identity/render fields survive.
- MEDIUM: .ics import had no size limit (raw = await file.read()) → memory DoS.
  Now capped at 5 MB (413), read before creating any calendar.
- LOW/INFO: profile email now checked for uniqueness + basic format; display
  name / username / email length-capped and control-chars stripped.

Deferred (tracked): RRULE expansion cap at the trust boundary, SQLite
PRAGMA foreign_keys + ON DELETE cascade, and JWT-by-user-id + token version.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-01 17:49:56 +02:00

Scarriffle

f9923b022e

feat: Login-Name vs. Anzeigename (Server)

- Neue Spalte users.display_name (Original-Schreibweise); username bleibt der
  lowercase Login-Name. Setup/Create setzen display_name aus der Eingabe.
- Login bleibt case-insensitive (Anzeigename eingeben funktioniert -> wird
  lowercased -> trifft den Login-Namen).
- Profil: PUT /api/profile/ kann display_name UND username (Login-Name) aendern;
  bei Login-Namen-Wechsel kommt ein frischer Token zurueck (JWT sub haengt am
  Namen). Stabile interne ID (Integer-PK) traegt alle Verweise -> Umbenennen
  bricht Shares/Gruppen/creator_id nicht.
- display_name ueberall ausgeliefert/genutzt (me, profile, users, directory,
  shares, Gruppen-Mitglieder, creator/owner, ORGANIZER-Export).
- Migration + Backfill (display_name = username). Tests ergaenzt (17 gruen).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-05-31 17:40:38 +02:00

Scarriffle

32268a18b2

feat: Kalender-Sharing, Gruppen, iCal Import/Export & Ersteller (Server)

Kollaborations-Features ausschliesslich fuer lokale Kalender:

- Sharing: calendar_shares-Tabelle, GET/POST/DELETE /api/local/calendars/{id}/shares
  (nur Besitzer), GET /api/users/directory, geteilte Kalender in
  GET /api/local/calendars (shared_by/permission/owned) und im Merge-Read.
- Gruppen: groups/group_members/group_calendars + /api/groups-Router inkl.
  kombinierter Ansicht /api/groups/{id}/combined (owner + is_group_event).
- Ersteller: local_events.creator_id (serverseitig gesetzt) + creator_name_external
  aus ORGANIZER; creator-Feld in allen lokalen Event-Responses.
- Private-Flag: local_events.is_private + user_settings.private_event_visibility
  (hidden|busy), Filterung in der Gruppenansicht.
- iCal Import/Export: ical_io.py, POST /api/local/calendars/{id}/import,
  POST /api/local/import, GET /api/local/calendars/{id}/export.
- Zentraler Berechtigungs-Helper (permissions.py) und gemeinsamer Event-Dict-
  Builder (local_events_util.py) ersetzen die Nur-Besitzer-Filter.
- pytest-Suite (12 Tests) fuer Sharing, Gruppen, Parser, Private-Filterung.

Additiv & rueckwaertskompatibel; Migrationen in main.py._migrate().

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-05-31 16:05:18 +02:00

3 Commits