Unfortunately there is (currently) no UI to share your CalDAV calendar with other CalDAV users. As long as Convergence is not able to handle CalDAV users, this needs to be done manually by the system administrator. If you as a system administrator are asked by your users about sharing, then this blog might give you some ideas on how to set this up.


First of all you need to get an idea of the ACL model for CalDAV. It is based on 3 parts, and I call them WHAT, WHO and HOW.

The ACLs are stored in the MySQL Resource table. The initial ACL looks like this: V1;g^p:all^fs (V1 is just a version string and each rule ends with a ";").

WHAT

 GRANT  g
 DENY  d
 OWNER  o
 INHERIT  i

WHO

 USER  u:
 GROUP  g:
 DOMAIN  d:
 AUTHENTICATED  p:authenticated
 UNAUTHENTICATED  p:unauthenticated
 ALL  p:all

HOW

 ALL  a
 READ  r
 READ_FREEBUSY  f
 WRITE_COLLECTION_PROPERTIES  p
 WRITE_RESOURCE_PROPERTIES  q
 WRITE_CONTENT  w
 BIND  b
 UNBIND  d
 SCHEDULE_DELIVER  s
 SCHEDULE_POST  t
 MANAGE_ACL  m

With this information you should now be able to read the initial ACL (grant - all - freebusy and schedule deliver).


Let's do some practical examples now.

1) You would like to share a calendar for read with all authenticated CalDAV users

V1;g^p:all^fs;g^p:authenticated^r

2) You would like to share a calendar for read with one dedicated CalDAV user only. This is more complex than it sounds, because users are identified by their LDAP nsUniqueID, but you will also find it in the MySQL backend itself, in the puid field of the Owner table.

Knowing the puid, the user part of the ACL needs to be u:puid@domain.tld, like

V1;g^p:all^fs;g^u:42b00d81-b18e11de-8007a9d7-8cb344ee@vmdomain.tld^r

NOTE: you can change the attribute used to something other than nsUniqueID, but only do this before you have any data in the MySQL backend, because all existing data gets lost. So usually you set this during installation.

See davcore.uriinfo.permanentuniqueid
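
Because these ACL strings are edited by hand in the database, it helps to decode a string and check it before saving it. The following is an added example, not code from the original post or from the product: it parses the format shown above and lists rules that grant ALL or UNAUTHENTICATED more than the initial freebusy and schedule-deliver rights. The grammar is inferred from this page's examples only, the function names are hypothetical, and it assumes every rule has exactly the three parts WHAT^WHO^HOW.

```python
# Added example. Grammar (V1 prefix, ';' between rules, '^' between
# WHAT^WHO^HOW) is an assumption inferred from the examples on this page.
WHAT = {"g": "GRANT", "d": "DENY", "o": "OWNER", "i": "INHERIT"}
WHO_PREFIX = {"u:": "USER", "g:": "GROUP", "d:": "DOMAIN"}
WHO_FIXED = {"p:authenticated": "AUTHENTICATED",
             "p:unauthenticated": "UNAUTHENTICATED", "p:all": "ALL"}
HOW = {"a": "ALL", "r": "READ", "f": "READ_FREEBUSY",
       "p": "WRITE_COLLECTION_PROPERTIES", "q": "WRITE_RESOURCE_PROPERTIES",
       "w": "WRITE_CONTENT", "b": "BIND", "d": "UNBIND",
       "s": "SCHEDULE_DELIVER", "t": "SCHEDULE_POST", "m": "MANAGE_ACL"}
# Rights the initial ACL already gives to everyone; anything more is flagged.
BASELINE = {"READ_FREEBUSY", "SCHEDULE_DELIVER"}


def parse_acl(acl):
    """Return a list of (what, who_kind, who_value, [privileges]) tuples."""
    version, *rules = [part for part in acl.strip().split(";") if part]
    if version != "V1":
        raise ValueError(f"unknown ACL version: {version!r}")
    entries = []
    for rule in rules:
        fields = rule.split("^")
        if len(fields) != 3:
            raise ValueError(f"malformed rule: {rule!r}")
        what, who, how = fields
        if who in WHO_FIXED:
            kind, value = WHO_FIXED[who], ""
        elif who[:2] in WHO_PREFIX and len(who) > 2:
            kind, value = WHO_PREFIX[who[:2]], who[2:]
        else:
            raise ValueError(f"unknown WHO in rule: {rule!r}")
        if what not in WHAT or not how or any(c not in HOW for c in how):
            raise ValueError(f"unknown WHAT/HOW in rule: {rule!r}")
        entries.append((WHAT[what], kind, value, [HOW[c] for c in how]))
    return entries


def broad_grants(acl):
    """List GRANT rules giving ALL/UNAUTHENTICATED more than the baseline."""
    return [e for e in parse_acl(acl)
            if e[0] == "GRANT" and e[1] in ("ALL", "UNAUTHENTICATED")
            and set(e[3]) - BASELINE]


if __name__ == "__main__":
    # First string is example 1 from this page; second is constructed.
    for acl in ("V1;g^p:all^fs;g^p:authenticated^r", "V1;g^p:all^fsw"):
        print(acl, "->", parse_acl(acl), "| flagged:", broad_grants(acl))
```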


How to share your calendar with iCal users?

To make a real-life scenario more complex, you cannot subscribe to a CalDAV calendar from iCal.

NO solution, use subscribe:

In iCal you are able to subscribe to an .ics file. As in CalDAV each event is stored in a separate .ics file, you can "subscribe" to one single event if you use subscribe from iCal. Of course this doesn't make sense.

Solution, add new CalDAV account:

What you can do is configure an account with the credentials of one user but the principal URL of another. For this to work, you first need to grant the first user read access to the home collection (one level above the default calendar) of that second user.

In this example user Paul London grants read access to user Tom Berlin.



Now you are able to add a CalDAV account for the calendar to "subscribe" to, providing your own credentials. As we only granted read access in this example, you are of course unable to add events in this CalDAV account. User Tom Berlin adds a CalDAV account providing his own credentials and uses the principal URL to access the calendar of user Paul London.


As user Tom Berlin is only granted read access, he will of course get an error if he adds an event to Paul London's calendar.


Note: The MySQL interface in the images is Sequel Pro; other interfaces are available as well, like the MySQL GUI Tools.


This blog copyright 2009 by Andreas Breuer