Synology CalDAV reports write permissions for read-only calendars

---

Hi,

I have a calendar on my NAS that syncs just fine with Davdroid. But if I give read-only access (let’s say for my girlfriend) it fails to sync on android. Not even read works. iPhone can handle this.

Thanks in advance

Michael

Hello,

Thanks for this information. Or is there a question? If there is one, the actual question and further details would be useful.

@rfc2822 Sorry for being unclear.

The easy question is: How can I add a read-only calendar? Sync currently fails due to “write access denied”.

Samsung S5. Android 4.4 root. Synology NAS with CalDav.

If permission to calendar is set to r/w everything works fine.

Thank you.

When you set up the account, read-only calendars should be marked as read-only in the setup dialog.

Did you delete and add the calendar (= the account) again after changing the permissions?

@rfc2822 But I can’t find an option to tell DavDroid it’s a read-only calendar. Where is it?

Yes. I changed permission prior to account setup.

DAVdroid detects read-only calendars and flags them as read-only, so that you can’t insert/update its events.

Maybe you can provide detailed steps to reproduce? Did you already search the Synology forums for this?

@rfc2822 Maybe it detects them. But it doesn’t update them (not even reads them) saying “Sync error” and displays a comprehensive error message then. Access denied (of course).

@zoulhh Is there a “read-only” icon in the setup process next to the read-only calendars?

Also, I don’t know why, but I somehow think the error message could be useful.

Did you already search the Synology forums for this?

@rfc2822 No. I did not search the synology forum for a DavDroid issue. Also, I don’t know why, I think I posted the error message already. But for you, here it is again: Access denied.

Anyways, I think the problem can not be solved by you. You’re more in the putting-people-down stuff. So lets forget about it.

@zoulhh said:

@rfc2822 No. I did not search the synology forum for a DavDroid issue. Also, I don’t know why, I think I posted the error message already. But for you, here it is again: Access denied.

Please post the whole debug info – see [Please read before posting] What’s required to diagnose a problem. A two-word error message is not very helpful.

Anyways, I think the problem can not be solved by you. You’re more in the putting-people-down stuff. So lets forget about it.

It was not my intention to put anybody down, so if you feel like that, I’m sorry. Please understand that we get “bug reports” every day which don’t contain useful steps to reproduce, debug info, etc. Then I put effort into collecting all required information, and in most (of course not all) cases, it’s a configuration or server problem, so hours and hours of my time are wasted just because people don’t think it’s worth the time to make a useful bug report (not against you, but in general).

@rfc2822 I’m sorry too. I admit, I was pissed and unfair.

Ok, here’s what I did for testing:

I set up a calendar (named “Mick”) on the Synology NAS. It is located in a folder where user “Marion” has read-only access. User “Mick” has rw access.

I now added to accounts to my Samsung S5 mini using Davdroid. Both accounts point to calender “Mick”. The first account is user “Mick” and that works well. The second is “Marion” and it doesn’t sync. By the way, it is NOT marked as read only by DavDroid when adding it with the “Marion” account. The error occurs after user “Marion” edited a calendar entry made by user “Mick” (and DavDroid tries to sync it, which is not allowed of course).

And here comes the error message (after failed sync):

SYNCHRONIZATION INFO
Synchronization phase: 4
Account name: MickCal
Authority: com.android.calendar

HTTP REQUEST:
PUT https://zoulhh.ddns.net:5006/web/calendar/Mick/Mick/679b1103-c90c-4bd8-8ca3-2e467ff2b191.ics
Content-Length: 3291
Content-Type: text/calendar;charset=utf-8
If-Match: "525d90c4f10a8"

BEGIN:VCALENDAR[CR][LF]
VERSION:2.0[CR][LF]
PRODID:+//IDN bitfire.at//DAVdroid/0.9.1.2 ical4android ical4j/2.x[CR][LF]
BEGIN:VEVENT[CR][LF]
DTSTAMP:20151201T170224Z[CR][LF]
UID:679b1103-c90c-4bd8-8ca3-2e467ff2b191[CR][LF]
SEQUENCE:1[CR][LF]
DTSTART;TZID=Europe/Berlin:20151201T174524[CR][LF]
DTEND;TZID=Europe/Berlin:20151201T174524[CR][LF]
SUMMARY:Testio[CR][LF]
STATUS:CONFIRMED[CR][LF]
ORGANIZER:mailto:MickCAL[CR][LF]
BEGIN:VALARM[CR][LF]
TRIGGER:-PT30M[CR][LF]
ACTION:DISPLAY[CR][LF]
DESCRIPTION:Testio[CR][LF]
END:VALARM[CR][LF]
END:VEVENT[CR][LF]
BEGIN:VTIMEZONE[CR][LF]
TZID:Europe/Berlin[CR][LF]
TZURL:http://tzurl.org/zoneinfo/Europe/Berlin[CR][LF]
X-LIC-LOCATION:Europe/Berlin[CR][LF]
BEGIN:DAYLIGHT[CR][LF]
TZOFFSETFROM:+0100[CR][LF]
TZOFFSETTO:+0200[CR][LF]
TZNAME:CEST[CR][LF]
DTSTART:19810329T020000[CR][LF]
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU[CR][LF]
END:DAYLIGHT[CR][LF]
BEGIN:STANDARD[CR][LF]
TZOFFSETFROM:+0200[CR][LF]
TZOFFSETTO:+0100[CR][LF]
TZNAME:CET[CR][LF]
DTSTART:19961027T030000[CR][LF]
RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU[CR][LF]
END:STANDARD[CR][LF]
BEGIN:STANDARD[CR][LF]
TZOFFSETFROM:+5328[CR][LF]
TZOFFSETTO:+0100[CR][LF]
TZNAME:CET[CR][LF]
DTSTART:18930401T000000[CR][LF]
RDATE;VALUE=DATE-TIME:18930401T000000[CR][LF]
END:STANDARD[CR][LF]
BEGIN:DAYLIGHT[CR][LF]
TZOFFSETFROM:+0100[CR][LF]
TZOFFSETTO:+0200[CR][LF]
TZNAME:CEST[CR][LF]
DTSTART:19160501T000000[CR][LF]
RDATE;VALUE=DATE-TIME:19160501T000000[CR][LF]
RDATE;VALUE=DATE-TIME:19170416T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19180415T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19400401T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19430329T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19440403T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19450402T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19460414T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19470406T040000[CR][LF]
RDATE;VALUE=DATE-TIME:19480418T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19490410T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19800406T020000[CR][LF]
END:DAYLIGHT[CR][LF]
BEGIN:STANDARD[CR][LF]
TZOFFSETFROM:+0200[CR][LF]
TZOFFSETTO:+0100[CR][LF]
TZNAME:CET[CR][LF]
DTSTART:19161001T010000[CR][LF]
RDATE;VALUE=DATE-TIME:19161001T010000[CR][LF]
RDATE;VALUE=DATE-TIME:19170917T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19180916T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19421102T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19431004T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19441002T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19451118T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19461007T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19471005T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19481003T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19491002T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19800928T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19810927T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19820926T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19830925T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19840930T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19850929T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19860928T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19870927T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19880925T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19890924T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19900930T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19910929T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19920927T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19930926T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19940925T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19950924T030000[CR][LF]
END:STANDARD[CR][LF]
BEGIN:DAYLIGHT[CR][LF]
TZOFFSETFROM:+0200[CR][LF]
TZOFFSETTO:+0300[CR][LF]
TZNAME:CEMT[CR][LF]
DTSTART:19450524T020000[CR][LF]
RDATE;VALUE=DATE-TIME:19450524T020000[CR][LF]
RDATE;VALUE=DATE-TIME:19470511T030000[CR][LF]
END:DAYLIGHT[CR][LF]
BEGIN:DAYLIGHT[CR][LF]
TZOFFSETFROM:+0300[CR][LF]
TZOFFSETTO:+0200[CR][LF]
TZNAME:CEST[CR][LF]
DTSTART:19450924T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19450924T030000[CR][LF]
RDATE;VALUE=DATE-TIME:19470629T030000[CR][LF]
END:DAYLIGHT[CR][LF]
BEGIN:STANDARD[CR][LF]
TZOFFSETFROM:+0100[CR][LF]
TZOFFSETTO:+0100[CR][LF]
TZNAME:CET[CR][LF]
DTSTART:19460101T000000[CR][LF]
RDATE;VALUE=DATE-TIME:19460101T000000[CR][LF]
RDATE;VALUE=DATE-TIME:19800101T000000[CR][LF]
END:STANDARD[CR][LF]
END:VTIMEZONE[CR][LF]
END:VCALENDAR[CR][LF]


HTTP RESPONSE:
http/1.1 403 Forbidden
Connection: Keep-Alive
Content-Length: 265
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 01 Dec 2015 17:02:25 GMT
Keep-Alive: timeout=5, max=99
OkHttp-Received-Millis: 1448989345076
OkHttp-Selected-Protocol: http/1.1
OkHttp-Sent-Millis: 1448989345023
Server: Apache

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[LF]
<html><head>[LF]
<title>403 Forbidden</title>[LF]
</head><body>[LF]
<h1>Forbidden</h1>[LF]
<p>You don't have permission to access /web/calendar/Mick/Mick/679b1103-c90c-4bd8-8ca3-2e467ff2b191.ics[LF]
on this server.</p>[LF]
</body></html>[LF]


STACK TRACE:
at.bitfire.dav4android.exception.HttpException: 403 Forbidden
at.bitfire.dav4android.exception.HttpException: 403 Forbidden
at at.bitfire.dav4android.DavResource.checkStatus(DavResource.java:281)
at at.bitfire.dav4android.DavResource.checkStatus(DavResource.java:286)
at at.bitfire.dav4android.DavResource.put(DavResource.java:181)
at at.bitfire.davdroid.syncadapter.SyncManager.uploadDirty(SyncManager.java:338)
at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.java:159)
at at.bitfire.davdroid.syncadapter.CalendarsSyncAdapterService$SyncAdapter.onPerformSync(CalendarsSyncAdapterService.java:58)
at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)

SOFTWARE INFORMATION
DAVdroid version: 0.9.1.2 (86) Tue Dec 01 17:59:34 MEZ 2015
Installed from: com.android.vending
JB Workaround installed: no

CONFIGURATION
System-wide synchronization: automatically
Account: MarionCal
  Address book sync. interval: —
  Calendar     sync. interval: 1440 min
  OpenTasks    sync. interval: —
Account: MarionContacts
  Address book sync. interval: 1440 min
  Calendar     sync. interval: —
  OpenTasks    sync. interval: —
Account: MickCal
  Address book sync. interval: —
  Calendar     sync. interval: 1440 min
  OpenTasks    sync. interval: —

SYSTEM INFORMATION
Android version: 4.4.2 (KOT49H.G800FXXU1AOG2)
Device: Samsung SM-G800F (kminilte)

@zoulhh I’ll try it on our Synology DSM (but it may take some time). Which DSM version and which software on your DSM do you use? Default CalDAV or an extra package like Baikal or Owncloud?

@rfc2822 Hi. It’s DSM 5.2-5644 Update 1 and default CalDAV.

@zoulhh I have reproduced your setup and can confirm that there is a problem:

1. Create a folder folder where user1 has r/w access and user2 has r/o access.
2. Create a calendar calendar in folder.
3. Accessing folder/calendar as user1 works as expected.
4. When accessing folder/calendar as user2, the server reports r/w privileges although user2 has only read access. This resuls in your HTTP Forbidden error as soon as you make changes to the Android calendar and DAVdroid tries to synchronize these changes to the server.

When querying the folder as read-only user (!):

--> PROPFIND /folder1/test/ HTTP/1.1
Depth: 1
Content-Type: application/xml; charset=utf-8
Content-Length: 384
Host: diskstation.lan:5005
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: DAVdroid/0.9.1.2 (2015/12/06; dav4android) Android/4.4.2
<?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:par\
ams:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CAL:supported-c\
alendar-component-set /><resourcetype /><displayname /><current-user-privilege-set />\
<n0:calendar-color xmlns:n0="http://apple.com/ns/ical/" /><CAL:calendar-description /\
><CAL:calendar-timezone /></prop></propfind>
--> END PROPFIND (384-byte body)
<-- HTTP/1.1 207 Multi-Status (24ms)
Date: Sun, 06 Dec 2015 12:08:31 GMT
Server: Apache
Content-Length: 1339
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: application/xml; charset="utf-8"
OkHttp-Selected-Protocol: http/1.1
OkHttp-Sent-Millis: 1449403494370
OkHttp-Received-Millis: 1449403494394
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:ns3="http://apple.com/ns/ical/" xmlns:ns2="urn:ie\
tf:params:xml:ns:caldav" xmlns:ns1="urn:ietf:params:xml:ns:carddav" xmlns:ns0="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:g0="urn:ietf:params:xml:ns:caldav" xmlns:g1="DAV:"\
 xmlns:g2="http://apple.com/ns/ical/">
<D:href>/folder1/test/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><x:calendar xmlns:x="urn:ietf:params:xml:ns:caldav"/><D:collection/\
></lp1:resourcetype>
<lp1:current-user-privilege-set><D:privilege><D:all/></D:privilege>
<D:privilege><D:read-acl/></D:privilege>
<D:privilege><D:read/></D:privilege>
<D:privilege><D:read-current-user-privilege-set/></D:privilege>
<D:privilege><D:write-acl/></D:privilege>
<D:privilege><D:unlock/></D:privilege>
<D:privilege><D:write/></D:privilege>
<D:privilege><D:write-content/></D:privilege>
<D:privilege><D:write-properties/></D:privilege>
<D:privilege><D:bind/></D:privilege>
<D:privilege><D:unbind/></D:privilege>
</lp1:current-user-privilege-set>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
<D:prop>
<g0:supported-calendar-component-set/>
<g1:displayname/>
<g2:calendar-color/>
<g0:calendar-description/>
<g0:calendar-timezone/>
</D:prop>
<D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
</D:multistatus>

The pretty-printed response is:

<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:ns3="http://apple.com/ns/ical/" xmlns:ns2="urn:ietf:params:xml:ns:caldav" xmlns:ns1="urn:ietf:params:xml:ns:carddav" xmlns:ns0="DAV:">
<D:response xmlns:lp1="DAV:" xmlns:g0="urn:ietf:params:xml:ns:caldav" xmlns:g1="DAV:" xmlns:g2="http://apple.com/ns/ical/">
<D:href>/folder1/test/</D:href>
<D:propstat>
    <D:prop>
        <lp1:resourcetype>
            <x:calendar xmlns:x="urn:ietf:params:xml:ns:caldav"/>
            <D:collection/>
        </lp1:resourcetype>
        <lp1:current-user-privilege-set>
            <D:privilege>
                <D:all/>
            </D:privilege>
            <D:privilege>
                <D:read-acl/>
            </D:privilege>
            <D:privilege>
                <D:read/>
            </D:privilege>
            <D:privilege>
                <D:read-current-user-privilege-set/>
            </D:privilege>
            <D:privilege>
                <D:write-acl/>
            </D:privilege>
            <D:privilege>
                <D:unlock/>
            </D:privilege>
            <D:privilege>
                <D:write/>
            </D:privilege>
            <D:privilege>
                <D:write-content/>
            </D:privilege>
            <D:privilege>
                <D:write-properties/>
            </D:privilege>
            <D:privilege>
                <D:bind/>
            </D:privilege>
            <D:privilege>
                <D:unbind/>
            </D:privilege>
        </lp1:current-user-privilege-set>
    </D:prop>
    <D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
<D:propstat>
    <D:prop>
        <g0:supported-calendar-component-set/>
        <g1:displayname/>
        <g2:calendar-color/>
        <g0:calendar-description/>
        <g0:calendar-timezone/>
    </D:prop>
    <D:status>HTTP/1.1 404 Not Found</D:status>
</D:propstat>
</D:response>
</D:multistatus>

As you can see, the server reports the all and write permissions for the current user (which is the read-only user!).

I have reported this error to Synology (ticket #712664).

Synology have responded to the ticket (German):

eine explizite Rechtevergabe ist derzeit nicht möglich.
Ich werde die Anfragen gerne an unser Entwicklungsteam weitergeben!
Schließlich versuchen wir unsere Kundenwünsche zu erfüllen.
Wann oder Ob die gewünschten Funktionen umgesetzt werden, weiß ich zu diesem Zeitpunkt natürlich nicht.

So, to summarize, the Synology software doesn’t support shared calendars with read-only permissions at the moment.

@zoulhh I’m sorry that I can’t offer a solution, but as you can see, this is not a DAVdroid problem.

@rfc2822 Thanks for your kind support anyways.