privilege escalation / wrong permissions z-push and shared folders

Hi,

Z-Push: 2.3.8+0-0
PHP-MAPI: 8.4.5.0

Two users, sw and th, have both granted each other read permissions on their own calendar.
Additionally, I have set each other's calendar in z-push.conf.php to be shared. That works, but private calendar entries can be read by each other and the opposite person cannot read their own private calendar entries! They are just shown as “private” without any text at all. Looks clearly like a z-push/kopano bug.

Removing the shared calendar stanza from the config and resyncing the calendars brings back visibility of own private entries. Setting only a single calendar as shared also did not show the issue.

Any help is greatly appreciated. I already did several full resyncs and removed the accounts from the devices and re-added them. No change.

    array(
        'store'     => "th",
        'folderid'  => "67d6431c83e046cf9cd86b5f372bc306c20000000000",
        'name'      => "th Kontakte",
        'type'      => SYNC_FOLDER_TYPE_USER_APPOINTMENT,
    ),

    array(
        'store'     => "sw",
        'folderid'  => "67d6431c83e046cf9cd86b5f372bc3063f0000000000",
        'name'      => "sw Kontakte",
        'type'      => SYNC_FOLDER_TYPE_USER_APPOINTMENT,
    ),

    );
root@mailserver:/home/admin# /usr/share/z-push/backend/kopano/listfolders.php -l sw
Available folders in store 'sw':
--------------------------------------------------
Folder name:	Kalender
Folder ID:	67d6431c83e046cf9cd86b5f372bc3063f0000000000
Type:		SYNC_FOLDER_TYPE_USER_APPOINTMENT


root@mailserver:/home/admin# /usr/share/z-push/backend/kopano/listfolders.php -l th
Available folders in store 'th':
--------------------------------------------------

Folder name:	Kalender
Folder ID:	67d6431c83e046cf9cd86b5f372bc306c20000000000
Type:		SYNC_FOLDER_TYPE_USER_APPOINTMENT

The calendar is distributed to each other's devices (iOS & Android with the Nine e-mail app).

root@mailserver:/home/admin# z-push-admin -u sw -a list

Synchronized devices of user: sw
-----------------------------------------------------
DeviceId:		5f6eopsocd6jvfeo6bv5r6h4t8
Device type:		iPad
UserAgent:		Apple-iPad4C4/1503.153
Device Model:		iPad4C4
Device friendly name:	iPad mini 2
Device OS:		iOS 11.2.1 15C153
Device OS Language:	de-DE
ActiveSync version:	14.0
First sync:		2018-01-18 15:22
Last sync:		2018-01-18 15:41
Total folders:		12
Short folder Ids:	Yes
Synchronized folders:	7
Synchronized data:	Calendars(2) Emails(2) Contacts Notes Tasks 
Additional Folders:	2
	Configured Calendar th             th Kontakte          Active 
	Configured Calendar sw             sw Kontakte          Active 
Status:			Not available
WipeRequest on:		not set
WipeRequest by:		not set
Wiped on:		not set
Policy name:		default
Attention needed:	No errors known

root@mailserver:/home/admin# z-push-admin -u th -a list

Synchronized devices of user: th

-----------------------------------------------------
DeviceId:		5a0rc98qfh2ur5l5m83vdu9mv4
Device type:		iPad
UserAgent:		Apple-iPad5C3/1503.202
Device Model:		iPad5C3
Device friendly name:	iPad Air 2
Device OS:		iOS 11.2.2 15C202
Device OS Language:	de-DE
ActiveSync version:	14.0
First sync:		2017-12-21 17:18
Last sync:		2018-01-18 16:01
Total folders:		46
Short folder Ids:	Yes
Synchronized folders:	42
Synchronized data:	Emails(37) Contacts Calendars(2) Notes Tasks 
Additional Folders:	2
	Configured Calendar th             th Kontakte          Active 
	Configured Calendar sw             sw Kontakte          Active 
Status:			OK
WipeRequest on:		not set
WipeRequest by:		not set
Wiped on:		not set
Policy name:		default
Attention needed:	No errors known
-----------------------------------------------------
DeviceId:		nine1d0875dc8fa2
Device type:		Android
UserAgent:		Nine-xcover3ltexx/LMY48B
Device Model:		SM-G388F
Device IMEI:		.........
Device friendly name:	xcover3ltexx
Device OS:		Android 5.1.1.G388FXXS1BPL2
Device OS Language:	German (Germany)
Device Phone nr:	+49............
Device Operator:	Telekom.de
ActiveSync version:	14.0
First sync:		2018-01-10 07:26
Last sync:		2018-01-18 16:43
Total folders:		47
Short folder Ids:	Yes
Synchronized folders:	7
Synchronized data:	Emails(2) Contacts Calendars(2) Notes Tasks 
Additional Folders:	2
	Configured Calendar th             th Kontakte          Active 
	Configured Calendar sw             sw Kontakte          Active 
Status:			Not available
WipeRequest on:		not set
WipeRequest by:		not set
Wiped on:		not set
Policy name:		default
Attention needed:	No errors known
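
An added example, not part of the original post and not Z-Push code: a small Python audit that parses `z-push-admin -a list` output like the listings above and reports, per device, which additional folders come from the user's own store and which from another user's store. The sample text and device id are constructed, and the column layout is assumed from the output shown in this post.

```python
import re

# Constructed sample, modeled on the `z-push-admin -u <user> -a list` output above.
SAMPLE = (
    "Synchronized devices of user: sw\n"
    "-----------------------------------------------------\n"
    "DeviceId:\t\tdevice-sw-1\n"
    "Device type:\t\tiPad\n"
    "Additional Folders:\t2\n"
    "\tConfigured Calendar th             th Kontakte          Active \n"
    "\tConfigured Calendar sw             sw Kontakte          Active \n"
    "Status:\t\t\tNot available\n"
)

# Assumed columns: origin, folder type, store, display name, status.
# The display name may contain single spaces, so it ends at a run of 2+ spaces.
FOLDER_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s{2,}(\S+)$")

def audit_additional_folders(text):
    """Return one dict per additional folder listed under each device."""
    findings, user, device, in_folders = [], None, None, False
    for line in text.splitlines():
        if line.startswith("Synchronized devices of user:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("DeviceId:"):
            device = line.split(":", 1)[1].strip()
        elif line.startswith("Additional Folders:"):
            in_folders = True
            continue
        elif in_folders and line[:1] in (" ", "\t"):
            m = FOLDER_RE.match(line.strip())
            if m:
                origin, ftype, store, name, status = m.groups()
                findings.append({
                    "user": user, "device": device, "origin": origin,
                    "type": ftype, "store": store, "name": name, "status": status,
                    # "own": the user's own store is synced as an additional folder
                    # "foreign": another user's store is pushed to this device
                    "scope": "own" if store == user else "foreign",
                })
            continue
        in_folders = False  # any other line ends the additional-folder list
    return findings

if __name__ == "__main__":
    for f in audit_additional_folders(SAMPLE):
        print("{user} {device}: {type} '{name}' from store {store} [{scope}]".format(**f))
```
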

Hi @plzk-de,

Since you are also in contact with our support (KS-39776) I’ll close up here to prevent double work.
