Addressbook sharing as read-only

[C0rn3j]

I've been trying to figure out how to share an address book.

What I want is an address book only one "admin" account can edit, and everyone else has it shared.

There are issues like this one #696 but perhaps addressbook sharing is an easier issue and is doable without some massive symlink hacks?

If not, how would I go about the symlink hack?

I've tried applying some of this https://github.com/Kozea/Radicale/blob/master/rights in my config to no avail.

Config so far: https://haste.rys.pw/iqerofeyol

[JSzaszvari]

I'm not sure its possible without symlinks

My setup is as follows

My rights/user file:

[admin]
user: admin.*
collection: .*
permission: rw

[readonly_contacts]
user: bio_contacts
collection: .*
permission: r

Then in my collections/collections-root folder:

drwxr-xr-x 3 jszaszvari 102 Jan 23 04:03 admin
lrwxr-xr-x 1 jszaszvari   5 Jan 23 03:28 readonly_contacts -> admin

What I did was

• Log in as the admin user so the folders/data was created
• Symlink a folder called 'readonly_contacts' to point to the 'admin' folder
  ln -s admin readonly_contacts
  Seems to work as expected. Have it deployed to about 1200 mobile devices (the addressbook) and have had minimal issues

[C0rn3j]

Am a bit confused about your setup, do you give all those 1200 users the same username/password for bio_contacts account?

I've tried to replicate your setup but have it accessible to all users, but it doesn't seem to work for me

[JSzaszvari]

@C0rn3j We distribute it to iOS Devices, Both iPad and iPhones using a MDM solution by pushing out a Configuration Profile (.mobileconfig) to the devices that is pre-configured.

The users never actually know what the password is, the profile is just pushed out to all their devices and the account gets added and all the user sees is all the contacts showing up in their address book.

So yes, they are all using the same username and password for the read only user. We are distributing the exact same read only address book to all our devices.

Just in case your interested i've attached a copy of the .mobileconfig below (zipped up - Just open it in a text editor, its just XML) - CardDAV.mobileconfig.zip

I'll run through it as i write this so I'm sure I'm giving you the correct info. For a start, Here's a copy of my rights file and main config file - Config.zip

I've changed the location of the collections folder to be inside the Radicale folder, just makes the way I deploy it with docker easier. Should not matter where it is though.

So my folder structure is like this:

• Main Radicale Folder
  --- collections/collections-root/ (main collections store)
  --- config (main config)
  --- rights (rights config)
  --- users (htpassword bcrypted account creds in here)

I've run through the below as i wrote this and can confirm it worked just now:

1. Start the server, make sure your collections/colletions-root/ folder is completely empty.

2. Log in with the admin account that has read/write access and create an addressbook collection like i've done here:
   

3. Stop the Radicale app

At this point in your collections-root should just be the one 'admin' folder which contains the collection you just created

4. Create the symbolic link for the read only user:
   

Now both folders will appear to contain the same collection

5. Start the Radicale server back up and logging in as both users should display the exact same connection now
   

Hope this helps you out, let me know either way..

[C0rn3j]

Thanks for the writeup and a noob-friendly how-to.

My biggest problem was not defining the rights backend in the config file, which means my rights attempts were completely ignored every single time.

The rights examples I found before now work as they should, I'll just have to symlink every single LDAP user we have (about a hundred) periodically, but that should be easy.

Really wish this was supported natively in Radicale without any symlink hacks

[C0rn3j]

For posterity - ended up using this not-so-pretty bash script that's executed by cron every once in a while to keep the symlink hack going for all LDAP users.

Keeping this issue open as I think this should be available natively.

#!/bin/bash
set -euo pipefail
superUser="carddavreadonly"
cd /etc/radicale/
wget -q -O people.txt https://example.com/getLDAPusers.php 
# ^ Gets LDAP users line-by line in user@company.com format
arr=($(while read line; do
        echo $line | cut -f1 -d"@"
done <people.txt))
cd /root/.var/lib/radicale/collections/collection-root/
echo ${arr[@]} | sed s/\ /\\n/g | sort | uniq | while read line; do
        echo $line
        if [[ -e $line ]]; then
                if [[ ! -L $line && $line != $superUser ]]; then
                        rm -f $line
                        ln -s $superUser $line
                fi
        else
                ln -s $superUser $line
        fi
done

[NicoHood]

Will this get implemented eventually?

[pbiering]

somehow related to #1457

Using symlinks but no other magic in rights file would somehow require a per collection ACL feature, potentially also be able to be implemented by another custom extension to .Radicale.props and the DAV API.

[pbiering]

found an old related PR, one need to investigate and rebase: #885

[bilguun-zorigt]

for some reason I had to change the permissions in the rights file from rw to RrWw and r to Rr to make the solutions above work.

[admin]
user: admin
collection: .*
permissions: RrWw

[readonlyuser]
user: readonlyuser
collection: .*
permissions: Rr