This repository was archived by the owner on Jul 14, 2025. It is now read-only.

Possible issue with rights generation #143

@mirtouf


Hi everyone,

for some years I left the modoboa-radicale plugin aside, and it seems that, for some reason I cannot figure out, the Radicale file used for rights and generated by the plugin is not filled in correctly.
I am using modoboa 2.3.6 and modoboa-radicale 1.7.3.
Here is the current one:
cat /etc/radicale/rights

#Rights management file for Radicale
#This file was generated by Modoboa on 2025-05-16 11:26:03.303839
#DO NOT EDIT MANUALLY!
        
[sa-admin-acr]
user = admin
collection = .*
permissions = rw

[[email protected]]
user = [email protected]
collection = mertens.re/user/.*
permissions = rw

[[email protected]]
user = [email protected]
collection = mirtouf.fr/user/.*
permissions = rw

[[email protected]]
user = [email protected]
collection = mirtouf.net/user/.*
permissions = rw

# Allow reading and writing principal collection (same as user name)
[principal]
user = .+
collection = {user}
permissions = RW

# Allow reading and writing calendars and address books that are direct children of the principal collection
[calendars]
user = .+
collection = {user}/[^/]+
permissions = rw

# Read-only access using a token
[[email protected]/Planning-access]
user = ac4b0288b821df13b0953cc1a2cd416b056375ca3e8bfde3
collection = [email protected]/Planning
permissions = r

And you can notice I am correctly identified but of course, no calendar creation is possible:
sudo -u radicale radicale -D -C /etc/radicale/config

[2025-05-16 13:23:32 +0200] [646189] [INFO] Logging of backtrace is disabled in this loglevel
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Logging of backtrace is enabled by option in this loglevel
[2025-05-16 13:23:32 +0200] [646189] [INFO] Loaded default config
[2025-05-16 13:23:32 +0200] [646189] [INFO] Loaded config file '/etc/radicale/config'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Loaded command line arguments
[2025-05-16 13:23:32 +0200] [646189] [INFO] Starting Radicale (python=3.11.2 radicale=3.5.2 vobject=0.9.6.1 passlib=1.7.4 defusedxml=0.7.1 dateutil=2.8.2 bcrypt=n/a pika=1.2.0 ldap=n/a ldap3=n/a pam=n/a)
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth type is 'radicale.auth.imap'
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth.strip_domain: False
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth.lc_username: False
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth.uc_username: False
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth.delay: 1.000000
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth.cache_logins: False
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth imap host: 'localhost'
[2025-05-16 13:23:32 +0200] [646189] [WARNING] auth imap security: none (INSECURE, credentials are transmitted in clear text)
[2025-05-16 13:23:32 +0200] [646189] [INFO] auth imap port: 143
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] storage cache version: "b'radicale=3.3.1;vobject=0.9.6.1;'"
[2025-05-16 13:23:32 +0200] [646189] [INFO] storage type is 'radicale.storage.multifilesystem'
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Lock file (StoragePartLock): '/var/lib/radicale/collections/.Radicale.lock'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage location: '/var/lib/radicale/collections'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage location subfolder: '/var/lib/radicale/collections/collection-root'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage cache subfolder usage for 'item': False
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage cache subfolder usage for 'history': False
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage cache subfolder usage for 'sync-token': False
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage cache use mtime and size for 'item': False
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Storage item mtime resolution test with file: '/var/lib/radicale/collections/collection-root/.Radicale.mtime_test'
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Storage item mtime resoultion test set: 999999999999
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Storage item mtime resoultion test get: 999999999999
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage item mtime resolution test result: 1 ns
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage cache using mtime and size for 'item' may be an option in case of performance issues
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Storage cache action logging: False
[2025-05-16 13:23:32 +0200] [646189] [INFO] Storage folder umask (from system): '0022'
[2025-05-16 13:23:32 +0200] [646189] [INFO] rights type is 'radicale.rights.from_file'
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] Read rights file
[2025-05-16 13:23:32 +0200] [646189] [INFO] web type is 'radicale.web.internal'
[2025-05-16 13:23:32 +0200] [646189] [INFO] hook type is 'radicale.hook.none'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Default script name to strip from URI if called by reverse proxy is taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME
[2025-05-16 13:23:32 +0200] [646189] [INFO] permit delete of collection: True
[2025-05-16 13:23:32 +0200] [646189] [INFO] permit overwrite of collection: True
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] getaddrinfo of 'localhost:5232': [(<AddressFamily.AF_INET6: 10>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('::1', 5232, 0, 0)), (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('127.0.0.1', 5232))]
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] try to create server socket on '[::1]:5232'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Listening on '[::1]:5232'
[2025-05-16 13:23:32 +0200] [646189] [DEBUG] try to create server socket on '127.0.0.1:5232'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Listening on '127.0.0.1:5232'
[2025-05-16 13:23:32 +0200] [646189] [INFO] Radicale server ready
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [INFO] MKCALENDAR request for '/radicale/[email protected]/Planning' received from 127.0.0.1 using 'Mozilla/5.0'
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] Request header: suppressed by config/option [logging] request_header_on_debug
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] Sanitized path: '/radicale/[email protected]/Planning'
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] logging of rules which doesn't match suppressed by config/option [logging] rights_rule_doesnt_match_on_debug
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] Rights: '':'radicale/[email protected]/Planning' doesn't match any section
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [INFO] Access to '/radicale/[email protected]/Planning' denied for anonymous user
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] Asking client for authentication
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [DEBUG] Response content: suppressed by config/option [logging] response_content_on_debug
[2025-05-16 13:23:35 +0200] [646189/Thread-1 (process_request_thread)] [INFO] MKCALENDAR response status for '/radicale/[email protected]/Planning' in 0.001 seconds: 401 Unauthorized
[2025-05-16 13:23:35 +0200] [646189/Thread-2 (process_request_thread)] [INFO] MKCALENDAR request for '/radicale/[email protected]/Planning' received from 127.0.0.1 using 'Mozilla/5.0'
[2025-05-16 13:23:35 +0200] [646189/Thread-2 (process_request_thread)] [DEBUG] Request header: suppressed by config/option [logging] request_header_on_debug
[2025-05-16 13:23:35 +0200] [646189/Thread-2 (process_request_thread)] [DEBUG] Sanitized path: '/radicale/[email protected]/Planning'
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [INFO] Successful login: '[email protected]' (imap)
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [DEBUG] logging of rules which doesn't match suppressed by config/option [logging] rights_rule_doesnt_match_on_debug
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [DEBUG] Rights: '[email protected]':'radicale/[email protected]/Planning' doesn't match any section
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [INFO] Access to '/radicale/[email protected]/Planning' denied for '[email protected]'
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [DEBUG] Response content: suppressed by config/option [logging] response_content_on_debug
[2025-05-16 13:23:36 +0200] [646189/Thread-2 (process_request_thread)] [INFO] MKCALENDAR response status for '/radicale/[email protected]/Planning' in 0.163 seconds: 403 Forbidden

The config file used for radicale:

# -*- mode: conf -*-
# vim:ft=cfg

# Config file for Radicale - A simple calendar server
#
# Place it into /etc/radicale/config (global)
# or ~/.config/radicale/config (user)
#
# The current values are the default ones


[server]

# CalDAV server hostnames separated by a comma
# IPv4 syntax: address:port
# IPv6 syntax: [address]:port
# For example: 0.0.0.0:9999, [::]:9999
#hosts = localhost:5232

# Max parallel connections
#max_connections = 8

# Max size of request body (bytes)
#max_content_length = 100000000

# Socket timeout (seconds)
#timeout = 30

# SSL flag, enable HTTPS protocol
#ssl = False

# SSL certificate path
#certificate = /etc/ssl/certs/ssl-cert-snakeoil.pem
certificate = /home/mirtouf/.acme.sh/mirtouf.fr/fullchain.cer

# SSL private key
#key = /etc/ssl/private/ssl-cert-snakeoil.key
key = /home/mirtouf/.acme.sh/mirtouf.fr/mirtouf.fr.key

# CA certificate for validating clients. This can be used to secure
# TCP traffic between Radicale and a reverse proxy
#certificate_authority =


[encoding]

# Encoding for responding requests
#request = utf-8

# Encoding for storing local collections
#stock = utf-8


[auth]

# Authentication method
# Value: none | htpasswd | remote_user | http_x_remote_user
type = imap

# Radicale_IMAP Configuration
imap_host = localhost:143
imap_security = none

# Htpasswd filename
#htpasswd_filename = /etc/radicale/users

# Htpasswd encryption method
# Value: plain | bcrypt | md5
# bcrypt requires the installation of radicale[bcrypt].
#htpasswd_encryption = md5

# Incorrect authentication delay (seconds)
#delay = 1

# Message displayed in the client when a password is needed
#realm = Radicale - Password Required

##auth_socket = /run/dovecot/auth-radicale

[rights]

# Rights backend
# Value: none | authenticated | owner_only | owner_write | from_file
type = from_file

# File for rights management from_file
file = /etc/radicale/rights


[storage]

# Storage backend
# Value: multifilesystem | multifilesystem_nolock
#type = multifilesystem

# Folder for storing local collections, created if not present
#filesystem_folder = /var/lib/radicale/collections

# Delete sync token that are older (seconds)
#max_sync_token_age = 2592000

# Command that is run after changes to storage
# Example: ([ -d .git ] || git init) && ([ -e .gitignore ] || printf '.Radicale.cache\n.Radicale.lock\n.Radicale.tmp-*\n' > .gitignore) && git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)
#hook =


[web]

# Web interface backend
# Value: none | internal
#type = internal


[logging]

# Threshold for the logger
# Value: debug | info | warning | error | critical
#level = warning

# Don't include passwords in logs
#mask_passwords = True


[headers]

# Additional HTTP headers
#Access-Control-Allow-Origin = *

I am reading the docs and cannot find out where I missed something.
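
The following is an added example, not part of the original issue and not Modoboa or Radicale code. It is a simplified model of first-match evaluation of a `from_file` rights file, run against the path shape seen in the "doesn't match any section" log lines above. Assumptions: patterns must match the whole user name and the whole sanitized path, `{user}` expands to the escaped login, and `alice@example.org` is a constructed placeholder because the real addresses are obscured on the page.

```python
import configparser
import re

# Constructed rights file mirroring the section layout shown in the post.
# The user name and domain are placeholders, not values from the issue.
RIGHTS = """
[sa-admin-acr]
user = admin
collection = .*
permissions = rw

[domain-shared]
user = alice@example.org
collection = example.org/user/.*
permissions = rw

[principal]
user = .+
collection = {user}
permissions = RW

[calendars]
user = .+
collection = {user}/[^/]+
permissions = rw
"""


def evaluate(rights_text, user, path):
    """Return (section, permissions) of the first matching rule, else (None, "")."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(rights_text)
    sane_path = path.strip("/")       # rules see the path without outer slashes
    escaped_user = re.escape(user)    # the login is inserted as a literal
    for section in parser.sections():
        user_pattern = parser.get(section, "user").format(login=escaped_user)
        user_match = re.fullmatch(user_pattern, user)
        if not user_match:
            continue
        collection_pattern = parser.get(section, "collection").format(
            *(re.escape(g) for g in user_match.groups()), user=escaped_user)
        if re.fullmatch(collection_pattern, sane_path):
            return section, parser.get(section, "permissions")
    return None, ""  # no section matched: access is denied
```

Under these assumptions, a path that still carries the `radicale/` prefix, as in the logged `Rights:` lines, matches none of the sections for either the anonymous or the logged-in user, while the same path without the prefix matches `[calendars]`.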
