fix(caldav): prevent unshare entry creation for owner unsharing

- Introduces a `unshare` method in `CalDavBackend` to handle user unshares.
- Implements check to determine if unshare entry is needed based on group/circle membership.
- Ensures `updateShares` is only used when the calendar owner manages shares.
- Resolves issue where unsharing a calendar as owner created an unshare entry in `oc_dav_shares`.

Related PRs:
- #43117
- #47737

Signed-off-by: Daniel Kesselberg <[email protected]>

Author: kesselb

apps/dav/appinfo/info.xml

@@ -55,13 +55,15 @@
 	</repair-steps>
 
 	<commands>
+		<command>OCA\DAV\Command\ClearCalendarUnshares</command>
 		<command>OCA\DAV\Command\CreateAddressBook</command>
 		<command>OCA\DAV\Command\CreateCalendar</command>
 		<command>OCA\DAV\Command\CreateSubscription</command>
 		<command>OCA\DAV\Command\DeleteCalendar</command>
 		<command>OCA\DAV\Command\DeleteSubscription</command>
 		<command>OCA\DAV\Command\FixCalendarSyncCommand</command>
 		<command>OCA\DAV\Command\ListAddressbooks</command>
+		<command>OCA\DAV\Command\ListCalendarShares</command>
 		<command>OCA\DAV\Command\ListCalendars</command>
 		<command>OCA\DAV\Command\ListSubscriptions</command>
 		<command>OCA\DAV\Command\MoveCalendar</command>

apps/dav/composer/composer/autoload_classmap.php

@@ -153,13 +153,15 @@
     'OCA\\DAV\\CardDAV\\UserAddressBooks' => $baseDir . '/../lib/CardDAV/UserAddressBooks.php',
     'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => $baseDir . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
     'OCA\\DAV\\CardDAV\\Xml\\Groups' => $baseDir . '/../lib/CardDAV/Xml/Groups.php',
+    'OCA\\DAV\\Command\\ClearCalendarUnshares' => $baseDir . '/../lib/Command/ClearCalendarUnshares.php',
     'OCA\\DAV\\Command\\CreateAddressBook' => $baseDir . '/../lib/Command/CreateAddressBook.php',
     'OCA\\DAV\\Command\\CreateCalendar' => $baseDir . '/../lib/Command/CreateCalendar.php',
     'OCA\\DAV\\Command\\CreateSubscription' => $baseDir . '/../lib/Command/CreateSubscription.php',
     'OCA\\DAV\\Command\\DeleteCalendar' => $baseDir . '/../lib/Command/DeleteCalendar.php',
     'OCA\\DAV\\Command\\DeleteSubscription' => $baseDir . '/../lib/Command/DeleteSubscription.php',
     'OCA\\DAV\\Command\\FixCalendarSyncCommand' => $baseDir . '/../lib/Command/FixCalendarSyncCommand.php',
     'OCA\\DAV\\Command\\ListAddressbooks' => $baseDir . '/../lib/Command/ListAddressbooks.php',
+    'OCA\\DAV\\Command\\ListCalendarShares' => $baseDir . '/../lib/Command/ListCalendarShares.php',
     'OCA\\DAV\\Command\\ListCalendars' => $baseDir . '/../lib/Command/ListCalendars.php',
     'OCA\\DAV\\Command\\ListSubscriptions' => $baseDir . '/../lib/Command/ListSubscriptions.php',
     'OCA\\DAV\\Command\\MoveCalendar' => $baseDir . '/../lib/Command/MoveCalendar.php',

apps/dav/composer/composer/autoload_static.php

@@ -168,13 +168,15 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\CardDAV\\UserAddressBooks' => __DIR__ . '/..' . '/../lib/CardDAV/UserAddressBooks.php',
         'OCA\\DAV\\CardDAV\\Validation\\CardDavValidatePlugin' => __DIR__ . '/..' . '/../lib/CardDAV/Validation/CardDavValidatePlugin.php',
         'OCA\\DAV\\CardDAV\\Xml\\Groups' => __DIR__ . '/..' . '/../lib/CardDAV/Xml/Groups.php',
+        'OCA\\DAV\\Command\\ClearCalendarUnshares' => __DIR__ . '/..' . '/../lib/Command/ClearCalendarUnshares.php',
         'OCA\\DAV\\Command\\CreateAddressBook' => __DIR__ . '/..' . '/../lib/Command/CreateAddressBook.php',
         'OCA\\DAV\\Command\\CreateCalendar' => __DIR__ . '/..' . '/../lib/Command/CreateCalendar.php',
         'OCA\\DAV\\Command\\CreateSubscription' => __DIR__ . '/..' . '/../lib/Command/CreateSubscription.php',
         'OCA\\DAV\\Command\\DeleteCalendar' => __DIR__ . '/..' . '/../lib/Command/DeleteCalendar.php',
         'OCA\\DAV\\Command\\DeleteSubscription' => __DIR__ . '/..' . '/../lib/Command/DeleteSubscription.php',
         'OCA\\DAV\\Command\\FixCalendarSyncCommand' => __DIR__ . '/..' . '/../lib/Command/FixCalendarSyncCommand.php',
         'OCA\\DAV\\Command\\ListAddressbooks' => __DIR__ . '/..' . '/../lib/Command/ListAddressbooks.php',
+        'OCA\\DAV\\Command\\ListCalendarShares' => __DIR__ . '/..' . '/../lib/Command/ListCalendarShares.php',
         'OCA\\DAV\\Command\\ListCalendars' => __DIR__ . '/..' . '/../lib/Command/ListCalendars.php',
         'OCA\\DAV\\Command\\ListSubscriptions' => __DIR__ . '/..' . '/../lib/Command/ListSubscriptions.php',
         'OCA\\DAV\\Command\\MoveCalendar' => __DIR__ . '/..' . '/../lib/Command/MoveCalendar.php',

apps/dav/lib/CalDAV/CalDavBackend.php

@@ -88,6 +88,19 @@
  * Code is heavily inspired by https://github.com/fruux/sabre-dav/blob/master/lib/CalDAV/Backend/PDO.php
  *
  * @package OCA\DAV\CalDAV
+ *
+ * @psalm-type CalendarInfo = array{
+ *     id: int,
+ *     uri: string,
+ *     principaluri: string,
+ *     '{http://calendarserver.org/ns/}getctag': string,
+ *     '{http://sabredav.org/ns}sync-token': int,
+ *     '{urn:ietf:params:xml:ns:caldav}supported-calendar-component-set': \Sabre\CalDAV\Xml\Property\SupportedCalendarComponentSet,
+ *     '{urn:ietf:params:xml:ns:caldav}schedule-calendar-transp': \Sabre\CalDAV\Xml\Property\ScheduleCalendarTransp,
+ *     '{DAV:}displayname': string,
+ *     '{urn:ietf:params:xml:ns:caldav}calendar-timezone': ?string,
+ *     '{http://nextcloud.com/ns}owner-displayname': string,
+ * }
  */
 class CalDavBackend extends AbstractBackend implements SyncSupport, SubscriptionSupport, SchedulingSupport {
 	use TTransactional;
@@ -649,7 +662,8 @@ public function getCalendarByUri($principal, $uri) {
 	}
 
 	/**
-	 * @return array{id: int, uri: string, '{http://calendarserver.org/ns/}getctag': string, '{http://sabredav.org/ns}sync-token': int, '{urn:ietf:params:xml:ns:caldav}supported-calendar-component-set': SupportedCalendarComponentSet, '{urn:ietf:params:xml:ns:caldav}schedule-calendar-transp': ScheduleCalendarTransp, '{urn:ietf:params:xml:ns:caldav}calendar-timezone': ?string }|null
+	 * @psalm-return CalendarInfo|null
+	 * @return array|null
 	 */
 	public function getCalendarById(int $calendarId): ?array {
 		$fields = array_column($this->propertyMap, 0);
@@ -3628,4 +3642,26 @@ protected function purgeObjectInvitations(string $eventId): void {
 			->where($cmd->expr()->eq('uid', $cmd->createNamedParameter($eventId, IQueryBuilder::PARAM_STR), IQueryBuilder::PARAM_STR));
 		$cmd->executeStatement();
 	}
+
+	public function unshare(IShareable $shareable, string $principal): void {
+		$this->atomic(function () use ($shareable, $principal): void {
+			$calendarData = $this->getCalendarById($shareable->getResourceId());
+			if ($calendarData === null) {
+				throw new \RuntimeException('Trying to update shares for non-existing calendar: ' . $shareable->getResourceId());
+			}
+
+			$oldShares = $this->getShares($shareable->getResourceId());
+			$unshare = $this->calendarSharingBackend->unshare($shareable, $principal);
+
+			if ($unshare) {
+				$this->dispatcher->dispatchTyped(new CalendarShareUpdatedEvent(
+					$shareable->getResourceId(),
+					$calendarData,
+					$oldShares,
+					[],
+					[$principal]
+				));
+			}
+		}, $this->db);
+	}
 }

apps/dav/lib/CalDAV/Calendar.php

@@ -214,12 +214,8 @@ public function getOwner(): ?string {
 	}
 
 	public function delete() {
-		if (isset($this->calendarInfo['{http://owncloud.org/ns}owner-principal']) &&
-			$this->calendarInfo['{http://owncloud.org/ns}owner-principal'] !== $this->calendarInfo['principaluri']) {
-			$principal = 'principal:' . parent::getOwner();
-			$this->caldavBackend->updateShares($this, [], [
-				$principal
-			]);
+		if ($this->isShared()) {
+			$this->caldavBackend->unshare($this, 'principal:' . $this->getPrincipalURI());
 			return;
 		}
 

apps/dav/lib/Command/ClearCalendarUnshares.php

@@ -0,0 +1,114 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Command;
+
+use OCA\DAV\CalDAV\CalDavBackend;
+use OCA\DAV\CalDAV\Sharing\Backend;
+use OCA\DAV\CalDAV\Sharing\Service;
+use OCA\DAV\Connector\Sabre\Principal;
+use OCA\DAV\DAV\Sharing\Backend as BackendAlias;
+use OCA\DAV\DAV\Sharing\SharingMapper;
+use OCP\IAppConfig;
+use OCP\IUserManager;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\QuestionHelper;
+use Symfony\Component\Console\Helper\Table;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\ConfirmationQuestion;
+
+#[AsCommand(
+	name: 'dav:clear-calendar-unshares',
+	description: 'Clear calendar unshares for a user',
+	hidden: false,
+)]
+class ClearCalendarUnshares extends Command {
+	public function __construct(
+		private IUserManager $userManager,
+		private IAppConfig $appConfig,
+		private Principal $principal,
+		private CalDavBackend $caldav,
+		private Backend $sharingBackend,
+		private Service $sharingService,
+		private SharingMapper $mapper,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		$this->addArgument(
+			'uid',
+			InputArgument::REQUIRED,
+			'User whose unshares to clear'
+		);
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$user = (string)$input->getArgument('uid');
+		if (!$this->userManager->userExists($user)) {
+			throw new \InvalidArgumentException("User $user is unknown");
+		}
+
+		$principal = $this->principal->getPrincipalByPath('principals/users/' . $user);
+		if ($principal === null) {
+			throw new \InvalidArgumentException("Unable to fetch principal for user $user ");
+		}
+
+		$shares = $this->mapper->getSharesByPrincipals([$principal['uri']], 'calendar');
+		$unshares = array_filter($shares, static fn ($share) => $share['access'] === BackendAlias::ACCESS_UNSHARED);
+
+		if (count($unshares) === 0) {
+			$output->writeln("User $user has no calendar unshares");
+			return self::SUCCESS;
+		}
+
+		$rows = array_map(fn ($share) => $this->formatCalendarUnshare($share), $shares);
+
+		$table = new Table($output);
+		$table
+			->setHeaders(['Share Id', 'Calendar Id', 'Calendar URI', 'Calendar Name'])
+			->setRows($rows)
+			->render();
+
+		$output->writeln('');
+
+		/** @var QuestionHelper $helper */
+		$helper = $this->getHelper('question');
+		$question = new ConfirmationQuestion('Please confirm to delete the above calendar unshare entries [y/n]', false);
+
+		if ($helper->ask($input, $output, $question)) {
+			$this->mapper->deleteUnsharesByPrincipal($principal['uri'], 'calendar');
+			$output->writeln("Calendar unshares for user $user deleted");
+		}
+
+		return self::SUCCESS;
+	}
+
+	private function formatCalendarUnshare(array $share): array {
+		$calendarInfo = $this->caldav->getCalendarById($share['resourceid']);
+
+		$resourceUri = 'Resource not found';
+		$resourceName = '';
+
+		if ($calendarInfo !== null) {
+			$resourceUri = $calendarInfo['uri'];
+			$resourceName = $calendarInfo['{DAV:}displayname'];
+		}
+
+		return [
+			$share['id'],
+			$share['resourceid'],
+			$resourceUri,
+			$resourceName,
+		];
+	}
+}

apps/dav/lib/Command/ListCalendarShares.php

@@ -0,0 +1,131 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\DAV\Command;
+
+use OCA\DAV\CalDAV\CalDavBackend;
+use OCA\DAV\CalDAV\Sharing\Backend;
+use OCA\DAV\Connector\Sabre\Principal;
+use OCA\DAV\DAV\Sharing\SharingMapper;
+use OCP\IUserManager;
+use Symfony\Component\Console\Attribute\AsCommand;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\Table;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+#[AsCommand(
+	name: 'dav:list-calendar-shares',
+	description: 'List all calendar shares for a user',
+	hidden: false,
+)]
+class ListCalendarShares extends Command {
+	public function __construct(
+		private IUserManager $userManager,
+		private Principal $principal,
+		private CalDavBackend $caldav,
+		private SharingMapper $mapper,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		$this->addArgument(
+			'uid',
+			InputArgument::REQUIRED,
+			'User whose calendar shares will be listed'
+		);
+		$this->addOption(
+			'calendar-id',
+			'',
+			InputOption::VALUE_REQUIRED,
+			'List only shares for the given calendar id id',
+			null,
+		);
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$user = (string)$input->getArgument('uid');
+		if (!$this->userManager->userExists($user)) {
+			throw new \InvalidArgumentException("User $user is unknown");
+		}
+
+		$principal = $this->principal->getPrincipalByPath('principals/users/' . $user);
+		if ($principal === null) {
+			throw new \InvalidArgumentException("Unable to fetch principal for user $user");
+		}
+
+		$memberships = array_merge(
+			[$principal['uri']],
+			$this->principal->getGroupMembership($principal['uri']),
+			$this->principal->getCircleMembership($principal['uri']),
+		);
+
+		$shares = $this->mapper->getSharesByPrincipals($memberships, 'calendar');
+
+		$calendarId = $input->getOption('calendar-id');
+		if ($calendarId !== null) {
+			$shares = array_filter($shares, fn ($share) => $share['resourceid'] === (int)$calendarId);
+		}
+
+		$rows = array_map(fn ($share) => $this->formatCalendarShare($share), $shares);
+
+		if (count($rows) > 0) {
+			$table = new Table($output);
+			$table
+				->setHeaders(['Share Id', 'Calendar Id', 'Calendar URI', 'Calendar Name', 'Calendar Owner', 'Access By', 'Permissions'])
+				->setRows($rows)
+				->render();
+		} else {
+			$output->writeln("User $user has no calendar shares");
+		}
+
+		return self::SUCCESS;
+	}
+
+	private function formatCalendarShare(array $share): array {
+		$calendarInfo = $this->caldav->getCalendarById($share['resourceid']);
+
+		$calendarUri = 'Resource not found';
+		$calendarName = '';
+		$calendarOwner = '';
+
+		if ($calendarInfo !== null) {
+			$calendarUri = $calendarInfo['uri'];
+			$calendarName = $calendarInfo['{DAV:}displayname'];
+			$calendarOwner = $calendarInfo['{http://nextcloud.com/ns}owner-displayname'] . ' (' . $calendarInfo['principaluri'] . ')';
+		}
+
+		$accessBy = match (true) {
+			str_starts_with($share['principaluri'], 'principals/users/') => 'Individual',
+			str_starts_with($share['principaluri'], 'principals/groups/') => 'Group (' . $share['principaluri'] . ')',
+			str_starts_with($share['principaluri'], 'principals/circles/') => 'Team (' . $share['principaluri'] . ')',
+			default => $share['principaluri'],
+		};
+
+		$permissions = match ($share['access']) {
+			Backend::ACCESS_READ => 'Read',
+			Backend::ACCESS_READ_WRITE => 'Read/Write',
+			Backend::ACCESS_UNSHARED => 'Unshare',
+			default => $share['access'],
+		};
+
+		return [
+			$share['id'],
+			$share['resourceid'],
+			$calendarUri,
+			$calendarName,
+			$calendarOwner,
+			$accessBy,
+			$permissions,
+		];
+	}
+}