Goal: To have a single radicale account that is read only and distributed to approximately 500 users. Server is on Debian 10 behind Apache2 Users having issues are on IOS 13 or 14
Results: After referencing JSzaszvari in the radicale github I have successfully made an admin account with rw privileges and a user account with r only privileges. The contact list is symlinked between the admin and user account. After user testing this seems to work very well. Users with the user account can connect to radicale from their IOS device and see all contacts. Get updates in a timely fashion and importantly cannot edit or delete contacts. If they try and edit a contact it makes a duplicate named contact in their default account and puts any of the changes they've made there, preserving the read only contact.
Issue: The one thing I have found so far that is not working as intended is the "Update Contact" link that pops up on text messages on IOS. When a user clicks this link a new contact is not created and it seems that apple edits the read only contact locally on the phone. This leads to a PUT request with new data to the read only privileged account that fails. This is not a problem in itself but the subsequent read of the contacts does not occur and the users device is not updated with new contact information from the server. Only after the account is toggled off and back on from IOS settings does this reset and work correctly. However the "update contact" link reappears in text messages after some time.
Tried: I have tried editing the privileges to allow the user account to write to a dummy account and then read from the symlinked folder but I cannot get radicale to behave the way I would like. I have also considered adding all the updated photos using the admin account so users do not get the popup again but with over 400 contacts and the unpredictability of people updating this isn't a long term solution. Telling users not to click the "Update Contact" link is also an option but one prone to noncompliance.
Here is my radicale rights file:
[admin]
user: admin
collection: .*
permission: rw
[writeonly_contacts]
user: write
collection: .*
permission: r
[readonly_contacts]
user: usapct
collection: .*
permission: r
and /var/log/radicale/radicale.log when I try to sync afte clicking "update contact"
2020-10-06 19:02:26,970 - INFO: Starting Radicale
2020-10-06 19:02:26,970 - INFO: Authentication type is 'htpasswd'
2020-10-06 19:02:26,985 - DEBUG: registered 'bcrypt' handler: <class 'passlib.handlers.bcrypt.bcrypt'>
2020-10-06 19:02:26,988 - DEBUG: detected 'bcrypt' backend, version '3.1.6'
2020-10-06 19:02:26,988 - DEBUG: 'bcrypt' backend lacks $2$ support, enabling workaround
2020-10-06 19:02:27,318 - INFO: Storage type is 'multifilesystem'
2020-10-06 19:02:27,318 - INFO: Rights type is 'from_file'
2020-10-06 19:02:27,318 - INFO: Web type is 'internal'
2020-10-06 19:02:27,321 - INFO: Listening to 'localhost' on port 5232 using SSL
2020-10-06 19:02:27,328 - INFO: Radicale server ready
2020-10-06 19:02:35,249 - INFO: PUT request for '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' received from ‘ip.address’ (forwarded by 127.0.0.1) using 'iOS/14.0.1 (18A393) dataaccessd/1.0'
2020-10-06 19:02:35,249 - DEBUG: Request headers:
{'CONTENT_LENGTH': '317814',
'CONTENT_TYPE': 'text/vcard; charset=utf-8',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_HOST': ‘contacts.example.com’,
'HTTP_IF_MATCH': '"e86f0978da9f6e2ebc0f1f254ef2ffe0"',
'HTTP_USER_AGENT': 'iOS/14.0.1 (18A393) dataaccessd/1.0',
'HTTP_X_FORWARDED_FOR': ‘ip.address’,
'HTTP_X_FORWARDED_HOST': ‘contacts.example.com’,
'HTTP_X_FORWARDED_SERVER': ‘contacts.example.com’,
'PATH_INFO': '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_CERTIFICATE': None,
'REMOTE_HOST': '',
'REQUEST_METHOD': 'PUT',
'SCRIPT_NAME': '',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '5232',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SOFTWARE': 'WSGIServer/0.2',
'wsgi.errors': <_io.StringIO object at 0x7f51c16791f8>,
'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>,
'wsgi.input': <_io.BufferedReader name=7>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
2020-10-06 19:02:35,249 - DEBUG: Sanitized script name: ''
2020-10-06 19:02:35,250 - DEBUG: Sanitized path: '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf'
2020-10-06 19:02:35,251 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:35,251 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:35,251 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:35,251 - INFO: Rights: '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match any section
2020-10-06 19:02:35,252 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:35,252 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:35,252 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:35,252 - INFO: Rights: '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match any section
2020-10-06 19:02:35,252 - INFO: Access to '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' denied for anonymous user
2020-10-06 19:02:35,252 - DEBUG: Asking client for authentication
2020-10-06 19:02:35,252 - DEBUG: Response content:
Access to the requested resource forbidden.
2020-10-06 19:02:35,252 - INFO: PUT response status for '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' in 0.004 seconds: 401 Unauthorized
2020-10-06 19:02:59,278 - INFO: PROPFIND request for '/usapct/' with depth '0' received from ‘ip.address’ (forwarded by 127.0.0.1) using 'iOS/14.0.1 (18A393) dataaccessd/1.0'
2020-10-06 19:02:59,279 - DEBUG: Request headers:
{'CONTENT_LENGTH': '439',
'CONTENT_TYPE': 'text/xml',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_BRIEF': 't',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_DEPTH': '0',
'HTTP_HOST': ‘contacts.example.com’,
'HTTP_PREFER': 'return=minimal',
'HTTP_USER_AGENT': 'iOS/14.0.1 (18A393) dataaccessd/1.0',
'HTTP_X_FORWARDED_FOR': ‘ip.address’,
'HTTP_X_FORWARDED_HOST': ‘contacts.example.com’,
'HTTP_X_FORWARDED_SERVER': ‘contacts.example.com’,
'PATH_INFO': '/usapct/',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_CERTIFICATE': None,
'REMOTE_HOST': '',
'REQUEST_METHOD': 'PROPFIND',
'SCRIPT_NAME': '',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '5232',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SOFTWARE': 'WSGIServer/0.2',
'wsgi.errors': <_io.StringIO object at 0x7f51c16791f8>,
'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>,
'wsgi.input': <_io.BufferedReader name=7>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
2020-10-06 19:02:59,279 - DEBUG: Sanitized script name: ''
2020-10-06 19:02:59,279 - DEBUG: Sanitized path: '/usapct/'
2020-10-06 19:02:59,280 - DEBUG: Rule '':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,280 - DEBUG: Rule '':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,280 - DEBUG: Rule '':'usapct' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,280 - INFO: Rights: '':'usapct' doesn't match any section
2020-10-06 19:02:59,280 - DEBUG: Rule '':'' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,280 - DEBUG: Rule '':'' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,280 - DEBUG: Rule '':'' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,280 - INFO: Rights: '':'' doesn't match any section
2020-10-06 19:02:59,280 - INFO: Access to '/usapct/' denied for anonymous user
2020-10-06 19:02:59,280 - DEBUG: Asking client for authentication
2020-10-06 19:02:59,280 - DEBUG: Response content:
Access to the requested resource forbidden.
2020-10-06 19:02:59,281 - INFO: PROPFIND response status for '/usapct/' with depth '0' in 0.003 seconds: 401 Unauthorized
2020-10-06 19:02:59,863 - INFO: PROPFIND request for '/usapct/' with depth '0' received from ‘ip.address’ (forwarded by 127.0.0.1) using 'iOS/14.0.1 (18A393) dataaccessd/1.0'
2020-10-06 19:02:59,863 - DEBUG: Request headers:
{'CONTENT_LENGTH': '439',
'CONTENT_TYPE': 'text/xml',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_AUTHORIZATION': 'Basic **masked**',
'HTTP_BRIEF': 't',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_DEPTH': '0',
'HTTP_HOST': ‘contacts.example.com’,
'HTTP_PREFER': 'return=minimal',
'HTTP_USER_AGENT': 'iOS/14.0.1 (18A393) dataaccessd/1.0',
'HTTP_X_FORWARDED_FOR': ‘ip.address’,
'HTTP_X_FORWARDED_HOST': ‘contacts.example.com’,
'HTTP_X_FORWARDED_SERVER': ‘contacts.example.com’,
'PATH_INFO': '/usapct/',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_CERTIFICATE': None,
'REMOTE_HOST': '',
'REQUEST_METHOD': 'PROPFIND',
'SCRIPT_NAME': '',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '5232',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SOFTWARE': 'WSGIServer/0.2',
'wsgi.errors': <_io.StringIO object at 0x7f51c16791f8>,
'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>,
'wsgi.input': <_io.BufferedReader name=7>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
2020-10-06 19:02:59,863 - DEBUG: Sanitized script name: ''
2020-10-06 19:02:59,863 - DEBUG: Sanitized path: '/usapct/'
2020-10-06 19:02:59,866 - INFO: Successful login: 'usapct'
2020-10-06 19:02:59,867 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,867 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,867 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,867 - WARNING: Access to principal path '/usapct/' denied by rights backend
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,868 - DEBUG: Rule 'usapct':'' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,869 - DEBUG: Request content:
<?xml version="1.0"?>
<propfind xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/">
<prop>
<CR:addressbook-home-set />
<CR:directory-gateway />
<displayname />
<CS:email-address-set />
<principal-collection-set />
<principal-URL />
<resource-id />
<supported-report-set />
</prop>
</propfind>
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,870 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,871 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:02:59,871 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:02:59,871 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:02:59,871 - DEBUG: 'usapct' has read access to collection 'usapct'
2020-10-06 19:02:59,871 - DEBUG: Response content:
<?xml version="1.0"?>
<multistatus xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/">
<response>
<href>/usapct/</href>
<propstat>
<prop>
<CR:addressbook-home-set>
<href>/usapct/</href>
</CR:addressbook-home-set>
<principal-collection-set>
<href>/</href>
</principal-collection-set>
<principal-URL>
<href>/usapct/</href>
</principal-URL>
<supported-report-set>
<supported-report>
<report>
<expand-property />
</report>
</supported-report>
<supported-report>
<report>
<principal-search-property-set />
</report>
</supported-report>
<supported-report>
<report>
<principal-property-search />
</report>
</supported-report>
</supported-report-set>
</prop>
<status>HTTP/1.1 200 OK</status>
</propstat>
<propstat>
<prop>
<CR:directory-gateway />
<displayname />
<CS:email-address-set />
<resource-id />
</prop>
<status>HTTP/1.1 404 Not Found</status>
</propstat>
</response>
</multistatus>
2020-10-06 19:02:59,872 - INFO: PROPFIND response status for '/usapct/' with depth '0' in 0.009 seconds: 207 Multi-Status
2020-10-06 19:03:00,130 - INFO: PROPFIND request for '/usapct/' with depth '1' received from ‘ip.address’ (forwarded by 127.0.0.1) using 'iOS/14.0.1 (18A393) dataaccessd/1.0'
2020-10-06 19:03:00,131 - DEBUG: Request headers:
{'CONTENT_LENGTH': '782',
'CONTENT_TYPE': 'text/xml',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_AUTHORIZATION': 'Basic **masked**',
'HTTP_BRIEF': 't',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_DEPTH': '1',
'HTTP_HOST': ‘contacts.example.com’,
'HTTP_PREFER': 'return=minimal',
'HTTP_USER_AGENT': 'iOS/14.0.1 (18A393) dataaccessd/1.0',
'HTTP_X_FORWARDED_FOR': ‘ip.address’,
'HTTP_X_FORWARDED_HOST': ‘contacts.example.com’,
'HTTP_X_FORWARDED_SERVER': ‘contacts.example.com’,
'PATH_INFO': '/usapct/',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_CERTIFICATE': None,
'REMOTE_HOST': '',
'REQUEST_METHOD': 'PROPFIND',
'SCRIPT_NAME': '',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '5232',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SOFTWARE': 'WSGIServer/0.2',
'wsgi.errors': <_io.StringIO object at 0x7f51c16791f8>,
'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>,
'wsgi.input': <_io.BufferedReader name=7>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
2020-10-06 19:03:00,131 - DEBUG: Sanitized script name: ''
2020-10-06 19:03:00,131 - DEBUG: Sanitized path: '/usapct/'
2020-10-06 19:03:00,134 - INFO: Successful login: 'usapct'
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,135 - WARNING: Access to principal path '/usapct/' denied by rights backend
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,135 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,136 - DEBUG: Rule 'usapct':'' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,136 - DEBUG: Rule 'usapct':'' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,136 - DEBUG: Rule 'usapct':'' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,136 - DEBUG: Request content:
<?xml version="1.0"?>
<propfind xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/" xmlns:ME="http://me.com/_namespace/">
<prop>
<add-member />
<ME:bulk-requests />
<current-user-privilege-set />
<displayname />
<ME:guardian-restricted />
<CR:max-image-size />
<CR:max-resource-size />
<CS:me-card />
<owner />
<CS:push-transports />
<CS:pushkey />
<quota-available-bytes />
<quota-used-bytes />
<resource-id />
<resourcetype />
<supported-report-set />
<sync-token />
</prop>
</propfind>
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,137 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,138 - DEBUG: Rule 'usapct':'usapct' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,138 - DEBUG: Rule 'usapct':'usapct' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,138 - DEBUG: Rule 'usapct':'usapct' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,138 - DEBUG: 'usapct' has read access to collection 'usapct'
2020-10-06 19:03:00,138 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,139 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,139 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,139 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:00,139 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:00,139 - DEBUG: Rule 'usapct':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' matches 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:00,139 - DEBUG: 'usapct' has read access to collection 'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22'
2020-10-06 19:03:00,202 - DEBUG: Response content:
<?xml version="1.0"?>
<multistatus xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav" xmlns:CS="http://calendarserver.org/ns/" xmlns:ME="http://me.com/_namespace/">
<response>
<href>/usapct/</href>
<propstat>
<prop>
<current-user-privilege-set>
<privilege>
<read />
</privilege>
</current-user-privilege-set>
<owner>
<href>/usapct/</href>
</owner>
<resourcetype>
<principal />
<collection />
</resourcetype>
<supported-report-set>
<supported-report>
<report>
<expand-property />
</report>
</supported-report>
<supported-report>
<report>
<principal-search-property-set />
</report>
</supported-report>
<supported-report>
<report>
<principal-property-search />
</report>
</supported-report>
</supported-report-set>
</prop>
<status>HTTP/1.1 200 OK</status>
</propstat>
<propstat>
<prop>
<add-member />
<ME:bulk-requests />
<displayname />
<ME:guardian-restricted />
<CR:max-image-size />
<CR:max-resource-size />
<CS:me-card />
<CS:push-transports />
<CS:pushkey />
<quota-available-bytes />
<quota-used-bytes />
<resource-id />
<sync-token />
</prop>
<status>HTTP/1.1 404 Not Found</status>
</propstat>
</response>
<response>
<href>/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/</href>
<propstat>
<prop>
<current-user-privilege-set>
<privilege>
<read />
</privilege>
</current-user-privilege-set>
<displayname>contacts</displayname>
<owner>
<href>/usapct/</href>
</owner>
<resourcetype>
<CR:addressbook />
<collection />
</resourcetype>
<supported-report-set>
<supported-report>
<report>
<expand-property />
</report>
</supported-report>
<supported-report>
<report>
<principal-search-property-set />
</report>
</supported-report>
<supported-report>
<report>
<principal-property-search />
</report>
</supported-report>
<supported-report>
<report>
<sync-collection />
</report>
</supported-report>
<supported-report>
<report>
<CR:addressbook-multiget />
</report>
</supported-report>
<supported-report>
<report>
<CR:addressbook-query />
</report>
</supported-report>
</supported-report-set>
<sync-token>http://radicale.org/ns/sync/ea1aeaeaae753ad79d88626223a1a86f</sync-token>
</prop>
<status>HTTP/1.1 200 OK</status>
</propstat>
<propstat>
<prop>
<add-member />
<ME:bulk-requests />
<ME:guardian-restricted />
<CR:max-image-size />
<CR:max-resource-size />
<CS:me-card />
<CS:push-transports />
<CS:pushkey />
<quota-available-bytes />
<quota-used-bytes />
<resource-id />
</prop>
<status>HTTP/1.1 404 Not Found</status>
</propstat>
</response>
</multistatus>
2020-10-06 19:03:00,203 - INFO: PROPFIND response status for '/usapct/' with depth '1' in 0.072 seconds: 207 Multi-Status
2020-10-06 19:03:03,069 - INFO: PUT request for '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' received from ‘ip.address’ (forwarded by 127.0.0.1) using 'iOS/14.0.1 (18A393) dataaccessd/1.0'
2020-10-06 19:03:03,070 - DEBUG: Request headers:
{'CONTENT_LENGTH': '317814',
'CONTENT_TYPE': 'text/vcard; charset=utf-8',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': '*/*',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br',
'HTTP_ACCEPT_LANGUAGE': 'en-us',
'HTTP_CONNECTION': 'Keep-Alive',
'HTTP_HOST': ‘contacts.example.com’,
'HTTP_IF_MATCH': '"e86f0978da9f6e2ebc0f1f254ef2ffe0"',
'HTTP_USER_AGENT': 'iOS/14.0.1 (18A393) dataaccessd/1.0',
'HTTP_X_FORWARDED_FOR': ‘ip.address’,
'HTTP_X_FORWARDED_HOST': ‘contacts.example.com’,
'HTTP_X_FORWARDED_SERVER': ‘contacts.example.com’,
'PATH_INFO': '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_CERTIFICATE': None,
'REMOTE_HOST': '',
'REQUEST_METHOD': 'PUT',
'SCRIPT_NAME': '',
'SERVER_NAME': 'localhost',
'SERVER_PORT': '5232',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SOFTWARE': 'WSGIServer/0.2',
'wsgi.errors': <_io.StringIO object at 0x7f51c16791f8>,
'wsgi.file_wrapper': <class 'wsgiref.util.FileWrapper'>,
'wsgi.input': <_io.BufferedReader name=7>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
2020-10-06 19:03:03,070 - DEBUG: Sanitized script name: ''
2020-10-06 19:03:03,070 - DEBUG: Sanitized path: '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf'
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:03,071 - INFO: Rights: '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' doesn't match any section
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'admin':'.*' from section 'admin'
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'write':'.*' from section 'writeonly_contacts'
2020-10-06 19:03:03,071 - DEBUG: Rule '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match 'usapct':'.*' from section 'readonly_contacts'
2020-10-06 19:03:03,071 - INFO: Rights: '':'usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22' doesn't match any section
2020-10-06 19:03:03,071 - INFO: Access to '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' denied for anonymous user
2020-10-06 19:03:03,071 - DEBUG: Asking client for authentication
2020-10-06 19:03:03,072 - DEBUG: Response content:
Access to the requested resource forbidden.
2020-10-06 19:03:03,072 - INFO: PUT response status for '/usapct/8cdcbb5d-9816-b89c-d22c-63d2ac4a9a22/Contact.vcf' in 0.002 seconds: 401 Unauthorized
Any ideas?