[Tickets #10470] full creator permissions on a calendar "all authenticated" can show+read does not imply add privileges

bugs at horde.org bugs at horde.org
Wed Aug 31 14:29:48 UTC 2011


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/10470
------------------------------------------------------------------------------
  Ticket             | 10470
  Created By         | Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de>
  Summary            | full creator permissions on a calendar "all
                     | authenticated" can show+read does not imply add
                     | privileges
  Queue              | Kronolith
  Version            | 3.0.7
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


Ralf Lang (B1 Systems GmbH) <lang at b1-systems.de> (2011-08-31 14:29) wrote:

See also mailing list. As you describe the intendedbehaviour I assume  
this is a bug.
If you think the slightly dated version 3.0.7 is an issue I'll verify  
against git.

> > Well yes, it's logical. The creator of an event has permission [xyz] but
> > an event that doesn't exist has no creator. I still have to figure how
> > that works. Probably we're missing something here. It's not a
> > bleeding-edge new thing after all.
>
> How it worked in Horde 3 and how it's still supposed to work in Horde
> 4, is that setting creator permissions implicitly sets add permissions
> too. So even if not all authenticated users have write permissions,
> they all have add permissions as soon as they have creator permissions.
>
> Jan.

Actually no, and it seems to be consistent between traditional and ajax view.

test setup:
login admin.
create system calendar "permstest"

Setup matrix:


all auth gets show + read
normal user "testuser1" gets no on calendar perms
object creator gets full perms

logout admin.
login testuser1 (traditional)
create event.
Dropdown "calendar" doesn't offer 'permstest'
change to ajax
create event
Dropdown "calendar" doesn't offer 'permstest'





More information about the bugs mailing list