[Tickets #12411] Re: horde could be used even if "Terms Of Service Agreement" would be rejected

noreply at bugs.horde.org noreply at bugs.horde.org
Fri Nov 1 04:11:36 UTC 2013


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/12411
------------------------------------------------------------------------------
  Ticket             | 12411
  Updated By         | Michael Slusarz <slusarz at horde.org>
  Summary            | horde could be used even if "Terms Of Service
                     | Agreement" would be rejected
  Queue              | Horde Base
  Version            | 5.1.1
  Type               | Bug
-State              | Assigned
+State              | Feedback
-Priority           | 2. Medium
+Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             | Michael Slusarz
------------------------------------------------------------------------------


Michael Slusarz <slusarz at horde.org> (2013-10-31 22:11) wrote:

> (we use ldap as auth source)
>
> The TOS (a type of "Horde_LoginTasks::DISPLAY_AGREE") could be  
> passed by at least two ways:
>
> 1st: As default the task will only be run for the first login. So do
> not accept, whatever... just come back for the second time and no
> TOS will appear.

Cannot reproduce.  I can verify that if you DON'T accept the screen  
will show up on the next login.

These are the SQL query results after declining the agreement (and being
logged out):

horde=> select * from horde_prefs where pref_name = 'last_logintasks';
  pref_uid | pref_scope | pref_name | pref_value
----------+------------+-----------+------------
(0 rows)

horde=> select * from horde_prefs where pref_name = 'last_login';
  pref_uid | pref_scope | pref_name | pref_value
----------+------------+-----------+------------
(0 rows)

> 2nd: Do not say no, just remove the  
> "services/logintasks.php?app=horde" part from your browser url (kind  
> of the 1st problem).

The TOS (or any task) was not really designed to prevent direct URL  
manipulation.

Indeed - it is entirely possible to use Horde services without logging  
in and accepting the agreement.  We simply don't have a mechanism that  
locks down the entire system.  This was never intended to do that in  
the first place anyway.

I don't see a pressing need to work around this.  Just write in your
TOS that continued use of the system, whether you actually click on
the Agree button, constitutes acceptance of the agreement.  Problem
solved.
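
The distinction drawn in the reply above, between an agreement shown as a step in the login flow and a mechanism that locks down the system, as an added example (not Horde code and not part of the original message). It is a simplified model: the session keys, function names and every path except services/logintasks.php?app=horde are hypothetical.

```php
<?php
// Added illustration, not Horde code. Session keys, function names and all
// paths except services/logintasks.php are hypothetical.
const LOGINTASKS = '/services/logintasks.php';
const ALLOWED_BEFORE_ACCEPT = [LOGINTASKS, '/logout.php'];

// Flow-only pattern: the agreement is a page the user is sent to after
// login; later requests are served without looking at the answer.
function flowOnlyGate(array $session, string $url): array
{
    return empty($session['authenticated']) ? [302, '/login.php'] : [200, $url];
}

// Enforced pattern: every request consults server-side acceptance state.
// (The login page itself is assumed to sit outside this gate.)
function enforcedGate(array $session, string $url): array
{
    if (empty($session['authenticated'])) {
        return [302, '/login.php'];
    }
    $path = parse_url($url, PHP_URL_PATH);
    // Exact match on the parsed path; anything unparsable or not on the
    // short allowlist is sent back to the agreement (fail closed).
    $exempt = is_string($path) && in_array($path, ALLOWED_BEFORE_ACCEPT, true);
    if (empty($session['tos_accepted']) && !$exempt) {
        return [302, LOGINTASKS . '?app=horde'];
    }
    return [200, $url];
}

// Constructed sample: a logged-in user who has not accepted the agreement.
$session = ['authenticated' => true, 'tos_accepted' => false];
$requests = [
    '/services/logintasks.php?app=horde', // the agreement page itself
    '/app/inbox.php',                     // URL edited to skip the agreement
    '/services/../app/inbox.php',         // not an exact allowlist match
    '/logout.php',
];
foreach ($requests as $url) {
    printf("%-36s flow-only=%d enforced=%d\n", $url,
        flowOnlyGate($session, $url)[0], enforcedGate($session, $url)[0]);
}
// After the user agrees, the server records it and the same URL is served.
$session['tos_accepted'] = true;
printf("%-36s enforced=%d (after acceptance)\n", '/app/inbox.php',
    enforcedGate($session, '/app/inbox.php')[0]);
```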




