[dev] Virtual address book permissions

Michael Rubinsky mike at theupstairsroom.com
Wed Nov 16 10:08:20 PST 2005


I've been going back and forth with this for a little bit now.  I'm not 
sure which way is the best from both a user's and administrator's point 
of view.  First, some background:

With the new virtual address book code, it will be possible to set 
permissions on the vbook independently from the actual source address 
book.  This allows an admin to set up vbooks for, let's say each 
department, and allow users access to those vbooks, without giving 
permissions to the entire source the vbook is based on.  What I keep 
going back and forth on is how to handle PERMS_EDIT.  On the one hand, 
the vbook is obviously read-only in the sense that you can't 
add/delete/create lists etc...  On the other hand (and this is how I 
currently have it implemented), if you give PERMS_EDIT to a user you 
could allow that user to edit the actual contact entries so that the 
admin could give someone else authority to change, say the contact's 
cell phone number.  The problem (as I see it) is that this also gives 
that person the ability to edit the field that is causing the person to 
even appear in the vbook in the first place.  In some cases that would 
be fine...a person changes jobs and moves to another department, so the 
user changes the department field, updates the contact and voilà, the 
contact is no longer in the vbook.

My question is...is this something that should be allowed, from an 
admin's point of view...in that the user could unknowingly update the 
'critical field' and remove the contact from the vbook?  It's a simple 
matter to just remove PERMS_EDIT for all vbooks regardless of the 
permissions that are requested...just wanted to get the group's 
feedback to see what everyone thought would be the 'correct' behaviour 
for vbook permissions.

Thanks,
mike

--
The Horde Project (www.horde.org)
mrubinsk at horde.org
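
An added example, not part of the original message and not Horde or Turba code: one way to tell an ordinary edit made through a vbook apart from an edit that changes the field the vbook selects on, so the caller can refuse it or ask for confirmation. It assumes a vbook is defined by simple field/value criteria; the function names, the sample data and the numeric permission values are hypothetical.

```php
<?php
// Added sketch; every name and value here is hypothetical, not Horde/Turba code.
const PERMS_EDIT = 8; // bit value assumed for this sketch only

/** True when the contact satisfies every field => value criterion of the vbook. */
function matchesVbook(array $contact, array $criteria): bool
{
    foreach ($criteria as $field => $value) {
        if (!array_key_exists($field, $contact)
            || strcasecmp((string) $contact[$field], (string) $value) !== 0) {
            return false;
        }
    }
    return true;
}

/**
 * Classify an edit requested through a vbook.
 * Returns 'deny', 'allow', or 'removes-from-vbook'.
 */
function checkVbookEdit(int $perms, array $criteria, array $contact, array $changes): string
{
    // No edit bit, or the contact is not visible through this vbook at all.
    if (!($perms & PERMS_EDIT) || !matchesVbook($contact, $criteria)) {
        return 'deny';
    }
    // Apply the changes to a copy and test whether the contact still matches.
    $updated = array_merge($contact, $changes);
    return matchesVbook($updated, $criteria) ? 'allow' : 'removes-from-vbook';
}

// Constructed sample data.
$criteria = ['department' => 'Sales'];
$contact  = ['name' => 'Pat Example', 'department' => 'Sales', 'cellPhone' => '555-0100'];

$cases = [
    'phone edit'         => [PERMS_EDIT, ['cellPhone' => '555-0199']],
    'department edit'    => [PERMS_EDIT, ['department' => 'Support']],
    'no edit permission' => [4, ['cellPhone' => '555-0199']],
];
foreach ($cases as $label => [$perms, $changes]) {
    printf("%-20s %s\n", $label, checkVbookEdit($perms, $criteria, $contact, $changes));
}
```

The 'removes-from-vbook' result leaves the policy choice to the caller: reject the save, or warn the user that the contact will no longer appear in the vbook.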






