[dev] removeUserData permissions
Jan Schneider
jan at horde.org
Mon Jun 12 04:05:43 PDT 2006
Quoting Karsten Fourmont <fourmont at gmx.de>:
> Hi,
>
> In Turba, Nag, Mnemo and Kronolith we now have a removeUserData
> function in the external API. This deletes all data (like private
> address book and history) of a user for the respective app.
> removeUserData is automatically called for each app by Auth::removeUser
> when a user is removed.
>
> However this doesn't work as expected due to permission issues:
>
> When a user (let's call him "admin") removes a user "jondoe", "admin"
> normally doesn't have write (delete) permission on "jondoe"'s private
> data. So the _delete and _list functions internally used by
> removeUserData return "permission denied".

The only user that should be able to call removeUser() should be an
admin, and admins shouldn't have permission restrictions.

Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/