[dev] removeUserData permissions
Michael Rubinsky
mike at theupstairsroom.com
Sat Jun 17 07:41:44 PDT 2006
Quoting Karsten Fourmont <fourmont at gmx.de>:
> Hi,
>
>> The only user that should be able to call removeUser() should be an
>> admin, and admins shouldn't have permission restrictions.
>
> It's a bit more subtle.
> Take mnemo_delete for example. It contains this:
>
> if (!array_key_exists($memo['memolist_id'],
> Mnemo::listNotepads(false, PERMS_DELETE))) {
> return PEAR::raiseError(_("Permission Denied"));
> }
>
> listNotepad calls listShares of the share package. And this doesn't
> seem to return the complete list of shares for admins.
I had a similar problem when trying to deal with turba shares in the
create_default_history upgade script. The only way I could get access
to all the shares was to use something like $shares->listAllShares()
in the upgrade script. I don't have the code to Mnemo in front of me
at the moment, but what about adding something like
Mnemo::getAllShares() which could check that the current user is the
admin before returning the shares and if not admin, maybe falling
through to Mnemo::listShares()?
Just brainstorming...
Thanks,
mike
--
The Horde Project (www.horde.org)
mrubinsk at horde.org
More information about the dev
mailing list