[dev] removeUserData permissions
Karsten Fourmont
fourmont at gmx.de
Sun Jun 18 05:18:32 PDT 2006
Hi,
luckily, here we know the share name already and just need to check
permissions. So adding an && !auth->isAdmin() should do.
Cheers,
Karsten
Michael Rubinsky wrote:
> Quoting Karsten Fourmont <fourmont at gmx.de>:
>
>> Hi,
>>
>>> The only user that should be able to call removeUser() should be an
>>> admin, and admins shouldn't have permission restrictions.
>>
>> It's a bit more subtle.
>> Take mnemo_delete for example. It contains this:
>>
>> if (!array_key_exists($memo['memolist_id'],
>> Mnemo::listNotepads(false, PERMS_DELETE))) {
>> return PEAR::raiseError(_("Permission Denied"));
>> }
>>
>> listNotepad calls listShares of the share package. And this doesn't
>> seem to return the complete list of shares for admins.
>
> I had a similar problem when trying to deal with turba shares in the
> create_default_history upgade script. The only way I could get access
> to all the shares was to use something like $shares->listAllShares() in
> the upgrade script. I don't have the code to Mnemo in front of me at
> the moment, but what about adding something like Mnemo::getAllShares()
> which could check that the current user is the admin before returning
> the shares and if not admin, maybe falling through to Mnemo::listShares()?
>
> Just brainstorming...
>
>
> Thanks,
> mike
>
> --
> The Horde Project (www.horde.org)
> mrubinsk at horde.org
>
>
> --Horde developers mailing list - Join the hunt: http://horde.org/bounties/
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
More information about the dev
mailing list