[dev] removeUserData permissions

Jan Schneider jan at horde.org
Wed Jun 21 16:15:26 PDT 2006


Zitat von Michael Rubinsky <mike at theupstairsroom.com>:

> Quoting Karsten Fourmont <fourmont at gmx.de>:
>
>> Hi,
>>
>>> The only user that should be able to call removeUser() should be an
>>> admin, and admins shouldn't have permission restrictions.
>>
>> It's a bit more subtle.
>> Take mnemo_delete for example. It contains this:
>>
>>    if (!array_key_exists($memo['memolist_id'],
>> 		Mnemo::listNotepads(false, PERMS_DELETE))) {
>>        return PEAR::raiseError(_("Permission Denied"));
>>    }
>>
>> listNotepad calls listShares of the share package. And this doesn't
>> seem to return the complete list of shares for admins.
>
> I had a similar problem when trying to deal with turba shares in the
> create_default_history upgade script.  The only way I could get access
> to all the shares was to use something like $shares->listAllShares()
> in the upgrade script.  I don't have the code to Mnemo in front of me
> at the moment, but what about adding something like
> Mnemo::getAllShares() which could check that the current user is the
> admin before returning the shares and if not admin, maybe falling
> through to Mnemo::listShares()?

Why not simply adding an Auth::isAdmin() test to _mnemo_delete()?

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/



More information about the dev mailing list