[dev] removeUserData permissions
Jan Schneider
jan at horde.org
Wed Jun 21 16:15:26 PDT 2006
Zitat von Michael Rubinsky <mike at theupstairsroom.com>:
> Quoting Karsten Fourmont <fourmont at gmx.de>:
>
>> Hi,
>>
>>> The only user that should be able to call removeUser() should be an
>>> admin, and admins shouldn't have permission restrictions.
>>
>> It's a bit more subtle.
>> Take mnemo_delete for example. It contains this:
>>
>> if (!array_key_exists($memo['memolist_id'],
>> Mnemo::listNotepads(false, PERMS_DELETE))) {
>> return PEAR::raiseError(_("Permission Denied"));
>> }
>>
>> listNotepad calls listShares of the share package. And this doesn't
>> seem to return the complete list of shares for admins.
>
> I had a similar problem when trying to deal with turba shares in the
> create_default_history upgade script. The only way I could get access
> to all the shares was to use something like $shares->listAllShares()
> in the upgrade script. I don't have the code to Mnemo in front of me
> at the moment, but what about adding something like
> Mnemo::getAllShares() which could check that the current user is the
> admin before returning the shares and if not admin, maybe falling
> through to Mnemo::listShares()?
Why not simply adding an Auth::isAdmin() test to _mnemo_delete()?
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
More information about the dev
mailing list