[dev] removeUserData permissions

[Michael Rubinsky]

Quoting Jan Schneider <jan at horde.org>:

> Yeah, the same should work for all the other apps, with the exception
> of Turba.
>
> Jan.


This is actually looking a little more complicated.  This will really  
only work with a SQL driver in most cases.  For example, looking at  
Kronolith there a few issues:

1) Only the user's 'default' calendar is attempted to be deleted.

2) If Kronolith is using the Kolab driver, then the current user's  
(most likely an admin) data is attempted to be deleted.  I'm not sure  
if it would even be possible to delete another user's data using this  
driver without knowing that user's credentials.

Moving back to Turba - with some Turba_Drivers it would be impossible  
to delete user data without knowing that user's credentials.  IMSP,  
and possibly the Kolab driver come to mind.  I'm not sure about LDAP.

What I'm thinking is the application drivers need to be extended to  
include something like $driver->deleteAllByUser($userID).  In the  
Application_Driver class, this should return a Not Supported error,  
while drivers that can implement this override this method.  Of  
course, there would have to be a Auth::isAdmin() check in there...

Turba might be a special case in that we would have to support sources  
that may or may not be represented by Horde_Shares as well.

Thoughts?


Thanks,
mike

--
The Horde Project (www.horde.org)
mrubinsk at horde.org