[horde] H5.2 & IMP 6.2.6 list user capability is "true" wrongly

Thu Jan 22 13:33:08 UTC 2015

On Wed, 21 Jan 2015, Steffen wrote:
> On Wed, 21 Jan 2015, Jan Schneider wrote:
>> Zitat von Steffen <skhorde at smail.inf.fh-bonn-rhein-sieg.de>:
>> 
>>> I have configured IMP as auth backend for Horde, but I have no admin user 
>>> in the backend: "
>>> * admin: (array) Use this if you want to enable mailbox management for
>>> *   administrators via Horde's user administration interface. The mailbox
>>> *   management gets enabled if you let IMP handle the Horde authentication
>>> *   the 'application' authentication driver.  Your IMAP server needs to
>>> *   support mailbox management via IMAP commands.
>>> *
>>> *   Do not define this value if you do not want mailbox management 
>>> [DEFAULT].
>>> "
>>> 
>>> I don't want mailbox management from Horde and till H5.1 & IMP 6.1.7 to 
>>> create new calendars and sharing anything worked without a list of users .
>>> 
>>> Now, in webmail 5.2.4 usernames cannot be validated in the share dialogue 
>>> in services/shares/edit.php, because $auth->hasCapability('list') returns 
>>> true .
>>> 
>>> problem 1)
>>> After upgrade from IMP 6.1.7 to 6.2.6 I cannot create new calenders no 
>>> longer. This can be avoided by setting
>>> $conf['auth']['list_users'] = 'input';
>>> 
>>> This error is thrown: "Admin access not enabled."
>>> 
>>> If I change in ./imp/lib/Factory/AuthImap.php:
>>>
>>>        $admin = 
>>> $injector->getInstance('IMP_Factory_Imap')->create()->config->admin;
>>>        if (!$admin) {
>>>            //throw new IMP_Exception('Admin access not enabled.');
>>>            $admin = array();		// TODO
>>>        }
>>> 
>>> I get "Listing of users is nor supported."
>>> 
>>> problem 2)
>>> sharing calendars, tasklists, notebooks and such I cannot set permission 
>>> to other users, because the user cannot be validated, because of this 
>>> snippet in edit.php:
>>>
>>>        } elseif ($auth->hasCapability('list') && 
>>> !$auth->exists($new_owner_backend)) {
>>>            $notification->push(sprintf(_("The user \"%s\" does not 
>>> exist."), $new_owner_backend), 'horde.error');
>>> 
>>> ====
>>> 
>>> I patched Core/Auth/Application.php to return false always:
>>> 
>>>
>>>        if($capability == "list")	//TODO
>>>        	return false;
>>>        return in_array(strtolower($capability), $this->_appCapabilities);
>>> 
>>> Now H5.2 behaves as H5.1.
>>> 
>>> Did the upgrade from H5.1 to H5.2 introduced a new setting controlling 
>>> this capability? I did not found something in Horde nor Imp config.
>> 
>> Bug 13808
>
> I can access a shared calendar via CalDAV.
> Imp 6.2.6 seems to include the patch in comment #3.
>
> The capabilities at line 142 of imp/lib/Application are good:
>
> imp/Application.php _init $auth = array (#012  1 => 'authenticate',#012  3 => 
> 'transparent',#012)
>
> still, in services/shares/edit.php the call $auth->hasCapability('list') 
> returns true. Looks like
>
> For testing purpose, I added the
> if(empty($injector->getInstance('IMP_Factory_Imap')->create()->config->admin)) 
> {
>  $this->auth = array_diff($this->auth, array('add', 'list', 'remove'));
> }
>
> to bootstrap, too, but the problem persists.

the script in services/shares/edit.php

$app = $vars->app;
$shares = $injector->getInstance('Horde_Core_Factory_Share')->create($app);
$groups = $injector->getInstance('Horde_Group');
$auth = $injector->getInstance('Horde_Core_Factory_Auth')->create();
$help = $registry->hasMethod('shareHelp', $app)
     ? $registry->callByPackage($app, 'shareHelp')
     : null;

calls

new Horde_Core_Auth_Application ('imp') once,
then new Horde_Core_Auth_Application ('horde'),
but there is no call to imp's _init().

-- 
Steffen