[horde] Behavior of Object Creator permissions

[Jens Wahnes]

Hi,

like others before me, I've been trying to figure out how "Object 
Creator" permissions are supposed to work in Horde applications. As far 
as I could tell from past discussions on the mailing lists, some of the 
strange things that happen when Object Creator permissions are set on a 
share seem to be intentional. For instance, a calendar that has got 
"show" permissions for Object Creator (perm_creator_2) shows up in 
everyone's "Shared Calendars" section of Kronolith. If one enables such 
a calendar with a check mark, a red "Permission Denied" warning shows up 
in the lower right-hand corner. As far as I can tell from previous 
answers here, this seems to be the intended user experience.

Still, I'm uncertain if some of the other quirky things I've seen with 
Object Creator permissions are bugs or if they are intentional, too.

For instance, in Nag, when there is a tasklist on the system that has 
just "read" permissions for "object creator" (perm_creator_4) but no 
other permissions are given, the contents of that tasklist are displayed 
on the Horde portal page to any user if they've got an information block 
of "Tasks: Tasks Summary" with no particular task list selected. Is that 
intentional behavior of the "object creator" permissions? If you click 
on a certain task, then of course permission is denied, but still the 
information is displayed in the first place. These task lists do not 
show in the "Shared Task Lists" section of Nag but are displayed in 
portal view.

As far as notes are concerned, there is a strange thing going on as 
well. If there is a notepad with Object Creator permissions set to 
"show" (perm_creator_2), the contents of that notepad are more or less 
available to any user in the "Shared Notepads" section of Mnemo. If that 
particular notepad is enabled, notes from it are visible to anyone (both 
the first line/heading and more text through the mouse over effect). 
Clicking on a note gives a "permission denied" warning, yet anyone can 
read those notes. I find it hard to believe that just object creator 
permissions should really disclose that much information. But then 
again, the whole Object Creator permissions thing remains a mystery to me.

Are the above experiences examples of bugs with these Object Creator 
permissions? Am I understanding correctly what rights they are supposed 
to give? Or how are Object Creator permissions intended to work?


Jens


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4986 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.horde.org/archives/horde/attachments/20160707/4db3db1b/attachment.bin>