[kronolith] Shared Calendars Permissions Not Secure?
Chuck Hagenbuch
chuck@horde.org
Fri Nov 29 18:57:22 2002
Quoting "Derek J. Balling" <dredd@megacity.org>:
> "dballing" creates a shared calendar "dballingtestcal", and sets
> default permissions of "Show" and "Read" on it.
>
> "testuser" now sees that calendar and its events as available for him
> to view (yayyyy!), *but* he can also go into "Edit My Calendars", see
> the calendar in there, and edit its permissions, etc. etc. as well
> (boooooo!)
>
> Have I got something horribly misconfigured? Is this a known or unknown
> bug?

'Twas a mostly unknown bug, or rather, two of them:

1. Kronolith::listCalendars() wasn't honoring the $owneronly parameter
2. shares/edit.php wasn't checking permissions strictly enough.

Both of these are now fixed in CVS.

-chuck
--
Charles Hagenbuch, <chuck@horde.org>
"People ask me all the time what it will be like living without otters."
- Google, thanks to Harpers
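
The two fixes named in the message above, sketched as an added example that is not part of the original post and is not Kronolith's code: an owner-only filter on the listing, plus a server-side ownership check on the edit action so that hiding a calendar from the list is never the only control. Every function name, constant and the sample data is hypothetical, and the policy that only the owner may change a share's permissions is an assumption.

```php
<?php
// Added illustration: hypothetical names throughout, not Kronolith's code.
const PERM_SHOW = 2;
const PERM_READ = 4;
const PERM_EDIT = 8;

// Constructed sample data mirroring the report: dballing owns the share and
// grants everyone else Show and Read by default.
$shares = [
    'dballingtestcal' => ['owner' => 'dballing', 'default' => PERM_SHOW | PERM_READ, 'users' => []],
    'testusercal'     => ['owner' => 'testuser', 'default' => 0, 'users' => []],
];

// A per-user grant, if present, overrides the share's default permissions.
function effectivePerms(array $share, string $user): int
{
    return $share['users'][$user] ?? $share['default'];
}

// Listing: with $ownerOnly set, only shares the user owns are returned;
// otherwise any share on which the user holds the requested permission.
function listCalendars(array $shares, string $user, bool $ownerOnly = false, int $perm = PERM_SHOW): array
{
    $out = [];
    foreach ($shares as $name => $share) {
        if ($share['owner'] === $user) {
            $out[] = $name;
        } elseif (!$ownerOnly && (effectivePerms($share, $user) & $perm) === $perm) {
            $out[] = $name;
        }
    }
    return $out;
}

// Edit handler: authorizes on the server regardless of what the list showed.
// Assumed policy: only the owner may change a share's permissions.
function setDefaultPerms(array &$shares, string $user, string $name, int $perms): bool
{
    if (!isset($shares[$name]) || $shares[$name]['owner'] !== $user) {
        return false; // unknown share or caller is not the owner: refuse
    }
    $shares[$name]['default'] = $perms;
    return true;
}

var_dump(listCalendars($shares, 'testuser'));        // calendars testuser may view
var_dump(listCalendars($shares, 'testuser', true));  // calendars for an "edit my calendars" page
var_dump(setDefaultPerms($shares, 'testuser', 'dballingtestcal', PERM_EDIT)); // direct request by a non-owner
var_dump(setDefaultPerms($shares, 'dballing', 'dballingtestcal', PERM_SHOW)); // request by the owner
```

The check in `setDefaultPerms()` has to exist even when the listing is filtered correctly, because a request can name a share directly without going through the list.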