[kronolith] Privacy in Kronolith 3.0 vs. Horde admin rights
Jan Schneider
jan at horde.org
Wed Apr 13 12:32:25 UTC 2011
Quoting Christoph Haas <chhaas-ml at uk-bw.de>:
> Hello,
>
> I'm fairly new to Horde 4 (final) .. but I'm a little bit worried about
> privacy in Kronolith 3.0:
>
> We are a team of some network-admins in our organization. So we share our
> Kronolith calendars with each other.
>
> Since some of us are also Horde admins (Administration -> Authentication ->
> $conf[auth][admins] ) , there is quite a big problem for us evolving: every
> admin can see also as "private" marked appointments, thus the calendar share
> is only set to "show" not "read".
>
> In my opinion also a super-user should not be able to see private
> appointments of other users by _default_.
>
> -> Is there a way to prohibit admins seeing _private_ appointments of users
> which share their Kronolith calendar with them?
>
> (Of course in paranoia-mode one could also encrypt private entries in the
> database, so that even a db-dump does not show private things ... - but this
> seems to me at the moment not necessary)
This is not easy, because all APIs of Kronolith (or any Horde app
fwiw) assume a current user. This could be a guest user, an
authenticated user, or an admin. Depending on this user state certain
information is returned, hidden, etc. We need to return the full event
details for admins, because this is how we pull events when sending
event reminders or daily agendas.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/