[kronolith] Privacy in Kronolith 3.0 vs. Horde admin rights

Jan Schneider jan at horde.org
Wed Apr 13 12:32:25 UTC 2011


Quoting Christoph Haas <chhaas-ml at uk-bw.de>:

> Hello,
>
> I'm fairly new to Horde 4 (final) .. but I'm a little bit worried about
> privacy in Kronolith 3.0:
>
> We are a team of some network-admins in our organization. So we share our
> Kronolith calendars with each other.
>
> Since some of us are also Horde admins (Administration -> Authentication ->
> $conf[auth][admins] ) , there is quite a big problem for us evolving: every
> admin can see also as "private" marked appointments, thus the calendar share
> is only set to "show" not "read".
>
> In my opinion also a super-user should not be able to see private
> appointments of other users by _default_.
>
> -> Is there a way to prohibit admins seeing _private_ appointments of users
> which share their Kronolith calendar with them?
>
> (Of course in paranoia-mode one could also encrypt private entries in the
> database, so that even a db-dump does not show private things ... - but this
> seems to me at the moment not necessary)

This is not easy, because all APIs of Kronolith (or any Horde app  
fwiw) assume a current user. This could be a guest user, an  
authenticated user, or an admin. Depending on this user state certain  
information is returned, hidden, etc. We need to return the full event  
details for admins, because this is how we pull events when sending  
event reminders or daily agendas.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/


