[kronolith] Privacy in Kronolith 3.0 vs. Horde admin rights

Jan Schneider jan at horde.org
Wed Apr 13 15:57:27 UTC 2011


Quoting Christoph Haas <chhaas-ml at uk-bw.de>:

> Hello Jan,
>
> Jan Schneider <jan at horde.org> wrote on 2011-04-13 14:32:
>>
>> Quoting Christoph Haas <chhaas-ml at uk-bw.de>:
> [...]
>>> -> Is there a way to prohibit admins seeing _private_ appointments of
>>> users
>>> which share their Kronolith calendar with them?
> [...]
>> This is not easy, because all APIs of Kronolith (or any Horde app fwiw)
>> assume a current user. This could be a guest user, an authenticated
>> user, or an admin. Depending on this user state certain information is
>> returned, hidden, etc. We need to return the full event details for
>> admins, because this is how we pull events when sending event reminders
>> or daily agendas.
>>
>> Jan.
>
> thank you for your fast reply!
>
> But your answer is not really satisfying in matters of data privacy
> protection :-( there are a lot of thinkable (and existing) scenarios,
> where this leads to real harm.
> E.g. not all appointments of a team-leader should be visible to
> team-members, etc.
>
> Could the event reminders and agendas not be pulled by a pure system
> account? Other systems do so, to keep privacy.
>
> Do I have to file for this issue a bug or enhancement ticket in the
> horde bugtracker?
> And when yes, where should it be assigned: "Horde Framework Packages"
> (since I guess that such privacy things regard more than the Kronolith
> app)? Or somewhere else?

Well, the solution is simple, don't "misuse" admin accounts. Those  
should really be used for administration tasks only, and there is no  
reason to assign administration rights to a whole bunch of users.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/


