[turba] contact ownership issue

Patrick Boutilier boutilpj@ednet.ns.ca
Tue, 06 Aug 2002 23:00:31 -0300


I used this strategy to make the pam_mysql module case sensitive. I am 
not sure if this can be applied to Turba or not. This select statement 
will only return a row if the case of $user and $pass is the same as 
the case of userid and password in the MySQL record.


select userid from user where userid='$user' AND passwd='$pass' AND 
STRCMP(userid,'$user') = 0 AND STRCMP(passwd,'$pass') = 0;



jlewis@lewis.org wrote:
> I honestly haven't gotten to debugging this at the imapd level...but I was
> surprised to see that username is case insensitive with both the uw and
> courier imapd's I've tested against.  On our system running uw imap, all 
> usernames are required to be lower case...so even if this patch isn't a 
> good idea for everyone, I think it'll work for me.
> 
> In the case where User and USER are different accounts, turba would have
> issues since AFAIK, mysql is case insensitive, so it'll have a hard time
> selecting just User's or just USER's contacts, showing them all to both
> accounts.
> 
> On Tue, 6 Aug 2002, Patrick Boutilier wrote:
> 
> 
>>Are user, User, and USER all the same account? (case-insensitive login)
>>
>>I ran into a similar situation where the users were authenticating 
>>against a MySQL database so they could log in as user or USER (etc.) 
>>but the Cyrus IMAP server would only show them their mail if they logged 
>>on correctly as user (all lower case).
>>
>>To get around that problem I made the pam_mysql pam module make the 
>>login case sensitive.
>>
>>
>>
>>jlewis@lewis.org wrote:
>>
>>>I just ran into an interesting contact ownership issue in turba-1.1.
>>>
>>>Suppose a user logs into IMP as user and creates some contacts.  Later, 
>>>they log in as User and create a few more.  Then later, they log in as 
>>>USER.  Logged in as USER, they see all contacts created by user and User, 
>>>but turba doesn't think they own the contacts, so they can't edit/delete 
>>>them.
>>>
>>>Is there anything wrong with doing the following:
>>>
>>>--- lib/AbstractObject.php.orig Tue Aug  6 19:17:01 2002
>>>+++ lib/AbstractObject.php      Tue Aug  6 19:24:25 2002
>>>@@ -101,7 +101,7 @@
>>>         if ($this->source->readonly) {
>>>             return false;
>>>         } else if ($this->hasValue('__owner') &&
>>>-                   $this->getValue('__owner') != Auth::getAuth()) {
>>>+                   (strcasecmp($this->getValue('__owner'),Auth::getAuth()))) {
>>>             return false;
>>>         }
>>>
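Review bot: On the `+` line, `strcasecmp()` makes the ownership test case-insensitive for every installation, so where the login backend treats User and USER as different accounts, either one would pass this check for the other's contacts. Consider lower-casing the username once at login, or gating the relaxed comparison on a configuration setting, and keeping the strict comparison here. If the call stays, spell out the intent as `strcasecmp(...) != 0` rather than relying on the non-zero return, drop the extra outer parentheses, and add a space after the comma to match the surrounding lines.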
>>>
>>>----------------------------------------------------------------------
>>> Jon Lewis *jlewis@lewis.org*|  I route
>>> System Administrator        |  therefore you are
>>> Atlantic Net                |  
>>>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>>>
>>>
>>
> 
>
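
The ownership check discussed in this thread, as an added example that is not part of the original messages and is not Turba or Horde code: the case policy is decided once, from how the login backend treats usernames, and the ownership comparison itself stays strict. The function names, the `$caseSensitiveAccounts` flag and the sample rows are hypothetical.

```php
<?php
// Added example: not Turba or Horde code. All names below are hypothetical.

// Constructed sample rows, as a case-insensitive lookup would return them
// for any of the logins "user", "User" or "USER".
$contacts = [
    ['name' => 'Alice', '__owner' => 'user'],
    ['name' => 'Bob',   '__owner' => 'User'],
    ['name' => 'Carol', '__owner' => 'USER'],
];

// Map a login name to the single spelling used for ownership decisions.
// Assumption: usernames are ASCII, so strtolower() is a safe case fold.
function canonicalOwner(string $login, bool $caseSensitiveAccounts): string
{
    return $caseSensitiveAccounts ? $login : strtolower($login);
}

// Strict comparison of canonical names; the case policy lives in one place.
function isEditable(array $contact, string $login, bool $caseSensitiveAccounts): bool
{
    if (!isset($contact['__owner'])) {
        return true; // as in the thread's check: no owner recorded, no restriction
    }
    return canonicalOwner($contact['__owner'], $caseSensitiveAccounts)
        === canonicalOwner($login, $caseSensitiveAccounts);
}

function editableNames(array $contacts, string $login, bool $caseSensitiveAccounts): array
{
    $names = [];
    foreach ($contacts as $contact) {
        if (isEditable($contact, $login, $caseSensitiveAccounts)) {
            $names[] = $contact['name'];
        }
    }
    return $names;
}

// Backend folds case: user, User and USER are one person.
echo implode(', ', editableNames($contacts, 'USER', false)), "\n";

// Backend keeps case: user, User and USER are three separate accounts.
echo implode(', ', editableNames($contacts, 'USER', true)), "\n";
```

Storing the canonical spelling in `__owner` when a contact is created removes the need to fold case at read time and lets the database query filter on an exact match.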