[turba] patch for readonly sources

Bo Daley bo at tilda.com.au
Tue Apr 8 14:24:48 PDT 2003


Quoting Chuck Hagenbuch <chuck at horde.org>:

> > Someone here was confused that there were 'edit' and 'delete' links
> > visible on displayobject.php and browse.php for objects in readonly
> > address books. I checked this and Turba doesn't let users modify readonly
> > objects but it does display the links in a couple of places where it
> > probably shouldn't.
>
> Turba::checkPermissions() already checks this; the only case that it checks
> that you don't is it allows the links for global Horde admins. I can't
> reproduce any behavior of showing them to a non-admin.

oops -- right you are. ;)

I think it was me who got myself confused because I noticed that browse.php
behaves slightly differently to search.php.

browse.php creates a select box of sources based on whether they have the
'export' attribute, while search.php simply lists all the sources. This means
that the two select lists can look like they're out of sync with each other.

Actually the comments suggest that the 'export' attribute should be used to
determine whether a source can be exported (eg. to CSV) rather than to
determine whether or not to make it visible, so perhaps we need something like
checkPermissions for sources too. Maybe something like this?


Index: lib/Turba.php
===================================================================
RCS file: /repository/turba/lib/Turba.php,v
retrieving revision 1.33
diff -u -r1.33 Turba.php
--- lib/Turba.php       2 Apr 2003 18:54:24 -0000       1.33
+++ lib/Turba.php       8 Apr 2003 03:32:34 -0000
@@ -153,12 +153,16 @@
     {
         $userID = Auth::getAuth();
         $admin = Auth::isAdmin();
-        if ($admin || in_array($userID, $in->source->admin)) {
+
+        if ($admin) {
             return true;
         }

         switch ($filter) {
         case 'object':
+            if (in_array($userID, $in->source->admin)) {
+                return true;
+            }
             switch ($permission) {
             case _PERMS_SHOW:
             case _PERMS_READ:
@@ -182,6 +186,20 @@
                 break;
             }
             break;
+
+        case 'source':
+            if (in_array($userID, $in['admin'])) {
+                return true;
+            }
+            switch ($permission) {
+            case _PERMS_SHOW:
+            case _PERMS_READ:
+                if (isset($in['public']) && $in['public']) {
+                    return true;
+                }
+                break;
+            }
+            break;

         default:
             return true;


This could be implemented in browse.php as follows:

Index: browse.php
===================================================================
RCS file: /repository/turba/browse.php,v
retrieving revision 1.34
diff -u -r1.34 browse.php
--- browse.php  4 Mar 2003 15:20:12 -0000       1.34
+++ browse.php  8 Apr 2003 03:34:05 -0000
@@ -38,7 +38,7 @@
 $source_options = '';
 $source_count = 0;
 foreach ($cfgSources as $key => $curSource) {
-    if (!empty($curSource['export'])) {
+    if (Turba::checkPermissions($curSource, 'source', _PERMS_READ)) {
         $selected = ($key == $source) ? ' selected="selected"' : '';
         $source_options .= '<option value="' . $key . '" ' . $selected;
         $source_options .= '>' . $curSource['title'] . '</option>';



If this looks workable I can make patches for the other pages too (Add, Search,
Advanced Search, Export etc etc). Or maybe I'm going totally down the wrong
track here?

thanks,

bo.










More information about the turba mailing list