[pkg-horde] Bug#464058: turba access checking issue
Gregory Colpart
reg at evolix.fr
Thu Feb 7 01:37:55 UTC 2008
Hi Chuck,
On Tue, Feb 05, 2008 at 03:25:10PM -0500, Chuck Hagenbuch wrote:
> Hi Gregory.
>
> Can you please test this patch on Turba 2.1.x?
>
> I have a more comprehensive update for Turba 2.2.x and HEAD which
> cleans up the _read() function's API a bit more but has the same
> effect. In my tests it denies access properly now.
>
> Also, if you're curious: the issue is that you can access other users'
> contacts in the same database table ("source") by specifying your own
> source id in the URL, but a contact id of another user's contact. I
> can't reproduce or find any issues other than that - can you confirm?
>
> Thanks,
> -chuck
>
>
> Index: lib/Driver/sql.php
> ===================================================================
> RCS file: /repository/turba/lib/Driver/sql.php,v
> retrieving revision 1.59.10.17
> diff -u -r1.59.10.17 sql.php
> --- lib/Driver/sql.php 30 Nov 2006 21:33:47 -0000 1.59.10.17
> +++ lib/Driver/sql.php 5 Feb 2008 20:35:43 -0000
> @@ -182,6 +182,15 @@
> $where = $criteria . ' = ?';
> $values[] = $this->_convertToDriver($id);
> }
> + if (isset($this->map['__owner'])) {
> + if ($this->usingShares) {
> + $owner = $this->share->get('uid');
> + } else {
> + $owner = Auth::getAuth();
> + }
> + $where .= ' AND ' . $this->map['__owner'] . ' = ?';
> + $values[] = $this->_convertToDriver($owner);
> + }
> if (!empty($this->_params['filter'])) {
> $where .= ' AND ' . $this->_params['filter'];
> }
>
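Review bot: the new owner check is gated on `isset($this->map['__owner'])`, so any source whose attribute map does not define `__owner` keeps the old id-only lookup; it would help to state in the source configuration that such a source is deliberately shared, or to fail closed when the map lacks it. Two smaller points on the same block: the owner value goes through `_convertToDriver()` and is bound as a `?` placeholder, which is right, but `$this->map['__owner']` is interpolated into the SQL as a column name, so it must only ever come from the configured attribute map, never from request data; and for the non-share branch it is worth confirming that the `Auth::getAuth()` fallback cannot yield an empty owner for an unauthenticated caller. A non-match surfaces as an empty result rather than a permission error, which is the "no results" behaviour reported below.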
I tested your patch with success. I now get a "no results" message
when I try to edit a contact owned by a different user.
(Note: I Cc the Debian BTS because it's an unembargoed bug ;)
Regards,
--
Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
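The access-control flaw described in this thread, reduced to a runnable sketch: several users' contacts share one table, and a lookup keyed on the contact id alone lets any authenticated user read another user's row, while the owner-scoped lookup (the shape of the patch above) returns nothing for a foreign id. This is an added example in Python with sqlite3, not Turba code; the table and column names (`turba_objects`, `owner_id`), the sample rows and the `resolve_owner` helper that mirrors the patch's share/non-share branch are all constructed here.

```python
import sqlite3

# Constructed sample schema: one shared "source" table holding contacts of
# several users, told apart only by an owner column.
SCHEMA = """
CREATE TABLE turba_objects (
    object_id TEXT PRIMARY KEY,
    owner_id  TEXT NOT NULL,
    name      TEXT NOT NULL
);
"""

# Constructed sample rows: one contact per user.
SAMPLE_ROWS = [
    ("c1", "alice", "Alice's dentist"),
    ("c2", "bob", "Bob's plumber"),
]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO turba_objects VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def resolve_owner(using_shares, share_uid, auth_user):
    """Hypothetical mirror of the patch's branch: when the source is a share,
    the share's owner is the expected owner; otherwise the logged-in user is."""
    return share_uid if using_shares else auth_user


def read_unscoped(conn, object_id):
    """Pre-patch shape: lookup by contact id only. Whoever supplies a valid
    object_id gets the row, regardless of who owns it."""
    return conn.execute(
        "SELECT object_id, owner_id, name FROM turba_objects WHERE object_id = ?",
        (object_id,),
    ).fetchone()


def read_owner_scoped(conn, object_id, current_user):
    """Patched shape: the owner is part of the WHERE clause and is bound as a
    parameter, so a foreign contact id yields no row ("no results")."""
    return conn.execute(
        "SELECT object_id, owner_id, name FROM turba_objects "
        "WHERE object_id = ? AND owner_id = ?",
        (object_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # alice asking for bob's contact: leaks before the fix, denied after it.
    print("unscoped :", read_unscoped(db, "c2"))
    print("scoped   :", read_owner_scoped(db, "c2", resolve_owner(False, None, "alice")))
    # alice asking for her own contact still works with the scoped lookup.
    print("own row  :", read_owner_scoped(db, "c1", resolve_owner(False, None, "alice")))
```

Scoping by owner inside the query, rather than fetching the row and comparing the owner afterwards, keeps the check in one place for every caller of the read path and leaves nothing for a later caller to forget.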