[pkg-horde] Bug#464058: turba access checking issue

Chuck Hagenbuch chuck at horde.org
Thu Feb 7 17:06:09 UTC 2008


Quoting Peter Paul Elfferich <pp at dia.uva.nl>:

> We just use a single, default, 'localsql' configuration (with use_shares =>
> true).
>
> Steps to reproduce this:
> - Log in as user A
> - Select an entry from your private address book
> - Select a contact list that is stored in a shared address book and click
> 'Add'
> - You can view the contact list to check the address was added
> - Log out and log back in as user B with access to the shared address book,
> but not to user A's private address book
> - View the same contact list and the address will have disappeared
> - Log out and log back in as user A
> - View the same contact list and the address to check the address has really
> disappeared
>
> I also verified this by looking at the entry data in the database. The entry
> key is removed from the serialized object_members array of the shared
> contact list at the moment user B views the contact list.
>
> This wouldn't be a problem if it wouldn't be possible to add entries from
> (in this case) your private address book to a contact list in a shared
> address book. So I figure that should be patched as well.

Thanks for the detailed description. I think the simplest fix here is
to just not remove people from the shared list. If someone in a
contact list is not in an address book you're allowed to see, then I
don't think you should see them.

Does that sound reasonable?

-chuck
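
The behaviour reported above next to the fix proposed in the reply, as an added example that is not part of the original thread and is not Turba code. The address book names, member keys, permission map and function names are all constructed for illustration; only the serialized `object_members` field comes from the report.

```php
<?php
// Constructed model, not Turba code: every name and value here is hypothetical.
// Which address books each user may read.
$canRead = [
    'userA' => ['private_A', 'shared'],
    'userB' => ['shared'],
];

// A contact list stored in the shared book. Members are "book:entry" keys,
// kept serialized as in the object_members field the report mentions.
$store = ['object_members' => serialize(['private_A:alice', 'shared:bob'])];

// Keep only the members whose source address book the viewer may read.
function visibleMembers(array $members, array $readable): array
{
    return array_values(array_filter($members, function ($key) use ($readable) {
        return in_array(explode(':', $key, 2)[0], $readable, true);
    }));
}

// Reported behaviour: the view path writes the filtered result back, so a
// read by a less-privileged user changes the data everyone else sees.
function viewListPruning(array &$store, array $readable): array
{
    $members = unserialize($store['object_members'], ['allowed_classes' => false]);
    $visible = visibleMembers($members, $readable);
    $store['object_members'] = serialize($visible);
    return $visible;
}

// Behaviour proposed in the reply: filter for display only, never persist.
function viewListReadOnly(array $store, array $readable): array
{
    $members = unserialize($store['object_members'], ['allowed_classes' => false]);
    return visibleMembers($members, $readable);
}

// User B views the list through each path, then user A looks at it again.
$pruned = $store;
viewListPruning($pruned, $canRead['userB']);
echo 'A after pruning view by B:   ',
    json_encode(viewListReadOnly($pruned, $canRead['userA'])), "\n";

$kept = $store;
viewListReadOnly($kept, $canRead['userB']);
echo 'A after read-only view by B: ',
    json_encode(viewListReadOnly($kept, $canRead['userA'])), "\n";
```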
