phpgroupware-developers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Phpgroupware-developers] phpWebHosting and ACL

From: Giancarlo Susin
Subject: Re: [Phpgroupware-developers] phpWebHosting and ACL
Date: Mon, 24 Jun 2002 19:13:02 -0300
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1 
Jason Wies wrote:

> Good patch!  Committed to Version-0_9_14-branch and HEAD.  Some
> notes:
>
> - We can't remove the buttons when they don't have access because
> ACL support goes down to the file level rather than the directory
> level.  It is possible a user would have access to some files in a
> directory but not to others.  We can hide the upload form and
> Create folder button because those apply on a directory level only.
I don't understand how can a user have access to some files in a directory but not to others, at least in the current VFS model. When VFS checks for user privileges in a specific file, it relies on function acl->get_rights(). This function doesn't accept a file name as a parameter; it only gets privileges granted from a group to an user (and lately, to a group too), as stored in table phpgw_acl. This grants to the user uniform access to all content of a given directory. So, seems to me that we still can hide buttons based on directory privileges. Please correct me if I'm wrong. 

> - Make sure that you unset() or initialize to empty any arrays, or
> they can be filled by a malicious user ($readable_groups,
> $groups_applications).

Ok!

> - I merged the vfs->check_access() back into vfs->acl_check() to
> simplify things for app developers.
>
> Very well done!  This should handle most organizations' group file
> sharing access needs.

Thank you,

Giancarlo
reply via email to
[Prev in Thread] Current Thread [Next in Thread]