Hi Chuck, On Tue, Feb 05, 2008 at 03:25:10PM -0500, Chuck Hagenbuch wrote: > Hi Gregory. > > Can you please test this patch on Turba 2.1.x? > > I have a more comprehensive update for Turba 2.2.x and HEAD which > cleans up the _read() function's API a bit more but has the same > effect. In my tests it denies access properly now. > > Also, if you're curious: the issue is that you can access other user's > contacts in the same database table ("source") by specifying your own > source id in the URL, but a contact id of another user's contact. I > can't reproduce or find any issues other than that - can you confirm? > > Thanks, > -chuck > > > Index: lib/Driver/sql.php > =================================================================== > RCS file: /repository/turba/lib/Driver/sql.php,v > retrieving revision 1.59.10.17 > diff -u -r1.59.10.17 sql.php > --- lib/Driver/sql.php 30 Nov 2006 21:33:47 -0000 1.59.10.17 > +++ lib/Driver/sql.php 5 Feb 2008 20:35:43 -0000 > @@ -182,6 +182,15 @@ > $where = $criteria . ' = ?'; > $values[] = $this->_convertToDriver($id); > } > + if (isset($this->map['__owner'])) { > + if ($this->usingShares) { > + $owner = $this->share->get('uid'); > + } else { > + $owner = Auth::getAuth(); > + } > + $where .= ' AND ' . $this->map['__owner'] . ' = ?'; > + $values[] = $this->_convertToDriver($owner); > + } > if (!empty($this->_params['filter'])) { > $where .= ' AND ' . $this->_params['filter']; > } >
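Review bot: the new owner filter is only appended when `isset($this->map['__owner'])` holds, so a source whose attribute map has no `__owner` entry keeps the pre-patch behaviour and a contact in it can still be read by contact id alone; either state in the patch that the fix depends on `__owner` being mapped for every SQL source, or fail closed (add no rows / return no results) when it is absent. On the shares branch the filter compares against `$this->share->get('uid')` rather than the requesting user, so reading a shared address book still relies on the share permission check having happened before `_read()` is reached; a one-line comment above `if ($this->usingShares)` noting that assumption would help whoever ports this to 2.2.x and HEAD.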
I tested your patch with success. I now have a "no results" message when I try to edit a contact owned by a different user.

(Note: I Cc: Debian BTS because it's an unembargoed bug ;)

Regards,

--
Gregory Colpart <[EMAIL PROTECTED]> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/