Thank you for your discretion. I agree with Ralf, this is not an issue
that requires protection, so I’m bringing this to the list:
Lukasz:
I have a user who is allowed to make CSV imports into the addressbook (in
fact I’m not sure if that can be disabled for all users?). Even though he
can’t edit/add his own categories, the CSV import code does allow that:
when the user edits a category name as exported from the addressbook and
the resulting CSV is imported back, the CSV import code adds the new name
as a completely new category, but only in the addressbook
application…
As such it’s invisible in Global Categories and has the owner field in the
database set to the user id of whoever imported it; even an administrator
with /all/ the rights can’t edit/delete these using the Addressbook
Categories editor. The only reliable way to get rid of them is to change
the owner to -1 and the app to phpgw (using phpMyAdmin…), and only
then can they actually be removed from the Global Categories editor
page.
So currently any user who has CSV import allowed (in fact, it’s on by
default) could cause the Categories table to go overboard (pollute it)
and/or make it more difficult for others to use the Addressbook (and/or
other applications that use CSV import…) by creating bogus
categories…
If you don’t think this is that serious, and we could go public with
this ‘discovery’ because the impact of this is not that serious, I
apologise in advance…
Nathan:
For the following I’m assuming trunk, importing using the Import/Export
app; things are different in 1.8, but should be similar.
If you’re in 1.8 and referring to “CSV-Import” in the sidebox menu, not
the Import/Export app, you can only disable it by editing
addressbook/inc/class.addressbook_hooks.inc.php and removing line 38. This
has been removed in trunk. The Import/Export app gives more control.
The kind of categories being created are personal categories, not
globals, and are generally not visible to other [normal] users. The
user already has the ability to create these kinds of categories on
their own (See Addressbook Preferences -> Edit categories),
Import/Export just uses it. Yes, it makes it faster to damage, but
they’re clearly flagged and not visible to other users. Now, in
checking I see that there are some bugs in the category interface
(trunk) - a user can’t delete their own categories. That will
certainly have to be fixed, but as an admin I was able to right click
-> delete.
How to stop it:
There used to be a flag to turn auto-creating categories off in 1.8,
but nobody used it; in fact its removal was requested. You still have
some options though:
- Disable Import / Export - no app permissions, no import
- Disable Addressbook import definitions - no permission to
addressbook definitions, no addressbook imports
Really, if you can’t trust your users with categories, how can you
trust them with the whole addressbook?
- Sanitized import definitions - As an admin, create import
definitions that skip the category field, and allow users to use that.
Nathan
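As an added illustration of the two mitigations Nathan lists (the old "don't auto-create categories" flag and an admin-defined import definition that skips the category field), here is a standalone pre-import filter. This is example code written for this page, not eGroupWare's own Import/Export code; the column name cat_id, the comma-separated category cell and the sample export rows are all constructed assumptions for the example.

```python
import csv
import io

# Constructed sample of an addressbook CSV export. The header names and the
# comma-separated category cell are assumptions for this example, not the
# exact layout eGroupWare produces. Rows 2 and 3 carry names a user typed in
# by hand, i.e. the "bogus categories" the thread is about.
SAMPLE_EXPORT = """n_given,n_family,email,cat_id
Alice,Smith,alice@example.org,"Customers"
Bob,Jones,bob@example.org,"Customers,Bogus Category 1"
Carol,White,carol@example.org,"Bogus Category 2"
"""

# Categories an administrator has actually defined; only these may be
# referenced by an import (assumed set for the example).
ALLOWED_CATEGORIES = {"Customers", "Suppliers"}


def sanitize_import(csv_text, allowed, category_column="cat_id", auto_create=False):
    """Filter CSV rows before they reach an importer.

    auto_create=False models the hardened setting: any category name that is
    not already known is dropped from the row, so the importer never sees a
    name it would have to create. auto_create=True passes names through
    unchanged, reproducing the behaviour complained about in the thread.

    Returns (rows, rejected): the filtered rows as dicts, and a mapping of
    each unknown category name to the number of rows that referenced it,
    which is what an admin would want to see in an import report.
    """
    allowed_set = set(allowed)
    rows = []
    rejected = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cell = row.get(category_column) or ""
        names = [n.strip() for n in cell.split(",") if n.strip()]
        kept = []
        for name in names:
            if auto_create or name in allowed_set:
                kept.append(name)
            else:
                rejected[name] = rejected.get(name, 0) + 1
        row[category_column] = ",".join(kept)
        rows.append(row)
    return rows, rejected


def strip_category_column(csv_text, category_column="cat_id"):
    """The 'sanitized import definition' option: drop the category field
    entirely so the importer cannot create categories at all. Returns the
    rewritten CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = [f for f in reader.fieldnames if f != category_column]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    rows, rejected = sanitize_import(SAMPLE_EXPORT, ALLOWED_CATEGORIES)
    for r in rows:
        print(r["n_given"], "->", repr(r["cat_id"]))
    print("rejected:", rejected)
    print(strip_category_column(SAMPLE_EXPORT))
```

The filter is deliberately an allowlist rather than a blocklist: a user can invent any number of names, but the set of categories an admin has created is finite and known, so that is the only thing worth checking against. Whichever of the two functions you use, the point is that the decision about which categories exist stays with the administrator and never with the contents of an uploaded file.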
eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers