Mailing List Archive

[Davical-general] Controlling what a user sees on the web page & more group/admin functionality suggestion
On Mon, 2011-01-24 at 11:05 -0600, Travis Williams wrote:
> Is there a simple method to limit what the user sees on the web page
> without me changing the code? Truthfully I really only want them to
> see their personal information (full name, email address, language,
> password) and nothing else.
>
> It would also be nice to be able to create a group and create an admin
> for that group that can only create/modify users within that group,
> possibly even more granular control, where I can say if a person can
> add/remove collections, or if he can just add/remove users, or just
> change user passwords. I don't think this is in any way there today,
> but just thought I'd throw it out there as a suggestion.

I'd be very happy to see patches which provided more granular control in
this area.

Really, I'd be happy to see patches which fixed many of the deficiencies
in this part of the software... :-)

Cheers,
Andrew.

--
------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
It is often easier to tame a wild idea than to breathe life into a
dull one. -- Alex Osborn

------------------------------------------------------------------------

[Davical-general] Controlling what a user sees on the web page & more group/admin functionality suggestion
> On Mon, 2011-01-24 at 11:05 -0600, Travis Williams wrote:
>> Is there a simple method to limit what the user sees on the web page
>> without me changing the code? Truthfully I really only want them to
>> see their personal information (full name, email address, language,
>> password) and nothing else.

I've, as you already mentioned, edited the code directly to achieve that...

>> It would also be nice to be able to create a group and create an admin
>> for that group that can only create/modify users within that group,
>> possibly even more granular control, where I can say if a person can
>> add/remove collections, or if he can just add/remove users, or just
>> change user passwords. I don't think this is in any way there today,
>> but just thought I'd throw it out there as a suggestion.

The feature, I would call it "group managers", would indeed be very nice
to have.

On 28.01.2011 13:24, Andrew McMillan wrote:
>>
>> I'd be very happy to see patches which provided more granular control in
>> this area.
>>
>> Really, I'd be happy to see patches which fixed many of the deficiencies
>> in this part of the software... :-)

I'm planning to do user interface improvements for DAViCal. As I see it,
Andrew is more into the implementation of the functionality, rather than
UI design ;) However, I'm also very busy with my course of studies and
currently just cannot concentrate on this. I will, however, have some
spare time at the end of next month. A good time to commit some of my
changes to the LDAP driver and the admin interface (which have to be
rebased against origin/master), as well as thinking up a good solution
for the refinement of the UI, maybe also offering better possibilities
for customization.

I've also noticed that the web interface is GREATLY vulnerable to XSS
attacks. You can simply insert JavaScript code into your calendar names
or descriptions and anybody who browses your record will have that code
executed on the client side. This should be fixed by providing some sort
of plain-checking function and rigorously applying it when displaying
data that was entered by users.

Regards,

Michael
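
The output-escaping fix suggested in the message above, shown as an added example that is not part of the original post and is not DAViCal's code. The function names (`h`, `render_collection_row`), the `displayname` and `description` array keys, and the sample row are assumptions made for illustration.

```php
<?php
// Added illustration; not DAViCal source. All names and the sample row are constructed.

/** Encode untrusted text for an HTML element body or a quoted attribute value. */
function h(?string $value): string {
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the whole string come back empty.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Before: user-controlled fields are concatenated into markup unescaped. */
function render_collection_row_unsafe(array $row): string {
    return '<tr><td title="' . $row['description'] . '">'
         . $row['displayname'] . '</td></tr>';
}

/** After: every user-supplied field passes through h() at the point of output. */
function render_collection_row(array $row): string {
    return '<tr><td title="' . h($row['description']) . '">'
         . h($row['displayname']) . '</td></tr>';
}

// Constructed sample: a calendar whose owner put markup in both fields.
$row = [
    'displayname' => '<script>alert(1)</script>',
    'description' => '" onmouseover="alert(2)',
];

$unsafe = render_collection_row_unsafe($row);
$safe   = render_collection_row($row);

// The unescaped row carries a live script element and an injected attribute;
// the escaped row contains neither, only character references.
var_dump(strpos($unsafe, '<script>') !== false);      // unescaped: tag present
var_dump(strpos($safe, '<script>') === false);        // escaped: no tag
var_dump(strpos($safe, '" onmouseover=') === false);  // escaped: quote cannot close the attribute

echo $safe, "\n";
```

Escaping at the point of output, rather than when the data is stored, keeps the stored calendar name intact for CalDAV clients while the web interface renders it as text.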