
Default permission of principals on resources
Hi Everybody,

I just did a fresh install of 0.9.8.4. Everything works fine.

I added 3 new users (principals) from the web interface. I tested the
access rights of the new principals on resources of another principal
from a client application and everything works as expected.

But to my big surprise every principal can log in to the web interface
and change access permissions on resources of another principal. This
seems pretty strange. One user (principal) could give her/himself access
to the calendar of another user.

Could anybody explain the default security model to me?

Thanks!

Lucas
Default permission of principals on resources [ In reply to ]
On Fri, 2010-04-09 at 10:56 +0200, Lucas Furlani wrote:
> Hi Everybody,
>
> I just did a fresh install of 0.9.8.4. Everything works fine.
>
> I added 3 new users (principals) from the web interface. I tested the
> access rights of the new principals on resources of another principal
> from a client application and everything works as expected.
>
> But to my big surprise every principal can log in to the web interface
> and change access permissions on resources of another principal. This
> seems pretty strange. One user (principal) could give her/himself access
> to the calendar of another user.

Yeah, indeed. Looks like a security check was missed in the changes in
version 0.9.8.

I'll be releasing 0.9.9 in a couple of days which will include a fix for
this issue.

Thanks for the report.


> Could anybody explain the default security model to me?

Well you should not be able to do this, for sure :-)

Cheers,
Andrew.

------------------------------------------------------------------------
andrew (AT) morphoss (DOT) com +64(272)DEBIAN
Many pages make a thick book.
------------------------------------------------------------------------
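The gap described in this thread is a missing authorization check on the code path that edits grants: the web interface trusted that the logged-in principal was allowed to change permissions on a collection without asking who owns it. The following is an added Python model of that check, not DAViCal's own PHP code; the principal, collection and grant structures are assumed for illustration, and it shows the unchecked grant beside the checked one that refuses a non-owner.

```python
"""Constructed model of the access-control gap discussed above (added
illustration, not DAViCal's code). Principals own collections (calendars)
that carry a grant table; the site administrator has an admin flag."""
from dataclasses import dataclass, field


class Forbidden(PermissionError):
    """Raised when the acting principal may not edit a collection's grants."""


@dataclass
class Principal:
    username: str
    is_admin: bool = False


@dataclass
class Collection:
    path: str                 # e.g. "/alice/calendar/" (constructed value)
    owner: str                # username of the owning principal
    grants: dict = field(default_factory=dict)  # grantee -> set of privileges


def grant_unchecked(actor, collection, grantee, privileges):
    """Vulnerable shape: any authenticated principal can edit any grant."""
    collection.grants.setdefault(grantee, set()).update(privileges)


def grant_checked(actor, collection, grantee, privileges):
    """Hardened shape: only the owner or an administrator may edit grants."""
    if not (actor.is_admin or actor.username == collection.owner):
        raise Forbidden(f"{actor.username} may not edit grants on {collection.path}")
    collection.grants.setdefault(grantee, set()).update(privileges)


def can_read(principal, collection):
    """Owner and admin always read; others need an explicit 'read' grant."""
    return (principal.is_admin or principal.username == collection.owner
            or "read" in collection.grants.get(principal.username, set()))


def demo():
    alice, mallory = Principal("alice"), Principal("mallory")
    admin = Principal("admin", is_admin=True)
    cal = Collection("/alice/calendar/", owner="alice")
    grant_unchecked(mallory, cal, "mallory", {"read"})   # self-grant succeeds
    before = can_read(mallory, cal)
    cal2 = Collection("/alice/calendar/", owner="alice")
    try:
        grant_checked(mallory, cal2, "mallory", {"read"})  # now refused
        refused = False
    except Forbidden:
        refused = True
    grant_checked(alice, cal2, "bob", {"read"})   # owner may still grant
    grant_checked(admin, cal2, "carol", {"read"})  # so may the administrator
    return before, refused, can_read(mallory, cal2), sorted(cal2.grants)
```

Running `demo()` returns `(True, True, False, ['bob', 'carol'])`: the unchecked path let mallory read alice's calendar, the checked path refuses her while leaving the owner's and administrator's grants intact.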