
Re: Multiple users and security problem: msg#00007

php.phpicalendar.devel

Subject: Re: Multiple users and security problem

Hi Wesley,

Thanks for the response. Comments interspersed...

Wesley Miaw wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Todd,
>
> > I couldn't find an answer in the README or the list archives, so here goes. I'm using WebDAV to allow folks to publish calendars, but I've created a structure like this:
> >
> > /var/www/calendars/public/user1 user2 etc.
> > /var/www/calendars/private/user1 user2 etc.
> >
> > In an httpd conf file I have the directory options set so that anybody can read public calendars but only the user can publish; for private calendars, only the user can read and publish.
> >
> > What I'd like to do is use phpicalendar so that each user could see his/her public calendars combined, but I haven't been able to find a way to do that. It seems I would have to have a separate config file for each to point to the user's public calendar directory.
>
> I believe it is the case that if you list all a user's public calendars in apache_map, they will be seen combined instead of individually. But only when that user is logged in via HTTP authentication. If you want everyone to see that user's public calendars combined...I don't think that is supported right now.
>
> > I thought about using those options at the end of the config.inc.php file, but realized it would be an administrative nightmare if there are many users and many calendars. I suppose one could run a cron job to search for calendar files in a certain user's directory, but then the user would have to wait until it ran...and I'd like to make simple viewing of calendars in a user's public calendar directory not require any authentication.
> >
> > Just playing around I pointed to /var/www/calendars as the path to calendars. I then noticed that I could add "month.php?cal=public/user1/calendarname" to display a particular calendar, but not combined calendars.
> >
> > Then I noticed that I could even do "month.php?cal=private/user1/privatecalendar" and the calendar would display, even though I was not authenticated (HTTP basic). I assumed it would not display since trying to access it directly in a browser prompts for credentials.
>
> To block private calendars, they need to be added to the locked_cals list in config.inc.php. Unfortunately there currently is no way to specify a list of directories or a regular expression to identify locked calendars. Maybe a good thing to add to the feature requests on SourceForge.

Yes, will do.

> Then map locked_cals calendars to users in apache_map to allow users to see their private calendars.
>
> > Is there any way to have each user's public directory be the "root" as defined in the config.inc.php? I'm a little concerned about the private directory being readable through phpicalendar, but for now it's no big deal since I can just exclude it from the path.
>
> Not sure what you want to do here? Can you give an example of what you want your config.inc.php to look like?

Basically I want it to work as if I had phpicalendar installed in every user's public calendar directory so that visiting http://domain.com/calendars/public/user displays all calendars found in that directory at once.

Here's what I have done (seems to work OK), but it seems like it should be easier ;)

1. installed phpicalendar in a web directory

2. linked to all files/directories contained in phpicalendar from users' public calendar directory *except* config.inc.php

3. copied a generic config.inc.php and replaced the line about calendar path as appropriate (this is different for each user)

I did the same thing for private calendar directories, and as expected, the user gets prompted for credentials to even view the calendars.

I'm not sure if I'm making any sense here, and there's probably a better way of explaining what I was after. I've hacked some php but I'm not particularly qualified to see how easy it would be to make this set up possible out of the box...

Best,
Todd
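
[Editor's added example, not phpicalendar's code and not something Todd or Wesley posted.] The bypass Todd describes ("month.php?cal=private/user1/privatecalendar" served with no credentials) happens because Apache's <Directory> rules only guard direct HTTP requests for the .ics files; when PHP reads the file from disk, Apache never sees the access, so the script has to repeat the policy itself. The resolver below does that for the public/private layout from the thread: it confines the resolved path to the calendar root, then serves public calendars to anyone and private ones only to the Apache-authenticated owner. It assumes calendars are stored as <name>.ics under the calendar root, that the authenticated user would be taken from $_SERVER['PHP_AUTH_USER'] or REMOTE_USER in a real deployment, and the function names are invented for the illustration; the demo builds its own throwaway tree so it runs stand-alone.

```php
<?php
// Added example, not phpicalendar's own code: enforce the public/private
// directory policy from the thread inside the script. Apache's <Directory>
// rules only guard direct HTTP requests for the .ics files; a script that
// reads them from disk must repeat the check, otherwise
// month.php?cal=private/user1/privatecalendar is served without credentials.
// Assumptions: calendars are stored as <cal>.ics under $base; $auth_user would
// come from $_SERVER['PHP_AUTH_USER'] or REMOTE_USER in a live deployment.

// Returns the path to serve, or null if the request must be refused.
function resolve_calendar($base, $cal, $auth_user)
{
    if (strpos($cal, "\0") !== false) {
        return null;                         // realpath() rejects NUL bytes anyway
    }
    $root = realpath($base);
    $file = realpath($base . '/' . $cal . '.ics');   // false if it does not exist
    if ($root === false || $file === false) {
        return null;
    }
    // Confine to the calendar tree: stops "../" and symlinks that leave it.
    if (strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Expect <public|private>/<owner>/<calendar>.ics below the root.
    $parts = explode(DIRECTORY_SEPARATOR, substr($file, strlen($root) + 1));
    if (count($parts) !== 3) {
        return null;
    }
    list($visibility, $owner) = $parts;
    if ($visibility === 'public') {
        return $file;                        // anybody may read public calendars
    }
    if ($visibility === 'private' && $auth_user !== null && $auth_user === $owner) {
        return $file;                        // private: the owner only
    }
    return null;
}

// Every calendar in one user's public directory, for combined display.
function public_calendars($base, $user)
{
    $user  = basename($user);                // no path components from the caller
    $found = array();
    foreach ((glob("$base/public/$user/*.ics") ?: array()) as $f) {
        $path = resolve_calendar($base, "public/$user/" . basename($f, '.ics'), null);
        if ($path !== null) {
            $found[] = $path;
        }
    }
    return $found;
}

// ---- self-contained demo on a throwaway tree (constructed sample data) ----
$base    = sys_get_temp_dir() . '/calendars_' . getmypid();
$outside = sys_get_temp_dir() . '/outside_' . getmypid() . '.ics';
foreach (array('public/user1', 'private/user1', 'public/user2') as $d) {
    mkdir("$base/$d", 0700, true);
}
foreach (array('public/user1/calendarname', 'public/user1/second',
               'private/user1/privatecalendar', 'public/user2/team') as $c) {
    touch("$base/$c.ics");
}
touch($outside);                             // a file outside the calendar tree

$cases = array(
    // cal parameter                        auth user  expected
    array('public/user1/calendarname',      null,    true),   // anonymous, public: served
    array('private/user1/privatecalendar',  null,    false),  // the bypass from the thread
    array('private/user1/privatecalendar',  'user2', false),  // wrong user
    array('private/user1/privatecalendar',  'user1', true),   // owner
    array('../outside_' . getmypid(),       'user1', false),  // escape attempt
);
foreach ($cases as $case) {
    list($cal, $user, $expect) = $case;
    $served = resolve_calendar($base, $cal, $user) !== null;
    printf("%-4s cal=%-32s user=%-6s -> %s\n", $served === $expect ? 'ok' : 'FAIL',
           $cal, $user === null ? '(none)' : $user, $served ? 'served' : 'denied');
}
echo "user1 public, combined: ",
     implode(', ', array_map('basename', public_calendars($base, 'user1'))), "\n";

// cleanup
foreach (array_merge(glob("$base/*/*/*.ics"), array($outside)) as $f) {
    unlink($f);
}
foreach (array('public/user1', 'private/user1', 'public/user2', 'public', 'private', '') as $d) {
    rmdir(rtrim("$base/$d", '/'));
}
```

Run it with the php CLI. The second case is the one that matters: the file Apache refuses to serve directly is exactly what the script would hand back unless it repeats the check, and a path-only check is not enough, since the escape attempt in the last case is only caught because the resolved path is compared against the calendar root after realpath(). The locked_cals and apache_map lists Wesley mentions are phpicalendar's own configuration for the same policy, expressed per calendar rather than per directory.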

