
Re: Multiple users and security problem: msg#00009

php.phpicalendar.devel

Subject: Re: Multiple users and security problem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Todd,

I believe it is the case that if you list all a user's public calendars in apache_map, they will be seen combined instead of individually. But only when that user is logged in via HTTP authentication. If you want everyone to see that user's public calendars combined...I don't think that is supported right now.

I thought about using those options at the end of the config.inc.php file, but realized it would be an administrative nightmare if there are many users and many calendars. I suppose one could run a cron job to search for calendar files in a certain user's directory, but then the user would have to wait until it ran...and I'd like to make simple viewing of calendars in a user's public calendar directory not require any authentication.

Yeah. I suggest you hack something up in functions/calendar_functions.php to return the correct list of calendars based on your particular setup. If you get something integrated well but in a generic fashion, perhaps you can submit it as a feature request.

To block private calendars, they need to be added to the locked_cals list in config.inc.php. Unfortunately there currently is no way to specify a list of directories or a regular expression to identify locked calendars. Maybe a good thing to add to the feature requests on SourceForge.

Yes, will do.

If you want to make this work for your site in the meantime, play around with functions/calendar_functions.php.

Is there any way to have each user's public directory be the "root" as defined in the config.inc.php? I'm a little concerned about the private directory being readable through phpicalendar, but for now it's no big deal since I can just exclude it from the path.

Not sure what you want to do here? Can you give an example of what you want your config.inc.php to look like?

Basically I want it to work as if I had phpicalendar installed in every user's public calendar directory so that visiting http://domain.com/calendars/public/user displays all calendars found in that directory at once.

Here's what I have done (seems to work OK), but it seems like it should be easier ;)

1. installed phpicalendar in a web directory

2. linked to all files/directories contained in phpicalendar from users' public calendar directory *except* config.inc.php

3. copied a generic config.inc.php and replaced the line about calendar path as appropriate (this is different for each user)

I did the same thing for private calendar directories, and as expected, the user gets prompted for credentials to even view the calendars.

I'm not sure if I'm making any sense here, and there's probably a better way of explaining what I was after. I've hacked some php but I'm not particularly qualified to see how easy it would be to make this setup possible out of the box...

Yeah. I think you should use a combination of the HTTP authentication and the referring URL to modify functions/calendar_functions.php so as to show only the calendars appropriate to the user's web space. I think that should give you exactly what you want without having to copy config.inc.php for every user.

You could also create a new users.php file in the single PHPiCalendar directory (remove the .php if desired by adding an entry to specify the default file type and handler in .htaccess), then use functions/calendar_functions.php with the query path to get into a specific user's directory.

e.g. http://www.domain.com/users.php/wesley/

This also removes the need to link files in user directories. Adding or removing a user would only require creating/deleting/locking out directories and updating your htpasswd file.

Hope this helps,
- --
Wesley Miaw
http://www.wesman.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFCCuurQv4agqRAk2kRAmtfAKCT7oy64z8pV1Ch/i3F9eRB8/WpsACgmnoF
tyqNs+/cbkAUSFFibIShMKI=
=KrYg
-----END PGP SIGNATURE-----
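
The users.php approach suggested in the message above, sketched as an added example (not part of the original message and not PHP iCalendar code): it maps the path after users.php to one user's calendar directory and skips names, directories or symlinked files that would leave the calendar root. The function names, the public/private directory layout and the lock list are assumptions.

```php
<?php
// Added example: hypothetical helper, not PHP iCalendar code. Assumed layout:
// <base>/public/<user>/*.ics and <base>/private/<user>/*.ics
function is_inside(string $path, string $root): bool
{
    return strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}

// Returns absolute paths of the .ics files the requester may see. $pathInfo is
// $_SERVER['PATH_INFO'] (e.g. "/wesley/"), $authUser the HTTP-authenticated name
// or null, $locked the calendar names hidden from everyone but the owner.
function calendars_for_request(string $base, string $pathInfo, ?string $authUser, array $locked = []): array
{
    // Use only the first path segment, and only if it looks like a user name.
    $user = explode('/', trim($pathInfo, '/'))[0];
    $root = realpath($base);
    if ($root === false || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user)) {
        return [];
    }
    // The private directory is listed only for its authenticated owner.
    $kinds = ($authUser === $user) ? ['public', 'private'] : ['public'];
    $found = [];
    foreach ($kinds as $kind) {
        $dir = realpath("$root/$kind/$user");
        if ($dir === false || !is_inside($dir, $root)) {
            continue; // missing, or a symlink that leaves the calendar root
        }
        foreach (scandir($dir) ?: [] as $name) {
            $real = realpath("$dir/$name");
            if (substr($name, -4) !== '.ics' || $real === false || !is_inside($real, $root)) {
                continue; // not a calendar, or a symlinked file outside the root
            }
            if ($authUser !== $user && in_array(basename($name, '.ics'), $locked, true)) {
                continue; // locked calendar: shown to the authenticated owner only
            }
            $found[] = $real;
        }
    }
    return $found;
}

// Demo on a constructed temporary tree.
$base = sys_get_temp_dir() . '/cal_demo_' . getmypid();
foreach (['public/wesley/work.ics', 'public/wesley/secret.ics', 'private/wesley/home.ics'] as $f) {
    is_dir(dirname("$base/$f")) || mkdir(dirname("$base/$f"), 0700, true);
    touch("$base/$f");
}
print_r(calendars_for_request($base, '/wesley/', null, ['secret']));     // anonymous visitor
print_r(calendars_for_request($base, '/wesley/', 'wesley', ['secret'])); // authenticated owner
print_r(calendars_for_request($base, '/../private/wesley/', null));      // traversal attempt
```

In users.php the arguments would come from $_SERVER['PATH_INFO'] and $_SERVER['PHP_AUTH_USER'], with the web server's HTTP authentication still protecting the private directories themselves.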


