Re: [PHPiCalendar-DEV] Multiple users and security problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Todd,

> I couldn't find an answer in the README or the list archives, so here 
> goes. I'm using webDAV to allow folks to publish calendars, but I've 
> created a structure like this:
>
> /var/www/calendars/public/user1 user2 etc.
> /var/www/calendars/private/user1 user2 etc.
>
> In an httpd conf file I have the directory options set so that anybody 
> can read public calendars but only the user can publish; for private 
> calendars, only the user can read and publish.
>
> What I'd like to do is use phpicalendar so that each user could see 
> his/her public calendars combined, but I haven't been able to find a 
> way to do that. It seems I would have to have a separate config file 
> for each to point to the users public calendar directory.

I believe it is the case that if you list all a user's public calendars 
in apache_map, they will be seen combined instead of individually. But 
only when that user is logged in via HTTP authentication. If you want 
everyone to see that user's public calendars combined...I don't think 
that is supported right now.

> Just playing around I pointed to /var/www/calendars as the path to 
> calendars. I then noticed that I could add 
> "month.php?cal=public/user1/calendarname" to display a particular 
> calendar, but not combined calendars.
>
> Then I noticed that I could even do 
> "month.php?cal=private/user1/privatecalendar" and the calendar would 
> display, even though I was not authenticated (http basic). I assumed 
> it would not display since trying to access it directly in a browser 
> prompts for credentials.

To block private calendars, they need to be added to the locked_cals 
list in config.inc.php. Unfortunately there currently is no way to 
specify a list of directories or a regular expression to identify 
locked calendars. Maybe a good thing to add to the feature requests on 
SourceForge.

Then map locked_cals calendars to users in apache_map to allow users to 
see their private calendars.

> Is there any way to have each user's public directory be the "root" as 
> defined in the config.inc.php? I'm a little concerned about the 
> private directory being readable through phpicalendar, but for now 
> it's no big deal since I can just exclude it from the path.

Not sure what you want to do here? Can you give an example of what you 
want your config.inc.php to look like?

Later,
- --
Wesley Miaw
http://www.wesman.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFCCYlWQv4agqRAk2kRAn62AJ4lzkOCuMqcIj51y7ZQuzI8ODdFWACgoLkg
zKhMqWrrS7N2XeJDTyDz/GM=
=kiwE
-----END PGP SIGNATURE-----