phpicalendar-devel

[PHPiCalendar-DEV] Multiple users and security problem

[Todd S. <to...@we...>]

I couldn't find an answer in the README or the list archives, so here 
goes. I'm using webDAV to allow folks to publish calendars, but I've 
created a structure like this:

/var/www/calendars/public/user1 user2 etc.
/var/www/calendars/private/user1 user2 etc.

In an httpd conf file I have the directory options set so that anybody 
can read public calendars but only the user can publish; for private 
calendars, only the user can read and publish.

What I'd like to do is use phpicalendar so that each user could see 
his/her public calendars combined, but I haven't been able to find a way 
to do that. It seems I would have to have a separate config file for 
each to point to the users public calendar directory.

Just playing around I pointed to /var/www/calendars as the path to 
calendars. I then noticed that I could add 
"month.php?cal=public/user1/calendarname" to display a particular 
calendar, but not combined calendars.

Then I noticed that I could even do 
"month.php?cal=private/user1/privatecalendar" and the calendar would 
display, even though I was not authenticated (http basic). I assumed it 
would not display since trying to access it directly in a browser 
prompts for credentials.

Is there any way to have each user's public directory be the "root" as 
defined in the config.inc.php? I'm a little concerned about the private 
directory being readable through phpicalendar, but for now it's no big 
deal since I can just exclude it from the path.

Advice or suggestions are most welcome.

Thanks,
Todd

Re: [PHPiCalendar-DEV] Multiple users and security problem

[Wesley M. <we...@we...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Todd,

> I couldn't find an answer in the README or the list archives, so here 
> goes. I'm using webDAV to allow folks to publish calendars, but I've 
> created a structure like this:
>
> /var/www/calendars/public/user1 user2 etc.
> /var/www/calendars/private/user1 user2 etc.
>
> In an httpd conf file I have the directory options set so that anybody 
> can read public calendars but only the user can publish; for private 
> calendars, only the user can read and publish.
>
> What I'd like to do is use phpicalendar so that each user could see 
> his/her public calendars combined, but I haven't been able to find a 
> way to do that. It seems I would have to have a separate config file 
> for each to point to the users public calendar directory.

I believe it is the case that if you list all a user's public calendars 
in apache_map, they will be seen combined instead of individually. But 
only when that user is logged in via HTTP authentication. If you want 
everyone to see that user's public calendars combined...I don't think 
that is supported right now.

> Just playing around I pointed to /var/www/calendars as the path to 
> calendars. I then noticed that I could add 
> "month.php?cal=public/user1/calendarname" to display a particular 
> calendar, but not combined calendars.
>
> Then I noticed that I could even do 
> "month.php?cal=private/user1/privatecalendar" and the calendar would 
> display, even though I was not authenticated (http basic). I assumed 
> it would not display since trying to access it directly in a browser 
> prompts for credentials.

To block private calendars, they need to be added to the locked_cals 
list in config.inc.php. Unfortunately there currently is no way to 
specify a list of directories or a regular expression to identify 
locked calendars. Maybe a good thing to add to the feature requests on 
SourceForge.

Then map locked_cals calendars to users in apache_map to allow users to 
see their private calendars.

> Is there any way to have each user's public directory be the "root" as 
> defined in the config.inc.php? I'm a little concerned about the 
> private directory being readable through phpicalendar, but for now 
> it's no big deal since I can just exclude it from the path.

Not sure what you want to do here? Can you give an example of what you 
want your config.inc.php to look like?

Later,
- --
Wesley Miaw
http://www.wesman.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFCCYlWQv4agqRAk2kRAn62AJ4lzkOCuMqcIj51y7ZQuzI8ODdFWACgoLkg
zKhMqWrrS7N2XeJDTyDz/GM=
=kiwE
-----END PGP SIGNATURE-----

Re: [PHPiCalendar-DEV] Multiple users and security problem

[Todd S. <to...@we...>]

Hi Wesley,

Thanks for the response. Comments interspersed...

Wesley Miaw wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Todd,
> 
>> I couldn't find an answer in the README or the list archives, so here 
>> goes. I'm using webDAV to allow folks to publish calendars, but I've 
>> created a structure like this:
>>
>> /var/www/calendars/public/user1 user2 etc.
>> /var/www/calendars/private/user1 user2 etc.
>>
>> In an httpd conf file I have the directory options set so that anybody 
>> can read public calendars but only the user can publish; for private 
>> calendars, only the user can read and publish.
>>
>> What I'd like to do is use phpicalendar so that each user could see 
>> his/her public calendars combined, but I haven't been able to find a 
>> way to do that. It seems I would have to have a separate config file 
>> for each to point to the users public calendar directory.
> 
> 
> I believe it is the case that if you list all a user's public calendars 
> in apache_map, they will be seen combined instead of individually. But 
> only when that user is logged in via HTTP authentication. If you want 
> everyone to see that user's public calendars combined...I don't think 
> that is supported right now.

I thought about using those options at the end of the config.inc.php 
file, but realized it would be an administrative nightmare if there are 
many users and many calendars. I suppose one could run a cron job to 
search for calendar files in a certain user's directory, but then the 
user would have to wait until it ran...and I'd like to make simple 
viewing of calendars in a user's public calendar directory not require 
any authentication.

>> Just playing around I pointed to /var/www/calendars as the path to 
>> calendars. I then noticed that I could add 
>> "month.php?cal=public/user1/calendarname" to display a particular 
>> calendar, but not combined calendars.
>>
>> Then I noticed that I could even do 
>> "month.php?cal=private/user1/privatecalendar" and the calendar would 
>> display, even though I was not authenticated (http basic). I assumed 
>> it would not display since trying to access it directly in a browser 
>> prompts for credentials.
> 
> 
> To block private calendars, they need to be added to the locked_cals 
> list in config.inc.php. Unfortunately there currently is no way to 
> specify a list of directories or a regular expression to identify locked 
> calendars. Maybe a good thing to add to the feature requests on 
> SourceForge.

Yes, will do.

> Then map locked_cals calendars to users in apache_map to allow users to 
> see their private calendars.
> 
>> Is there any way to have each user's public directory be the "root" as 
>> defined in the config.inc.php? I'm a little concerned about the 
>> private directory being readable through phpicalendar, but for now 
>> it's no big deal since I can just exclude it from the path.
> 
> 
> Not sure what you want to do here? Can you give an example of what you 
> want your config.inc.php to look like?

Basically I want it to work as if I had phpicalendar installed in every 
users' public calendar directory so that visiting 
http://domain.com/calendars/public/user displays all calendars found in 
that directory at once.

Here's what I have done (seems to work OK), but it seems like it should 
be easier ;)

1. installed phpicalendar in a web directory

2. linked to all files/directories contained in phpicalendar from users' 
public calendar directory *except* config.inc.php

3. copied a generic config.inc.php and replaced the line about calendar 
path as appropriate (this is different for each user)

I did the same thing for private calendar directories, and as expected, 
the user gets prompted for credentials to even view the calendars.

I'm not sure if I'm making any sense here, and there's probably a better 
way of explaining what I was after. I've hacked some php but I'm not 
particularly qualified to see how easy it would be to make this set up 
possible out of the box...

Best,
Todd

Re: [PHPiCalendar-DEV] Multiple users and security problem

[Wesley M. <we...@we...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Todd,

>> I believe it is the case that if you list all a user's public 
>> calendars in apache_map, they will be seen combined instead of 
>> individually. But only when that user is logged in via HTTP 
>> authentication. If you want everyone to see that user's public 
>> calendars combined...I don't think that is supported right now.
>
> I thought about using those options at the end of the config.inc.php 
> file, but realized it would be an administrative nightmare if there 
> are many users and many calendars. I suppose one could run a cron job 
> to search for calendar files in a certain user's directory, but then 
> the user would have to wait until it ran...and I'd like to make simple 
> viewing of calendars in a user's public calendar directory not require 
> any authentication.

Yeah. I suggest you hack something up in 
functions/calendar_functions.php to return the correct list of 
calendars based on your particular setup. If you get something 
integrated well but in a generic fashion, perhaps you can submit it as 
a feature request.

>> To block private calendars, they need to be added to the locked_cals 
>> list in config.inc.php. Unfortunately there currently is no way to 
>> specify a list of directories or a regular expression to identify 
>> locked calendars. Maybe a good thing to add to the feature requests 
>> on SourceForge.
>
> Yes, will do.

If you want to make this work for your site in the meantime, play 
around with functions/calendar_functions.php.

>>> Is there any way to have each user's public directory be the "root" 
>>> as defined in the config.inc.php? I'm a little concerned about the 
>>> private directory being readable through phpicalendar, but for now 
>>> it's no big deal since I can just exclude it from the path.
>>
>> Not sure what you want to do here? Can you give an example of what 
>> you want your config.inc.php to look like?
>
> Basically I want it to work as if I had phpicalendar installed in 
> every users' public calendar directory so that visiting 
> http://domain.com/calendars/public/user displays all calendars found 
> in that directory at once.
>
> Here's what I have done (seems to work OK), but it seems like it 
> should be easier ;)
>
> 1. installed phpicalendar in a web directory
>
> 2. linked to all files/directories contained in phpicalendar from 
> users' public calendar directory *except* config.inc.php
>
> 3. copied a generic config.inc.php and replaced the line about 
> calendar path as appropriate (this is different for each user)
>
> I did the same thing for private calendar directories, and as 
> expected, the user gets prompted for credentials to even view the 
> calendars.
>
> I'm not sure if I'm making any sense here, and there's probably a 
> better way of explaining what I was after. I've hacked some php but 
> I'm not particularly qualified to see how easy it would be to make 
> this set up possible out of the box...

Yeah. I think you should use a combination of the HTTP authentication 
and the referring URL to modify functions/calendar_functions.php so as 
to show only the calendars appropriate to the user's web space. I think 
that should give you exactly what you want without having to copy 
config.inc.php for every user.

You could also create a new users.php file in the single PHPiCalendar 
directory (remove the .php if desired by adding an entry to specify the 
default file type and handler in .htaccess), then use 
functions/calendar_functions.php with the query path to get into a 
specific user's directory.

e.g. http://www.domain.com/users.php/wesley/

This also removes the need to link files in user directories. Adding or 
removing a user would only require creating/deleting/locking out 
directories and updating your htpasswd file.

Hope this helps,
- --
Wesley Miaw
http://www.wesman.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFCCuurQv4agqRAk2kRAmtfAKCT7oy64z8pV1Ch/i3F9eRB8/WpsACgmnoF
tyqNs+/cbkAUSFFibIShMKI=
=KrYg
-----END PGP SIGNATURE-----