Page 2 of 2 FirstFirst 12
Results 11 to 18 of 18

Thread: Welcoming script

  1. #11
    metux is offline Senior Member
    Join Date
    Feb 2012
    Posts
    53
    Rep Power
    3

    Default

    Quote Originally Posted by tdesorbaix View Post
    As example, there is a user property to enable/disable the Calendar feature, but it can't be changed by the user, only the admins can change it.
    Thats exactly what I meant. If this setting is stored in these properties, the user
    can change it by sending proper requests, bypassing the admin's decision.

    I'd consider this a security hole.

  2. #12
    tdesorbaix is offline Zimlet Guru & Moderator
    Join Date
    Apr 2007
    Location
    Paris, France
    Posts
    365
    Rep Power
    8

    Default

    What I am saying is that there is a soap request to change user preferences, not for changing user properties.

    the request to change the user property to enable/disable the Calendar feature is available on the admin console side, not on the client side.

  3. #13
    metux is offline Senior Member
    Join Date
    Feb 2012
    Posts
    53
    Rep Power
    3

    Default

    Quote Originally Posted by tdesorbaix View Post
    What I am saying is that there is a soap request to change user preferences, not for changing user properties.

    the request to change the user property to enable/disable the Calendar feature is available on the admin console side, not on the client side.
    Just to make sure, we're not talking about different things:

    #1: you've been capable of writing new user properties value downto ldap using a zimlet (client side java script code)
    #2: the user calendar flag is stored in that properties field in ldap

    Right ?

  4. #14
    tdesorbaix is offline Zimlet Guru & Moderator
    Join Date
    Apr 2007
    Location
    Paris, France
    Posts
    365
    Rep Power
    8

    Default

    Quote Originally Posted by metux View Post
    #1: you've been capable of writing new user properties value downto ldap using a zimlet (client side java script code)
    Yes, the javascript call a soap request (so sent to the server to modify the ldap) that modify user preferences.

    Quote Originally Posted by metux View Post
    #2: the user calendar flag is stored in that properties field in ldap
    Not one properties field, but several fields each defining a property.

    And yes those fields are stored at the same place, but the LDAP modification is done on server side after the reception of the soap request.
    So I suppose that zimbra when it manage the soap request, check if the value the soap request ask to modify is in the list of the value a user can change.

  5. #15
    metux is offline Senior Member
    Join Date
    Feb 2012
    Posts
    53
    Rep Power
    3

    Default

    Quote Originally Posted by tdesorbaix View Post
    And yes those fields are stored at the same place, but the LDAP modification is done on server side after the reception of the soap request.
    So I suppose that zimbra when it manage the soap request, check if the value the soap request ask to modify is in the list of the value a user can change.
    Okay, let me summarize what I understood so far ... please correct me if I'm wrong:

    * user properties are hold within the user objects in LDAP
    * js client code holds them and allows arbitrary changes and adding new ones locally
    * it writes them back to LDAP via an SOAP call
    * that SOAP call will protect specific properties that may not be changed by the user.

    Right ?

    By the way: do those additional properties easily survive an upgrade ?
    (you know, LDAP schemata tend to be incompatible between different
    ZCS versions and the update process handles the conversion).

  6. #16
    tdesorbaix is offline Zimlet Guru & Moderator
    Join Date
    Apr 2007
    Location
    Paris, France
    Posts
    365
    Rep Power
    8

    Default

    Quote Originally Posted by metux View Post
    * js client code holds them and allows arbitrary changes and adding new ones locally
    It can change values but not create new fields.
    Zimlets user properties is one field, with multi-values. Each value is stored in this field with the format :
    zimlet_nameroperty_nameroperty_value

    Quote Originally Posted by metux View Post
    * that SOAP call will protect specific properties that may not be changed by the user.
    Probably more like the soap request can only handle a defined list of properties.

    Quote Originally Posted by metux View Post
    By the way: do those additional properties easily survive an upgrade ?
    (you know, LDAP schemata tend to be incompatible between different
    ZCS versions and the update process handles the conversion).
    Never had any problems with the field for zimlet user properties.
    So yes, it can easily survive an upgrade.

  7. #17
    metux is offline Senior Member
    Join Date
    Feb 2012
    Posts
    53
    Rep Power
    3

    Default

    Sounds good.

    Seems our previous way of storing that information in an separate
    mysql table was quite hackish. In future, we'll have to find a solution
    to handle user movals anyways, so perhaps we can cooperate and
    develop a more generic zimlet using your approach that also satisfies
    our needs.

  8. #18
    tdesorbaix is offline Zimlet Guru & Moderator
    Join Date
    Apr 2007
    Location
    Paris, France
    Posts
    365
    Rep Power
    8

    Default

    I corrected a bit my example and updated the attachment.
    You can just use it, modify the title and the put the HTML you want in the body of the dialog box.
    Is there anything else to do?

Page 2 of 2 FirstFirst 12

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 658
    Last Post: 04-04-2014, 09:01 AM
  2. Zimbra Backup Script ... Small Problem
    By frankb in forum Administrators
    Replies: 12
    Last Post: 07-14-2008, 08:40 AM
  3. Backup script issues
    By SSS in forum Administrators
    Replies: 18
    Last Post: 12-03-2007, 09:56 AM
  4. Replies: 3
    Last Post: 10-01-2007, 10:54 PM
  5. Warning: Unresponsive script
    By yetdog in forum Administrators
    Replies: 5
    Last Post: 04-03-2006, 12:15 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •