merge of 'b5a68a922e7dfe7ff0ee88a40ce86bf257337314'

and 'c0ba6ea9411e86e50582cdd4036256776349b556' Monotone-Parent: b5a68a922e7dfe7ff0ee88a40ce86bf257337314 Monotone-Parent: c0ba6ea9411e86e50582cdd4036256776349b556 Monotone-Revision: 2c8266b41b53ae4ece560d6f611a57376986383a Monotone-Author: wsourdeau@inverse.ca Monotone-Date: 2009-08-18T17:37:04 Monotone-Branch: ca.inverse.sogo
2009-08-18 17:37:04 +00:00 · 2009-08-18 17:37:04 +00:00 · b7e5eef86f
parent 7885aa117f 1652ba8c0b
commit b7e5eef86f
2 changed files with 10 additions and 4 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2009-08-18  Wolfgang Sourdeau  <wsourdeau@inverse.ca>
+
+	* SoObjects/SOGo/SOGoGCSFolder.m
+	(-initializeQuickTablesAclsInContext:): don't give the right to
+	view everything to users who can delete objects. This may cause
+	deletion from working from a web method, but everyone who uses
+	such as configuration will probably use DAV instead.
+
 2009-08-18  Francis Lachapelle  <flachapelle@inverse.ca>

 	* UI/Scheduler/UIxCalendarProperties.m ([UIxCalendarProperties
--- a/SoObjects/SOGo/SOGoGCSFolder.m
+++ b/SoObjects/SOGo/SOGoGCSFolder.m
@ -1171,10 +1171,8 @@ static NSArray *childRecordFields = nil;
      /* we only grant "userCanAccessAllObjects" for role "ObjectEraser" and
         not "ObjectCreator" because the latter doesn't imply we can read
         properties from subobjects or even know their existence. */
-      userCanAccessAllObjects = ([[self ownerInContext: localContext]
-                                       isEqualToString: login]
-                                 || [[self aclsForUser: login]
-                                        containsObject: SOGoRole_ObjectEraser]);
+      userCanAccessAllObjects
+        = [[self ownerInContext: localContext] isEqualToString: login];
    }
 }