Welcoming script


Postby lisasali » Thu Mar 31, 2011 4:41 am

Can Zimbra generate an automatic welcome screen for all its first-time users when they log in?

Just like other mailing systems, I think it is very important.
lisa



Postby 10119metux » Wed Feb 29, 2012 9:14 pm

lisasali wrote:
Can Zimbra generate an automatic welcome screen for all its first-time users when they log in?

We've already done this with a zimlet.
It's still a bit hackish, as it stores the data in the mailboxd node's local MySQL database; we probably should use LDAP instead. But it works quite well, e.g. in a big international bank.

Postby tdesorbaix » Thu Mar 01, 2012 3:52 am

Here is a simple example zimlet creating a welcome message that shows up only the first time the user logs in.
This uses zimlet user properties (stored in LDAP) to check if this is the first time the user logs in.

zimlet_welcome.zip


Postby 10119metux » Thu Mar 01, 2012 6:25 am

tdesorbaix wrote:
Here is a simple example zimlet creating a welcome message that shows up only the first time the user logs in:
This uses zimlet user properties (stored in LDAP) to check if this is the first time the user logs in.

Are you sure these properties you set on the *client* side with the

this.setUserProperty(...)

call are really written back to LDAP?
I really doubt it, as it would be a big security hole.

Postby tdesorbaix » Thu Mar 01, 2012 7:44 am

If you have doubts, then just use LDAP explorer software and check your LDAP. :D
The user preferences, including zimlet user preferences, are in your LDAP.
Why do you think this is a big security hole?

Postby 10119metux » Thu Mar 01, 2012 8:10 am

tdesorbaix wrote:
The user preferences, including zimlet user preferences, are in your LDAP.

The question isn't whether they are stored in LDAP, but whether the frontend JavaScript code can simply overwrite them.

tdesorbaix wrote:
Why do you think this is a big security hole?

Because the user can then arbitrarily change them at will.

Postby 10119metux » Thu Mar 01, 2012 8:11 am

By the way: did you already confirm that they're actually written back to LDAP when changing them this way?

Postby tdesorbaix » Thu Mar 01, 2012 8:49 am

Of course the user can change them, since these are user preferences.
Also, you don't even need the JavaScript frontend.
The changes are made by a SOAP request (called by the JavaScript).
So you just need to make the correct SOAP request.
And yes, I confirm that this overwrites the values in LDAP.

Postby 10119metux » Thu Mar 01, 2012 9:38 am

tdesorbaix wrote:
Of course the user can change them, since these are user preferences.

Oh, that really *has* security impact in certain environments (not an unusual customer requirement in our projects): users should not be allowed to change certain user properties.
Do you know which things are stored there?

Postby tdesorbaix » Thu Mar 01, 2012 10:05 am

It's not like the user can modify everything in the LDAP.
I use the word preferences instead of properties on purpose.
The values the user can modify are the values corresponding to the preferences you can find in the User Web Client preferences tab, and the zimlet user preferences.
As an example, there is a user property to enable/disable the Calendar feature, but it can't be changed by the user; only the admins can change it.
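
The first-login check discussed in this thread, as an added example that is not part of any post and is not the attached zimlet_welcome.zip: a zimlet handler that reads and writes a user property, with the point about user-writable preferences noted where it matters. The zimlet name com_example_welcome, the property name welcomeShown, the message text and the small stand-in for the web client are assumptions made for the example; a real zimlet would also need the property declared in its definition file.

```javascript
// Stand-in for the Zimbra web client, constructed so this runs under plain
// Node; inside Zimbra the real ZmZimletBase, appCtxt and DwtMessageDialog apply.
var serverProps = {};   // models the per-user zimlet properties kept server-side
var shownMessages = []; // records what the stand-in dialog displayed
if (typeof ZmZimletBase === "undefined") {
  var ZmZimletBase = function () {};
  ZmZimletBase.prototype.getUserProperty = function (name) {
    return serverProps[name];
  };
  ZmZimletBase.prototype.setUserProperty = function (name, value, save) {
    if (save) serverProps[name] = value; // the real client sends a SOAP request
  };
  var DwtMessageDialog = { INFO_STYLE: 1 };
  var appCtxt = {
    getMsgDialog: function () {
      return {
        setMessage: function (msg) { shownMessages.push(msg); },
        popup: function () {}
      };
    }
  };
}

// Hypothetical zimlet "com_example_welcome" with one user property,
// "welcomeShown" (both names are assumptions made for this example).
function com_example_welcome_HandlerObject() {}
com_example_welcome_HandlerObject.prototype = new ZmZimletBase();
com_example_welcome_HandlerObject.prototype.constructor =
  com_example_welcome_HandlerObject;

// init() is called by the web client once the zimlet has loaded after login.
// Returns true when the welcome was shown, false when it was skipped.
com_example_welcome_HandlerObject.prototype.init = function () {
  // The flag is a user preference: the account owner can rewrite it, so it
  // may only drive cosmetic behaviour, never an access or policy decision.
  if (this.getUserProperty("welcomeShown") === "true") {
    return false;
  }
  var dialog = appCtxt.getMsgDialog();
  dialog.setMessage("Welcome to your new mailbox!", DwtMessageDialog.INFO_STYLE);
  dialog.popup();
  this.setUserProperty("welcomeShown", "true", true); // save=true persists it
  return true;
};
```

If the stored flag is changed back by its owner, the only consequence is that the welcome appears again, which is the property a user-writable preference should have.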
