Page 1 of 2

Welcoming script

Posted: Thu Mar 31, 2011 4:41 am
by lisasali
Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??

Just like other mailing system i think it is very important.
lisa

Welcoming script

Posted: Wed Feb 29, 2012 9:14 pm
by 10119metux
lisasali wrote:Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??


We've already done this by a zimlet.
It's yet a bit hackish as it stores the data in the mailboxd node's local mysql database,

we probably should use LDAP instead. But it works quite well, eg. in a big international

bank.

Welcoming script

Posted: Thu Mar 01, 2012 3:52 am
by tdesorbaix
Here is a simple example zimlet creating a welcome message that show up only the first time the user log in.
This use a zimlet user properties (stored in LDAP) to check if this is the first time the user log in.

zimlet_welcome.zip


Welcoming script

Posted: Thu Mar 01, 2012 6:25 am
by 10119metux
[quote]HERE IS A SIMPLE EXAMPLE ZIMLET CREATING A WELCOME MESSAGE THAT SHOW UP ONLY THE FIRST TIME THE USER LOG IN :


THIS USE A ZIMLET USER PROPERTIES (STORED IN LDAP) TO CHECK IF THIS IS THE FIRST TIME THE USER LOG IN.[/QUOTE]
ARE YOU SURE, THESE PROPERTIES YOU SET ON *CLIENT* SIDE WITH THE

[QUOTE]

THIS.SETUSERPROPERTY(...)

[/QUOTE]

CALL ARE REALLY WRITTEN BACK TO LDAP ?
I REALLY DOUBT IT, AS IT WOULD BE A BIG SECURITY HOLE.

Welcoming script

Posted: Thu Mar 01, 2012 7:44 am
by tdesorbaix
If you have doubts, then just use an ldap explorer software and check your ldap. :D
The user preferences, including zimlets user preferences are in your LDAP.
Why do you think this is a big security hole?

Welcoming script

Posted: Thu Mar 01, 2012 8:10 am
by 10119metux
tdesorbaix wrote:
The user preferences, including zimlets user preferences are in your LDAP.


The question isn't whether they are store in LDAP, but whether the frontend

javascript code can simply overwrite them.

Why do you think this is a big security hole?


Because the user then can arbitrarily change them at will.

Welcoming script

Posted: Thu Mar 01, 2012 8:11 am
by 10119metux
By the way: did you already confirm that they're actually written back to LDAP when changing them this way ?

Welcoming script

Posted: Thu Mar 01, 2012 8:49 am
by tdesorbaix
Of course the user can change them, since this is user preferences.
Also, you don't even need the javascript frontend.

The changes are made by a soap request (called by the javascript).

So you just need to make the correct soap request.
And yes, I confirm that this overwrite the values in ldap.

Welcoming script

Posted: Thu Mar 01, 2012 9:38 am
by 10119metux
tdesorbaix wrote:
Of course the user can change them, since this is user preferences.


Oh, that really *has* security impact in certain environments (not an unusual

customer requirement in our projects) users should not be allowed to change

certain user properties.
Do you know which things are stored there ?

Welcoming script

Posted: Thu Mar 01, 2012 10:05 am
by tdesorbaix
It's not like the user can modify everything in the LDAP.

I use the word preferences instead of properties on purpose.
The values the user can modify are the values corresponding to the preferences you can find in the User Web Client preferences tab, and the zimlets user preferences.
As example, there is a user property to enable/disable the Calendar feature, but it can't be changed by the user, only the admins can change it.