Security bug - Domain address book


voipguy

Under the user's extension settings, the admin can set the user's directory button to allow/see:

 

-Both domain and personal addresses

-Domain addresses only

-Personal addresses only

 

If you set it to "Personal addresses only" then on the user's phone they can only see phone directory listings that they created and not the phone listings created in the Domain address book - this works... but if the user logs into the pbxnsip web interface under their own user extension they can see the entire Domain address book listings - that is the bug. The Domain address book is for VIP listings that the employees should not have access to.

 

Please confirm this is a bug and add it to the fix Q.

 

Thanks

Link to comment
Share on other sites

There is a setting on the phone http://wiki.snom.com.../display_method that influences what is being displayed on the phone. If you change the template on the PBX web interface, then you can influence what the phone will display. E.g. add the line

 

<display_method permission="RW">display_name_number</display_method>

 

to the file snom_3xx_phone.xml and reboot the phone.

Link to comment
Share on other sites

 

Please confirm this is a bug and add it to the fix Q.

 

Thanks

 

Well that was only for the phone. It was not added to put restrictions on the web interface or on the phone, but it was an option for the users to control what they want to see on their phone when they press the address book button.

 

If you do not want the users to see this field, then admin can hide it by Admin->Web Page Control->UserPage Control:User can select the address book.

 

Users always had the access to domain address book on the web interface.

 

Now with the web page template controls, admin can take the domain address book link out.

Link to comment
Share on other sites

There is a setting on the phone http://wiki.snom.com.../display_method that influences what is being displayed on the phone. If you change the template on the PBX web interface, then you can influence what the phone will display. E.g. add the line

 

<display_method permission="RW">display_name_number</display_method>

 

to the file snom_3xx_phone.xml and reboot the phone.

 

Hi snom ONE,

 

You completely didn't understand my post. Why would I edit the template which affects all users/domains when that part/feature works fine in the pbxnsip web interface - that works - that's not the bug.

Link to comment
Share on other sites

Well that was only for the phone. It was not added to put restrictions on the web interface or on the phone, but it was an option for the users to control what they want to see on their phone when they press the address book button.

 

I have to disagree with you. This feature didn't even exist until I requested it to be put into the software. I requested it in June 2010 and 2 days later Pradeep sent me a new build 4.1.0.4011 with this feature that we now see in the software today.

 

The reason I requested this feature was so the end users/employees can't see the Domain/Company address book. Why? Because the Domain/Company address book can contain VIP info like LLB's, hiring/firing people, plus notes on each listing - you don't want your employees to see or even worse edit/delete this info but you do want your President, VP and managers to have access to the Domain/Company address book.

 

Back in June when I requested this feature and it was implemented I tested it for the phone and it does work - the users can't see the Domain address book data on their phones but I never thought to login to the web interface as an end user (I always stay logged in as Admin) and see if it removes the Domain address book tab until yesterday when a new client I setup emailed me and complained that his employees can see the Domain/Company address book listings. This was a feature I sold him on and now he can't use it.

 

 

If you do not want the users to see this field, then admin can hide it by Admin->Web Page Control->UserPage Control:User can select the address book.

 

I know - I did hide the option for the end user so the end user can't select what phone book he can see - that's not the problem. This was added so that the end user can't see the Domain address book - only the admin can setup who can and can't see what phone book based on if the person is a manager/president etc. This field only exists because it's part of my feature request from June 2010.

 

Users always had the access to domain address book on the web interface.

 

We know - that's why I requested the feature to control who can and can't see what type of phone book.

 

Now with the web page template controls, admin can take the domain address book link out.

 

This is a hosted system so that would affect all my other Domains - which we can't do because then all the other Managers in other Domains won't have access to the Domain's address book in their pbxnsip web interface - no way to add/delete auto dial etc the phone book entries.

 

 

What needs to be done is fix the software so it obeys the setting that was created for this feature

 

"Under the user's extension settings, the admin can set the user's directory button to allow/see:

 

-Both domain and personal addresses

-Domain addresses only

-Personal addresses only"

 

If the user's account is set to "Personal addresses only" then when the user logs into his pbxnsip web interface under the List tab the user won't see the "Domain Addresses" tab.

If the user's account is set to "Domain addresses only" then when the user logs into his pbxnsip web interface under the List tab the user won't see the "Personal addresses" tab.

If the user's account is set to "Both domain and personal addresses" then when the user logs into his pbxnsip web interface under the List tab the user will see "Both domain and personal addresses" tab.

 

Could you please add this to the fix q.

 

Thanks

Link to comment
Share on other sites
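The behaviour requested in the post above, as an added example (a hypothetical Python model, not pbxnsip's code): one per-extension policy is consulted by the phone directory, the web tab list and the web data handler, so that hiding a tab is never the only control. All function names, extensions and address book entries are constructed for illustration.

```python
from enum import Enum

class DirSetting(Enum):
    BOTH = "Both domain and personal addresses"
    DOMAIN_ONLY = "Domain addresses only"
    PERSONAL_ONLY = "Personal addresses only"

# Single source of truth: which address books each setting permits.
ALLOWED = {
    DirSetting.BOTH: {"domain", "personal"},
    DirSetting.DOMAIN_ONLY: {"domain"},
    DirSetting.PERSONAL_ONLY: {"personal"},
}

# Constructed sample data (hypothetical extensions and entries).
DOMAIN_BOOK = [{"name": "Board contact", "number": "5550100"}]
PERSONAL_BOOKS = {"101": [{"name": "Dentist", "number": "5550111"}]}
USER_SETTINGS = {"101": DirSetting.PERSONAL_ONLY, "200": DirSetting.BOTH}

def fetch(ext, book):
    """Return the raw entries of one address book for one extension."""
    return DOMAIN_BOOK if book == "domain" else PERSONAL_BOOKS.get(ext, [])

def phone_directory(ext):
    """Phone path: filtered by the per-extension setting (the part that works)."""
    allowed = ALLOWED[USER_SETTINGS[ext]]
    return {book: fetch(ext, book) for book in sorted(allowed)}

def web_list_reported(ext, book):
    """Web path as reported in the thread: the setting is never consulted."""
    return fetch(ext, book)

def web_list_enforced(ext, book):
    """Web path with the same check made on the server for every request.
    Edit and delete handlers would call the same check before acting."""
    if book not in ALLOWED[USER_SETTINGS[ext]]:
        raise PermissionError(f"extension {ext} may not access the {book} address book")
    return fetch(ext, book)

def web_tabs(ext):
    """Tabs to render under the List page, derived from the same policy.
    Rendering fewer tabs is presentation only; web_list_enforced is the control."""
    return sorted(ALLOWED[USER_SETTINGS[ext]])
```
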

Currently, we are not doing any "feature" additions to the v4. Only bug fixes. But on v5, we already have the domain/user level template change capability.

 

But we will evaluate if we can make this change on v4.

 

Hi pbx support,

 

That would be awesome if you could evaluate this and put it in ver4. Ver 5 sounds like it's going to be amazing - bringing everything down to the domain level makes the software much more powerful.

 

Thanks,

Link to comment
Share on other sites

Currently, we are not doing any "feature" additions to the v4. Only bug fixes. But on v5, we already have the domain/user level template change capability.

 

But we will evaluate if we can make this change on v4.

 

Thanks for putting this in ver 4 - just tested it and it works great!!

Link to comment
Share on other sites
