Welcoming script

Have a great idea for extending Zimbra? Share ideas, ask questions, contribute, and get feedback.
lisasali
Posts: 1
Joined: Sat Sep 13, 2014 1:56 am

Welcoming script

Post by lisasali »

Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??

Just like other mailing system i think it is very important.
lisa
10119metux
Advanced member
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Welcoming script

Post by 10119metux »

lisasali wrote:Can zimbra generate an automatic welcoming screen to all its firts time users when they log in??
We've already done this by a zimlet.
It's yet a bit hackish as it stores the data in the mailboxd node's local mysql database,

we probably should use LDAP instead. But it works quite well, eg. in a big international

bank.
tdesorbaix
Outstanding Member
Outstanding Member
Posts: 366
Joined: Fri Sep 12, 2014 10:31 pm

Welcoming script

Post by tdesorbaix »

Here is a simple example zimlet creating a welcome message that show up only the first time the user log in.
This use a zimlet user properties (stored in LDAP) to check if this is the first time the user log in.
zimlet_welcome.zip
10119metux
Advanced member
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Welcoming script

Post by 10119metux »

[quote]HERE IS A SIMPLE EXAMPLE ZIMLET CREATING A WELCOME MESSAGE THAT SHOW UP ONLY THE FIRST TIME THE USER LOG IN :


THIS USE A ZIMLET USER PROPERTIES (STORED IN LDAP) TO CHECK IF THIS IS THE FIRST TIME THE USER LOG IN.[/QUOTE]
ARE YOU SURE, THESE PROPERTIES YOU SET ON *CLIENT* SIDE WITH THE

[QUOTE]

THIS.SETUSERPROPERTY(...)

[/QUOTE]

CALL ARE REALLY WRITTEN BACK TO LDAP ?
I REALLY DOUBT IT, AS IT WOULD BE A BIG SECURITY HOLE.
tdesorbaix
Outstanding Member
Outstanding Member
Posts: 366
Joined: Fri Sep 12, 2014 10:31 pm

Welcoming script

Post by tdesorbaix »

If you have doubts, then just use an ldap explorer software and check your ldap. :D
The user preferences, including zimlets user preferences are in your LDAP.
Why do you think this is a big security hole?
10119metux
Advanced member
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Welcoming script

Post by 10119metux »

tdesorbaix wrote:
The user preferences, including zimlets user preferences are in your LDAP.
The question isn't whether they are store in LDAP, but whether the frontend

javascript code can simply overwrite them.

Why do you think this is a big security hole?
Because the user then can arbitrarily change them at will.
10119metux
Advanced member
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Welcoming script

Post by 10119metux »

By the way: did you already confirm that they're actually written back to LDAP when changing them this way ?
tdesorbaix
Outstanding Member
Outstanding Member
Posts: 366
Joined: Fri Sep 12, 2014 10:31 pm

Welcoming script

Post by tdesorbaix »

Of course the user can change them, since this is user preferences.
Also, you don't even need the javascript frontend.

The changes are made by a soap request (called by the javascript).

So you just need to make the correct soap request.
And yes, I confirm that this overwrite the values in ldap.
10119metux
Advanced member
Advanced member
Posts: 75
Joined: Sat Sep 13, 2014 2:29 am

Welcoming script

Post by 10119metux »

tdesorbaix wrote:
Of course the user can change them, since this is user preferences.
Oh, that really *has* security impact in certain environments (not an unusual

customer requirement in our projects) users should not be allowed to change

certain user properties.
Do you know which things are stored there ?
tdesorbaix
Outstanding Member
Outstanding Member
Posts: 366
Joined: Fri Sep 12, 2014 10:31 pm

Welcoming script

Post by tdesorbaix »

It's not like the user can modify everything in the LDAP.

I use the word preferences instead of properties on purpose.
The values the user can modify are the values corresponding to the preferences you can find in the User Web Client preferences tab, and the zimlets user preferences.
As example, there is a user property to enable/disable the Calendar feature, but it can't be changed by the user, only the admins can change it.
Post Reply