From 1652ba8c0bb1d02de50348252370fc01487ce41c Mon Sep 17 00:00:00 2001 From: Wolfgang Sourdeau Date: Tue, 18 Aug 2009 17:36:20 +0000 Subject: [PATCH] Monotone-Parent: 3015b169187acab527747642b2900806a48dbe60 Monotone-Revision: c0ba6ea9411e86e50582cdd4036256776349b556 Monotone-Author: wsourdeau@inverse.ca Monotone-Date: 2009-08-18T17:36:20 Monotone-Branch: ca.inverse.sogo
---
 ChangeLog | 8 ++++++++ SoObjects/SOGo/SOGoGCSFolder.m | 6 ++---- 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 7b40d8160..0a8396f22 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-08-18 Wolfgang Sourdeau
+
+ * SoObjects/SOGo/SOGoGCSFolder.m
+ (-initializeQuickTablesAclsInContext:): don't give the right to
+ view everything to users who can delete objects. This may cause
+ deletion from working from a web method, but everyone who uses
+ such as configuration will probably use DAV instead.
+
 2009-08-17 Cyril Robert * UI/Scheduler/UIxCalListingActions.m: Added support for new user default:
diff --git a/SoObjects/SOGo/SOGoGCSFolder.m b/SoObjects/SOGo/SOGoGCSFolder.m
index edcc5c0fd..b4eec7d26 100644
--- a/SoObjects/SOGo/SOGoGCSFolder.m
+++ b/SoObjects/SOGo/SOGoGCSFolder.m
@@ -1171,10 +1171,8 @@ static NSArray *childRecordFields = nil;
 /* we only grant "userCanAccessAllObjects" for role "ObjectEraser" and not "ObjectCreator" because the latter doesn't imply we can read properties from subobjects or even know their existence. */
- userCanAccessAllObjects = ([[self ownerInContext: localContext]
- isEqualToString: login]
- || [[self aclsForUser: login]
- containsObject: SOGoRole_ObjectEraser]);
+ userCanAccessAllObjects
+ = [[self ownerInContext: localContext] isEqualToString: login];
 }
 }
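Review bot: The context comment directly above the changed assignment in SOGoGCSFolder.m still says `userCanAccessAllObjects` is granted for role "ObjectEraser", but the new right-hand side grants it only when `ownerInContext:` equals `login`, so the comment now contradicts the access decision it documents. A stale comment on an authorization check makes it easy for a later change to restore the broader grant by mistake; I would reword it to `/* only the folder owner gets "userCanAccessAllObjects": neither "ObjectEraser" nor "ObjectCreator" implies the right to read subobjects or even know of their existence. */`. The ChangeLog entry says deletion through a web method may stop working for eraser-only users, and nothing in the hunk shows how that path is handled, so that trade-off is worth a sentence in the comment as well. The enclosing method starts and ends outside the hunk.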