Quoting Peter Paul Elfferich <[EMAIL PROTECTED]>:

We just use a single, default, 'localsql' configuration (with use_shares =>
true).

Steps to reproduce this:
- Log in as user A
- Select an entry from your private address book
- Select a contact list that is stored in a shared address book and click
'Add'
- You can view the contact list to check the address was added
- Log out and log back in as user B with access to the shared address book,
but not to user A's private address book
- View the same contact list and the address will have disappeared
- Log out and log back in as user A
- View the same contact list and the address to check the address has really
disappeared

I also verified this by looking at the entry data in the database. The entry
key is removed from the serialized object_members array of the shared
contact list at the moment user B views the contact list.

This wouldn't be a problem if it wouldn't be possible to add entries from
(in this case) your private address book to a contact list in a shared
address book. So I figure that should be patched as well.

Thanks for the detailed description. I think the simplest fix here is to just not remove people from the shared list. If someone in a contact list is not in an address book you're allowed to see, then I don't think you should see them.

Does that sound reasonable?

-chuck
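
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not the project's code: a simplified Python model in which viewing a shared contact list either prunes unreadable members from storage or only hides them from the viewer. The address book names, users, entry keys and function names are assumptions made for illustration.

```python
# Simplified model (constructed for illustration): address books with per-user
# read access, and a shared contact list that stores member keys.
BOOKS = {
    "private_a": {"readers": {"A"}, "entries": {"e1": "Alice's private contact"}},
    "shared": {"readers": {"A", "B"}, "entries": {"e2": "Team contact"}},
}


def new_list():
    # Members are (address book, entry key) pairs, standing in for the
    # serialized object_members array mentioned in the report.
    return {"book": "shared", "members": [("private_a", "e1"), ("shared", "e2")]}


def can_read(user, book):
    return user in BOOKS[book]["readers"]


def view_destructive(contact_list, user):
    """Behaviour reported in the thread: members the viewer cannot read are
    dropped from the stored list while it is being rendered."""
    visible = [m for m in contact_list["members"] if can_read(user, m[0])]
    contact_list["members"] = visible  # side effect: the pruning is persisted
    return [BOOKS[b]["entries"][k] for b, k in visible]


def view_filtered(contact_list, user):
    """Approach proposed in the reply: hide what the viewer may not read,
    but leave the stored membership untouched."""
    return [BOOKS[b]["entries"][k]
            for b, k in contact_list["members"] if can_read(user, b)]


def demo():
    broken, fixed = new_list(), new_list()
    view_destructive(broken, "B")  # user B views the list, storage is modified
    view_filtered(fixed, "B")      # user B views the list, storage is unchanged
    # What user A sees afterwards in each variant.
    return view_filtered(broken, "A"), view_filtered(fixed, "A")


if __name__ == "__main__":
    print(demo())
```

In both variants user B never sees the private entry; only the destructive variant lets a read by B change what A has stored.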

