OK, now I have verified the issue: all contacts are shown in a JavaScript section of the page when a new mail is composed. This is not very smart, for two reasons. One has already been outlined (security), but the other one is even more important: performance.
Imagine there are 500 contacts in the database: all of those will be transferred whenever a mail is composed, which is not needed. Instead, the auto-completion should use an AJAX request back to the server and not search on the client side. Yes, it will be a bit slower for the end user to get autocompletion suggestions, but the overall page will load much faster!
Any plans to fix this in the next Roundcube release?
Mike
Jonathan Batista de Araujo Neto wrote:
I don't understand: is your entire address book "exposed", or just the user's contacts?
The common LDAP address book is "exposed" in the compose page code. It is not a problem of one user reading someone else's contacts.
Also, if a user has access to your addressbook, isn't there a certain level of trust already?
Yes, there's some level of trust. All my users can send emails to each other, placing the desired contacts in the "to:", "bcc:" or "cc:" fields.
What I want to avoid is someone just right-clicking on the compose page and choosing "show source code", then copying all the contacts and pasting them into "bcc:" to send spam to all the other users.
He would have to hack the HTML page and open another .js file, or create a script to get it via an AJAX page. That is, I want to make things harder for dummy users wishing to send spam mail.
Thanks a lot for your help
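The server-side autocompletion that the thread above argues for, as an added example that is not Roundcube's code and not from either poster. The address book stays on the server; the compose page only ever receives the handful of entries matching what the user has typed. The `ADDRESS_BOOK` entries are constructed sample data standing in for the LDAP book, and the `/autocomplete?q=` endpoint, `MIN_PREFIX` and `MAX_RESULTS` are assumed names chosen for this illustration. Note the caveat the poster already makes: a minimum prefix length and a result cap stop the "view source, copy, paste into bcc:" case, but someone willing to script requests for every two-letter prefix can still walk the list, so rate limiting and logging on the endpoint belong alongside this.

```javascript
// Server side ---------------------------------------------------------------
// Constructed sample address book (not real data); stands in for the LDAP
// book that the server, not the browser, queries.
const ADDRESS_BOOK = [
  { name: "Alice Example", email: "alice@example.org" },
  { name: "Albert Sample", email: "albert@example.org" },
  { name: "Bob Example", email: "bob@example.org" },
  { name: "Carol Test", email: "carol.test@example.org" },
  { name: "Dan Alvarez", email: "dan@example.org" },
];

// Assumed policy values for this example: refuse very short prefixes so that
// "" or "a" cannot dump the whole book, and cap the size of any one reply.
const MIN_PREFIX = 2;
const MAX_RESULTS = 10;

// Case-insensitive prefix match on any word of the name or on the address.
function matchesPrefix(contact, q) {
  const email = contact.email.toLowerCase();
  const words = contact.name.toLowerCase().split(/\s+/);
  return email.startsWith(q) || words.some((w) => w.startsWith(q));
}

// Returns at most `limit` matches for `query`; [] when the prefix is too short.
function searchContacts(book, query, limit = MAX_RESULTS) {
  const q = String(query || "").trim().toLowerCase();
  if (q.length < MIN_PREFIX) return [];
  const hits = [];
  for (const c of book) {
    if (matchesPrefix(c, q)) {
      hits.push({ name: c.name, email: c.email });
      if (hits.length >= limit) break;
    }
  }
  return hits;
}

// Framework-agnostic handler for GET /autocomplete?q=<prefix> (assumed path).
// Returns { status, body } so it can be mounted on any HTTP server; the full
// book is never serialised, only the filtered `results`.
function autocompleteResponse(book, rawUrl) {
  const url = new URL(rawUrl, "http://localhost");
  if (url.pathname !== "/autocomplete") {
    return { status: 404, body: JSON.stringify({ error: "not found" }) };
  }
  const q = url.searchParams.get("q") || "";
  const results = searchContacts(book, q);
  return { status: 200, body: JSON.stringify({ results }) };
}

// Client side ---------------------------------------------------------------
// `fetchJson(url)` is an injected function returning a Promise of the parsed
// JSON body (e.g. wrapping fetch()), so this runs without a browser or network.
// Each keystroke asks the server; a reply that arrives after a newer request
// was sent is dropped (resolves to null) so stale suggestions never overwrite
// fresh ones.
function createSuggester(fetchJson, minChars = MIN_PREFIX) {
  let latest = 0;
  return {
    async suggest(typed) {
      const q = String(typed || "").trim();
      if (q.length < minChars) return [];
      const seq = ++latest;
      const data = await fetchJson("/autocomplete?q=" + encodeURIComponent(q));
      if (seq !== latest) return null;
      return data.results;
    },
  };
}
```

To serve it with Node's `http` module, pass `req.url` to `autocompleteResponse` and write `body` with the returned `status` and a `Content-Type: application/json` header; in the browser, wire `createSuggester(url => fetch(url).then(r => r.json()))` to the input's keyup handler, ideally behind a short debounce so a fast typist does not issue a request per character.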