Fwd: Security fix that started all this

["Christopher Murtagh" <..hidden..>]

Oops, list is not set to reply-to list. BTW, I know some people have
strong objections to setting reply-to list, but it is my preference. I
don't want to force upon everyone though if the concensus is to not do
so. Any thoughts?

Cheers,

Chris

---------- Forwarded message ----------
Subject: Re: [Ledger-smb-devel] Security fix that started all this

On 9/8/06, Tony Fraser <..hidden..> wrote:
> If the plan is to actually use server side sessions to store data in the
> future then by all means let's refine what we have now. But I just want
> to ask the question: Do we really want server side per session storage
> or was it just the way that seemed easiest to solve the problem at hand?

The plan is to move all the files in users/ into a central database,
and the same for user modified templates and css. The advantages this
has are:

- the server doesn't need file permissions anywhere anymore
- a goof in an apache config won't expose members or username.conf
- portability issues in dealing with filesystems (allowed chars, case,
etc..) are all gone
- 3rd party tools to modify/maintain user content only needs to talk
postgres, no file

Also, we can move to a plugable authentication and support other
mechanisms (LDAP, Basic HTTP Auth, Kerberos, etc..) and store user
data in the db.

Cheers,

Chris