Re: user creation rfc



Hi Chris,

On Fri, May 27, 2011 at 6:28 AM, Chris Travers <..hidden..> wrote:
> Hi all;
>
> I have gone through the patch queue and applied those which are safe
> to apply.  A few conflicted with more recent changes.  In those cases,
> I have generally looked at functional differences where I can.
>
> I have a few patches which cannot be applied as such, but represent
> needed changes in the application.  These will be re-engineered and
> applied perhaps tomorrow with one exception.
>
> The exception has to do with user creation where the desired username
> is not a LedgerSMB user but is a db cluster user in PostgreSQL.
>
> Currently we refuse to create the user when this happens.  This is the
> default safe approach.  We have a patch to change this behavior so
> that it will import an existing user.  This makes a lot of sense in
> some environments (multiple companies on one db cluster, same
> bookkeepers), but it is dangerous in others (managed hosting
> environments).  The concern I have is that it may be a case of
> accidentally giving one user permission to another database without
> warning.  On the other hand, sometimes that is desired behavior.

Personally, if I would buy into a managed hosting solution, I would
want my hosting provider to set me up with a separate cluster / VPS.
So, in that situation, it wouldn't be too bad. How about an option in
ledgersmb.conf to allow it, but setting it to 'off'/false by default
to prevent unwanted security risks?

> What I'd propose is that we leave current behavior unchanged and then
> set up the patched routines as an add-on for 1.3.

Is it worth the effort to set up these patches, or can we trivially do
with a configurable boolean?


Bye,

Erik.