Re: Any objection to releasing 1.3.27 tomorrow?

On Tue, Jan 1, 2013 at 7:23 AM, Michael Richardson <..hidden..> wrote:

> >>>>> "Chris" == Chris Travers <..hidden..> writes:
>     Chris> 2)  A couple of important extensions to setup.pl including:
>     Chris> * If no db is entered in the credentials screen, a list of
>     Chris> db's found
>     Chris> on the server is brought up.
>
> Can this be turned off?

Certainly one can disable the setup.pl and use other means (command line) to upgrade your db's.  I suppose we could add a global configuration variable to disable listing of db's, but to be honest, if that's a concern, I would suggest disabling the setup.pl anyway since it requires db superuser access to run.

Again this is just the setup utility, not the main app and it only works once you can log in as superuser.

> It can invite trolling on a site that might be visible to the Internet.
> (and a scan of port 443 would be the first thing I'd do if I got into
> an Intranet with malicious intent)
>
> I also wouldn't mind if the default company could be stored in a
> long-term cookie, and if whatever is causing my browser to refuse to
> save my password could be optional.
>
> I'd rather give users really really really strong passwords which their
> browser stores (under a browser master password), than force them to
> type and/or copy&paste each time which encourages them to keep a post-it
> on their monitor.

Again this isn't a user-visible change so much as an admin-visible change.  Note that in 1.2 (and SQL-Ledger) when creating a database it would list existing db's at the top of the screen.

Best Wishes,
Chris Travers