The passwd and resetpasswd scripts duplicate functionality available through manage. They are incorrectly documented, and are only used in a few topics in the TWiki web. The more paths there are to user management functionality, the harder it is to secure and the more risk there is of an exploit being uncovered, so they should be removed, and the topics redirected to the manage script.

These scripts are very unlikely to be used by anything outside of the system topics, but if they are it is easy to replace an invocation with the equivalent manage call.

I have already removed the scripts, as if the consensus is to retain those entry points they will need to be rewritten to use the manage functionality anyway.

-- Contributors: CrawfordCurrie - 14 May 2007

Discussion

Does that work with the auth / not-auth requirement of the scripts when basic auth is used?

-- PeterThoeny - 14 May 2007

Sorry, I don't understand the question.... manage is as protectable as the individual scripts....

-- CrawfordCurrie - 14 May 2007

I welcome a simplification of the number of bin files. It makes setting up Apache simpler. I always had doubts about which scripts to protect with require valid-user and which I should not.

With this change, Crawford, make sure this aspect is also covered in the release notes and the Apache setting example files shipped with the release.

-- KennethLavrsen - 14 May 2007

I also agree that simplifying stuff is good; I am supportive of handling admin stuff in manage.

Clarification on auth / not auth in a basic auth setup:

Assuming manage is not authenticated: Do any of the functions provided by manage need authentication? If so, it can be resolved with a redirect to manageauth (same as view and viewauth).

Assuming manage is authenticated: Might be a problem for those functions that may not be authenticated, such as resetting a password.

-- PeterThoeny - 15 May 2007

Peter has a good question there.

This is the normal Apache config for ApacheLogin

<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
   require valid-user
</FilesMatch>

Note that manage is authenticated. Crawford, how does a user reset his password now when manage is authenticated?

Or do we also change the Apache config?

If this is the case it will need a very visible upgrade description in the release note and in the upgrade guide.

-- KennethLavrsen - 15 May 2007
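To make the auth / not-auth question in Peter's and Kenneth's posts concrete, here is an added example (not TWiki code and not part of the original discussion). It evaluates the FilesMatch pattern quoted above the way Apache does, unanchored against the script's file name, for a constructed list of bin script names, and contrasts it with a hypothetical variant that drops manage from the pattern and relies on the existing .*auth alternative to protect a manageauth alias in the style of view / viewauth. The manageauth name, the list of manage actions and which of them need a login are assumptions for the example, not a description of what TWiki ships.

```python
import re
from typing import Dict, List, Set

# The FilesMatch pattern from Kenneth's post (TWiki's ApacheLogin example).
APACHE_LOGIN_PATTERN = r"(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*"

# Hypothetical alternative (assumption for this example, not a TWiki-shipped
# config): drop 'manage' so the unauthenticated entry point stays reachable
# and let the '.*auth' alternative protect a 'manageauth' alias, mirroring
# the existing view / viewauth pair.
SPLIT_MANAGE_PATTERN = r"(attach|edit|rename|save|upload|mail|logon|.*auth).*"

# Constructed list of bin/ script names. 'manageauth' is the hypothetical
# alias discussed in the thread, not a script TWiki ships.
BIN_SCRIPTS = ["view", "viewauth", "edit", "save", "manage", "manageauth",
               "passwd", "resetpasswd", "attach", "rename", "configure"]

# manage actions and whether each one needs a logged-in user. 'resetPassword'
# is the one Kenneth found broken; the classification is an assumption.
MANAGE_ACTIONS_NEED_LOGIN: Dict[str, bool] = {
    "resetPassword": False,     # must work for users who cannot log in
    "changePassword": True,
    "bulkRegister": True,
    "deleteUserAccount": True,
}


def requires_valid_user(pattern: str, script: str) -> bool:
    """Apache applies a <FilesMatch> regex unanchored, i.e. search semantics."""
    return re.search(pattern, script) is not None


def protected_scripts(pattern: str, scripts: List[str] = BIN_SCRIPTS) -> Set[str]:
    """Scripts for which Apache will demand credentials before running them."""
    return {s for s in scripts if requires_valid_user(pattern, s)}


def reachable(pattern: str, action: str, logged_in: bool) -> bool:
    """Can a (logged in or anonymous) user reach this manage action?

    Actions that need a login are routed through the 'manageauth' alias, so
    Apache prompts for credentials there; everything else goes through
    'manage'. If Apache demands credentials and the user has none, the
    request dies with 401 before TWiki ever sees the action parameter.
    """
    script = "manageauth" if MANAGE_ACTIONS_NEED_LOGIN[action] else "manage"
    if requires_valid_user(pattern, script) and not logged_in:
        return False
    return True


def broken_anonymous_actions(pattern: str) -> List[str]:
    """Actions that are meant to work without a login but are blocked by Apache."""
    return sorted(action for action, needs_login in MANAGE_ACTIONS_NEED_LOGIN.items()
                  if not needs_login and not reachable(pattern, action, logged_in=False))


if __name__ == "__main__":
    for name, pattern in (("ApacheLogin", APACHE_LOGIN_PATTERN),
                          ("split manage/manageauth", SPLIT_MANAGE_PATTERN)):
        print(f"{name}: protected = {sorted(protected_scripts(pattern))}")
        print(f"{name}: anonymous actions blocked = {broken_anonymous_actions(pattern)}")
```

The caveat for the split variant: once manage itself is no longer behind require valid-user, every manage action that is not redirected to the protected alias runs as the guest user, so the script has to refuse privileged actions for guests itself rather than relying on Apache to have rejected the request.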

I have confirmed that the reset password is now broken with ApacheLogin. Sigh!

-- KennethLavrsen - 15 May 2007

Please see my remarks in Bugs:Item4063

-- CrawfordCurrie - 15 May 2007

As far as my overview can tell, the part of this proposal that could be implemented has been implemented.

Changing to merged to core.

-- KennethLavrsen - 03 Jun 2007

Topic revision: r9 - 2007-12-25 - KennethLavrsen