> My initial idea was that if one user creates a
> ticket which is password-protected, no password
> is ever shown or stored, and an administrator won't be
> automatically able to download it. You can remove it,
> maybe rename it, but that's it.

But don't you think that in most cases the administrator of dl will also be root or a privileged user on the webserver/system? In this case he would always be able to get those uploaded files through system access.

Furthermore, administrator is administrator. If you want to avoid administrative access on the tickets, you really have to encrypt it, as mentioned by you. But I don't think that this is really needed.

I will use dl for exchanging files with customers, instead of using 'email attachments' or open FTP servers. All of my colleagues will use it as well, but there is no need for secrets. For me it's a 'little' tool, which makes my life easier.


> The password was originally added into the 'send via
> e-mail' button as an afterthought ;)

Yes, but I'm speaking about grants, not just 'tickets'. I couldn't find the password in any mail.

> If I send the password in all notifications, all the
> password does is prevent a brute-force attack on ticket
> IDs. Which is nice, I guess, but not impressive.
>
> I'm mostly ok with sending the password in
> notifications though.

What do you think about showing the password for the registered user? Don't send it out through email in any way. Just show it in the WebGUI. Or send it out through email for download tickets, but show it on the WebGUI as well.

> But should an administrator have access to all files
> then?

In my opinion an administrator is an administrator. So he should be able to have access to all files.

Just had another idea. Let the user decide whether the administrator may see it or not. If not, save the password as a hash; if he should see it, save it as clear text and show it through the WebGUI. This is not very complex to implement.


Greets,
ssc


