Ate:

I see the security stuff is working for you, :).

See inline comments below:

Randy

Ate Douma wrote:


Is a message missing from the list or did you get a message from 'David' privately?

Yes, David sent a message to Scott and I wondering about issues he was having with the Customizer.


I'd like to add another problem I encountered. Because the guest user now is a proper user, we should think of some way to disallow login to this user as it is meant to be used as a built-in/internal user only.

A simple solution to that would be setting the user is_enabled flag to
false, but that still leaves the possibility someone enables it again
through the UserManager.

I personally would like to see a stronger protection against login of this
user. This could be done by adding one more boolean attribute to the
security_credential table (like is_buildin) or a hardcoded check in the
UserManager.authenticate against the anonymous username. This name
(default 'guest') is now managed by the Profiler though, so maybe we
should move it to the UserManager then.

+1, seems like a good idea to limit the login.


Another issue: the security rules on the Administrative folder won't allow
a non-admin user to change its password. I will move the
change-password.psml into the root folder to fix this.


I checked in this change to restrict access to the Administrative folder, but I did not spend a whole bunch of time to reorganize the demo site to make sense. David has mentioned over and over again that he was going to go for it one of these days, so I left it to him. Of course, change password needs to be available to every user! Sorry if this caused you too much grief...

If time permits, I will also check in tonight the second part of my
JS2-151 issue containing enforced password change on first login. This
includes automatic navigation to the Change Password psml with no way to
navigate from it until the password is changed (logoff is still a way out
though).
Also included is a configurable set of days before password expiration
when a user will be asked to change its password. The last day before
expiration will require the password to be changed.

These features are currently *not* working (any longer) though, as a result of the
new 'guest' user configuration which now *also* is required to change its
password, even if this user isn't logged on at all.
Kinda blocking problem :(
I need this handled before I will check in my changes.

Thanks for the notice. I will hold off on upgrading my production site until we get this worked out.

Regards,

Ate
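The two policies discussed in this thread (refusing login for the built-in guest account regardless of is_enabled, and the first-login / expiry-driven forced password change that must exempt the guest user) sketched as an added example; this is not Jetspeed code, and the User fields, GUEST_USERNAME and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed model of the attributes the thread talks about; these are
# assumed names, not Jetspeed's actual security_credential schema.
@dataclass
class User:
    name: str
    is_enabled: bool = True
    is_builtin: bool = False            # the proposed is_buildin flag
    password_changed: bool = True       # False until the first-login change
    password_expires: Optional[date] = None

GUEST_USERNAME = "guest"   # assumed default anonymous username

def may_login(user: User) -> bool:
    """Refuse built-in/internal accounts before any credential check.
    This is independent of is_enabled, so re-enabling the account
    through the user manager does not reopen interactive login."""
    if user.is_builtin or user.name == GUEST_USERNAME:
        return False
    return user.is_enabled

def password_change_state(user: User, today: date, warn_days: int) -> str:
    """Return 'required', 'warn' or 'ok' for the forced-change flow.
    Built-in users are never asked, which avoids the blocking problem
    where the never-logged-in guest user was told to change its password."""
    if user.is_builtin or user.name == GUEST_USERNAME:
        return "ok"
    if not user.password_changed:       # first login: change enforced
        return "required"
    if user.password_expires is None:   # no expiry configured
        return "ok"
    days_left = (user.password_expires - today).days
    if days_left <= 1:                  # last day before expiry, or expired
        return "required"
    if days_left <= warn_days:          # inside the configurable warning window
        return "warn"
    return "ok"
```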
