On Mon, Feb 20, 2006, Eric Wilhelm wrote:

> In case anyone missed it (I'm getting that feeling) I did write some
> code and it does work and I did check it into svn. Try it.

I didn't miss it :) Discussion is healthy, though :)

> The discussion has been mostly about the inherent security flaws in this
> approach and how to get around them. While Ben (who has apparently
> made his hat out of the wrong sort of foil) insists that this is more
> work and concern about security than is justified, the point of the
> pdxruby.org app is as much to give us something to work on and learn
> from as it is to herd cats.

I just use those mylar balloons. They're foil, right?

In seriousness, though, I'm quite paranoid about security... when it matters. Here, it just really doesn't.

As for the learning exercise aspect, I agree with you to a point. What I'm concerned about is a bunch of over-engineered code going live and breaking the app or painting us into a corner. We have to remember that this application is our website. If it breaks we look bad. Anyone who has worked with me knows that I'm all for design wankery, but we have to try to keep it in its place.

I fully support building a robust password recovery mechanism... but it's most important to have a *working* password recovery mechanism and add OpenID, PGP encryption, and crazy cookie handshakes later :)

I know that I've voiced concerns about some of the possible solutions posted here, but everyone should understand that (a) that doesn't mean I'm going to fight to keep those changes out and (b) I'm not in any more of a position of power than anyone else here. Not that I think there's any danger of people getting confused on point b :)

The code you wrote looks good, but like I said elsewhere in the thread, it needs tests. To give you an idea of where I land on the design of this change, had you not written it I'd be pushing to integrate acts_as_authenticated and add on the extra features we're talking about.

Bottom line: we should try to do new cool things, but we should be careful not to let it get out of hand. We should talk about stuff before we implement it, but at some point the code just has to be written.

Check -dev for a (much) more general post on this topic in a few minutes.

Ben

_______________________________________________
PDXRuby mailing list
[email protected]
IRC: #pdx.rb on irc.freenode.net
http://lists.pdxruby.org/mailman/listinfo/pdxruby
