BJ, I fail to see how this could possibly be a feature. Right now, I'm at the level where I fiddle around with the code. As a new user, should I be expected to have to review the code to see if it stands up to security standards? I don't know much, but I do know when something isn't right, and this happens to be one of those. In the real world, people use friendly names to send/receive email and conduct business. They shouldn't be expected to remember a user name like mikej49q because an application needs obfuscation to protect itself.
I would hope that maybe this feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.

On Thu, Aug 4, 2011 at 10:56 AM, BJ Freeman <[email protected]> wrote:

> Yes David if it is a bug, but by your definition many times this is a
> feature.
> My point of the second paragraph that you did not include
> 1) part of the solution providing a way to circumvent security issues
> not part of ofbiz but how one sets up ofbiz
> 2) the issues are addressed if one reads the code.
>
> David E Jones sent the following on 8/4/2011 8:38 AM:
>>
>> On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:
>>
>>> It sounds like you are speaking of Ofbiz as a finished product, in which
>>> case I agree with your first paragraph. However Ofbiz is not a finished
>>> product and is meant for Consultants to setup for end users. The
>>> consultant should know this information and make the application they
>>> setup for their client fully secure.
>>
>> Sorry BJ, this simply isn't true. If there is something bad in the project
>> it should be changed.
>>
>> By your line of reasoning everyone doing consulting based on OFBiz should
>> keep a big list of issues to address every time they do anything for a
>> client… wouldn't it be better to just fix those things and be done with it?
>>
>> -David
