Although it's nice that you have to enter a password in order to change Bonsai parameters from the web, I think it would be better if you had to enter the password in order to even SEE the parameters. The admin page isn't so bad, because it's mostly commands to do stuff, and you have to have the password to run them. But the editparams page linked to from admin is wide open. As mentioned, you have to enter a password to update it, but since it contains your database username and password in particular, it's probably not a good thing to have out in the open. I notice someone at mozilla.org was concerned about that, too, because they have those two params blanked out on the parameters page, and they probably hardcoded it in the files that used it.
I noticed this too. IMHO it should be at least noted in the documentation.
Severity: normal → major
QA Contact: matty → timeless
Created attachment 102432
suggested documentation change

In case anyone cares
I've been looking at this and I'd love to have Bugzilla-style authorization, but that would entail creating a users/roles table which is probably overkill. Will definitely update the docs, but will continue to try and come up with something a little more elegant.
Status: NEW → ASSIGNED
Created attachment 105481
Patch to check for password prior to bringing up the editparams form
Hrm, fixed the text slightly to make more sense (Bonsai doesn't really have a concept of "log in") and checking this baby in...
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
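
The fix discussed in this bug (ask for the admin password before showing the editparams form, not only before saving it), as an added Python sketch that is not Bonsai's code. The parameter names, the password and the hashing scheme are constructed assumptions, and masking the secret fields goes beyond the patch described here.

```python
import hashlib
import hmac

# Constructed sample parameters; the names are hypothetical, not Bonsai's.
PARAMS = {
    "dbuser": "bonsai_rw",
    "dbpassword": "s3cret-db-pass",
    "treename": "ExampleTree",
}
SENSITIVE = {"dbuser", "dbpassword"}
MASK = "********"

# Constructed admin password, kept only as a salted PBKDF2 hash.
SALT = b"constructed-salt"
ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"admin-pass", SALT, 100_000)


def password_ok(supplied):
    """Constant-time check of the supplied admin password."""
    if not supplied:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, ADMIN_HASH)


def view_params_open(params):
    """The reported behaviour: anyone can read every value."""
    return dict(params)


def view_params_gated(params, supplied_password):
    """No valid password, no values; secrets stay masked even with one."""
    if not password_ok(supplied_password):
        return None  # caller renders a password prompt instead of the form
    return {k: (MASK if k in SENSITIVE else v) for k, v in params.items()}


def update_params(params, supplied_password, changes):
    """Updates stay gated; a masked or empty secret field means 'unchanged'."""
    if not password_ok(supplied_password):
        raise PermissionError("admin password required")
    updated = dict(params)
    for key, value in changes.items():
        if key not in params:
            raise KeyError(key)
        if key in SENSITIVE and value in ("", MASK):
            continue  # the form round-tripped the mask, keep the real secret
        updated[key] = value
    return updated
```
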