VULAB-170 - First User is Super User
Colin Clark
colin.clark at utoronto.ca
Wed Feb 18 22:09:11 UTC 2009
Blake,
On 17-Feb-09, at 2:03 PM, electBlake wrote:
> I have created and attached a patch that allows the first user
> signed up to be a super user, thus streamlining the signup process.
>
> Affects: manage.php & signup.php
I've taken a look at this patch and the implementation looks fairly
reasonable. A couple of questions before I commit it:
1. It seems a bit risky to assume that you'll always get back a row ID
of "1" from the first insert into your User table. I would assume this
is fairly consistent in MySQL, but is it an implementation detail that
might change in different environments, with different ID generation
schemes, etc? Does it make sense to count the rows in the table instead?
2. This style of "first person to register is root" reminds me of the old
days of some mickey-mouse UNIX security exploits. Do you think it will
be reasonably clear to users that they have to log in and set up that
first account before deploying the application publicly? Or are we
encouraging a security risk here?
Curious to hear your thoughts,
Colin
---
Colin Clark
Technical Lead, Fluid Project
Adaptive Technology Resource Centre, University of Toronto
http://fluidproject.org
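To make the two questions in Colin's reply concrete, here is an added example that is not part of the thread or of the VULAB patch (the project is PHP on MySQL; this is a stand-alone Python sketch against an in-memory SQLite table with a constructed `users` schema). It implements the "new row has id 1" check the patch is described as using beside the "table was empty" check Colin proposes, runs both on a table whose id counter no longer starts at 1, and adds an assumed `allow_bootstrap` deployment switch as one way to keep the first-registrant-is-root behaviour from applying on a public instance:

```python
import sqlite3

# Added example, not code from the VULAB patch. It models the two ways of
# deciding "is this the first user?" that the reply above compares, against an
# in-memory SQLite table (the project uses PHP and MySQL; the schema here is a
# constructed stand-in, not the project's real User table).

SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    username     TEXT    NOT NULL UNIQUE,
    is_superuser INTEGER NOT NULL DEFAULT 0
)
"""


def open_db():
    # isolation_level=None puts the connection in autocommit mode, so the
    # explicit BEGIN/COMMIT statements below control the transaction boundaries.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(SCHEMA)
    return conn


def signup_by_row_id(conn, username):
    """Variant 1 (the patch as described): superuser iff the new row's id is 1.

    This ties a security decision to the id generator. Any scheme in which the
    first live row does not get id 1 (a seeded auto-increment, a deleted and
    re-created account, replication offsets) silently leaves no superuser.
    """
    conn.execute("BEGIN IMMEDIATE")
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    is_super = 1 if cur.lastrowid == 1 else 0
    conn.execute("UPDATE users SET is_superuser = ? WHERE id = ?", (is_super, cur.lastrowid))
    conn.execute("COMMIT")
    return bool(is_super)


def signup_by_count(conn, username, allow_bootstrap=True):
    """Variant 2 (the alternative Colin suggests): superuser iff the table is empty.

    The count and the insert run inside one write transaction (BEGIN IMMEDIATE
    takes the write lock up front), so two concurrent signups cannot both see an
    empty table. allow_bootstrap is an assumed deployment switch: once the real
    administrator exists it is turned off, so a public instance never hands
    superuser to whoever happens to register first.
    """
    conn.execute("BEGIN IMMEDIATE")
    (existing,) = conn.execute("SELECT COUNT(*) FROM users").fetchone()
    is_super = 1 if (existing == 0 and allow_bootstrap) else 0
    conn.execute(
        "INSERT INTO users (username, is_superuser) VALUES (?, ?)", (username, is_super)
    )
    conn.execute("COMMIT")
    return bool(is_super)


def burn_first_id(conn):
    """Simulate an id generator that does not hand out 1 for the first live row.

    Inserting and deleting a throwaway row is enough: with AUTOINCREMENT, SQLite
    never reuses an id, so the next insert gets 2 even though the table is empty.
    """
    conn.execute("INSERT INTO users (username) VALUES ('__throwaway__')")
    conn.execute("DELETE FROM users WHERE username = '__throwaway__'")


def superuser_count(conn):
    (n,) = conn.execute("SELECT COUNT(*) FROM users WHERE is_superuser = 1").fetchone()
    return n


def demo():
    results = {}

    # Fresh table: both checks agree and promote the first account.
    db = open_db()
    results["fresh_row_id"] = signup_by_row_id(db, "alice")
    db = open_db()
    results["fresh_count"] = signup_by_count(db, "alice")

    # Id counter no longer starts at 1: the row-id check promotes nobody,
    # leaving an instance with no superuser at all.
    db = open_db()
    burn_first_id(db)
    results["burned_row_id"] = signup_by_row_id(db, "alice")
    results["burned_row_id_supers"] = superuser_count(db)

    # Same situation, the count-based check still recognises the empty table.
    db = open_db()
    burn_first_id(db)
    results["burned_count"] = signup_by_count(db, "alice")

    # A second registration is never promoted under the count-based check.
    results["second_count"] = signup_by_count(db, "bob")

    # Bootstrap switched off: an empty table no longer makes anyone superuser.
    db = open_db()
    results["bootstrap_off"] = signup_by_count(db, "mallory", allow_bootstrap=False)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per scenario. The count-based variant answers Colin's first question (it does not depend on which id the database hands out), and the `allow_bootstrap` switch is one answer to the second: the promotion only exists while the operator says the instance is still being set up, rather than for as long as the table happens to be empty.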