VULAB-170 - First User is Super User
electBlake
electblake at gmail.com
Wed Feb 18 22:21:02 UTC 2009
Yeah, this was a tricky move when I made it. It was the most direct
way. That being said, I think a re-write is in order.
There is a permissions system that is database driven; I can use that.
So hold off on that one, and I'll remove from JIRA.
On 18-Feb-09, at 5:09 PM, Colin Clark wrote:
> Blake,
>
> On 17-Feb-09, at 2:03 PM, electBlake wrote:
>
>> I have created and attached a patch that allows the first user
>> signed up to be a super user, thus streamlining the signup process.
>>
>> Affects: manage.php & signup.php
>
> I've taken a look at this patch and the implementation looks fairly
> reasonable. A couple of questions before I commit it:
>
> 1. It seems a bit risky to assume that you'll always get back a row
> ID of "1" from the first insert into your User table. I would assume
> this is fairly consistent in MySQL, but is it an implementation
> detail that might change in different environments, with different
> ID generation schemes, etc? Does it make sense to count the rows in
> the table instead?
> 2. This style of "first person register is root" reminds me of the
> old days of some mickey-mouse UNIX security exploits. Do you think
> it will be reasonably clear to users that they have to login and set
> up that first account before deploying the application publicly? Or
> are we encouraging a security risk here?
>
> Curious to hear your thoughts,
>
> Colin
>
> ---
> Colin Clark
> Technical Lead, Fluid Project
> Adaptive Technology Resource Centre, University of Toronto
> http://fluidproject.org
>
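The two points Colin raises can be seen side by side in a small stand-alone sketch. This is an added example, not the patch under discussion or any Fluid code: it uses Python and SQLite in place of the PHP/MySQL pair, and the `users` table, the `is_super` column and all function names are assumptions made up for the illustration. `signup_by_rowid` reproduces the "first insert comes back as row ID 1" assumption, and shows it breaking as soon as the first row is deleted (an AUTOINCREMENT key is never reused, so the instance ends up with no super user at all). `signup_by_count` takes the row-count route he suggests, and additionally does the count and the insert inside one write transaction, because a bare `SELECT COUNT(*)` followed by an `INSERT` leaves a window in which two simultaneous first sign-ups both see an empty table. The last function demonstrates that the lock actually holds.

```python
import os
import sqlite3
import tempfile

# Constructed schema for the example; this is not the project's real users table.
SCHEMA = """
CREATE TABLE IF NOT EXISTS users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    is_super INTEGER NOT NULL DEFAULT 0
);
"""


def connect(path=":memory:"):
    # isolation_level=None: the module issues no implicit BEGIN, so the
    # transaction boundaries below are exactly the ones written out.
    # timeout=0: a lock conflict fails immediately instead of waiting.
    conn = sqlite3.connect(path, isolation_level=None, timeout=0)
    conn.executescript(SCHEMA)
    return conn


def is_super(conn, username):
    row = conn.execute("SELECT is_super FROM users WHERE username = ?",
                       (username,)).fetchone()
    return bool(row and row[0])


def signup_by_rowid(conn, username):
    """Fragile variant: trusts that the very first insert comes back as ID 1."""
    cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    if cur.lastrowid == 1:
        conn.execute("UPDATE users SET is_super = 1 WHERE id = ?", (cur.lastrowid,))
    return is_super(conn, username)


def signup_by_count(conn, username):
    """Count-based variant: the 'is the table empty?' check and the insert run
    inside one write transaction, so two racing first sign-ups cannot both win."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock *before* the SELECT
    try:
        (n,) = conn.execute("SELECT COUNT(*) FROM users").fetchone()
        conn.execute("INSERT INTO users (username, is_super) VALUES (?, ?)",
                     (username, 1 if n == 0 else 0))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return is_super(conn, username)


def rowid_scenario():
    """The first account is created and later deleted (say, a test account
    removed before going live). ID 1 is never handed out again, so the next
    sign-up is an ordinary user and nobody is super user any more."""
    conn = connect()
    first = signup_by_rowid(conn, "alice")
    conn.execute("DELETE FROM users WHERE username = 'alice'")
    second = signup_by_rowid(conn, "bob")
    return first, second  # (True, False)


def count_scenario():
    """Same sequence with the count-based check: the empty table is what
    matters, not the value of the generated key."""
    conn = connect()
    first = signup_by_count(conn, "alice")
    conn.execute("DELETE FROM users WHERE username = 'alice'")
    second = signup_by_count(conn, "bob")
    third = signup_by_count(conn, "carol")
    return first, second, third  # (True, True, False)


def concurrent_first_signup_is_serialized():
    """Two connections racing on an empty table: while the first holds the
    write lock, the second's BEGIN IMMEDIATE is refused, so it cannot also
    read COUNT(*) == 0 and grant itself super user."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "users.db")
        a, b = connect(path), connect(path)
        a.execute("BEGIN IMMEDIATE")
        try:
            b.execute("BEGIN IMMEDIATE")
        except sqlite3.OperationalError:  # "database is locked"
            locked = True
        else:
            locked = False
            b.execute("ROLLBACK")
        a.execute("ROLLBACK")
        a.close()
        b.close()
        return locked  # True


if __name__ == "__main__":
    print("row-id check :", rowid_scenario())
    print("count check  :", count_scenario())
    print("serialized   :", concurrent_first_signup_is_serialized())
```

On MySQL the same shape needs an explicit lock as well (a locking read or `LOCK TABLES` around the count and insert), since the default isolation level does not serialize two "count then insert" sequences on its own. Neither variant addresses Colin's second question: as long as the first registration wins root, the application must not be reachable by anyone else before that registration has happened, whichever check is used.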
More information about the fluid-work mailing list