[dev] help/options links

Roel Gloudemans roel at gloudemans.info
Tue Aug 31 07:16:17 PDT 2004


>> I see you moved both getServiceLink and showService to the Horde class. For
>> getServiceLink this is an excellent place. I have doubts about showService.
>> Its sole purpose is to parse a configuration parameter. If I had to search
>> for the method, I'd go looking in Prefs. But I think this is just a matter
>> of taste, because the next place I'd look is the Horde class.
>
> But it's not a preference. Which is why I moved it out; it'd just pollute the
> prefs api with unrelated code.

I see your point.

>> I see that one patch didn't make it; the patch for services/prefs.php. The
>> patch disallows the prefs from being set (next to not showing the link).
>> Any particular reason? (Just curious)
>
> Because these patches were for UI issues, not for security, and I didn't
> want to completely disallow access to prefs.php based on them, in case
> someone wanted to have a direct link somewhere.

Hmmm, what would be a good way to block access to the options mechanism? I
know you can lock the preferences, but if the 'Options' icon is set to
'authenticated users' only, a mechanism to block setting options for guests
only would be nice.

Add an extra checkbox to settings to 'enforce' the choice made?

>> I'm not done yet on the menus. I'm somewhat of a security freak
>> (professional deformation) and don't like the mysql/php/command shell in
>> the admin menu. One of the reasons is that I have certificate based ssh
>> access for just me and password based access for the Horde users. The
>> shells destroy what I gain by using certificates on SSH.
>>
>> I have to think of a way to turn them off (in an elegant way), with no way
>> to turn them on from the Horde interface.
>
> Sure, propose a patch. Conf options, and not letting the webserver
> overwrite the horde conf.php file, should be fine.

I was thinking of another solution. Let the menu detect the permissions on the
php files. If permissions are such that the webserver cannot read the files,
then don't show the options. In this way you could allow overwriting conf.php
from horde and still keep the shells disallowed.

This configuration should then be added to the installation script, for which
I saw a bounty.

Cheers,
Roel.
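
The permission-based menu check proposed in this message, as an added example that is not part of the original post and is not Horde code. The function name, menu labels and file names are hypothetical, and the demo files are constructed in a scratch directory.

```php
<?php
// Added illustration, not Horde code. Labels and file names are hypothetical.

/**
 * Keep only the menu entries whose backing script the current process
 * (the web server user) can read. Entries map label => file name.
 */
function visibleAdminEntries(array $entries, string $adminDir): array
{
    $base = realpath($adminDir);
    if ($base === false) {
        return [];
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $visible = [];
    clearstatcache();   // do not trust cached permission results
    foreach ($entries as $label => $file) {
        $path = realpath($prefix . $file);
        // Skip missing files and anything resolving outside the admin directory.
        if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        if (is_file($path) && is_readable($path)) {
            $visible[$label] = $file;
        }
    }
    return $visible;
}

// Constructed demo: two scripts in a scratch directory, one made unreadable.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'admin_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/users.php", "<?php // user admin\n");
file_put_contents("$dir/shell.php", "<?php // command shell\n");
chmod("$dir/shell.php", 0000);   // administrator removes all access

$menu = ['User Administration' => 'users.php', 'Command Shell' => 'shell.php'];
print_r(visibleAdminEntries($menu, $dir));
// Note: a process running as root can read the file regardless of mode bits.

// Clean up the scratch files.
chmod("$dir/shell.php", 0600);
unlink("$dir/users.php");
unlink("$dir/shell.php");
rmdir($dir);
```

With this approach the file mode is what blocks the shell; the menu filter only keeps the interface consistent with it, so the files should be owned by a user other than the web server account so the mode cannot be changed back from the web interface.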
