[sork] patch: customsql option and other goodies

Jan Schneider jan at horde.org
Thu May 13 08:36:31 PDT 2004


Quoting Eric Rostetter <eric.rostetter at physics.utexas.edu>:

> Quoting Jan Schneider <jan at horde.org>:
>
>> I only committed the keep local part of the patch for now. The password
>> isn't really requested for security reasons, it's only necessary for some
>> drivers.
>
> No, actually, it is also there for security reasons.  I would object to
> removing it, though I won't object to a configuration option to remove
> it.

We are not talking about passwd, but forwards, just to make that clear. I
see no difference between forwards and any other module that we have that
interacts with the local system like Ingo for example.

>> configuration. I think the driver should return if it needs a password at
>> all. Additionally we could add a configuration setting for those drivers
>> that need a password to disable the password field. In these cases the
>> drivers would return "I don't need a password" and use the Horde password
>> instead.
>
> I don't follow that exactly.  But you *must* allow the admin to force
> the password to be required.  You *may* also allow it to be optional
> if the driver doesn't need it.

The password in forwards is *only* used for the backends that actually
*need* a password for the driver to activate the message. There is no check
in any driver to verify the user password with the current one. It wouldn't
make sense anyway IMO, see above.

> But the driver may not know if it is needed or not.  For the ftp driver,
> the horde password may or may not work, depending on where they ftp to
> and how authentication is done.  So the driver will not know if it is
> needed or not.  This is fairly minor as it can just say if it might be
> needed, return that it is needed.  Only if there is absolutely no doubt
> that it will never be needed can the driver say it isn't needed.

The driver that needs credentials to work can take a look at the
configuration to see if horde auth is enabled. In this case it knows that
it doesn't need a password and needsPassword() (or whatever) returns false,
otherwise true.

Jan.

--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/

