[Typo3-dev] Re: [Typo3] Freesite Extension

"Kasper Skårhøj" kasper at typo3.com
Sat Dec 27 20:14:30 CET 2003


I like the concept of "admin" user:

"admin" - user can do all, as a developer you don't have to think too much, admin user should only be given to trusted users
"non-admin" - these users are limited and should not be able to hack their way into the system.

The Constant Editor seems like something we could allow non-admins to use. On the surface of things that might also be true.
But access to constants is access to the "Setup" field as well - and that is seconds away from access to PHP, which means access to anything.
Therefore the conclusion is:

- it is NOT safe to allow anyone non-admin access to TypoScript Templates directly without careful data-checking because that is the same as access to the whole system.

Whether or not the Constants Editor is safely evaluating user input I cannot say. But I didn't program it with that much security in mind! Just a warning.

God bless

- kasper

*********** REPLY SEPARATOR  ***********

On 25-12-2003 at 13:11 Carlos Chiari (DE) wrote:

>Hi Folks:
>
>Merry Christmas to all Christians on the list, and happy new year to all!
>
>About allowing a privileged, non-admin, user to have access to the Constant
>Editor, I think there is no need for another solution, but to re-think the
>"admin-only" privilege setting of the tool, as well as, I dare to say, to
>rethink the whole concept of "admin-only" enforced by software instead of
>allowed or not by admin, as told on others threads (for awstats, etc.).
>
>As the Constant Tool (typo3/ext/tstemplate_ceditor) is an extension of the
>Template Module (typo3/ext/tstemplate), which is an "admin-only" one, there is
>no way it can be used by privileged back-end users.
>
>Yet, it is far easier to move this tool to the "Web->Functions" module, or to
>configure the "Templates" module to be available to "users,groups" and then be
>able to configure which functions of the menu are available for each group
>(I have read something about this in other places), including the group at
>the user's record, etcetera, than to "reinvent the wheel".
>
>And, finally, the Admins should set the editable constants (with the
>"#cat=basic/dims..." etc. construction) so they can be used by some User, and
>not by themselves.
>
>***************
>I have also thought that there could be a category or prefix/suffix for a
>group of constants that could be set as privileged constants, be it that the
>script is modified to allow them to admins or disallow them to regular users,
>and then modify the constant parser to recognize them. Something like
>
>#cat=basic/dims/admin
>myconstant =
>or
>#cat=basic/dims
>admin.myconstant =
>
>
>Well... now everybody is with family, and work has been turned off for
>holidays... so best wishes for you all on 2004
>
>Best regards,
>
>Carlos
>
>
>----- Original Message -----
>From: "Ingmar Schlecht" <ingmars at web.de>
>Newsgroups: typo3.english,typo3.dev
>To: <typo3-dev at lists.netfielders.de>
>Sent: Wednesday, December 24, 2003 6:16 PM
>Subject: [Typo3-dev] Re: [Typo3] Freesite Extension
>
>
>> Hi John,
>>
>> John Romano wrote:
>> > So here's the question:
>> > Are there any plans to make the constant editor safely/securely
>> > available to non-Admin users so that they can make minor cosmetic
>> > changes to a template without having the ability to trash the entire
>> > Typo3 installation?
>>
>> Your conclusion is right, and has been mentioned by others some times
>> already.
>>
>> Anyway, I don't know of anyone working on a solution to this.
>>
>> Perhaps you could gather some guys and form a team working on this.
>> http://typo3.org/1477.0.html
>>
>> Merry Christmas!
>>
>> cheers,
>> Ingmar
>> _______________________________________________
>> Typo3-dev mailing list
>> Typo3-dev at lists.netfielders.de
>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
>>
>
>




--------------------- o ---------------------
Too many cooks spoil the broth.
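Added example, not code from this thread or from TYPO3 itself, to make Kasper's point above concrete: a constant editor that pastes values into the "Setup" field is one line break away from letting a non-admin write arbitrary setup. The only TypoScript fact assumed is that setup references constants as {$name}; the template text, the constant name content.width, the values and the small type table (modelled on the "#cat=..." annotations Carlos mentions) are constructed for the example. The second half shows the kind of per-constant whitelist a hardened editor would need before letting anyone but an admin touch a value.

```python
"""Added example (not TYPO3 code): naive constant expansion versus a
whitelisting editor.

Assumed: TypoScript setup references constants as {$name}. The template,
constant names, values and type table below are constructed for this demo.
"""
import re

# Constructed template. The constant editor exposes content.width to a user;
# the rest of the setup text is supposed to stay under the admin's control.
SETUP = """page = PAGE
page.10 = TEXT
page.10.value = Hello
page.10.wrap = <div style="width:{$content.width}px">|</div>
"""

# Constructed per-constant type table, in the spirit of the editor's
# "#cat=basic/dims" comments: the one fact a validator needs is what shape
# a value is allowed to have. Only constants listed here are editable.
CONSTANT_TYPES = {
    "content.width": "int+",
}

CONST_REF = re.compile(r"\{\$([A-Za-z0-9_.\-]+)\}")


def substitute_constants(setup, constants):
    """Plain textual expansion: whatever a constant holds is pasted in
    verbatim, newlines included. This is what turns 'edit a constant'
    into 'edit the Setup field'."""
    return CONST_REF.sub(lambda m: constants.get(m.group(1), m.group(0)), setup)


def setup_lines(text):
    """Non-empty setup lines, so an injection shows up as extra lines."""
    return [line for line in text.splitlines() if line.strip()]


def validate_constant(name, value, types=CONSTANT_TYPES):
    """Per-constant whitelist. Characters that could start a new setup line
    or property (line breaks, braces, '=', angle brackets) are rejected for
    every constant; typed constants must additionally match their type."""
    if name not in types:
        return False
    if re.search(r"[\r\n{}=<>]", value):
        return False
    kind = types[name]
    if kind == "int+":
        return re.fullmatch(r"[0-9]+", value) is not None
    if kind == "color":
        return re.fullmatch(r"#[0-9A-Fa-f]{6}", value) is not None
    if kind == "string":
        return len(value) <= 255
    return False


def safe_substitute(setup, constants, types=CONSTANT_TYPES):
    """Expansion that refuses any value the whitelist does not accept."""
    for name, value in constants.items():
        if not validate_constant(name, value, types):
            raise ValueError("rejected constant %s" % name)
    return substitute_constants(setup, constants)


def is_rejected(setup, constants, types=CONSTANT_TYPES):
    """True if the hardened editor refuses this set of constant values."""
    try:
        safe_substitute(setup, constants, types)
    except ValueError:
        return True
    return False


# Constructed inputs: a benign value, and one that closes the property it
# lands in and appends its own setup lines. The appended lines are kept
# harmless on purpose; the point is that ANY setup line can be added.
BENIGN = {"content.width": "640"}
INJECTED = {
    "content.width": '640">|</div>\n'
                     'page.20 = TEXT\n'
                     'page.20.value = written by a non-admin\n'
                     'page.10.wrap = <div style="',
}


def demo():
    """(lines in the template, lines after naive expansion of INJECTED)."""
    expanded = substitute_constants(SETUP, INJECTED)
    return len(setup_lines(SETUP)), len(setup_lines(expanded))


if __name__ == "__main__":
    print("template lines / after naive expansion:", demo())  # (4, 7)
    print("hardened editor rejects INJECTED:", is_rejected(SETUP, INJECTED))
    print("hardened editor rejects BENIGN:", is_rejected(SETUP, BENIGN))
```

Run it with no arguments: the naive expansion grows the four-line template to seven lines, three of which the user wrote, while the validator accepts "640" and rejects the same payload because of its line breaks before it ever reaches the setup text. The whitelist is deliberately per constant: a width is digits, a colour is a hex triplet, and anything not in the admin's list is not editable at all.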
