[Typo3-dev] the horror of different usertables

Mathias Schreiber [K1net] ms at k1net.de
Mon May 31 22:18:13 CEST 2004


Elmar Hinz wrote:
> The image of one bit is in any case very nice. But as each user would
> be assigned to his groups it would be one bit in each assigning
> record. That means lots of bits if you have lots of users. Each bit
> on a different place on the data carrier.

the only thing that makes sense in this matter to me is that BE Users are FE
Users as well.
I mean as long as you do *not* come from a community background, why would
you want "identified website surfers" to be able to change the content of
the website? **headscratch**
Nothing makes sense the other way round.

So I think the solution could be something like "Add FE Groups to BE Users"
Kasper, maybe I don't see any major (or minor) security issues here, but
would it be such a big thing to check BE Users as well in FE Logins?
This way the BE Users would not be redundant in the FE sense, but security
through different tables would be given.
Plus this could increase overall security by using different mysql users for
frontend and backend stuff (just a quick thought).

> Following the bit argument you could never trust your bank, cause
> with the change of one bit all your money can go to someone else. :-)

what about bits n bytes in nuclear missile silos? ;)

> The risk lies rather in db queries, that are not coded correctly and
> admins that don't understand their system of groups. Things that
> happen.

*raises finger*
Please keep in mind that as soon as typo3 security relies more on smart
admins every messed up install will fall back negatively on typo3 - not the
admin.
And I hate to tell my clients that the system itself is secure but the admin
on the heise newsticker was dumb.
Because they will not believe me and think I will be telling them marketing
nonsense.

>>> In the resulting overhead of synchronization, as you propose it, I
>>> personally rather see new doors of weakness. Synchronization isn't
>>> trivial and failures have to be expected.

With DBAL you could X-class the FE Login to use a view instead of a table
;-)
DBAL offers loads of cool possibilities.

Another thought you maybe didn't think of yet:
What about different websites in one pagetree?

So BE Users would have to be located in any sysfolder as well.
Plus BE Groups would have to be located in sysfolders as well.
A quick thought about it is more horror to me than adding 5-10 FE Users by hand
or maybe syncing them over.
In my mind, BE Users belong to the INSTALL as is and not to a certain part
of the pagetree.
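An added example, not part of the original post and not TYPO3 code, of the two ideas raised in the message above: a view in place of the fe_users table for the FE login, and separate MySQL accounts for frontend and backend so the frontend code path has no privilege on be_users. It assumes MySQL 5.0 or later (views and CREATE USER), a database named typo3, and the usual be_users/fe_users columns (uid, username, password, usergroup, disable, deleted). The view name fe_login_view, the account names and the column be_users.fe_usergroup are assumptions; fe_usergroup stands for the "Add FE Groups to BE Users" field the post proposes and does not exist in TYPO3.

```sql
-- Added example, not TYPO3 code. Assumes MySQL 5.0+ (views, CREATE USER),
-- a database named typo3, and the usual be_users / fe_users columns
-- (uid, username, password, usergroup, disable, deleted). The column
-- be_users.fe_usergroup is hypothetical: it models the "Add FE Groups to
-- BE Users" field proposed in the post and does not exist in TYPO3.

USE typo3;

-- 1. One login source for the frontend: FE users plus BE users, shaped like
--    fe_users rows. Only enabled, non-deleted accounts are visible, and no
--    backend-only columns (admin flag, TSconfig, ...) leak through.
--    SQL SECURITY DEFINER lets the frontend account read the view without
--    holding any right on be_users itself. The src column keeps the two uid
--    spaces apart, because fe_users.uid and be_users.uid can collide.
CREATE OR REPLACE SQL SECURITY DEFINER VIEW fe_login_view AS
    SELECT 'fe' AS src, uid, username, password, usergroup
      FROM fe_users
     WHERE deleted = 0 AND disable = 0
    UNION ALL
    SELECT 'be' AS src, uid, username, password, fe_usergroup AS usergroup
      FROM be_users
     WHERE deleted = 0 AND disable = 0;

-- 2. Separate MySQL accounts for frontend and backend (the post's
--    "quick thought"). Passwords are placeholders.
CREATE USER 'typo3_fe'@'localhost' IDENTIFIED BY 'change-me-fe';
CREATE USER 'typo3_be'@'localhost' IDENTIFIED BY 'change-me-be';

-- The frontend account may authenticate against the view and maintain
-- FE users (registration, profile), but has no privilege on be_users:
-- a bug or SQL injection in frontend code cannot read or alter BE logins.
GRANT SELECT                 ON typo3.fe_login_view TO 'typo3_fe'@'localhost';
GRANT SELECT, INSERT, UPDATE ON typo3.fe_users      TO 'typo3_fe'@'localhost';

-- The backend account owns the backend user tables and is never used by
-- the frontend code path.
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3.be_users  TO 'typo3_be'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3.be_groups TO 'typo3_be'@'localhost';
FLUSH PRIVILEGES;

-- 3. Checks, run after connecting as typo3_fe: the first statement must
--    succeed, the second must be refused
--    (ERROR 1142: SELECT command denied to user 'typo3_fe'@'localhost').
-- SELECT src, uid, usergroup FROM fe_login_view WHERE username = 'editor1';
-- SELECT * FROM be_users;
```

Two caveats a practitioner would check before relying on this: the grants shown cover only the user tables, a real install needs the frontend account's rights on the page and content tables as well; and the view does not equalize the password column, so if be_users and fe_users store passwords in different formats the login code behind the view has to handle both.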
