[TYPO3-dev] securing the DB for FE access

Martin Kutschker Martin.Kutschker at n0spam-blackbox.net
Fri Jul 21 09:40:32 CEST 2006


Hi!

Currently TYPO3 uses by default one DB user. But there are three roles: 
FE, BE, BE-Admin.

BE-Admin needs full DB access with all rights during install, when 
installing extensions and when performing maintenance tasks.

Standard BE sessions need (possibly) full write access to all tables (but eg 
no rights to create tables).

Standard FE sessions need read access to most tables but write access to 
only a few tables.

How about an info file that describes these roles? The idea is that a DB 
administration tool uses this data to make securing the DB on the access 
level easier.

The extension author lists all custom tables that an FE-session must be 
able to read, and all tables (perhaps even on a column level!) that 
the FE-session must be able to write.

Additionally tables may be marked as admin-only. For this feature TYPO3 
must be changed in a way that it changes the DB-user after a successful 
admin-login.

Any comments?

Masi

PS: The format may be eg embedded SQL comments in ext_tables.sql but could 
be written into a separated ext_tables.xml.
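As an added illustration (not from Masi's post and not a TYPO3 convention), the following Python sketch reads a hypothetical annotation format embedded as SQL comments in ext_tables.sql and turns it into MySQL GRANT statements for the three roles; the tx_myext_* tables, the typo3_fe/typo3_be/typo3_admin user names and the `-- @fe` / `-- @admin` comment syntax are all constructed assumptions.

```python
import re

# Constructed sample ext_tables.sql in a hypothetical annotation format (my assumption,
# not a TYPO3 convention): a "-- @fe ..." or "-- @admin" comment precedes each CREATE TABLE.
EXT_TABLES_SQL = """
-- @fe read
CREATE TABLE tx_myext_items (uid int(11) NOT NULL auto_increment, title varchar(255), PRIMARY KEY (uid));
-- @fe read write(hits,lastvisit)
CREATE TABLE tx_myext_stats (uid int(11) NOT NULL auto_increment, hits int(11), lastvisit int(11), PRIMARY KEY (uid));
-- @admin
CREATE TABLE tx_myext_secrets (uid int(11) NOT NULL auto_increment, PRIMARY KEY (uid));
"""

ANNOT = re.compile(r"^--\s*@(fe|admin)\s*(.*)$")
CREATE = re.compile(r"^CREATE TABLE\s+(\w+)", re.I)
WRITE_COLS = re.compile(r"write\(([^)]*)\)")

def parse_roles(sql):
    """Map each table to its FE read flag, FE-writable columns and admin-only flag."""
    roles, pending = {}, None
    for line in sql.splitlines():
        line = line.strip()
        if m := ANNOT.match(line):
            pending = m          # remember the annotation for the next CREATE TABLE
        elif (c := CREATE.match(line)) and pending:
            kind, spec = pending.groups()
            cols = WRITE_COLS.search(spec)
            roles[c.group(1)] = {
                "fe_read": kind == "fe" and "read" in spec.split(),
                "fe_write": [x.strip() for x in cols.group(1).split(",")] if cols else [],
                "admin_only": kind == "admin",
            }
            pending = None
    return roles

def grants(roles, db, fe="typo3_fe", be="typo3_be", admin="typo3_admin", host="localhost"):
    """Emit MySQL GRANTs: FE gets SELECT plus column-level UPDATE only where listed, BE gets
    row-level DML on every non-admin table but no DDL, and the admin user gets everything."""
    out = [f"GRANT ALL PRIVILEGES ON `{db}`.* TO '{admin}'@'{host}';"]
    for table, r in sorted(roles.items()):
        if r["admin_only"]:
            continue  # neither the FE nor the BE user is granted anything on admin-only tables
        out.append(f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{db}`.`{table}` TO '{be}'@'{host}';")
        if r["fe_read"]:
            out.append(f"GRANT SELECT ON `{db}`.`{table}` TO '{fe}'@'{host}';")
        if r["fe_write"]:
            cols = ", ".join(f"`{c}`" for c in r["fe_write"])
            out.append(f"GRANT UPDATE ({cols}) ON `{db}`.`{table}` TO '{fe}'@'{host}';")
    return out
```

Switching the DB user after a successful admin login, as the post suggests, would then be the piece TYPO3 itself has to supply; the generated GRANTs only cover the access-level side.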
