[TYPO3-v4] Automatically enabled install tool
Oliver Hader
oliver.hader at typo3.org
Wed Aug 3 16:39:47 CEST 2011
Hi everybody,
thanks for your comments on this issue. I read that most agree on the
fact that creating the INSTALL_TOOL_ENABLE is not optimal. However on
the other hand most agree on the fact that the Install Tools with a weak
password encryption offers a real security risk.
So I'd like to go the following way:
* revert the introduced change of commit
8119a4c3bfb86e4a55bb5713d43fa5538e8eec6d
* modify the behaviour as suggested by Kay
If you agree I'd take care of reverting the mentioned commit.
Cheers,
Olly
On 02.08.11 23:52, Helmut Hummel wrote:
> Hi,
>
> there have been a lot of discussions about automatically enabling the
> install tool and I regularly fought against it.
>
> Now it has been merged into 4.6beta and I'm a bit tired of fighting
> against it.
>
> That is the status (AFAIK):
>
> 1. The install tool (still is) a great danger for a TYPO3 installation.
> TYPO3 sites have been hacked because the install tool was
> (permanently) available (of course not only because of that).
> 2. If an admin clicks on the install backend module the install tool is
> enabled for 1h (independently of a logged in admin user)
> 3. While it is easy to enable, the disable button is still hidden in
> the user settings.
>
> From an admin user perspective it is of course nicer/ easier this way and
> it is much more integrated into the backend.
>
> What I do not like about it:
>
> It tells the wrong message.
>
> 1. It looks like a normal module now, but it's not.
> 2. There's no information/ confirmation any more that accessing/
> activating the install could be something dangerous.
> 3. Disabling the install tool is much more complicated than enabling it.
> 4. If I accidentally click on the install tool menu item (although I
> wanted to go to the log module), I enable it, exposing the
> TYPO3 installation to an unnecessary risk.
>
>
> I kindly ask to rethink this decision, or at least implement it in a way
> which does not make the install tool look like a regular backend module.
> It is not.
>
> Thanks.
>
> Kind regards,
> Helmut
--
Oliver Hader
TYPO3 v4 Core Team Leader
TYPO3 .... inspiring people to share!
Get involved: http://typo3.org