[TYPO3-v4] Automatically enabled install tool

Jigal van Hemert jigal at xs4all.nl
Thu Aug 4 10:06:32 CEST 2011


Hi,

On 3-8-2011 22:30, Steffen Gebert wrote:
>> No need to revert all changes there, as it introduces a "real" backend
>> module which can be enhanced.
> I also don't see a reason why everybody is so terrified and why this
> change should be reverted completely.

The big problem is awareness of security. The Install Tool is a powerful 
tool and when it's unlocked only a single password (even without a 
username) protects its use. With the weak passwords a lot of people use 
it's often easy to guess the password.

The ENABLE_INSTALL_TOOL mechanism just adds a bit more security to the 
Install Tool. It is however important that BE admins are aware of 
security for their site. The problem is IMO the silent enabling of the 
Install Tool.
A big warning with a button to enable it (should we have a countdown 
button like Firefox/Thunderbird have when installing a plugin, to make 
it more likely that you read the message?) may cause people to use the 
logout from Install Tool button (which should disable the Install Tool 
too) to lock the Install Tool, instead of just going to another module.

> Although I don't see a big problem with having the Install Tool
> activated for one hour,

It's not a real problem if the admin is aware of this. Silently enabling 
it lowers security without raising awareness.

> it is in line with my
> concern to finally move the management of the ENABLE_INSTALL_TOOL file
> out of the user settings. It's just so misplaced there that I want to
> run away instead of explaining sb. why it is located there (or start
> crying..)

Be more Zen :-) Not everything needs to be explained, sometimes it's 
enough just to accept the way things are.
Ever tried to *explain* the name of t3lib_extMgm::addPItoST43() ?
Or *why* there are HTML template processing functions inside tslib_cObj 
which are wrappers around static calls to the same functions in 
t3lib_parsehtml?
Or *why* we use a certain versioning tool (I really had a lot of 
questions about this from clients)?

It's nevertheless a good improvement to move it to a more logical place!

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert.
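The thread turns on the ENABLE_INSTALL_TOOL file that unlocks the Install Tool and on whether an admin notices that it has been enabled. The following audit script is an added example, not code from the mailing-list post or from TYPO3 itself: it reports whether the unlock file exists under a site's typo3conf directory, how old it is, and whether it has outlived the one-hour window mentioned above, and it can remove the file to lock the tool again. The one-hour limit, the KEEP_FILE marker (which this example assumes marks a deliberately permanent unlock) and the status names are assumptions of the example.

```python
"""Audit a TYPO3 4.x site for a lingering ENABLE_INSTALL_TOOL file.

Added example (not from the mailing-list post or the TYPO3 code base).
It assumes the 4.x layout in which the Install Tool is unlocked by the
presence of typo3conf/ENABLE_INSTALL_TOOL and that the file is meant to
live at most one hour; the one-hour limit, the KEEP_FILE marker and the
status names used here are assumptions of this example.
"""
import os
import time

MAX_AGE_SECONDS = 3600  # one hour, the window discussed in the thread (assumed)


def audit_install_tool(typo3conf_dir, max_age=MAX_AGE_SECONDS, now=None):
    """Return a dict describing the Install Tool unlock state.

    status is one of:
      'locked'  - no ENABLE_INSTALL_TOOL file, the tool cannot be used
      'enabled' - file present and younger than max_age
      'stale'   - file present and older than max_age (should have been removed)
      'kept'    - file present and contains KEEP_FILE, i.e. permanently unlocked
    """
    path = os.path.join(typo3conf_dir, "ENABLE_INSTALL_TOOL")
    now = time.time() if now is None else now
    if not os.path.exists(path):
        return {"status": "locked", "path": path, "age": None}
    age = now - os.path.getmtime(path)
    with open(path, "rb") as fh:
        kept = b"KEEP_FILE" in fh.read()
    if kept:
        status = "kept"
    elif age > max_age:
        status = "stale"
    else:
        status = "enabled"
    return {"status": status, "path": path, "age": age}


def lock_install_tool(typo3conf_dir):
    """Lock the Install Tool by removing the unlock file.

    Returns True if a file was removed, False if the tool was already locked.
    """
    path = os.path.join(typo3conf_dir, "ENABLE_INSTALL_TOOL")
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    import sys

    # Usage: python audit_install_tool.py /path/to/site/typo3conf
    conf = sys.argv[1] if len(sys.argv) > 1 else "typo3conf"
    report = audit_install_tool(conf)
    print(report["status"], report["path"], report["age"])
    # Only a stale or permanently kept unlock is locked automatically here;
    # a fresh unlock is assumed to belong to an admin who is still working.
    if report["status"] in ("stale", "kept"):
        print("locking:", lock_install_tool(conf))
```

Run from cron or a monitoring job, the 'stale' and 'kept' states are the ones worth alerting on: both mean the Install Tool, protected by a single password, has been reachable for longer than anyone intended.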

