[TYPO3-v4] Automatically enabled install tool
Jigal van Hemert
jigal at xs4all.nl
Thu Aug 4 10:06:32 CEST 2011
Hi,
On 3-8-2011 22:30, Steffen Gebert wrote:
>> No need to revert all changes there, as it introduces a "real" backend
>> module which can be enhanced.
> I also don't see a reason why everybody is so terrified and why this
> change should be reverted completely.
The big problem is awareness of security. The Install Tool is a powerful
tool and when it's unlocked only a single password (even without a
username) protects its use. With the weak passwords a lot of people use
it's often easy to guess the password.
The ENABLE_INSTALL_TOOL mechanism just adds a bit more security to the
Install Tool. It is however important that BE admins are aware of
security for their site. The problem is IMO the silent enabling of the
Install Tool.
A big warning with a button to enable it (should we have a countdown
button like Firefox/Thunderbird have when installing a plugin, to make
it more likely that you read the message?) may cause people to use the
logout from Install Tool button (which should disable the Install Tool
too) to lock the Install Tool, instead of just going to another module.
> Although I don't see a big problem with having the Install Tool
> activated for one hour,
It's not a real problem if the admin is aware of this. Silently enabling
it lowers security without raising awareness.
> it is in line with my
> concern to finally move the management of the ENABLE_INSTALL_TOOL file
> out of the user settings. It's just so misplaced there that I want to
> run away instead of explaining sb. why it is located there (or start
> crying..)
Be more Zen :-) Not everything needs to be explained, sometimes it's
enough just to accept the way things are.
Ever tried to *explain* the name of t3lib_extMgm::addPItoST43() ?
Or *why* there are HTML template processing functions inside tslib_cObj
which are wrappers around static calls to the same functions in
t3lib_parsehtml?
Or *why* we use a certain versioning tool (I really had a lot of
questions about this from clients)?
It's nevertheless a good improvement to move it to a more logical place!
--
Kind regards / met vriendelijke groet,
Jigal van Hemert.