[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where
David Bruchmann
typo3-team-core at bruchmann-web.de
Wed Sep 30 23:59:51 CEST 2009
Subject: Re: [TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where
Hello together,
The main problem is that the option select as part of stdWrap gives a tool that
allows everything.
On the one hand I can't understand every point of the discussion because
templates are restricted to admins anyhow.
On the other hand it's right to have a look at security and to keep
optional vulnerabilities as small as possible.
The point that templates can be allowed for editors is important but I
omit it here because I don't want to integrate any whols anyway.
Back to my first sentence:
I propose to make stdWrap restrictable by BE-User and BE-Group
Administration.
I see that it isn't a solution for the quoting-challenge with selects
but it makes risks more calculable because functionality of stdWrap can
be cut and reduced to the origin sense of text- and content-manipulation
by predefined methods.
So the quoting-challenge could perhaps be solved later but after my
proposed change of rights.
For the case that my proposition seems considerable it could be thought
about different ranges of rights:
Simple selects may be possible for many (perhaps with restriction to
non-system-tables), joins and system-tables may be accessible for a
smaller group.
Furthermore a new element (similar to template-element) could be built
that allows creating selects by form like in phpMyAdmin or Access.
So it would be much easier to control access for selects: In TS they may
be referenced but never included directly.
Without a tool like that the secure way would be to disallow selects in
general, the hard way would be to integrate a parser that compares
syntax and rights.
Best Regards
David