Looks promising. What auths are checked in site.auth.email? I assumed the target(s) of the email, to allow only certain members to send to certain lists/ids, but when I think about it, that seems difficult.
I'll give this a go inside of a few weeks, I think. Bet ya I'm gonna have problems with old plugins and settings when I do... Having an optional override in site.config or similar for mode might be good, in order to allow finished sites the option to avoid a lot of work.

On Sep 18, 2:12 pm, The Editor <[email protected]> wrote:
> Update on mail function/command:
>
> So far I've done a good bit of reworking of the core mail function
> including these upgrades:
>
> * Optional return & reply parameters. If not set, uses from parameter
> correctly in both.
> * Added a simple html=true mode to send html messages, processing markup.
> * Overhaul of how demo display looks. Now shows entire message, with
> all headers.
> * Added a BCC option which can call a page with a list of emails or member ids
>
> Now the security issues:
>
> Currently, to send an email, you must set mailmode to active or demo
> in site.config. (Active to send, demo for display). Then if a
> site.auth.email page exists, permissions are checked. I don't like
> this particularly, because if someone sets the mode to active and
> forgets to create a site.auth.email page, someone could send email
> from a comment box, or even a sandbox, etc. Not good. Also, if you
> want to test an email, you have to remember to set mode=demo, rather
> than it automatically testing the message first until you remember to
> set mode=active. Plus having a mode parameter and a config mailmode is
> probably a bit confusing...
>
> Proposed:
> 1) to send emails you have to manually create a site.auth.email page
> and specify permissions. That essentially turns things on. To use BCC
> you will have to manually create a site.auth.email.bcc.
> 2) all mail functions automatically go to demo mode until mode=active
> is specifically set. This means you always get a test output until you
> are certain it is ready to go.
>
> These two changes should tighten security and simplify development of
> email based functions. Of course the disadvantage is you would have to
> go through all your existing mail forms/functions and add mode=active.
> What does everyone think?
>
> Cheers,
> Dan
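
A small model of the two designs discussed in this thread, added here as an illustration: it is not BoltWire code and is written in Python rather than BoltWire's PHP. Assumptions: an auth page is modelled as a set of permitted member ids, with `None` meaning the page was never created; the function names are hypothetical; the current design is modelled from the site.config mailmode alone.

```python
"""Model of the mail gate in this thread: current behaviour vs. the proposal.
Constructed for illustration; not BoltWire code."""
from itertools import product

SEND, DEMO, DENY = "send", "demo", "deny"

def current_gate(mailmode, auth_page, member):
    """Current: site.config mailmode enables mail; the site.auth.email
    check runs only if that page exists (fail-open when it is missing)."""
    if mailmode not in ("active", "demo"):
        return DENY
    if auth_page is not None and member not in auth_page:
        return DENY
    return SEND if mailmode == "active" else DEMO

def proposed_gate(auth_page, member, mode=None, bcc=False, bcc_auth_page=None):
    """Proposed: no site.auth.email page means no mail at all; BCC needs
    site.auth.email.bcc; output stays demo unless mode=active is passed."""
    if auth_page is None or member not in auth_page:
        return DENY
    if bcc and (bcc_auth_page is None or member not in bcc_auth_page):
        return DENY
    return SEND if mode == "active" else DEMO

def guest_sends():
    """Enumerate every setting combination and record those in which a
    member who was never granted permission ("guest") gets a real send."""
    admins = frozenset({"admin"})  # constructed permission list
    hits = {"current": set(), "proposed": set()}
    for mailmode, page, mode in product((None, "demo", "active"),
                                        (None, admins),
                                        (None, "demo", "active")):
        if current_gate(mailmode, page, "guest") == SEND:
            hits["current"].add((mailmode, page is not None))
        if proposed_gate(page, "guest", mode) == SEND:
            hits["proposed"].add((mode, page is not None))
    return hits

if __name__ == "__main__":
    print(guest_sends())
```

The only combination in which the unlisted member gets a real send is mailmode=active with no auth page, which is the forgotten-page case described in the quoted message; under the proposed gate no combination does.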
