On Sun, Jun 27, 2010 at 7:17 AM, DrunkenMonk <[email protected]> wrote:
> I should clarify:
>
> I suggest you move the setting of member variables and groups into a
> core function, so that the session writing is handled in engine.php.
> That way, plugin writers won't need to understand what is going on
> with the _SESSION variable, which is good, and the login-data can be
> acquired from wherever.

Perhaps, but these aren't complicated, and you can copy from the core
code easily enough. Basically you just have to set these:

                $_SESSION[$BOLTfieldKey]['ID']['id'] = $id;
                $_SESSION[$BOLTfieldKey]['ID']['member'] = $member;

And for each group,

                $_SESSION[$BOLTfieldKey]['GROUP'][$groupname] = 1;

Or for the groups, just call the BOLTFmemberships function like I do
in the login command.

> Checking for correct authorization and similar can then be done in
> commands, although it would be nice if there was a way to let the
> engine test for correct password as well.

I don't think the session values are so complex it warrants a new
system in addition to toolmapping.

> Also, right now there is good separation between what is defined in
> markups, command and function .php, but all of these encroach on the
> domain of the engine.

Agreed, there is overlap, but because there are so many authentication
schemes possible it seems far more reasonable to not build one into
the engine itself. Leave these for commands and the like which can be
more easily customized.

> In my opinion, this is a problem in its own right.
>
> Uhm, I dislike derailing a discussion, but I need to ask this
> somewhere:
> What is the point of having a check for passwords that are already
> encrypted? Isn't this a security risk, as it allows anyone with view
> access to the pages to log in?
> I see risks, but no gains.

Security vulnerabilities are generally best discussed offlist--for
everyone's protection. I'll respond to this separately...

Cheers,
Dan

-- 
You received this message because you are subscribed to the Google Groups 
"BoltWire" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/boltwire?hl=en.
