On Feb 16, 2006, at 3:01 AM, Andrus wrote:
I have a user in my application who cannot see some tables
(payroll data). On the same computer, some other user can have full
access.
I think it is unreasonable to create a separate cnxml file for each
user.
So I prefer to have a table of user privileges which my application
uses to show menus to the logged-in user, and a single cnxml file which
contains login information for full database access.
Perhaps we should have a way of adding user information on the fly.
IOW, instead of connecting right away, have your application ask the
user for login information. We then take that, along with the host/
database/port/etc. info in the cnxml file and use that to create the
connection. That way, nothing is stored on the disk that could be
used to gain access.
Unfortunately, a non-privileged user can reverse-engineer the password
from the cnxml file, decompile my Python application or listen to the
connection to obtain the privileged user's password.
That's one of the reasons why we made the security stuff modular, so
you can swap in your own encryption. Anyone with Dabo source code can
figure out how to 'crack' the 'encrypted' password, so relying on the
built-in stuff is not recommended.
It is not reasonable to manage local user/password files on hundreds
of standalone client computers. This requires a lot of programming.
It is better to manage the DBMS user list using the admin tools shipped
with the DBMS in the server database.
So it is better to allow the DBMS to validate the user name and password.
OK, I'll have to look into the flow of things to determine how big a
change this will be. With PyCon coming up next week, I'm not able to
spend a lot of time on such changes, but I do think that this is
important. Please enter this as an issue on http://dabodev.com/tracker/
so that it doesn't get forgotten in the craziness of
preparing for my PyCon presentation.
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
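The flow Ed sketches above (location details on disk, credentials asked for at run time, the DBMS doing the authorization) as an added example; this is not Dabo's own code, and the element names in the sample file are an assumption modelled loosely on a cnxml file, not taken from the Dabo source.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Tuple

# Constructed sample connection file (element names assumed, not Dabo's):
# it records only where the database is, never who may log in to it.
SAMPLE_CNXML = """<?xml version="1.0"?>
<connectiondefs>
  <connection>
    <name>payroll</name>
    <dbtype>MySQL</dbtype>
    <host>db.example.internal</host>
    <database>payroll</database>
    <port>3306</port>
  </connection>
</connectiondefs>
"""


def load_connection_defs(cnxml_text: str) -> dict:
    """Parse the file into {name: {dbtype, host, database, port}}.
    A <password> element is refused outright, so a file that someone
    edited to embed a secret fails loudly instead of quietly shipping a
    reversible password to every client machine."""
    root = ET.fromstring(cnxml_text)
    defs = {}
    for conn in root.findall("connection"):
        fields = {child.tag: (child.text or "").strip() for child in conn}
        if "password" in fields:
            raise ValueError(f"{fields.get('name')}: password must not be stored in the cnxml file")
        defs[fields["name"]] = {
            "dbtype": fields["dbtype"],
            "host": fields["host"],
            "database": fields["database"],
            "port": int(fields.get("port") or 0),
        }
    return defs


def connect_params(defs: dict, name: str, ask: Callable[[], Tuple[str, str]]) -> dict:
    """Merge the on-disk location with credentials obtained at run time.
    `ask` is whatever the application uses to prompt (a login dialog in a
    GUI app); the server, not the client, then decides what this user sees."""
    user, password = ask()
    if not user or not password:
        raise ValueError("login cancelled or empty")
    return {**defs[name], "user": user, "password": password}
```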
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/dabo-users