On Saturday, 23 February 2019 23:11:33 UTC+8, Noel Grandin wrote:
>
> If you are running the console against local databases, you're doing 
> anything you're already allowed to do. We just made it less convenient.
>
Yes, there is a way to break “security”. Another user on the same home 
computer or terminal server can create their own database, make its file 
readable by other users, open the H2 Console launched by another user and 
connect to it.

H2 Console and TCP/PG servers need a better security model; we discussed it 
some time ago, but it is still not implemented.

In terms of usability there are many issues when people use relative URLs 
with another base directory or in-memory database in another process and 
get confused why their database is empty. Now a correct error message 
appears.
Other people are now required to do more steps to create a new database 
from Console.

We need a more intuitive interface for it and a reasonable security 
configuration by default. Personally I don't think that H2 Console should 
allow unlimited access from sessions of other users without explicit 
permission from Console's owner.
