#2282: Authentication and authorization settings should be customizable on deployment
------------------------+---------------------------------------------------
Reporter: kikidonk | Owner: Gustavo
Type: defect | Status: assigned
Priority: high | Milestone: 2.1
Component: TurboGears | Version: trunk
Severity: critical | Resolution:
Keywords: auth |
------------------------+---------------------------------------------------
Comment (by pedersen):
beaker.session.secret was set to a random string for
production.ini/deployment.ini before today.
As of today, it is also set to a random value in development.ini (see
changesets at http://bitbucket.org/pedersen/tgdevtools-dev/).
Furthermore, the code in tg/configuration.py now looks for this and uses
beaker.session.secret as the default value for sa_auth.cookie_secret (see
changeset: http://bitbucket.org/pedersen/tg-dev-fork/changeset/25717e2bd5f8/).
This problem was actually slightly insidious, as storing the cookie secret
in app_cfg.py results in a secret that will be common to all installations
of a given app, since that file will be viewed as source code by the
people who install the application.
We really needed to have it default to using the value stored in the .ini
file. The changesets above make sure that the value in the ini file is
always random, and ensure that it will be used (unless overridden in
app_cfg.py).
The end result is that the developer does not need to do anything extra to
benefit from this fix. It just works.
--
Ticket URL: <http://trac.turbogears.org/ticket/2282#comment:8>
TurboGears <http://www.turbogears.org/>
TurboGears front-to-back web development
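The lookup order the comment describes, as an added illustration that is not TurboGears' own code: an explicit app_cfg.py override wins, then sa_auth.cookie_secret from the .ini, then beaker.session.secret from the .ini, and a missing secret is an error rather than a silent shared default. The ini text, the `base_config.sa_auth.cookie_secret` line pattern and the function names are assumptions for this example.

```python
import configparser
import re
import secrets

# Constructed [app:main] section of a TurboGears-style production.ini.
# Only beaker.session.secret is present; sa_auth.cookie_secret is absent,
# which is the situation the ticket comment addresses.
SAMPLE_INI = """
[app:main]
use = egg:myapp
beaker.session.secret = 7f3c9b1e0a2d4c6e8b0f1a3c5e7d9b2a
"""

# Constructed app_cfg.py fragment with the secret hard-coded in source,
# i.e. shared by every installation of the app.
SAMPLE_APP_CFG = 'base_config.sa_auth.cookie_secret = "changeme-in-app-cfg"\n'

# Assumed pattern for a literal secret assigned in app_cfg.py.
_HARDCODED = re.compile(r'sa_auth\.cookie_secret\s*=\s*["\']([^"\']+)["\']')


def new_secret() -> str:
    """Random per-installation secret to write into a freshly generated .ini."""
    return secrets.token_hex(32)


def resolve_cookie_secret(ini_text: str, app_cfg_overrides: dict) -> str:
    """Return the auth cookie secret by precedence:
    app_cfg.py override > sa_auth.cookie_secret (.ini) > beaker.session.secret (.ini)."""
    if app_cfg_overrides.get("sa_auth.cookie_secret"):
        return app_cfg_overrides["sa_auth.cookie_secret"]
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    section = parser["app:main"]
    for key in ("sa_auth.cookie_secret", "beaker.session.secret"):
        value = section.get(key)
        if value:
            return value
    raise RuntimeError("no cookie secret in app_cfg.py or the .ini file")


def cookie_secret_configured(ini_text: str, app_cfg_overrides: dict) -> bool:
    """True when some source supplies a secret, False when deployment would fail."""
    try:
        resolve_cookie_secret(ini_text, app_cfg_overrides)
        return True
    except RuntimeError:
        return False


def hardcoded_secrets(app_cfg_source: str) -> list:
    """Deployment check: literal cookie secrets committed in app_cfg.py."""
    return _HARDCODED.findall(app_cfg_source)
```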