[Seaside-dev] Re: Initialize /seaside/config with random password?
Julian Fitzell
jfitzell at gmail.com
Mon Sep 22 10:02:57 UTC 2008

On Mon, Sep 22, 2008 at 9:30 AM, Lukas Renggli <renggli at gmail.com> wrote:
>> > What I wanted to add is that in the permission denied message we could
>> > even tell the user what he has to do.
>>
>> We could also force the user to pick a password when first logging
>> into the web interface. This isn't quite as secure because if they
>> never used the admin interface but left it running in production
>> somebody else could set a password and get in... but it's more
>> convenient. Depends what balance we want to strike... I think most
>> people either (a) use the web interface or (b) know what they're
>> doing.
>
> A password for the config app doesn't help anything, if there is a
> single application that has the toolbar activated. So why even bother?
>
> For productive use, people hopefully won't load the development tools anyway.

I don't necessarily consider the web config app a "development tool".
The toolbar certainly is and definitely should not be loaded in a
production environment. I'd like to see the config app moved into the
Environment package, myself, because I think you might well want it in
a production environment (with at *least* a password... it should
really be running on another port that is appropriately firewalled).

Julian