On 7/19/07, Antoine Delignat-Lavaud <antoine@...> wrote:
> Dear SquirrelMail developers,
> As you should know, our small summer-team is working on a new design for
> SquirrelMail configuration.
Are you going to close up the other threads we had going? I'm not
sure if there are open issues in them?
> This raises a new problem : access control for the configuration editor.
> Here is my current idea of implementation :
> - At install stage, the administrator needs to setup the
> toplevel-config : language, charset, configuration backends (and
> possibly database settings), and an administrator password to access the
> configuration editor.
I'd say make it as simple as possible, since the idea is to avoid
command-line configuration, don't make the user have to change much of
anything out of the box to bring up the configurator. If you design
the configurator so that it can write to its own top-level config
file, you can avoid making the user fill in things like DB DSN and
anything else before the tool is run.
> - Once this is done, the configuration editor is loaded. Once
"is loaded" how? Below you suggest allowing access to it from the
login page, so are you suggesting that SM somehow know when you hit
login.php that if it hasn't been fully configured, it redirects to the
> everything is well tuned, the configurator creates the config file (or
> SQL records or whatever else), if there is no write permission a
> downloadable config file must be uploaded by whatever means.
> - To enter the configuration editor again, the administrator provides a
> special username (e.g. @config) and the administrator password on the
> login page.
I think branching it off of the login page introduces unnecessary
potential complexities. Similar to configtest.php, I think it needs
to be a separate script. This also helps cut down on needless CPU
cycles when under normal operation.
Also, I think SM should refuse to run if the web server has write
access to the config dir.
Finally, the other way to operate this tool is as a re-written
administrator plugin. If you haven't yet looked at this plugin,
please do. I do believe you are effectively replacing it, so you
should propose removing it or look at how you might put the whole
project into that space.
> If you have any comment or suggestion to improve this behaviour, feel
> free to post it.
> Best Regards,