From: Luka K. <lu...@kl...> - 2004-02-25 16:37:01
gal...@li... <> wrote:

> If you hard-coded it anyone who knew anything about gallery
> would know how to get around it. The only way I ever go into
> configure mode is by running configure.sh on the command
> line. One possibility would be to have configure.sh stdout a
> random password when it's run. If you're worried about a user
> not seeing this because they can't get feedback from a
> terminal it could just spit the password out to a random file
> called 'password-39209339.txt' where 39209339 is the password.

yes well I wasn't thinking of a hard-coded password like a universal gallery password. I said hard-coded because it would be directly written into the setup/index.php and I don't understand your "The only way I ever go into configure mode is by running configure.sh on the command line.". I don't see the relevance :)

this 'password' protection I'm rooting for shouldn't be the only protection for the setup script. it should be only a second level of protection which guards the setup script while gallery is in configuration mode.

I like the random password being blurted out on the screen, but I have shell access so it's not a problem for me. the idea of generating the password-32432423432.txt file is a great way to go around the problem.

> Realistically, I would think that gallery would have an "upgrade.sh"
> which would only allow a previous admin user access to do an
> upgrade on the gallery. Then you'd just use your admin
> user/password to do your upgrade and things would be peachy.

I don't think this is really do-able because almost all gallery files are clobbered while extracting the tarball... there is no way for that process to know whether you're upgrading or not.

on the other hand, I think the setup script could read the existing config file, see where the user database is, and if it exists, challenge the user for the admin login/password.

if the config file doesn't exist or the userdb specified in it doesn't exist, ignore the whole thing and work like it does now.

> This issue has always bothered me. I'm glad it was brought up!

well, we're all here for the same reason, aren't we?

--
Someday I'll try again and not pretend, this time forever
Someday I'll get it straight but not today, have you ever
*AlliXSenoS*mailto:lu...@kl...*ICQ:100757909*
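
The random-password file idea discussed in this message, as an added sketch that is not part of the original e-mail and not Gallery's code. The function names and the token directory are hypothetical, and the directory is assumed to sit outside the web root, since the file name itself is the secret.

```shell
#!/bin/sh
# Added illustration; function names and paths are hypothetical, not Gallery's.

# Create a one-time setup token: print it to stdout (for users with a
# terminal) and record it as DIR/password-<token>.txt (for users without).
gen_setup_token() {
    dir=$1
    # 16 bytes from the kernel CSPRNG, hex-encoded to 32 characters.
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ ${#token} -eq 32 ] || return 1
    # Only one token is valid at a time: drop files left by earlier runs.
    rm -f "$dir"/password-*.txt
    # Create the marker file readable and writable by the owner only.
    ( umask 077 && : > "$dir/password-$token.txt" ) || return 1
    printf '%s\n' "$token"
}

# Succeed only if CANDIDATE is well-formed and matches the token file in DIR.
check_setup_token() {
    dir=$1
    candidate=$2
    # Accept nothing but lowercase hex, so the candidate can never carry
    # '/', '.', or glob characters into the path built below.
    case $candidate in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ ${#candidate} -eq 32 ] || return 1
    [ -f "$dir/password-$candidate.txt" ]
}

# Invalidate the token when configuration mode ends.
clear_setup_token() {
    rm -f "$1"/password-*.txt
}
```
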