From: blaine <la...@us...> - 2003-03-27 00:49:11
On Wednesday, Mar 26, 2003, at 14:44 America/Vancouver, Mike Traum wrote:

> there will be only one user/password, which is configured in
> config.inc.php. afaik, this is a slight security problem, in that if
> something goes haywire with the server, it's possible that the text of
> config.inc.php could be obtained. That being said, it's the simplest
> and I think sufficiently secure.
>
> Comments?

I think an admin panel is a great idea; however, since most phpicalendar installations will be using webdav, and therefore already have some sort of Apache Basic (or digest) authentication enabled, it would make more sense to use that (i.e., use the $REMOTE_USER variable) --- perhaps a list of users who are allowed access to the admin panel. Of course, there could always be an override password --- a username isn't necessary. But in any case, it would be nice to be able to turn this off, since it's always better to store passwords apart from the web server's gaze than close to it ;-)

b.
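
A sketch of the check proposed in this message, added here as an example; it is not part of the original post and is not phpicalendar's code. The setting names `$admin_users` and `$admin_override_hash`, the form field `admin_password`, the function name and the sample usernames are all hypothetical.

```php
<?php
// Hypothetical settings; these names are assumptions, not phpicalendar's own.
$admin_users = array('alice', 'bob');   // constructed sample usernames
$admin_override_hash = null;            // null turns the override password off

/**
 * Decide whether the current request may reach the admin panel.
 * Fails closed: an empty allowlist with the override disabled denies everyone.
 */
function admin_access_allowed(array $server, array $post, array $admin_users, $override_hash)
{
    // Apache sets REMOTE_USER only after Basic or Digest authentication
    // has succeeded, so the application never handles that password.
    $user = isset($server['REMOTE_USER']) ? $server['REMOTE_USER'] : '';
    if ($user !== '' && in_array($user, $admin_users, true)) {
        return true;
    }

    // Optional override password: only a hash made with password_hash()
    // is kept in the configuration, never the password itself.
    if ($override_hash !== null
        && isset($post['admin_password'])
        && is_string($post['admin_password'])) {
        return password_verify($post['admin_password'], $override_hash);
    }

    return false;
}

// Gate the admin page before any other output is sent.
if (!admin_access_allowed($_SERVER, $_POST, $admin_users, $admin_override_hash)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Admin access denied');
}
```

With the override left at `null`, a leaked configuration file exposes only the list of admin usernames; the credentials stay in the web server's own authentication store.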