phpgroupware-developers

Re: [Phpgroupware-developers] patch for review


From: Dave Hall
Subject: Re: [Phpgroupware-developers] patch for review
Date: Thu, 07 Sep 2006 10:14:12 +1000

Committed

On Wed, 2006-09-06 at 23:10 +0200, Sigurd Nes wrote:
> Benoit Hamet wrote:
> > Hi all,
> > 
> > <snip>
> >>> There is also applications::d2name , categories::d2name and
> >>> interserver::d2name.
> >>> I think it risky to rename the calls to only accounts::id2name - I
> >>> think it would be better to keep the "old" accounts::id2name - and
> >>> rather implement the new accounts::id2name as accounts::id2full_name
> >>> or something.
> >> It hasn't been renamed.  The old method accounts::id2name now returns
> >> the user's fullname, and doesn't reveal the user's login id, which is
> >> good security imho.  If you already have the login id then you have 1
> >> half of the puzzle for cracking an account.  Some organizations have
> >> policies on login ids others don't, which will also impact on benefit of
> >> this change.
> >>
> >> applications::d2name , categories::d2name and interserver::id2name are
> > >> unaffected by this change, as they return the relevant string for the
> >> data type and it has no security implications.
> >>
> >> The change in the string returned by accounts::id2name has been in HEAD
> >> for months.  The new accounts::id2lid is only for those cases where
> >> internally we need the login id, which is very rare.  As
> >> accounts::id2name is used a lot for presenting username information in
> >> the GUI, it is safest to change the functionality.  Where there is a
> > >> need for the login id, use accounts::id2lid, which can be changed
> >> manually on a case by case basis.
> > 
> > It looks ok to me. AFAIU, there's no relationship between accounts and
> > categories or applications or interserver ? right ? so returning the
> > real full name in id2name for account, doesn't disturb anything ? Or did
> > I miss your point Sigurd ?
> > 
> That is also how I understand it. (Unless you really want the username 
> (lid) for something).
> 
> For the record - it's ok by me.
> 
> Regards
> 
> Sigurd
> 
> 
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
+-------------------------------------+-------------------------------+
| e address@hidden          | w phpgroupware.org            |
| j address@hidden                 | aim skwashd                   |
| icq 278064022                       | msn address@hidden       |
| sip address@hidden       | y! skwashd                    |
+-------------------------------------+-------------------------------+




