[geeklog-devtalk] geeklog-devel digest, Vol 1 #260 - 6 msgs
geeklog-devel-request at lists.geeklog.net
Tue Jan 27 13:00:08 EST 2004
Today's Topics:
1. Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates (Vincent Furia)
2. Re: Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates (Dirk Haun)
3. Group Admin revisited (Dirk Haun)
4. Re: Group Admin revisited (Blaine Lang)
5. Re: Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates (Blaine Lang)
--__--__--
Message: 1
Date: Mon, 26 Jan 2004 16:29:38 -0500
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: [geeklog-devel] Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Reply-To: geeklog-devel at lists.geeklog.net
Dirk,
How much longer do you plan on supporting 1.3.7? I know you had discussed
earlier that this may be the last security fix. If so you might want to
mention that in the article or at least as a comment to the article so
people can start upgrading (or planning to upgrade) to 1.3.8.
On that same note, what is the progress with 1.3.9? Are there any areas
where you could use help getting the release out? I know you mailed a
summary of things needed for 1.3.9 a couple months ago, what is the
status of those?
Thanks,
Vinny
geeklog-announce-admin at lists.geeklog.net wrote:
>Security updates for Geeklog 1.3.8-1sr3 and 1.3.7sr4 are available for
>download now, addressing a variety of security issues. Please see
>
> http://www.geeklog.net/article.php?story=20040126141531711
>
>for details. We suggest you upgrade your site(s) at your earliest convenience.
>
>bye, Dirk
--__--__--
Message: 2
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and
1.3.7sr5 security updates
Date: Mon, 26 Jan 2004 23:08:02 +0100
Organization: Terra Software Systems
Reply-To: geeklog-devel at lists.geeklog.net
Vinny,
>How much longer do you plan on supporting 1.3.7?
I would prefer to drop it sooner rather than later (getting some of the
new fixes into the old code was a bit of a pain). If it weren't for me
running a 1.3.7 site myself ...
Once 1.3.9 is finally out, that will certainly be the end of the 1.3.7
support.
>On that same note, what is the progress with 1.3.9? Are there any areas
>where you could use help getting the release out? I know you mailed a
>summary of things needed for 1.3.9 a couple months ago, what is the
>status of those?
Good question.
There's that tedious bit of work of having to review each and every
parameter that's passed in a POST or GET and applying COM_applyFilter to
it. I've already decided to leave the admin/*.php files for later. The
files in public_html are mostly done, although usersettings.php and
calendar.php are only half done and I haven't even started on the search
(i.e. actually the search class, as search.php doesn't include much code
any more).
And while reviewing the code, I keep finding little oddities and bugs
(two of which are fixed in today's security release). E.g. when deleting
a user, we leave quite a few things orphaned, i.e. with an owner_id that
doesn't exist any more (links, events, blocks, ...).
I also have an ever-increasing list of tiny "it would be extremely nice
to have" things - I guess I just have to cut short that list and try to
get through with the above.
bye, Dirk
--
http://www.haun-online.de/
http://www.tinyweb.de/
--__--__--
Message: 3
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Date: Mon, 26 Jan 2004 23:13:57 +0100
Organization: Terra Software Systems
Subject: [geeklog-devel] Group Admin revisited
Reply-To: geeklog-devel at lists.geeklog.net
In the wake of bug #135 (Group Admin can become Root - fixed with the
latest security release), I'd like to discuss the idea behind how Group
Admin works at the moment.
Samuel Stone, who found the above bug, wrote:
>There is another issue. While the Root access
>problem is solved, I can not limit permission on other items if I give
>that person Users Admin permission.
>
>For example, I give him User Admin but not Plugin Admin. He can still
>change his own user permission to include Plugin Admin.
>
>I think the logic is to hide all the non-permitted check boxes for the
>Users admin.
My first reaction was "okay, so maybe we need two sorts of Group Admins".
But the more I think about it, the more Sam's suggestion makes sense.
Is there any reason why a Group Admin should be able to assign someone to
a group in which he himself is not a member? I can't think of one. Tony?
Anyone?
bye, Dirk
--
http://www.haun-online.de/
http://www.macosx-faq.de/
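The rule proposed in this message (a Group Admin may only assign groups he himself is a member of), sketched as a server-side check. This is an added example, not part of the original message and not Geeklog code; the function name, the group ids and the sample POST data are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Geeklog code: function name and group ids are hypothetical.

/**
 * Work out a target user's new group list after an admin who belongs to
 * $actorGroups submits the group checkboxes in $requested (untrusted POST).
 *
 * Hiding the non-permitted checkboxes is only cosmetic: a hand-built POST
 * can still name any group id, so the rule is enforced here as well.
 */
function resolveGroupAssignment(array $requested, array $actorGroups, array $targetCurrent)
{
    // Normalise everything to unique integers; POST values arrive as strings.
    $requested     = array_unique(array_map('intval', $requested));
    $actorGroups   = array_unique(array_map('intval', $actorGroups));
    $targetCurrent = array_unique(array_map('intval', $targetCurrent));

    // Groups the actor is not in stay exactly as they are on the target:
    // the actor can neither grant nor revoke them.
    $untouched = array_diff($targetCurrent, $actorGroups);

    // Of the requested groups, only those the actor is in are granted.
    $granted = array_intersect($requested, $actorGroups);

    // Requested, not held by the actor and not already held by the target:
    // an attempted escalation that should be refused and logged.
    $rejected = array_diff($requested, $actorGroups, $targetCurrent);

    $groups = array_merge($untouched, $granted);
    sort($groups);

    return array('groups' => $groups, 'rejected' => array_values($rejected));
}

// Constructed scenario from the thread: a user with User Admin (id 9 here)
// but not Plugin Admin (id 12) edits his own account and adds Root (id 1)
// and Plugin Admin to the submitted checkbox list.
$actorGroups = array(2, 9);                 // 2 = Logged-in Users (constructed id)
$posted      = array('2', '9', '1', '12');  // constructed POST values
$result      = resolveGroupAssignment($posted, $actorGroups, $actorGroups);

echo 'new groups: ', implode(',', $result['groups']), "\n";
echo 'rejected:   ', implode(',', $result['rejected']), "\n";
```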
--__--__--
Message: 4
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] Group Admin revisited
Date: Mon, 26 Jan 2004 17:51:38 -0500
Reply-To: geeklog-devel at lists.geeklog.net
If it performed that way - only able to assign members to groups he/she
belonged to - it may actually be more useful.
Blaine
----- Original Message -----
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Sent: Monday, January 26, 2004 5:13 PM
Subject: [geeklog-devel] Group Admin revisited
> In the wake of bug #135 (Group Admin can become Root - fixed with the
> latest security release), I'd like to discuss the idea behind how Group
> Admin works at the moment.
>
> Samuel Stone, who found the above bug, wrote:
>
> >There is another issue. While the Root access
> >problem is solved, I can not limit permission on other items if I give
> >that person Users Admin permission.
> >
> >For example, I give him User Admin but not Plugin Admin. He can still
> >change his own user permission to include Plugin Admin.
> >
> >I think the logic is to hide all the non-permitted check boxes for the
> >Users admin.
>
> My first reaction was "okay, so maybe we need two sorts of Group Admins".
> But the more I think about it, the more Sam's suggestion makes sense.
>
> Is there any reason why a Group Admin should be able to assign someone to
> a group in which he himself is not a member? I can't think of one. Tony?
> Anyone?
>
> bye, Dirk
>
>
> --
> http://www.haun-online.de/
> http://www.macosx-faq.de/
--__--__--
Message: 5
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] Re: [geeklog-announce] Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Date: Mon, 26 Jan 2004 17:56:29 -0500
Reply-To: geeklog-devel at lists.geeklog.net
Dirk wrote:
> There's that tedious bit of work of having to review each and every
> parameter that's passed in a POST or GET and applying COM_applyFilter to
> it. I've already decided to leave the admin/*.php files for later.
>
> And while reviewing the code, I keep finding little oddities and bugs
> (two of which are fixed in today's security release).
Sounds a lot like my experience with the current Forum Plugin version. I
also only added the GET and POST filter checks to the public scripts. And
every time I went back into a program, I'd find other things to change. It
seems the more I changed the more little new bugs also appeared. Just a lot
of features and combinations to test.
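The review described in this message and in Dirk's (checking every GET or POST parameter for a COM_applyFilter call) can be given a mechanical first pass. The following is an added example, not part of the thread or of Geeklog: a textual heuristic run over a constructed sample, assuming a parameter counts as filtered only when it is passed directly to COM_applyFilter(); the function name findUnfilteredParams is hypothetical.

```php
<?php
// Added example: audit helper, not part of Geeklog. Heuristic only; it
// narrows down what a human still has to review, it does not replace that.

/**
 * Return every request-variable read in $source that is not passed
 * directly into COM_applyFilter(). isset()/empty() tests are ignored
 * because they do not use the value.
 */
function findUnfilteredParams($source)
{
    // $_GET['x'], $_POST['x'], $_REQUEST['x'] and the older long arrays.
    $req = '\$(?:_GET|_POST|_REQUEST|HTTP_GET_VARS|HTTP_POST_VARS)\s*\[[^\]]+\]';
    $findings = array();

    foreach (explode("\n", $source) as $i => $line) {
        // Drop the reads that are wrapped, then see what is left over.
        $rest = preg_replace(
            '/(?:COM_applyFilter|isset|empty)\s*\(\s*' . $req . '/', '', $line
        );
        if (preg_match_all('/' . $req . '/', $rest, $m)) {
            foreach ($m[0] as $expr) {
                $findings[] = array('line' => $i + 1, 'expr' => $expr);
            }
        }
    }
    return $findings;
}

// Constructed sample, not taken from any Geeklog file.
$sample = <<<'PHP'
$sid  = COM_applyFilter($_GET['sid']);
$mode = $_POST['mode'];
if (isset($HTTP_POST_VARS['uid'])) {
    $uid = COM_applyFilter($HTTP_POST_VARS['uid']);
}
$q = $HTTP_GET_VARS['query'];
PHP;

foreach (findUnfilteredParams($sample) as $f) {
    echo 'line ', $f['line'], ': ', $f['expr'], "\n";
}
```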
--__--__--