First of all, I successfully passed my second evaluations. Thanks to my mentor. 🙂
The reason I haven’t blogged since then is that there was not much progress. The reopening of my college and registration took up more time than expected. Adding to the trouble, my next task, Setup improvements, turned out to be more challenging than expected. It was not suggested in the initial project enhancements collection, but I added it because I felt it was an important feature and a good replacement for the other task – Filling random test data in database. Why I had to replace it? That’s another story.
Coming to the point, allowing access to the file system is a sensitive issue. After a lot of discussion with Michal, we finally agreed on the following scheme for allowing access to setup:
- If there is no config.inc.php and it can be written to, redirect the user to setup and force them to create a config with at least a setup password. This keeps the attack window minimal, as most people will try to access the tool right after installing.
- For existing installs, the user has to manually add the password to the configuration. This is needed to prevent somebody from creating it remotely.
Access to setup:
- If there is no config file, access to setup is allowed for initial setup.
- If there is a config without a password, access is rejected with a link to the documentation on how to enable it.
- If there is a config with a password, the user has to enter the password before entering setup.
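As an added example (not phpMyAdmin code and not from my branch), here is the three-case scheme above as one decision function in PHP. It assumes the config file is PHP that sets $cfg['Setup']['password'], that the value is a password_hash() digest rather than the plaintext password, and it adds a reject case for the situation where no config exists but setup could not write one.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code: the setup-access scheme from the post as a
// single decision function. Assumptions: the config file is PHP that sets
// $cfg['Setup']['password'], and that value holds a password_hash() digest rather
// than the plaintext password.

const SETUP_ALLOW_INITIAL      = 'allow_initial';      // no config yet: run setup, password mandatory
const SETUP_REJECT_NO_PASSWORD = 'reject_no_password'; // config exists but sets no setup password
const SETUP_REQUIRE_PASSWORD   = 'require_password';   // config has a password: prompt before setup
const SETUP_REJECT_UNWRITABLE  = 'reject_unwritable';  // no config, and setup could not save one (assumption)

// Returns the configured password digest, or null if the file sets none.
function loadSetupPasswordHash(string $configPath): ?string
{
    $cfg = [];
    include $configPath; // populates $cfg in this function's scope only
    $hash = $cfg['Setup']['password'] ?? '';
    return $hash === '' ? null : $hash;
}

function setupAccessDecision(string $configPath): string
{
    if (!file_exists($configPath)) {
        // Initial setup only helps if it can actually write the file it creates.
        return is_writable(dirname($configPath)) ? SETUP_ALLOW_INITIAL : SETUP_REJECT_UNWRITABLE;
    }
    return loadSetupPasswordHash($configPath) === null
        ? SETUP_REJECT_NO_PASSWORD
        : SETUP_REQUIRE_PASSWORD;
}

// Maps the decision (and an optional submitted password) to the response setup should give.
function handleSetupRequest(string $configPath, ?string $submitted): string
{
    switch (setupAccessDecision($configPath)) {
        case SETUP_ALLOW_INITIAL:
            return 'redirect: setup, password field mandatory';
        case SETUP_REJECT_NO_PASSWORD:
            return 'reject: link to documentation on enabling the setup password';
        case SETUP_REJECT_UNWRITABLE:
            return 'reject: config directory is not writable';
        default:
            $ok = $submitted !== null
                && password_verify($submitted, loadSetupPasswordHash($configPath));
            return $ok ? 'allow: setup' : 'prompt: enter the setup password';
    }
}
```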
And this was finalized just last week. Also, I came across a few existing bugs after starting to work on the credential-setup. These bugs added further delay; I had to fix them before proceeding. The current standpoint is that the credential-setup is still not completely done. There is one more issue I ran into: the config options which I applied are not reflected in the generated config file. Isaac and I are working to resolve this. You can see the work in progress on my branch. It is now clear that my idea for Setup Improvements was ambitious. I talked with Isaac about this, and he understood the situation, as the pencils-down date is approaching. I now plan to just implement editable configuration completely for this task.