[wikka-community] Help with final testing needed

Brian Koontz brian
Thu Mar 20 02:40:24 GMT 2008


On Thu, Mar 20, 2008 at 11:45:23AM +1300, Raffael wrote:
> i updated three 1164 beta versions but don't see a green batch...
> because no automatic upgrade script. but regarding the locked file,
> should the upgrade page be only available to admins by default?

That's correct...the setup wizard was never intended to be used for beta
upgrades within the same version.  If you set the lockfile, then there
should be no access to the wiki site.  Do you see something differently? 

> new install: if connection to mysql not possible: how about a link back?
> or I guess, the back button should do.

Back button works fine.  You will need to re-enter your DB parameters
though.

> green note is there. {{checkversion}} will connect to your server,
> whenever an admin browses the homesite? so if all admins are logged in
> and browse their homepages, you will have quite a bit of traffic...
> maybe put it in recentchanges or the login page instead.

It's just hitting one file that's a couple of bytes large, and most
admins will immediately change their HomePage anyway after installation.


> ad categorycategory: why does the page "WikiCategory" belong to that
> category? I found it to be a bit confusing (you have CategoryWiki and
> WikiCategory). It should be part of CategoryWiki.

WikiCategory belongs to CategoryWiki (says so right at the bottom of the
page).  The page is intended to describe the use of categories.  Maybe a
name change to UsingWikkaCategories might be clearer, though.

> Login error messages still give too much info:
> Sorry, this user name doesn't exist.
> Sorry, you entered the wrong password.

I can see this information being privileged on a system where users don't
necessarily share visibility with other users (i.e., banking account),
and where disclosure of whether or not a user name exists could be used
as a pretext to a dictionary-style attack (meaning the effort involved
would be worth whatever prize was sought after).  But there's a good chance
many wiki users will be visible to other users on a wiki, so there's no
value gained by hiding the fact that a user name does or does not exist.
And I certainly don't see the security ramifications of displaying a
message that a password is incorrect -- while this implies the existence
of a user, I don't believe the risk of exposing this information is worth the
time of hiding it.

That said, you can always blank out these strings in
actions/usersettings.php for your own installation.  For instance, if you
set ERROR_WRONG_PASSWORD to an empty string, then nothing will display to
your users when they enter a wrong password. 

  --Brian

-- 
Brian Koontz
Wikka Development Team
Systems Support and Random Tasking Dept.
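The two error-message policies discussed in the thread side by side, as an added example that is not Wikka's own code: the first returns the two distinct strings quoted above, the second returns one uniform string and always runs the hash check so an absent user name cannot be told apart from a wrong password. The user table, salt and PBKDF2 scheme are constructed for the demo and do not reflect Wikka's storage.

```python
import hashlib
import hmac

# Constructed demo data (not Wikka's schema or hashing): a fixed salt keeps the
# example deterministic; a real system would use a per-user random salt.
SALT = b"constructed-demo-salt"
ITERATIONS = 10_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": (SALT, _hash("correct horse battery", SALT))}

# Dummy record used when the user name is unknown, so the same amount of
# hashing work happens on both paths.
DUMMY_RECORD = (SALT, _hash("dummy-placeholder", SALT))

ERROR_USER_NOT_FOUND = "Sorry, this user name doesn't exist."
ERROR_WRONG_PASSWORD = "Sorry, you entered the wrong password."
ERROR_GENERIC = "Sorry, the user name or password is incorrect."


def login_verbose(username: str, password: str):
    """Distinct messages: the reply reveals whether the user name exists."""
    record = USERS.get(username)
    if record is None:
        return False, ERROR_USER_NOT_FOUND
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, ERROR_WRONG_PASSWORD
    return True, ""


def login_uniform(username: str, password: str):
    """One message for both failures; hashing runs even for unknown names."""
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY_RECORD
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not matched:
        return False, ERROR_GENERIC
    return True, ""


def reveals_user_existence(login) -> bool:
    """True if an unknown name and a wrong password yield different replies."""
    _, unknown_msg = login("nobody", "whatever")
    _, wrong_pw_msg = login("alice", "whatever")
    return unknown_msg != wrong_pw_msg
```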


