On Jan 24, 2006, at 10:33 AM, Allie Micka wrote:
Like many hosting providers, we grant full access to databases for site administrators, and we create a separate, rights-limited user for each database.
This is a great idea until it's time to run update.php. It really should detect that I don't have DROP, ALTER, etc.; but instead it just fails badly.
What I've been doing is editing settings.php to replace the credentials in $db_url, running update.php, and then re-editing the file. I'm sure that most of our users are just leaving things as-is, which is bad for many reasons.
It would be nice to have a place to enter some temporary credentials, stored in $_SESSION and disposed of when the user logs out.
a) Is this in-progress someplace? b) Anybody have UI suggestions for this? It could just go into update.php, but may have use elsewhere.
I am definitely interested in this. With the latest release candidate for CivicSpace we have now included security checks on configuration files to ensure that files written to in the installation should now be locked down on the webserver. It would make sense to evolve these same sorts of protections for update.php. No ideas on implementation, but interested in continuing the conversation to make this happen.
Cheers,
Kieran
Allie Micka
pajunas interactive, inc.
http://www.pajunas.com
scalable web hosting and open source strategies
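The privilege detection asked for in this thread could look like the following. This is an added example, not part of the thread and not Drupal or CivicSpace code. It assumes a MySQL backend and takes the rows returned by SHOW GRANTS FOR CURRENT_USER as input; the function names, the list of required privileges beyond DROP and ALTER, and the sample rows are all hypothetical.

```php
<?php
// Privileges a schema update is assumed to need. The thread names DROP and
// ALTER; CREATE and INDEX are added here as an assumption.
const UPDATE_PRIVS = ['CREATE', 'ALTER', 'DROP', 'INDEX'];

// True if a MySQL GRANT database pattern (% and _ wildcards, backslash
// escapes) matches $database. Matching is case-sensitive, the strict choice.
function grant_db_matches(string $pattern, string $database): bool {
    if ($pattern === '*') {
        return true;
    }
    $regex = '';
    for ($i = 0, $n = strlen($pattern); $i < $n; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $n) {
            $regex .= preg_quote($pattern[++$i], '/');   // escaped literal
        } elseif ($c === '%') {
            $regex .= '.*';
        } elseif ($c === '_') {
            $regex .= '.';
        } else {
            $regex .= preg_quote($c, '/');
        }
    }
    return preg_match('/^' . $regex . '\z/', $database) === 1;
}

// Returns the entries of UPDATE_PRIVS that no global (*.*) or database-level
// grant covers. Table-level grants do not match the pattern and are ignored.
function missing_update_privs(array $grantRows, string $database): array {
    $have = [];
    foreach ($grantRows as $row) {
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+(?:`([^`]+)`|(\*))\.\*\s+TO\s/i', $row, $m)) {
            continue;
        }
        if (!grant_db_matches($m[2] !== '' ? $m[2] : '*', $database)) {
            continue;
        }
        foreach (array_map('trim', explode(',', strtoupper($m[1]))) as $priv) {
            if ($priv === 'ALL PRIVILEGES' || $priv === 'ALL') {
                return [];
            }
            $have[$priv] = true;
        }
    }
    return array_values(array_diff(UPDATE_PRIVS, array_keys($have)));
}

// Constructed sample rows for a rights-limited site user.
$rows = ["GRANT USAGE ON *.* TO 'site_user'@'localhost'",
         "GRANT SELECT, INSERT, UPDATE, DELETE ON `drupal\\_site`.* TO 'site_user'@'localhost'"];
echo implode(', ', missing_update_privs($rows, 'drupal_site')), "\n";
```

An update script could run this check first and, when the returned list is non-empty, stop with a clear message or ask for temporary credentials instead of failing partway through a schema change.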