[development] "Sudo" Module

Matt Chapman matt at ninjitsuweb.com
Mon Aug 9 17:54:08 UTC 2010


Ah ha. I see what you're going for.

My personal approach is to try to never give users a level of access
where they might break the site, even accidentally. But that does
often require additional work that I realize is not always practical,
if you're dealing with limited time or budgets.

If Domenic doesn't persuade you, and you're still going to go to the
point of creating a custom module, may I suggest that you require
users to re-enter their OWN password, rather than sharing the user 1
password with everyone? Really, you're asking for trouble by sharing
that password with anyone who doesn't absolutely need it.

All the Best,

Matt Chapman
Ninjitsu Web Development
ph: 818-660-6465 (818-660-NINJA)
fx: 888-702-3095

--
The contents of this message should be assumed to be Confidential, and
may not be disclosed without permission of the sender.



On Mon, Aug 9, 2010 at 10:39 AM, James Benstead
<james.benstead at gmail.com> wrote:
> Hi Matt,
> It's "deliberate inconvenience" if you like. The site will have a manager
> who will, through their regular account, be able to upload and manage
> content, process Ubercart orders, etc. I'd like them to quickly be able to
> switch to the root account for more technical (and therefore dangerous)
> tasks. The act of entering a password will give them the sense that what
> they are doing implies a risk. Also, the root account will have a slightly
> different theme. Possibly plastered with skull and crossbone motifs ;)
> --Jim
> --
> My IM and Skype details are at http://state68.com/contact
>
>
> On 9 August 2010 18:33, Matt Chapman <matt at ninjitsuweb.com> wrote:
>>
>> Hi James,
>>
>> I'm curious about your reasoning for requiring a password? It seems like
>> an example of "security" that only inconveniences the legitimate
>> users.
>>
>> Both the modules mentioned provide an explicit permission to switch,
>> ensuring that only authorized users have the capability, and both
>> allow you to permit it without sharing a password that could be
>> accidentally exposed to unauthorized users.
>>
>> It seems to me your proposed module weakens security for no practical
>> benefit. Am I missing something?
>>
>> All the Best,
>>
>> Matt Chapman
>> Ninjitsu Web Development
>> ph: 818-660-6465 (818-660-NINJA)
>> fx: 888-702-3095
>>
>> --
>> The contents of this message should be assumed to be Confidential, and
>> may not be disclosed without permission of the sender.
>>
>>
>>
>> On Mon, Aug 9, 2010 at 9:48 AM, James Benstead <james.benstead at gmail.com>
>> wrote:
>> > Thanks - both of these modules solve half of the problem (i.e., the
>> > switching part) - but neither seem to allow me to force the user to enter
>> > the root password in order to switch to the root account. Very useful,
>> > though; two new questions:
>> >
>> > If I were to build a module that was dependent on either masquerade or devel
>> > switch user to provide the functionality I'm talking about, which module
>> > would be the best foundation?
>> > Is there a simple way I can mash-up this module with the regular user module
>> > to do this? I'm guessing there must be.
>> >
>> > Thanks again, guys; the best bit about Drupal (and the Drupal community) is
>> > not having to re-invent the wheel ;)
>> > --Jim
>> > --
>> > My IM and Skype details are at http://state68.com/contact
>> >
>> > Paolo Mainardi:
>> > http://drupal.org/project/masquerade
>> > On 9 August 2010 17:40, Pedro Faria de Miranda Pinto
>> > <predofaria at gmail.com>
>> > wrote:
>> >>
>> >> You can use devel module with switch user block
>> >>
>> >> On Mon, Aug 9, 2010 at 1:35 PM, James Benstead
>> >> <james.benstead at gmail.com>
>> >> wrote:
>> >>>
>> >>> I'm very interested in UI design, and mapping the design of Drupal admin
>> >>> interfaces to pre-existing, long-standing frameworks. I'm currently looking
>> >>> for a module that allows a "site manager" to quickly switch to and from the
>> >>> root user of a D6 site - in my mind's eye this module displays a block with
>> >>> a password field and a submit button; entering the root password and hitting
>> >>> the button is broadly equivalent to "sudo su" in Unix. Once the user has
>> >>> root privileges, a click on the "step down" button in the same block returns
>> >>> them to their saved regular session.
>> >>> My question: does a module exist that does this, or gets close to this?
>> >>> Or is it possible to cobble together this functionality by using existing
>> >>> functionality in already-existing D6 modules?
>> >>> Thanks,
>> >>> --Jim
>> >>> --
>> >>> My IM and Skype details are at http://state68.com/contact
>> >>
>> >>
>> >>
>> >> --
>> >> Pedro Faria de Miranda Pinto
>> >> http://www.eusouopedro.com
>> >> http://www.phpavancado.net
>> >
>> >
>
>
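
Added example, not part of the original thread and not code from Drupal or any module named in it: a framework-agnostic Python sketch of the approach suggested at the top of this message, where elevation requires an explicit permission plus the user's OWN password, is time-boxed, and is logged per person. The permission name, the TTL value and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os, time

ELEVATION_TTL = 300  # seconds elevated rights last (assumed value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password, perms):
    """Build a constructed sample account with its own salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_password(password, salt), "perms": set(perms)}

class ElevationBroker:
    """Time-boxed admin rights, granted on the user's OWN password."""

    def __init__(self, users):
        self.users = users    # name -> account dict from make_user()
        self.elevated = {}    # session id -> (name, expiry timestamp)
        self.audit = []       # (timestamp, name, event): who did what

    def elevate(self, session_id, name, password, now=None):
        now = time.time() if now is None else now
        user = self.users.get(name)
        # Explicit permission first ("elevate to admin" is a hypothetical name).
        if user is None or "elevate to admin" not in user["perms"]:
            self.audit.append((now, name, "denied: no permission"))
            return False
        # Constant-time compare against this user's own stored hash.
        attempt = hash_password(password, user["salt"])
        if not hmac.compare_digest(attempt, user["digest"]):
            self.audit.append((now, name, "denied: bad password"))
            return False
        self.elevated[session_id] = (name, now + ELEVATION_TTL)
        self.audit.append((now, name, "elevated"))
        return True

    def is_elevated(self, session_id, now=None):
        now = time.time() if now is None else now
        entry = self.elevated.get(session_id)
        if entry is not None and now < entry[1]:
            return True
        self.elevated.pop(session_id, None)  # expired or never elevated
        return False

    def step_down(self, session_id, now=None):
        now = time.time() if now is None else now
        name, _ = self.elevated.pop(session_id, (None, None))
        if name is not None:
            self.audit.append((now, name, "stepped down"))
```

Because no shared secret is involved, revoking one manager's ability to elevate means removing a permission, not rotating a password everyone knows, and each audit entry names an individual.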

