[Bug 189195] Review Request: horde - php application framework

bugzilla at redhat.com bugzilla at redhat.com
Wed Apr 19 06:01:54 UTC 2006


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Review Request: horde - php application framework


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189195





------- Additional Comments From holbrookbw at users.sourceforge.net  2006-04-19 02:01 EST -------
Spec URL: http://theholbrooks.org/RPMS/horde.spec
SRPM URL: http://theholbrooks.org/RPMS/horde-3.1.1-9.7.src.rpm

(In reply to comment #1)
> * config files MUST not be under /usr; place them under /etc or /var
>   (see below)
> 
> * horde requires write access to the config files (they are editable
>   through the web interface); so permissions should be 0660 for
>   root:apache or even apache ownership. These files should be located
>   under /var
> 
>   Perhaps location of the config files can be changed in the code,
>   perhaps you have to use symlinks for that

Using symlinks, and rewriting horde's configuration a little, I have relocated
horde's config files to /var/lib/horde, all 0660 apache:apache.

> 
> * the 'locale/*/horde.mo' files should be annotated with the corresponding
>   %lang() tags; it would be probably the best to move them to the
>   %regular /usr/share/locale and run '%find_lang horde'

I've done the first part, labeled all the locales with the %lang() macro, but
I'm not sure if %find_lang applies in this situation.  All the horde locales are
specified as ar_SY, bg_BG, en_US, etc... but most of the locales in
/usr/share/locale are just the 2-letter ar, bg, en, etc.  Is find_lang smart
enough to overcome this, should I run some logic to figure it out myself, or
should they be copied in as-is?

> 
> * docs/ should be removed and packaged like
> 
>   | %doc docs/*

Done

> 
> * it might be a good idea to restrict the initial visibility of Horde
>   to localhost; e.g. by adding
> 
>   | <Directory /usr/share/horde>
>   |   Allow from 127.0.0.1
>   |   Deny  from all
>   | </Directory>
> 
>   to the apache configuration.

Done

> 
>   What is with the authentication during the initial setup? Is there
>   a non-default password required for the 'Administrator' user? If
>   not, some modifications shall be done to avoid that an unconfigured
>   Horde installation can be run by unauthorized users.
> 

There isn't any authentication during the initial setup, the browser is
automatically logged in as Administrator.  By default, Horde's "Authentication
Mechanism" (configurable in 'Setup|Authentication') is set to "Automatically
authenticate as a certain user", and the end user can then change that to HTTP,
LDAP, whatever...  For an added level of obscurity, I could make HTTP the
default, and include an .htaccess file with a name and password, but it would be
the same password for every installation and not really any more secure than the
default no-password setup.  Is this unacceptable?

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
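
A reviewer-side check for the layout discussed in the message above, as an added example that is not part of the original comment or of the horde package: it verifies that every file under the relocated config directory has mode 0660 (and, optionally, the expected owner:group) and that a path in the web tree is a symlink resolving into that directory. The function names are hypothetical, and GNU `stat -c` and `readlink -f` are assumed.

```shell
#!/bin/sh
# Added example. audit_horde_conf and link_points_into are hypothetical
# helper names; only /var/lib/horde, 0660 and apache:apache come from the thread.

# audit_horde_conf DIR [OWNER:GROUP]
# Reports every regular file under DIR whose mode is not 660, or whose
# owner:group differs from OWNER:GROUP when that argument is given.
# Returns 0 if all files comply, 1 if any do not, 2 if DIR is missing.
audit_horde_conf() {
    dir=$1
    want_owner=${2:-}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    report=$(find "$dir" -type f -exec stat -c '%a %U:%G %n' {} + |
        while read -r mode owner path; do
            if [ "$mode" != "660" ]; then
                echo "mode $mode (want 660): $path"
            elif [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
                echo "owner $owner (want $want_owner): $path"
            fi
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" >&2
    return 1
}

# link_points_into LINK DIR
# True only when LINK is a symlink whose resolved target is DIR or lies
# below it, so a plain directory left behind under /usr is flagged.
link_points_into() {
    [ -L "$1" ] || return 1
    target=$(readlink -f "$1") || return 1
    base=$(readlink -f "$2") || return 1
    case $target in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use after installing the package in a test root (paths other than
# /var/lib/horde are assumptions about where the symlinks live):
#   audit_horde_conf /var/lib/horde apache:apache
#   link_points_into /usr/share/horde/config /var/lib/horde
```

Both functions only read metadata, so they can be run against a mock or chroot build root before the package is installed on a real host.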



