[Bug 189195] Review Request: horde - php application framework
bugzilla at redhat.com
Wed Apr 19 06:01:54 UTC 2006
Summary: Review Request: horde - php application framework
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189195
------- Additional Comments From holbrookbw at users.sourceforge.net 2006-04-19 02:01 EST -------
Spec URL: http://theholbrooks.org/RPMS/horde.spec
SRPM URL: http://theholbrooks.org/RPMS/horde-3.1.1-9.7.src.rpm
(In reply to comment #1)
> * config files MUST not be under /usr; place them under /etc or /var
> (see below)
>
> * horde requires write access to the config files (they are editable
> through the web interface); so permissions should be 0660 for
> root:apache or even apache ownership. These files should be located
> under /var
>
> Perhaps location of the config files can be changed in the code,
> perhaps you have to use symlinks for that
Using symlinks, and rewriting horde's configuration a little, I have relocated
horde's config files to /var/lib/horde, all 0660 apache:apache
>
> * the 'locale/*/horde.mo' files should be annotated with the corresponding
> %lang() tags; it would be probably the best to move them to the
> %regular /usr/share/locale and run '%find_lang horde'
I've done the first part, labeled all the locales with the %lang() macro, but
I'm not sure if %find_lang applies in this situation. All the horde locales are
specified as ar_SY, bg_BG, en_US, etc... but most of the locales in
/usr/share/locale are just the 2-letter ar, bg, en, etc. Is find_lang smart
enough to overcome this, should I run some logic to figure it out myself, or
should they be copied in as-is?
>
> * docs/ should be removed and packaged like
>
> | %doc docs/*
Done
>
> * it might be a good idea to restrict the initial visibility of Horde
> to localhost; e.g. by adding
>
> | <Directory /usr/share/horde>
> | Allow from 127.0.0.1
> | Deny from all
> | </Directory>
>
> to the apache configuration.
Done
>
> What is with the authentication during the initial setup? Is there
> a non-default password required for the 'Administrator' user? If
> not, some modifications shall be done to avoid that an unconfigured
> Horde installation can be run by unauthorized users.
>
There isn't any authentication during the initial setup, the browser is
automatically logged in as Administrator. By default, Horde's "Authentication
Mechanism" (configurable in 'Setup|Authentication') is set to "Automatically
authenticate as a certain user", and the end user can then change that to HTTP,
LDAP, whatever... For an added level of obscurity, I could make HTTP the
default, and include an .htaccess file with a name and password, but it would be
the same password for every installation and not really any more secure than the
default no-password setup. Is this unacceptable?
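One way to check the two hardening points discussed in this message (config files at 0660 in the relocated directory, and the Allow/Deny stanza that keeps an unconfigured Horde reachable from localhost only). This is an added example, not part of the horde package or of either participant's message; the function names and fixture file names are assumptions, and only the Allow/Deny syntax quoted above is parsed.

```shell
#!/bin/sh
# Added example, not part of the horde package. Function names are hypothetical.

# List config files under $1 that are not mode 0660 or not owned by user $2.
# Returns 0 only when every file matches.
audit_conf_perms() {
    bad=$(find "$1" -type f \( ! -perm 660 -o ! -user "$2" \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Succeed only if the <Directory $2> block in Apache config $1 contains
# "Deny from all" and allows nothing except 127.0.0.1.
localhost_only() {
    awk -v want="$2" '
        tolower($1) == "<directory"   { d = $2; gsub(/[">]/, "", d); inblk = (d == want); next }
        tolower($1) == "</directory>" { inblk = 0; next }
        inblk && tolower($1) == "deny" && tolower($3) == "all" { deny = 1 }
        inblk && tolower($1) == "allow" {
            for (i = 3; i <= NF; i++) if ($i != "127.0.0.1") wide = 1
        }
        END { exit !(deny && !wide) }
    ' "$1"
}

# Constructed fixture: one correct file, one world-readable file, and the
# Apache stanza quoted in the review.
demo=$(mktemp -d)
mkdir "$demo/conf"
touch "$demo/conf/conf.php" "$demo/conf/prefs.php"
chmod 660 "$demo/conf/conf.php"
chmod 644 "$demo/conf/prefs.php"
cat > "$demo/horde.conf" <<'EOF'
<Directory /usr/share/horde>
    Allow from 127.0.0.1
    Deny from all
</Directory>
EOF

audit_conf_perms "$demo/conf" "$(id -u)" || echo "fix the files listed above"
localhost_only "$demo/horde.conf" /usr/share/horde && echo "horde is localhost-only"
```

On an installed system laid out as described in the reply, the first call would be `audit_conf_perms /var/lib/horde apache`.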