David Recordon (daveman692) wrote in lj_dev,

Moodthemes, moodlist, and Security

Hey guys,
I'll take this chance just to introduce myself a bit. I started working at Danga last week as a programmer here on LiveJournal as part of an internship. Been having a great time and looking forward to the next few months.

A few days ago I started work on a rewrite of the moodlist.bml page to make it both more navigable as well as better to look at. A new copy was committed to the CVS on Monday and then a patch to it yesterday which was supposed to correct it to use the old style GET argument as well as support of custom-made mood themes. This has created a problem that we would like your input on. Currently yesterday's patch makes it so that for custom mood themes you can only view ones that you have created. This adds a layer of security in that people can't just change the mood theme id number and browse through every theme and use your bandwidth. It, however, no longer lets you share your mood theme with others just by giving them the link. The underlying question is: should anyone be able to view any custom mood theme, or should there be some bit of security involved? All custom mood themes have the is_public field set to no as they are not system themes. Does it make sense to add two new columns to the moodthemes table along the lines of is_viewable and then can_use? Your thoughts, opinions, ideas on all of this?
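An added sketch, not part of the original post and not LiveJournal's code, of how the two proposed columns could drive a per-theme check on the id taken from the GET argument, so that owners can share a link without every custom theme becoming browsable by id. Only the moodthemes table name, is_public, is_viewable and can_use come from the post; the other column names, the 'Y'/'N' values, the sample rows and the rule that can_use only applies when is_viewable is set are assumptions.

```python
import sqlite3

# Constructed schema: moodthemeid and ownerid are assumed column names.
SCHEMA = """
CREATE TABLE moodthemes (
    moodthemeid INTEGER PRIMARY KEY,
    ownerid     INTEGER NOT NULL,
    is_public   TEXT NOT NULL DEFAULT 'N',  -- 'Y' only for system themes
    is_viewable TEXT NOT NULL DEFAULT 'N',  -- owner allows viewing by link
    can_use     TEXT NOT NULL DEFAULT 'N'   -- owner allows others to select it
);
"""

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO moodthemes VALUES (?,?,?,?,?)", [
        (1,   0, "Y", "N", "N"),  # system theme
        (100, 7, "N", "N", "N"),  # custom, private (the default)
        (101, 7, "N", "Y", "N"),  # custom, shared by link only
        (102, 7, "N", "Y", "Y"),  # custom, shared and usable by others
    ])
    return db

def theme_access(db, viewer_id, raw_theme_id):
    """Return (can_view, can_use) for a viewer and a theme id from the query string.

    viewer_id is None for a logged-out visitor.
    """
    try:
        theme_id = int(raw_theme_id)
    except (TypeError, ValueError):
        return (False, False)
    row = db.execute(
        "SELECT ownerid, is_public, is_viewable, can_use "
        "FROM moodthemes WHERE moodthemeid = ?", (theme_id,)).fetchone()
    if row is None:
        # Same answer as for a private theme, so walking the id range
        # does not reveal which ids exist.
        return (False, False)
    ownerid, is_public, is_viewable, can_use = row
    if is_public == "Y" or (viewer_id is not None and viewer_id == ownerid):
        return (True, True)
    view = is_viewable == "Y"
    return (view, view and can_use == "Y")
```
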
