Brad Whitaker (whitaker) wrote in lj_dev,
Brad Whitaker

Community Rename Security

With the resolution of Zilla Bug #593 and the subsequent disabling of community logins, communities are no longer able to use rename tokens, since that page requires the target user to be logged in. A user complained about this one day because they were able to purchase a rename token for their community, but then had no way to use it.

2 solutions:
1) Disable purchasing of rename tokens for communities (lame)
2) Add authas support to /htdocs/rename/use.bml (good)

The problem comes when we decide what the policy should be for using #2. Who should be allowed? Any maintainer? Only the original user? Some other criteria?

We've been discussing this internally for a few days now and the basic consensus is that any community maintainer should be able to do the rename... and the responsibility will be on communities to only have maintainers that should actually have full admin access to the community. Obviously the decision made here will eventually have repurcussions throughout the rest of the site, as we run into this problem in other places... so I wanted to make sure this was well thought-out.

All of the staff members seem to agree that allowing any maintainer is the right thing to do, but I just wanted to get some input from everyone to see if they have strong objections or better suggestions. Thoughts?

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded