More thoughts on securing series
Gervase Markham
gerv at mozilla.org
Mon May 24 23:18:23 UTC 2004
Joel and I just had a chat about securing charts. I won't do a timeless
and just quote the entire IRC log, leaving you to figure out what was
said ;-); here's an edited summary.
Basically, joel suggested a bunch of stuff (including some things which
have been proposed on the list) and I said what problems each idea had :-)
Further comments very welcome. I am willing to carve out time to fix
this properly, if Dave is willing to wait a few days for me to do so,
and help tighten up the review cycle for the patch.
Gerv
<snip>
Gerv: The problem with "release now with no migration, and migrate
later" is that if we migrate at the start, it's guaranteed to succeed
(no name clashes). If we migrate later, we have to deal with the issue
that the users may have created a series with a name we want to use.
Also, a non-zero number of installations on the 2.17 branch will have
migrated already.
joel: True. We just went through the same issue with adding a new system
group "admin".
joel: Though I think we place too much importance on the names as a key
- which doesn't survive renames. If we are going to have the permissions
follow those of a product, I would have a reference to the product's ID
in the tables, but show the product's name in the UI.
Gerv: But not all series are related to products. That's the point - the
names are totally arbitrary. [This is one of the big improvements over
the previous version.]
joel: If we want to name something after a product and that would have
caused a collision, prepend/append a character to make it unique.
Gerv: But that's really nasty. What happens if some series clash for a
particular product, but others don't? Sorting the mess out for an admin
would be a nightmare, particularly as they don't see private series. (It
would make their UI unmanageable.)
joel: I'd lean towards having the feature require enabling by the
administrator and default to "off", that way we don't make anyone leak
unless they are aware of the need to secure things.
Gerv: We could do that, i.e. migrate the lot and have a special group
for access, but that presents its own migration issues. For example, if
we later implement group-based security, how do we retroactively apply
it to all existing series? We can't make an admin do that by hand. There
are hundreds of them. We could make a hacky "guessing" algorithm which
tries to match product names to series categories, but I don't like that
idea much.
joel: We definitely should keep track of the product id when we
auto-migrate or auto-create and think hard about the defaults.
Gerv: But that makes some series special. What happens if we implement
series editing, and the series changes to something else? It's already
complicated enough :-) The only good answer is to fix this right.
Gerv