More thoughts on securing series
Joel Peshkin
bugreport at peshkin.net
Thu May 27 19:35:03 UTC 2004
Ok, here's the proposal.
When creating a series, the creator can select a product with which the
series is associated. The series is then only available/visible to
users for whom that product would be selectable. The ID of that product
is stored in the series table so that it will automatically track
product renames. It also makes it possible for product renames to
rename the series IF the associated series (or its category) has a name
that is identical to the name of the product.
When the series is run, it runs under the privileges of its creator.
(optionally - let the creator indicate that a subset of the creator's
privileges are to be used)
Migration code and product creation code populates the product ID for
any series created by that code, so there is no leak created.
More information about the developers
mailing list