rejetto forum

Password inheritance

Martok · 7 · 3509

0 Members and 1 Guest are viewing this topic.

Offline Martok

  • Occasional poster
  • *
    • Posts: 88
    • View Profile
Hello Rejetto,

for HFS 2.1, I have a suggestion which is (for me, at least) missing or confusing now.

When I have set user/pass or a user for a folder, this settings are also applied to it's subfolders. When I select 'restrict access'->ALL, all users are allowed to see this folder, but anonymous users cannot login.
Would it be possible to add an option 'Anonymous' to this menu?

For further explaining the sense of this:
My root is always protected, as I have most subfolders (about 20) that should be restricted. But there are folders I wish to be available for everyone (a public project I work on and my 'chat' using a shoutbox). It would be great to set them to 'Anonymous' instead of moving all others to a subfolder and protecting this one (path names would be too long to share them without writing).

Could you please think about this?
Cheers,

Martok


Anonymous

  • Guest
Martok
 I'm curious why you can't use:
Root-unprotected>Server Folder-unprotected> Guest-unprotected.
Then also in Server Folder>Reports-protected.
I'm setup that way, so guest can browse and download without
logging in. With List Protected Ony For Allowed turned on, someone
can log in and see "their" folders. I don't use anon log in at all.
Of course I'm not "public" from a search engine point of view.
Actually with my router and hfs on a timer I'm told I'm pretty well hidden!
Is there a security flaw in my structure?


Offline Martok

  • Occasional poster
  • *
    • Posts: 88
    • View Profile
Quote from: "Anonymous"
Martok
 I'm curious why you can't use:
Root-unprotected>Server Folder-unprotected> Guest-unprotected.
Then also in Server Folder>Reports-protected.
There is no direct reason, but it is....unpractical.
I would have to tell my "login-users" to go to mysite.dyndns.org/protected/thesite/
this is quite long, you see?

And it is at least confusing as I can set 'ALL' but this does not mean 'everyone' but 'all who can login'.

Quote
Is there a security flaw in my structure?
No, I am using this just because it was handy at the time I had no public folders.
Cheers,

Martok


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13291
    • View Profile
about the clearness problem, i suggest to change ALL and NONE to ALL ACCOUNTS and NO RESTRICTION.

about the feature you ask, ok, it's in 2.1 beta9.
please make some test to know if there are security flaws.


Offline Martok

  • Occasional poster
  • *
    • Posts: 88
    • View Profile
Great, it works just as I meant!

Some display things: the @anonymous entry does not get a check-mark when selected, also @anonymous does not appear in the VFS item's hint text.
But this is just a displaying issue, everything else is ok.
It asks me correctly to login if I go to another pretotected folder(parent, for example). Protected folders inside an anonymous are correctly hidden. Ao in conclusion, I think security is not a problem.

Big thanks for adding this!
Cheers,

Martok


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13291
    • View Profile
ok... bugs are fixed in beta10

anyway, i think the option "Visible only to anonymous users" can now be removed.
you can achieve it by protecting and enabling "List protected items only for allowed users".
well, having it is a slightly more flexible than that, but it was introduced because there was no @anonymous.


Anonymous

  • Guest
I see the point in restricting the public up load folder, but unless you are getting
hundreds of uploads per day, the public one works for all (for me at least)
with File Filter /*.
It is quicker because I only have one to check and virus scan.
Be advised that with @anonymous, its all or nothing. You cannot have it selected in
the restrictions and another account too. My test indicate then both will see the
public upload folder.
I probably didn't check it with all possible conditions, but the Visable To Anonymous
appeared to perform exactly the same way.
Its been possible to configure the root directory to meet all my server needs, so
far, so there are several features I never use.
 If @anonymous is going to stay, would it be possible to have it marked with a check mark
when selected ? That way I can be sure I haven't selected it by accident. :)