[Koha-devel] Re: FAQ: Why am I prompted to save a .pl file? was: Problems adding a biblio...
Chris Cormack
crc at liblime.com
Fri Sep 14 02:15:27 CEST 2007
On 14/09/2007, at 11:57 AM, Rick Welykochy wrote:
> Joe Atzberger wrote:
>
>> On 9/13/07, *Rick Welykochy* <rick at praxis.com.au
>> <mailto:rick at praxis.com.au>> wrote:
>> But it will be hard to turn CGI:Carp on in development and off
>> in production. Actually, it seems pretty easy to me. use
>> CGI::Carp qw(fatalsToBrowser);
>> ... # some code ...
>> fatalsToBrowser(0); # off
>> ... # more code ...
>> fatalsToBrowser(1); # back on
>> So you can decide to turn it on or off at runtime conditionally,
>> based on whatever you want. You wouldn't have to move code around
>> at all.
>
> Now we are getting somewhere. But we don't want a solution where the
> library installer has to edit perl source code, do we?
>
> Suppose my library's security policy is to disallow any errors or
> dumps of same to the browser. In this production case, ALL fatals
> to browser in all Koha scripts must be disabled.
>
> Rather than forcing the Koha sys admin / installer to edit all the
> scripts,
> this is my proposal:
>
>
> in a typical koha_whatever.pl script we have:
>
> use CGI::Carp qw(fatalsToBrowser); # trap errors to error_log
> and the browser
> :
> :
> fatalsToBrowser(0) if !Koha::Config->fatalstobrowser; # trap
> errors only to error_log if so configured
>
>
> This enables any Koha implementation to (a) see all fatal errors in
> error_log at all times and (b) disable the viewing of same in the
> browser
> if they see fit.
>
> All that is then needed is a new entry in /etc/koha.conf
>
> fatalstobrowser=1
>
> and all the installer needs to do once testing is complete and the
> system
> is ready for production (if they want):
>
> fatalstobrowser=0
>
>
Which actually takes me back to what I said :)
on the 12/9
"Mason has just suggested to me that we could do it with a syspref.
So you could turn it off if you wanted. (I know there is some school
of thought that exposing errors in the browser is a security risk)."
So not in the config file, but as a syspref then it can be toggled on
and off in the web interface, so if someone is reporting an error,
we can ask them to toggle it on, and cut and paste the error, then
toggle it off. Without having them edit the conf file
Chris
--
Chris Cormack chris.cormack at liblime.com
VP Research and Development www.liblime.com
LibLime +64 21 542 131
More information about the Koha-devel
mailing list