[Koha-devel] SQL reports [error]

Ian Walls koha.sekjal at gmail.com
Mon Apr 30 17:59:34 CEST 2012


I agree with Katrin; this is a very risky proposition and probably
shouldn't be added to the Koha codebase.

Not only is doing this securely hard, but it also makes the job of your
system support specialist much harder (speaking as a former professional
Koha support guy here).  If you're in a situation where you cannot access
MySQL directly, then there is a strong chance someone else is
administrating the database (or entire Koha installation) for you.  Making
database-level changes through the GUI could result in massive damage to
your data, and seriously ruin the day of your sysadmin.  If you need to
make these changes, I'd run it by whoever is responsible for the server,
and hopefully they can help you do it in a safe/sane way.  If you yourself
are the administrator of the server, then you should be able to do this
kind of work against MySQL directly, so adding a GUI-level interface would
be unnecessary.


-Ian

On Mon, Apr 30, 2012 at 11:44, Fischer, Katrin <Katrin.Fischer at bsz-bw.de> wrote:

> Hi Paul,
>
> I really don’t like the idea. I think if you want someone to make changes
> to the database, you should give them a proper tool and training to do that
> (outside of Koha). The interface for statistics is very limited and does
> not give feedback when your SQL statements have errors or produce no result
> sets. Also it seems like a big security risk to me.
>
> Katrin
>
> From: koha-devel-bounces at lists.koha-community.org [mailto:
> koha-devel-bounces at lists.koha-community.org] On Behalf Of Jared
> Camins-Esakov
> Sent: Monday, April 30, 2012 5:21 PM
> To: Paul Poulain
> Cc: koha-devel at lists.koha-community.org
> Subject: Re: [Koha-devel] SQL reports [error]
>
> Paul,
>
> On Mon, Apr 30, 2012 at 11:17 AM, Paul Poulain <paul.poulain at biblibre.com>
> wrote:
>
> Question to all = could it be a good idea to let superlibrarians execute
> dangerous SQLs like the one forbidden by the test?
> Otherwise asked: could we add a
> unless permission eq 'superlibrarian'
> condition?
>
> (i.e. "with great power comes great responsibility" - Spiderman's uncle)
>
> We were actually just discussing that on #koha a few days ago. I argued
> that only the database user (i.e. user 0) should be allowed to do it. If
> you have the direct login, there's nothing you can't do with the system
> just by logging into the database.
>
> Regards,
>
> Jared
>
> --
> Jared Camins-Esakov
> Bibliographer, C & P Bibliography Services, LLC
> (phone) +1 (917) 727-3445
> (e-mail) jcamins at cpbibliography.com
> (web) http://www.cpbibliography.com/
>
>
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/
>
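The two controls the thread contrasts, as an added example that is not Koha code and not anyone's posted code from this thread: an application-level keyword check in the spirit of "the test" Paul mentions, optionally bypassed for a 'superlibrarian' as he proposes, beside a connection that is read-only at the database layer, which is what makes Jared's "only the database user should be allowed to do it" enforceable. The keyword list, the `borrowers` table contents, the role names and the use of sqlite3 in place of Koha's MySQL are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Simplified keyword check, assumed for this example; it is NOT the check
# Koha's report module actually uses.
DANGEROUS_SQL = re.compile(
    r"\b(INSERT|UPDATE|DELETE|REPLACE|DROP|ALTER|CREATE|TRUNCATE|GRANT)\b",
    re.IGNORECASE,
)


def is_dangerous(sql):
    """True if the statement carries a data- or schema-modifying keyword."""
    return bool(DANGEROUS_SQL.search(sql))


def app_level_permits(sql, role):
    """The gate proposed in the thread: dangerous SQL is refused unless the
    application-level role is 'superlibrarian'.  Role names are assumed."""
    return not is_dangerous(sql) or role == "superlibrarian"


def open_report_db(read_only):
    """Open a small constructed database (sqlite3 stands in for MySQL).

    With read_only=True the connection itself refuses every write, so the
    application-level gate above is no longer the thing keeping the data
    safe.  In MySQL the equivalent is a separate account granted only
    SELECT on the Koha schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE borrowers (borrowernumber INTEGER PRIMARY KEY, surname TEXT)"
    )
    # Constructed sample rows.
    conn.executemany("INSERT INTO borrowers VALUES (?, ?)", [(1, "Smith"), (2, "Jones")])
    conn.commit()
    if read_only:
        # SQLite's query_only pragma: any INSERT/UPDATE/DELETE/CREATE/DROP
        # from here on fails with "attempt to write a readonly database".
        conn.execute("PRAGMA query_only = ON")
    return conn


def run_report(sql, role, read_only=True):
    """Run a report the way a GUI would: application gate first, then the
    database.  Always returns (status, detail) so the caller gets explicit
    feedback on refusals, errors and empty result sets."""
    if not app_level_permits(sql, role):
        return ("refused", "dangerous SQL not permitted for role %r" % role)
    conn = open_report_db(read_only)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        conn.close()
    if not rows:
        return ("empty", "query ran but returned no rows")
    return ("ok", rows)


if __name__ == "__main__":
    for sql, role, ro in [
        ("SELECT surname FROM borrowers ORDER BY surname", "librarian", True),
        ("DELETE FROM borrowers", "librarian", True),
        ("DELETE FROM borrowers", "superlibrarian", True),
        ("DELETE FROM borrowers", "superlibrarian", False),
        ("SELECT nope FROM borrowers", "librarian", True),
    ]:
        print(role, "read_only=%s" % ro, repr(sql), "->", run_report(sql, role, ro))
```

The point of the third case: a superlibrarian passes the application-level gate, yet the read-only connection still refuses the DELETE. Only the fourth case, a writable connection, actually modifies data, which is why the thread argues that access to such statements belongs with whoever holds the database login rather than with a GUI role. The last two cases also show the explicit error and empty-result feedback Katrin notes the statistics interface lacks.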