[Phpmyadmin-devel] [Phpmyadmin-svn] SF.net SVN: phpmyadmin:[11562] trunk/phpMyAdmin

Michal Čihař michal at cihar.com
Sun Sep 7 13:03:59 CEST 2008


Hi

Just a few comments on the recent changes to Swekey.

On Sat, 06 Sep 2008 12:41:35 +0000
lem9 at users.sourceforge.net wrote:

> Revision: 11562
>           http://phpmyadmin.svn.sourceforge.net/phpmyadmin/?rev=11562&view=rev
> Author:   lem9
> Date:     2008-09-06 12:41:34 +0000 (Sat, 06 Sep 2008)
> 
> Log Message:
> -----------
> latest Swekey fixes

>  <!-- Login form -->
> @@ -268,7 +243,7 @@
>  <?php } ?>
>          <div class="item">
>              <label for="input_username"><?php echo $GLOBALS['strLogUsername']; ?></label>
> -            <input type="text" name="pma_username" id="input_username" value="<?php echo htmlspecialchars($default_user); ?>" size="24" class="textfield" <?php echo $user_input_disabled; ?>/>
> +            <input type="text" name="pma_username" id="input_username" value="" size="24" class="textfield"/>
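Review bot: On the changed `pma_username` input line, the new markup drops the `$user_input_disabled` attribute along with the `htmlspecialchars($default_user)` value, so the field is now always empty and always editable. If the empty value is wanted only for the Swekey flow, make it conditional instead of unconditional, and keep the `htmlspecialchars()` escaping on whatever value is written back into the `value` attribute.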

What is the reason for dropping default_user here? It is used for user name
recall from the cookie.

> +	        Swekey_SetUnplugUrl(key, "pma_login", url + "/libraries/auth/swekey/unplugged.php?session_to_unset=<?php echo session_id();?>");
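Review bot: The `Swekey_SetUnplugUrl(...)` call places `session_id()` in the query string of the `unplugged.php` URL, which exposes the session identifier wherever URLs are recorded (server access logs, proxies, browser history, Referer headers). Pass a separate single-purpose token instead of the session id, or send the value in a POST body rather than in the URL.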

This still won't work if the user has disabled access to libraries, which is
what we suggest.

> +            function open_swekey_site()
> +            {
> +                window.open("http://www.swekey.com?promo=pma");
> +            }

Didn't we agree not to put any direct links to their website?

> +            var input_username = document.getElementById("<?php echo $input_name; ?>");
> +            var input_go = document.getElementById("<?php echo $input_go; ?>");
> +        	var swekey_status = document.createElement('img');
> +        	swekey_status.setAttribute('onClick', 'open_swekey_site()');
> +        	swekey_status.setAttribute('style', 'width:8px; height:16px; border:0px; vspace:0px; hspace:0px; frameborder:no');
> +            if (user == null)
> +			{
> +				swekey_status.setAttribute('src', 'http://artwork.swekey.com/unplugged-8x16.png');
> +				//swekey_status.setAttribute('title', 'No swekey plugged');
> +				input_go.disabled = true;
> +			}
> +			else
> +			{
> +				swekey_status.setAttribute('src', 'http://artwork.swekey.com/plugged-8x16.png');
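Review bot: Both `swekey_status.setAttribute('src', 'http://artwork.swekey.com/...')` calls load an image from a third-party host over plain http on the login page, so every display of the login form is disclosed to that host and the page becomes mixed content when phpMyAdmin is served over https. Ship the two icons with phpMyAdmin and reference them by a local path. In the `style` string, `vspace`, `hspace` and `frameborder` are HTML attributes rather than CSS properties and have no effect there, and the `$input_name` and `$input_go` values echoed into the `getElementById("...")` string literals should be escaped for a JavaScript string context unless they are fixed constants.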

Do we have to use external images?


> @@ -4,6 +4,9 @@
>   * Version 1.0
>   * 
>   * History:
> + * 1.2 Use curl (widely installed) to query the server
> + *     Fixed a possible tempfile race attack
> + *     Random token cache can now be disabled 
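Review bot: The history block gains a 1.2 entry while the header line just above it still reads `Version 1.0`; update the version line in the same change so the file header and the history agree. The entry "Fixed a possible tempfile race attack" would also be easier to audit if it named the function that was changed.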

Documentation should mention the curl requirement.

>   * 1.1 Added Swekey_HttpGet function that support faulty servers 
>   *     Support for custom servers 
>   * 1.0 First release  
> @@ -54,6 +57,12 @@
>  if (! isset($gSwekeyStatusServer))
>      $gSwekeyStatusServer = 'http://auth-status.musbe.net';
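Review bot: The context lines show `$gSwekeyStatusServer` still defaulting to `http://auth-status.musbe.net`, so the status answer travels unauthenticated and can be altered by anyone on the network path. If the server supports it, default to an https URL and have the curl query mentioned in the 1.2 history entry verify the server certificate.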

Why is the default still http?

> -define ("SWEKEY_STATUS_STOLLEN",4);	   // The key was stolen (typo kept for backward comp)
> -define ("SWEKEY_STATUS_STOLEN",4);	   // The key was stolen
> +define ("SWEKEY_STATUS_STOLLEN",4);	   // The key was stollen
> +define ("SWEKEY_STATUS_STOLEN",4);	   // The key was stollen
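Review bot: Both `define` lines now carry the comment "The key was stollen", which puts the misspelling on the correctly named `SWEKEY_STATUS_STOLEN` and drops the note that `SWEKEY_STATUS_STOLLEN` is kept only for backward compatibility. Restore the two original comments so a later cleanup does not remove the alias by accident or treat the misspelled name as the canonical one.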

Why introduce a typo and remove the explanation comment?

-- 
	Michal Čihař | http://cihar.com | http://phpmyadmin.cz