[Bug 792] security: CLI should require authentication if HTTP does

2005-02-26, 07:39

Peter and I have been discussing the implementation of CLI security on
Bugzilla and here are our conclusions so far:

(a) Options in the Security tab of the Server Preferences apply to CLI
and HTTP. There are no separate settings for each.

(b) CLI security is enforced when the connection is established. If the
Server Prefs are changed, existing connections are unaffected.

(c) A new "login user password" command is added to the CLI. If
successful, it returns "login user ****"; if not, the connection is
dropped by the server. Any other command issued if login is required
has the same effect: the connection is dropped.

The reason for the disconnection is that the CLI has no status code.
There is no indication in the returned CLI data that the command was
successful or not. Introducing this would be a good idea for the future
but for the meantime, disconnection has the desired effect on any
client: something is wrong. This keeps compatibility to a maximum while
enforcing the security.

Comments welcomed, in particular by any CLI user out there.
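
The behaviour proposed in points (a) to (c), modelled as an added example that is not part of the original post and is not the server's own code. The class names, the space-separated command parsing, the echo of ordinary commands and the handling of "login" when no login is required are assumptions; the credentials are constructed.

```python
import hmac


class ServerPrefs:
    """Point (a): one set of security settings shared by CLI and HTTP."""
    def __init__(self, auth_required, username, password):
        self.auth_required = auth_required
        self.username = username
        self.password = password


class CliSession:
    """One CLI connection (hypothetical model of the proposal)."""
    def __init__(self, prefs):
        self.prefs = prefs
        # Point (b): the requirement is fixed when the connection is
        # established; later preference changes do not affect this session.
        self.needs_login = prefs.auth_required
        self.open = True

    def _drop(self):
        # The CLI has no status code, so failure is signalled by disconnecting.
        self.open = False
        return None

    def handle_line(self, line):
        """Return the reply line, or None when the server drops the connection."""
        if not self.open:
            return None
        parts = line.strip().split(" ")
        if parts[0] == "login" and len(parts) == 3:
            if self.needs_login:
                # Constant-time comparison of both fields; no early exit.
                user_ok = hmac.compare_digest(parts[1].encode(), self.prefs.username.encode())
                pass_ok = hmac.compare_digest(parts[2].encode(), self.prefs.password.encode())
                if not (user_ok and pass_ok):
                    return self._drop()
                self.needs_login = False
            # Point (c): the reply never echoes the password back.
            return "login " + parts[1] + " ****"
        if self.needs_login:
            # Point (c): any other command before a successful login drops too.
            return self._drop()
        # Assumption: stands in for normal command handling, which is not modelled.
        return line.strip()
```

A client written against this behaviour has to treat an unexpected disconnect after its first command as "authentication required or failed", since no other signal is available.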