phpgroupware-users

Re: [Phpgroupware-users] FAQ? and admin authentication bugs


From: Chris Weiss
Subject: Re: [Phpgroupware-users] FAQ? and admin authentication bugs
Date: Tue, 10 Sep 2002 13:36:04 +0000

Patrick Price (address@hidden) wrote*:
>
>Is there a phpGroupWare FAQ?
>
>Some things I'd like to see or which would have helped during installation:
>
>ICONS
>Instructions to install alternate application icons.  The navbar is one
>style while the app icons look like they were designed for the web from
>10 years ago.  Is there a collection?

currently no.  There is an option in most templates to use text instead of icons
but that's about it.  The apps themselves define their icon so it would be rather
difficult to make a global set of icons.

>
>INSTALLATION
>Integration of generating header.inc.php and the setup/config functions.
> They seem to be two different functions and having one login for each
>doesn't make sense from a user standpoint. They are both critical to
>getting the basic site working.  Why cannot header admin be called from
>one main config setup screen?  Failing this, a quick install guide to
>explain this clearly, however....

Makes perfect sense if you have ever installed a web based database driven app
before.  The difference is most apps make you edit the "header" manually to set the
database login and such.  phpGW is one of the few that gives you a gui for it.  I
don't know the reason for 2 different passwords, but I'm sure there's a good one.

>
>... there is a BIG problem how these two (Header manage and setup/config
>admin) authenticate.
>
>I can login to header admin, hit back button, then hit reload, and I get
>the setup/config screen!  No setup/config password required!
>
>The reverse also works.  Login (after closing browser) to setup/config
>screen, then enter URL /phpgroupware/setup/manageheader.php.  No
>password required!
>

very interesting, but it only works when the two passwords are the same.

>The third problem with this is that once logged into setup/config admin,
>you cannot get the header admin login nor any links to header admin -
>you always get the setup/config admin if you go to /phpgroupware/setup
>until you close your browser and try again.

are you clicking the logout link?  Granted, it could be easier to see.

>
>This is obviously broken.  This works the same way even if the two admin
>passwords are not the same.  Why two separate logins for two admin
>functions which are both critical and basically do the same things?
> Dependencies of setup admin on the header having been generated?  Bah.

it's only broken in the sense that you are not familiar with the way web based
applications work.  The two sections do not do the same thing, one sets up the site
so it can access the database and work on your web server, the other installs apps
and sets up the database for the application to work.

>
>
>DOCUMENTATION
>Better documentation!  There's no information on security during
>install.  I'll contribute if someone tells me how.  If I can figure out
>how to make something work, I can document what I learn about it.

Docs are lacking, but this is also still BETA and evolving.  There is also a doc team
which I haven't heard from in a while.

>
>1: A quick TEXT install guide in the /phpgroupware root directory
>instead of having to dig around for /doc/en_US/html/admin/ to find the
>directions.  UNIX people always look for an INSTALL or README file and
>there's nothing of the sort.  I did find the /doc/README which contains:
>
>PLEASE SEE THE index.html OR index.txt files.
>
>which doesn't tell you where these files are.

This is becoming more common in UNIX apps to have all docs in the doc dir,
including the classic README and INSTALL files.  It is also becoming more common to
provide all the classic files, but only one of them be of any use.  I'd rather open
the one file that possibly could be a doc, be it a README INSTALL doc.txt or
whatever, than have to open 2 or 3 files that tell me where the real docs are.

>
>2: No mention of file ownership for other files, only the /files subdir.
> It is implied that the webserver only needs to write to the /files and
>/tmp directories but not sure if this is true.  Do I chown all
>/phpgroupware files to be owned by the webserver process?  The docs
>don't mention this.  Security...

I'm not sure about the temp dir, but the first time you try to use the /files/ dir
it provides the needed info.  Also could be made more clear.

>
>I'm not carping on the project, but see instead a lot of Easily Solved
>things that will scare people away, and I want to find a good PHP
>groupware platform to work with.
>
>Patrick Price
>West Virginia University
>

Usability is something that I personally find hard to code, and especially when I'm
more worried about the back end working correctly.  I think a lot of developers can
relate to this.  I know the phpGW team is always open to suggestions on how to make
it better, but so far you've only stated what you see as problems.  Looking forward
to suggestions on how to "fix" it.
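
The report quoted above is that a login to one setup area carries over to the other. As an added example that is not part of the original e-mail and not phpGroupWare's code, this PHP shows one way to keep two admin logins separate: each area gets its own session flag, so one login does not satisfy the other even when both passwords are the same. All function and key names are hypothetical, the credentials are constructed, and a plain array stands in for `$_SESSION`.

```php
<?php
// Added example: hypothetical names throughout, not phpGroupWare code.
// Two admin areas, each with its own stored hash and its own session flag.
const AREAS = ['header', 'config'];

// Constructed sample data: both areas deliberately share one password,
// the case in which a shared credential check would let one login
// unlock both areas.
function sample_hashes(): array {
    return [
        'header' => password_hash('same-secret', PASSWORD_DEFAULT),
        'config' => password_hash('same-secret', PASSWORD_DEFAULT),
    ];
}

// Log in to exactly one area. Success sets only that area's flag.
// In a real request, call session_regenerate_id(true) after success.
function admin_login(array &$session, array $hashes, string $area, string $password): bool {
    if (!in_array($area, AREAS, true)) {
        return false;                      // unknown area: refuse
    }
    if (!password_verify($password, $hashes[$area])) {
        return false;                      // wrong password for this area
    }
    $session['admin_auth'][$area] = true;
    return true;
}

// Every page checks the flag for its own area before doing any work.
function admin_is_authenticated(array $session, string $area): bool {
    return ($session['admin_auth'][$area] ?? false) === true;
}

// Logging out of one area leaves the other area's state untouched.
function admin_logout(array &$session, string $area): void {
    unset($session['admin_auth'][$area]);
}

// Demo: log in to the header area only, then query both areas.
$hashes  = sample_hashes();
$session = [];                             // stands in for $_SESSION
admin_login($session, $hashes, 'header', 'same-secret');
foreach (AREAS as $area) {
    echo $area, ': ', admin_is_authenticated($session, $area) ? 'allowed' : 'login required', PHP_EOL;
}
admin_logout($session, 'header');
echo 'after logout, header: ', admin_is_authenticated($session, 'header') ? 'allowed' : 'login required', PHP_EOL;
```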




