Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

Jonathan,

That is just wrong. Security is not just one thing. I don't see any reason to require a password for certain actions. Have you ever ordered something from Amazon.com?

Increasing the security of certain forms is a good idea. Requiring authentication for certain actions is a good idea. Improving the signing of variables is a good idea.

The way to secure against an unknown vulnerability is to have security in layers. Site-wide admin actions such as granting site-wide admin privilege are the type of action that can require additional authentication.