Forum .LRN Q&A: Re: Re: .LRN Security

3: Re: Re: .LRN Security (response to 2)
Posted by Michael Sachnik on
Hi Dirk, my concern is if it's possible for somebody without a password to hack into the system and get data or any information. The other thing is if it is possible for a registered user to hack into another account (without his password) and get data or information from him. I think that a good hacker can do that, but does .LRN provide any security besides the password login? (SSL, for example) Thanks! Michael
4: Re: Re: Re: .LRN Security (response to 3)
Posted by Dirk Gomez on
No, those things .LRN is pretty well protected against :) SSL is a webserver setting, not an application setting. And AOLserver, the webserver for .LRN, supports SSL. .LRN has object-level security: basically, for every object in the system you can answer the question "has user x the permission to do y on object z?". The permissioning model is hierarchical and at times fairly complex, but well-understood. Another big security plus of .LRN is ad_page_contract, a programming function which makes it quite easy and comfortable to check user input. As a community, I think both .LRN and OpenACS are quite security-conscious. Why and, more importantly, how do you think a good hacker can turn around a .LRN system?
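
Added example (not part of the thread and not .LRN or OpenACS code): a simplified Python model of the hierarchical check "has user x the permission to do y on object z?" described in the reply above, with deny-by-default and a way to switch off inheritance. The object names, users, groups and the privilege tree are constructed assumptions, as are the names `Obj`, `implied` and `has_permission`.

```python
from dataclasses import dataclass, field

# Constructed privilege tree: holding a privilege implies everything below it.
PRIVILEGE_CHILDREN = {"admin": {"read", "write", "delete"}, "write": {"read"}}

def implied(privilege):
    """Return the privilege plus everything it implies, transitively."""
    seen, stack = set(), [privilege]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(PRIVILEGE_CHILDREN.get(p, ()))
    return seen

@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None
    inherit: bool = True  # False cuts the object off from its parent's grants
    grants: set = field(default_factory=set)  # {(party, privilege)}

def has_permission(user, privilege, obj, groups):
    """Answer "has user x the permission to do y on object z?"; deny by default."""
    # A user acts as themselves and as every group they belong to.
    parties = {user} | {g for g, members in groups.items() if user in members}
    node = obj
    while node is not None:
        for party, granted in node.grants:
            if party in parties and privilege in implied(granted):
                return True
        # Walk up the hierarchy only while inheritance is enabled.
        node = node.parent if node.inherit else None
    return False

# Constructed sample data: a site, one class community, and a private gradebook.
GROUPS = {"class-101-members": {"alice", "bob"}, "class-101-staff": {"carol"}}
site = Obj("site")
class_101 = Obj("class-101", parent=site)
class_101.grants |= {("class-101-members", "read"), ("class-101-staff", "admin")}
forum_post = Obj("forum-post", parent=class_101)
gradebook = Obj("gradebook", parent=class_101, inherit=False)
gradebook.grants.add(("carol", "write"))

if __name__ == "__main__":
    for who, what, target in [("alice", "read", forum_post), ("alice", "write", forum_post),
                              ("carol", "delete", forum_post), ("alice", "read", gradebook),
                              ("mallory", "read", forum_post)]:
        print(who, what, target.name, has_permission(who, what, target, GROUPS))
```

The gradebook case shows why the inheritance switch matters: a class member who can read everything else in the community still gets no access to an object that has opted out of its parent's grants.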