  1. #1
    Join Date
    Mar 2006
    Location
    Zevenbergen, NL
    Posts
    40
    Plugin Contributions
    0

    Default Beta over protected?

    After playing around for a while with the Beta 1.5, I have some concerns about the new protection model; it appears to me to be over-protected.

    First I will make clear that I am thankful for all the work the developers are putting into ZC, and that this is in no way an attack but just some considerations that may or may not appeal to other users.

    While I have never used credit cards and do not intend to use them in the future, I see the fixed password renewal period of 90 days as very restrictive.
    I am not against this forced renewal, but 90 days is too short, and an adjustable period would be appreciated.
    It is a high load maintaining double passwords (user/super user) for multiple stores.

    I always used the admin-profiles add-on to clean up the admin of unused menu items to keep it usable on lower screen resolutions, not for additional users.
    In the new implementation I am forced to create a second user to get this behaviour, meaning I have to remember a second username/password, multiplied by the number of stores, that has to be renewed every 90 days.
    (I think my most visited page will be 'password forgotten' in the future.)

    So a config setting for this PA-DSS (on/off) and the password renewal time (90-365) would be appreciated.
    Also, making the profile of the super-user editable would make sense to me.

    In all those years I never locked myself out by changing the profile, and some self-discipline may be expected from the users.
    (Do you refuse to teach your kid to walk just because of the risk that he could fall?)

  2. #2
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: Beta over protected?

    I don't think you'll find many people who disagree with your sentiments. Trouble is, if Zen Cart is to be PA-DSS-compliant, it's the view of the people writing and interpreting the PA-DSS requirements that ends up making the decisions.

    However ...

    Minimum password renewal frequency is mandated by the regs. Zen Cart is already using the longest allowable, so any adjustable period would need to be capped at 90 days.

    And a config setting that allowed the features that had to be built in to meet PA-DSS requirements to be turned off would prevent PA-DSS compliance from being granted.

    On the question of the Superuser profile being editable, that's not technically possible as super users (you can have more than one) bypass the profile system when accessing menus and pages - that's what makes them super users.

    There has to be one, in that one is created during installation/upgrade, and it's not possible to delete the last one, for user protection. I appreciate your diligence in never locking yourself out, but other people do make mistakes, and there are regular forum requests from users in a panic on this specific issue. There's a reason why the relevant FAQ article was the second to be added.

    But that doesn't mean that you have to maintain a superuser. If you're not going to use it, create the user profile you want and just forget about the super user.
    Kuroi Web Design and Development | Twitter

    (Questions answered in the forum only - so that any forum member can benefit - not by personal message)

  3. #3
    Join Date
    Mar 2006
    Location
    Zevenbergen, NL
    Posts
    40
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I understand that regs have to be followed to get the certification, and again I see a beautiful open source project killed by external regulations.
    I have not dived into the source code yet, but this over-bureaucratic ruleset, leaving no room for other applications of the software package, is asking for a tweaked branch of the main program.
    (I have read all the docs regarding this issue, so I know the limitations imposed by it.)
    This certification is a killer for showcase-only applications and for those not using credit cards in any way.

    I will wait for the final release and then see if I can make an uncertified version, because I love ZC too much to abandon it.

  4. #4
    Join Date
    Nov 2006
    Location
    Dartmouth, NS Canada
    Posts
    2,378
    Plugin Contributions
    0

    Default Re: Beta over protected?

    I too feel the 90 day rollover for admin passwords is awful. But the 'crats in control of PA-DSS have made up their minds and mustn't be confused with other opinions. But let's take a poll: hold your hand up if you think a password requirement that forces people to write the password down is a good idea. ... Nobody? Right!

    Rob

  5. #5
    Join Date
    Mar 2006
    Location
    Zevenbergen, NL
    Posts
    40
    Plugin Contributions
    0

    Default Re: Beta over protected?

    Quote Originally Posted by kuroi View Post
    But that doesn't mean that you have to maintain a superuser. If you're not going to use it, create the user profile you want and just forget about the super user.
    I do not think that it will work that way, because after installing a mod that creates an extra admin page, access has to be granted by..... right, the superuser.

    And that was the main reason for using the old add-on: to make room in the menus for extra menu points for those who don't use a 32" screen or bigger.
    (My mainly used screen is only 10", with a resolution of 1024x600 pixels.)

  6. #6
    Join Date
    Apr 2006
    Location
    London, UK
    Posts
    10,569
    Plugin Contributions
    25

    Default Re: Beta over protected?

    Quote Originally Posted by asekeris View Post
    I do not think that it will work that way, because after installing a mod that creates an extra admin page, access has to be granted by..... right, the superuser.
    That's not correct. Access can be granted by anybody who has the profiles page in their profile. There's no need for them to be a superuser.
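    The access model kuroi describes in posts #2 and #6 (superusers bypass the profile system, anyone whose own profile includes the profiles page can grant access to a new admin page, and the last superuser cannot be deleted), together with the adjustable-but-capped password renewal interval from post #2, modelled as an added Python example. This is illustrative code written for this page, not Zen Cart's admin code; the page identifier `profiles`, the class and function names, the 90-day constant, and the sample users are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Longest rotation interval the thread says PA-DSS permits (assumption taken from post #2).
PA_DSS_MAX_ROTATION_DAYS = 90
# Hypothetical identifier for the profile-management admin page.
PROFILES_PAGE = "profiles"


class AccessError(Exception):
    """Raised when an actor lacks the page needed for an operation."""


@dataclass
class AdminUser:
    name: str
    superuser: bool = False
    # Pages reachable through this user's profile; ignored for superusers.
    pages: set[str] = field(default_factory=set)
    password_changed: date = date(2000, 1, 1)


@dataclass
class AdminStore:
    users: dict[str, AdminUser] = field(default_factory=dict)
    rotation_days: int = PA_DSS_MAX_ROTATION_DAYS

    def add_user(self, user: AdminUser) -> None:
        self.users[user.name] = user

    def set_rotation_days(self, days: int) -> None:
        """Adjustable interval, but never longer than the standard's maximum."""
        if not 1 <= days <= PA_DSS_MAX_ROTATION_DAYS:
            raise ValueError(f"rotation must be 1..{PA_DSS_MAX_ROTATION_DAYS} days")
        self.rotation_days = days

    def password_expired(self, user: AdminUser, today: date) -> bool:
        return (today - user.password_changed).days >= self.rotation_days

    def can_access(self, user: AdminUser, page: str) -> bool:
        # Superusers bypass the profile check entirely; everyone else needs the page.
        return user.superuser or page in user.pages

    def grant_page(self, actor: AdminUser, target: AdminUser, page: str) -> None:
        # Anyone whose profile includes the profiles page can grant access.
        if not self.can_access(actor, PROFILES_PAGE):
            raise AccessError(f"{actor.name} cannot manage profiles")
        target.pages.add(page)

    def delete_user(self, actor: AdminUser, target: AdminUser) -> None:
        if not self.can_access(actor, PROFILES_PAGE):
            raise AccessError(f"{actor.name} cannot manage profiles")
        remaining_supers = sum(u.superuser for u in self.users.values())
        if target.superuser and remaining_supers == 1:
            raise AccessError("cannot delete the last superuser")
        del self.users[target.name]


def build_demo_store() -> AdminStore:
    """Constructed sample data: one superuser, one profile admin, one plain clerk."""
    store = AdminStore()
    store.add_user(AdminUser("admin", superuser=True, password_changed=date(2024, 1, 1)))
    store.add_user(AdminUser("shopowner", pages={PROFILES_PAGE, "orders"}))
    store.add_user(AdminUser("clerk", pages={"orders"}))
    return store


def demo() -> dict[str, bool]:
    """Run each rule from the thread once; every value should be True."""
    store = build_demo_store()
    admin, owner, clerk = store.users["admin"], store.users["shopowner"], store.users["clerk"]
    results: dict[str, bool] = {}
    results["super_bypasses_profile"] = store.can_access(admin, "new_mod_page")
    results["clerk_blocked_before_grant"] = not store.can_access(clerk, "new_mod_page")
    try:
        store.grant_page(clerk, clerk, "new_mod_page")
        results["clerk_cannot_self_grant"] = False
    except AccessError:
        results["clerk_cannot_self_grant"] = True
    store.grant_page(owner, clerk, "new_mod_page")  # a non-superuser grants successfully
    results["clerk_allowed_after_grant"] = store.can_access(clerk, "new_mod_page")
    try:
        store.delete_user(owner, admin)
        results["last_super_protected"] = False
    except AccessError:
        results["last_super_protected"] = True
    results["not_expired_at_60_days"] = not store.password_expired(admin, date(2024, 3, 1))
    results["expired_at_91_days"] = store.password_expired(admin, date(2024, 4, 1))
    try:
        store.set_rotation_days(365)
        results["cap_enforced"] = False
    except ValueError:
        results["cap_enforced"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

    The point of the model is the one kuroi makes: the profile system is the authorization layer, and a superuser is simply an account that skips it. Granting a freshly installed mod's page therefore needs an actor who can reach the profiles page, not a superuser, while the cap in `set_rotation_days` shows why an adjustable interval could only ever shorten the 90 days, never lengthen them.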

  7. #7
    Join Date
    Dec 2009
    Location
    Amersfoort, The Netherlands
    Posts
    2,846
    Plugin Contributions
    25

    Default Re: Beta over protected?

    Why not make it optional to make Zen PA-DSS-compliant? I don't care whether it is compliant, but I love Zen Cart. To renew my password every 90 days seems ridiculous.

    The easiest way would be to make an admin option with a warning about not being PA-DSS-compliant, and let me choose whether to be compliant or not; or am I missing something in the big picture?

  8. #8
    Join Date
    Jun 2003
    Posts
    33,715
    Plugin Contributions
    0

    Default Re: Beta over protected?

    Perhaps you'll complain to the PCI/credit card folks? It is their rule and to get PA-DSS Certified, we have to follow the rules.
    Please do not PM for support issues: a private solution doesn't benefit the community.

    Be careful with unsolicited advice via email or PM - Make sure the person you are talking to is a reliable source.

  9. #9
    Join Date
    Mar 2006
    Location
    Zevenbergen, NL
    Posts
    40
    Plugin Contributions
    0

    Default Re: Beta over protected?

    This asks for a new mod for those not willing to follow the PA-DSS rules, where some settings could be altered while keeping the core system ready for certification.

    Most of the rules make sense and should be left untouched, whereas others beg for tweaking if you don't need this certification.
    Let the team do their good work, and when it is released, dive into the code to make a nice tweak for this point, because anything that smells like relaxation of the rules would prevent certification.

  10. #10
    Join Date
    Nov 2004
    Location
    Norfolk, United Kingdom
    Posts
    3,036
    Plugin Contributions
    2

    Default Re: Beta over protected?

    Trying to have a cart which can maintain PA-DSS Certification may not be so much a "Holy Grail" as a "Poisoned Chalice". Why? Because they keep changing their requirements, always increasing security levels, and so the cart will have to be constantly updated to keep up with their changes. And site owners, who already have a lamentable record when it comes to upgrading, will have to constantly upgrade to maintain PA-DSS Certification.

    It's only my 2c worth, so feel free to ignore it, but my view is that only commercial software such as Magento Enterprise Edition (where site owners pay big bucks to keep it updated for them) will be able to keep up with these requirements. I can't see an Open Source cart being able to do it.

    Vger
