2023-01-05 Meeting notes

https://docs.google.com/document/d/104vSgLvfi5zyQk3PT0S3z-9KnO-9pAwdxHne_CnLHTQ/edit#

For PC review, new module that corrects security defect in mod-config with a new module called mod-settings
Mod-cofig stores permissions for apps, ex: ldp stores connection details for databases, Users stores list of users who are special and cannot be edited (admins)
Security flaw - only 2 permissions read/write, applies to all modules, if you can write to one, you can write to them all

TC yesterday looked at TCR-24 and Ingolf and Jeremy said they would do the review,

Initiative in TC to fix with a distributed config, but a lot of duplication of effort and potential confusion due to overlap
Easier way to fix the security flaw is to implement a separate module rather than adjust existing module(s) and use a more modern framework
Mod Settings, deprecate mod config eventually
Setting consists of an identifier, scope name of module or more specific, read some write others, sep scope
Admins can change other users settings and their own
3 permissions for each scope -- read, write, delete, much smaller module

For other dev teams to use this – there will be a migration guide to move off of mod-config onto mod-settings, but doing that is not required. Define permissions, change paths, handle new error states that didn’t exist before.

PC members will look at the document and Kristen posted to the PC channel and Mike and Charlotte can answer questions there. Take a formal vote next week.