I am working on a central login system for an application written in Django with MediaWiki wikis and Roundup bug trackers. Currently, the method I'm thinking of is to use the AuthDjango extension for MediaWiki (https://bitbucket.org/toml/django-mediawiki-authentication/src) and hack something similar for Roundup. This method is based on creating a SessionProfile model in Django that maps session identifiers (taken from cookies) to user instances, and MediaWiki / Roundup access the data directly, querying the Django database.
The advantage of this is that the login, session, and logout processes in all three applications are easily combined. However, the problem is that it requires MediaWiki / Roundup to store credentials for the Django database, and the requirements for accessing MediaWiki or Roundup accounts are intentionally less stringent than for the main Django application (currently only one person has access to the Django product). Thus, the administrators of the MediaWiki / Roundup instance (i.e., with shell access) or anyone who breaks in through a remote exploit could potentially grab user accounts on the main site.
So my question is: does anyone know a better way to integrate the login mechanisms of these systems? Or, how can I provide MediaWiki / Roundup with secure access to the Django database and minimize the chance of abuse by people with access to the MediaWiki shell?
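One least-privilege arrangement for the second question, as an added example that is not part of the original post and not code from the AuthDjango extension: assuming PostgreSQL, Django's standard `auth_user` table and a hypothetical `accounts_sessionprofile(session_key, user_id, expire_date)` table for the SessionProfile model, each consumer gets its own database role that can read only a view of the session-to-username mapping, so password hashes and the rest of the schema are never reachable with the wiki's or tracker's credentials.

```sql
-- Assumed schema: Django's auth_user plus a hypothetical
-- accounts_sessionprofile(session_key, user_id, expire_date) table
-- written by the Django side whenever a session is created.

-- One role per consumer, so a leaked wiki credential can be
-- revoked without touching the bug tracker (passwords are placeholders).
CREATE ROLE mediawiki_sso LOGIN PASSWORD '<from-secret-store>';
CREATE ROLE roundup_sso   LOGIN PASSWORD '<from-secret-store>';

-- The view exposes only what an SSO lookup needs: which active user
-- owns a live session. Password hashes, staff/superuser flags and
-- every other table stay invisible to these roles.
CREATE VIEW sso_active_session AS
SELECT sp.session_key,
       u.username,
       u.email
FROM accounts_sessionprofile AS sp
JOIN auth_user AS u ON u.id = sp.user_id
WHERE sp.expire_date > now()
  AND u.is_active;

-- PostgreSQL runs a view with the privileges of its owner (the Django
-- DB user that created it), so the consumer roles need no grant on the
-- underlying tables at all.
GRANT USAGE  ON SCHEMA public        TO mediawiki_sso, roundup_sso;
GRANT SELECT ON sso_active_session   TO mediawiki_sso, roundup_sso;
-- No INSERT/UPDATE/DELETE anywhere: a compromised wiki host cannot
-- create, extend or reassign sessions through this connection.

-- The only query the wiki or tracker ever runs; no row means
-- "not logged in", because expiry and is_active are enforced in the view.
-- SELECT username, email FROM sso_active_session WHERE session_key = $1;
```

The view still reveals live session keys to the wiki host, so Django's session expiry bounds how long a wiki-side compromise stays useful; issuing a separate per-consumer token instead of sharing Django's own session cookie value would remove that exposure entirely.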