Database Connection Security!

I just caught a very important security issue that I had missed! The SQLPAS PlonePAS module requires a database connection to the user/password tables. Since you can’t add a Z MySQL DB Connection (or any dbc for that matter) in the acl_users folder, I left it at the top level root directory. This unfortunately has the effect of making that database connection usable to students in the Members directory, by acquisition! They could conceivably then do a SHOW TABLES, etc to find out student info, including grades!

The solution was to create a Z MySQL DB Connection with the exact same id and create it in the Members folder. That way, if a student creates a Z SQL Method the only connection that he/she sees would be the one to the test database, not the student info db!