Edit Security

How the editing mechanism is secured.

Updated:
Tue, Mar 02, 2010

WYSIWYG Security

Presently (as of 02-15-2010), the existing core code base relies on the edit pages and subsequent read/write functions being placed in a secure "MEMBERS" folder. The general expectation is that most of the people using this will likely be using an inexpensive hosting company, a shared Linux host without full admin or root access. In our implementation here we are simply using the .htaccess methodology provided by our hosting company DirectNIC.com to prevent access to the program pages themselves. No logic is currently present within our code base to control edit rights.
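Because the .htaccess file is the only control on the edit pages, it is worth checking that it actually restricts the folder. The following is an added example, not part of the project's code base: it audits the MEMBERS folder's .htaccess for a missing file, a missing or commented-out restriction, and a password file stored inside the web root. The function name, sample paths and finding texts are assumptions made for illustration.

```python
import os
import re
import tempfile

# Directives that make Apache demand credentials or refuse every request.
RESTRICT = re.compile(
    r"^\s*(Require\s+(valid-user|user\s|group\s|all\s+denied)|Deny\s+from\s+all)", re.I | re.M)
AUTH_FILE = re.compile(r'^\s*AuthUserFile\s+"?([^"\r\n]+?)"?\s*$', re.I | re.M)


def audit_members_dir(docroot, members="MEMBERS"):
    """Return findings for docroot/members; an empty list means none were found."""
    htaccess = os.path.join(docroot, members, ".htaccess")
    if not os.path.isfile(htaccess):
        return ["no .htaccess: edit pages are publicly reachable"]
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        # Drop comment lines so a commented-out directive does not count.
        text = "\n".join(ln for ln in fh.read().splitlines()
                         if not ln.lstrip().startswith("#"))
    findings = []
    if not RESTRICT.search(text):
        findings.append("no Require/Deny directive: folder is not restricted")
    match = AUTH_FILE.search(text)
    if match:
        # Assumes an absolute path, as shared-host control panels usually write it.
        pw, root = os.path.realpath(match.group(1)), os.path.realpath(docroot)
        if os.path.commonpath([pw, root]) == root:
            findings.append("AuthUserFile is inside the document root")
    return findings


def demo():
    """Audit constructed document roots (sample data) and return findings for each."""
    base = tempfile.mkdtemp()
    cases = {
        "good": "AuthType Basic\nAuthUserFile /home/example/.htpasswd\nRequire valid-user\n",
        "commented": "AuthType Basic\n# Require valid-user\n",
        "exposed": "AuthType Basic\nAuthUserFile {root}/MEMBERS/passwords.txt\nRequire valid-user\n",
    }
    results = {}
    for name, body in cases.items():
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "MEMBERS"))
        with open(os.path.join(root, "MEMBERS", ".htaccess"), "w") as fh:
            fh.write(body.format(root=root))
        results[name] = audit_members_dir(root)
    results["missing"] = audit_members_dir(os.path.join(base, "nowhere"))
    return results
```

A clean result only covers the file's contents: the directives take effect only if the host's `AllowOverride` setting permits authentication directives in .htaccess, so also request an edit page without credentials and confirm the server answers 401 or 403.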

In terms of a wider distributed user base, this is less of an issue than it might seem. A small company could, for example, remove the edit pages from the live site and host them internally on their own Intranet or even on individual local workstations. This would, in a single step, restrict any public access to edit functionality while providing easy access for employees to edit their web site. A secondary benefit of this type of solution is that it lives within an existing security framework and does not necessitate another level of username/password authentication or user management. We are always big fans of any methodology that promotes a single point of authentication/administration.

Eventually we will most likely implement some sort of group/user based rights to edit pages or categories. But at this time nothing is in the works.