netw3rker [netw3rker]

Hello, and thanks for applying for a CVS account.

As you are applying to be a co-maintainer, you should have created a support request in the project queue, offering to become co-maintainer; only once the current maintainer accepted you as co-maintainer, you should have applied for a CVS account.

If you already created such support request, please report the link to the issue. In alternative, I am also happy if the current maintainer would add a comment here saying you are accepted as co-maintainer.

1) Should use http://api.drupal.org/api/constant/DRUPAL_AUTHENTICATED_RID/6 instead of integer 2.

2) The value of #value in "header_value" needs to be properly sanitized.

3) User role names used in textarea #title need to be properly sanitized.

4) There is no validation of submitted form values at all here. However, submitted form values are used as-is, without further sanitation in the run-time logic. Sanitation needs to happen in at least one of both places. Ideally validate on input, and additionally sanitize prior to usage.

i do not want this to become its own project since it will just be part of the siteminder package.

Therefore, this application is for being co-maintainer. In this case, we need more information (see comment #2).

@netw3rker: The status is postponed (maintainers needs more info) because there is nothing to review for a co-maintainer application. You didn't report the link to the support request you opened for Siteminder.

that means this is no longer a 'co-maintainer request'.

I would like to use my cvs account to co-maintain a couple of projects too (in particular the ldap module approved in the ldap modules call for co-maintainers here: http://drupal.org/node/806068 )

If this is no longer a co-maintainer request, then the code needs to be reviewed. I can do it, but after June 22.

As per previous comment (comment #3) by sun, I am changing the status to needs work.

The pointed to LDAP project looks and reads like a new joint effort of developers having the same intention, which is very good to see. However, it also means that co-maintenance has been accepted on a hypothetical basis, since the module is not yet in use.

Given that we already have a code review here, which turned out to list a couple of security issues in the proposed siteminder_roles module, it would be preferred to see a revised module as attachment here, in which at least all critical issues have been addressed.

Hi, I am going to go ahead and approve Chris's CVS account. Chris is my colleague so I've asked him to post publicly.

But LDAP integration is critical for Drupal adoption in the enterprise, and since the maintainers have okayed him it doesn't seem to make much sense delaying that effort. If anyone objects to this, I'll gladly accept a reverse in this decision.

But we need more capable maintainers working on critical features that drive Drupal adoption. I trust the siteminder security issues will be resolved.

Kieran

I am late to the thread; Chris (netw3rker) and I have been discussing the siteminder module and the siteminder roles addon module and I had accepted Chris's co-maintainership of the siteminder module. Chris asked me to confirm this on this thread initially but it fell of my radar and I caught it while reviewing my backlog. Even if siteminder_roles is its own module there are patches w/ Siteminder Chris and I discussed and which is why he needed his CVS account. Anyway, looks like he's got it now. Sorry if my late reply caused this thread to drag out.

Ian