I would propose that changes to Database settings, Application settings, and Plug-ins should not be allowed until a user has successfully logged into a database. Some of the more strict security features are basically rendered useless by allowing changes to them by an unauthenticated user. I realize that someone could create a database and log into it and then make changes, but that is one more layer of complexity to access settings. This also could potentially be mitigated if it were possible to create per-database settings somehow.