Melange can only have moderate security...
Melange will use google account log ins extensively. Because of various sophisticated (and some less sophisticated) forms of malware, each google account-password combination cannot be considered as having high security - particularly given the large numbers of users. For example, ‘‘an admin in a mentoring organisation may work on a compromised machine and accidentally reveal his or her google account password’’. This could be used to maliciously change the delivery addresses for the mentor organisation, change ‘payment not required’ to ‘not received yet’ - if Melange tracks that - and for other more devious acts. It needs to be understood in the design that the system as a whole is medium to low in security, and parts involving decisions on real money must be kept cleanly outside melange itself.
Exactly where that clean dividing line is needs very careful thought and input from developers with sound security experience. The security ‘dividing line’ creates a need to at times be able to generate reports, e.g. lists of people who are apparently to be paid, that can be exported to a more secure system from which payments can actually be made.
Improving our security awareness will also help in other ways. For example:
The issue of security isn‘t entirely theoretical. In 2008 a large number of GSoC organizations were approached by several people whom they ‘did not know’ asking to be mentors, one of whom may have been trying to impersonate Google’s David Anderson, hence the !notme botcommand on #gsoc.
Edit Hint: Move the two security sections to a new page and keep this page just for ACLs?
Different users/roles have different permissions. They even vary over time.
It's expected that pages will share some centrally provided formatting routines that automatically choose whether to show a field as an editable or non editable box based on the permissions.
A highly privileged user may drop down to a lower role to see a page as a lower user would see it. Many pages may be read-only by default, with the option to open an editable view available to sufficiently authorised users.
Terms-of-Use figure in the access control