Comment 3 for bug 1629711

clayg (clay-gerrard) wrote :

maybe, probably, or not...

we could definately make it required? I do sorta doubt that anyone is using the default w/o calling it out explicitly - because stuff is so broken w/o it - most deployments probably have it explicitly set to true in their configs and wouldn't even notice if we required it.

but I'm not sure I wouldn't go for just changing it - it's not really a security thing - it's just a provisioning workflow - you can have a valid auth token but not use the service because a reselleradmin didn't put your account - nobodies auth systems work like that?

OTOH, just making it required is 100% safe, and give us the option to relax with a different default down the road.