Bug #8597

When we use password 'plain' method, the password is always displayed in the directive

Added by Nicolas CHARLES over 1 year ago. Updated 10 months ago.

Status: Rejected
Priority: N/A
Category: Web - Config management
Target version:
Target version (plugin):
Severity: Minor - inconvenience | misleading | easy workaround
User visibility: Getting started - demo | first install | level 1 Techniques
Effort required:
Pull Request:
Priority: 0

Description

In the User Management technique, if we use the 'plain' method for password management, the clear text password is always displayed. We should have an option to at least obfuscate it so that people with little rights won't see it.

History

#1 Updated by François ARMAND over 1 year ago

To make the need more clear: we need to specify what a user with READ ONLY rights on the directive can see.

It may make sense to only display "*******" for any password, be it plain or hash or whatever.

#2 Updated by François ARMAND over 1 year ago

  • Assignee set to François ARMAND

#3 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 2.11.23 to 2.11.24

#4 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 2.11.24 to 308

#5 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 308 to 3.1.14

#6 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.14 to 3.1.15

#7 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.15 to 3.1.16

#8 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.16 to 3.1.17

#9 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.17 to 3.1.18

#10 Updated by Vincent MEMBRÉ 11 months ago

  • Target version changed from 3.1.18 to 3.1.19

#11 Updated by Benoît PECCATTE 10 months ago

  • Severity set to Minor - inconvenience | misleading | easy workaround
  • User visibility set to Getting started - demo | first install | level 1 Techniques
  • Priority set to 0

#12 Updated by François ARMAND 10 months ago

  • Status changed from New to Rejected

In the last version of the technique, we are not displaying the password unless you check the option for that.

About the right: it does not seem correct to forbid people with READ ONLY rights to see the clear text password (think for example about an auditor who needs to have access to that information). The correct behavior if it is a problem is to use hashed passwords.
