On 10/29/99 12:42 PM, Tres Seaver at tseaver@palladion.com wrote:
I was tweaking with adding some of the functionality of 'manage_access' to a custom form/method, and discovered what seems to be a hole in it: the form embeds the edited user's password (in plaintext) as the text of the password/confirm fields (either text or hidden fields). In either case, "View | Page Source" shows the plaintext.
"Normally", administrators are not be able to see users' passwords, but can only reset them. Is this a real problem, or is BasicAuthentication so weak that we shouldn't care, anyway?
This has been resolved in the CVS version and will no longer be a problem with 2.1.0 which should see daylight REAL soon now. Chris -- | Christopher Petrilli Python Powered Digital Creations, Inc. | petrilli@digicool.com http://www.digicool.com