[Zope-dev] Lax 'manage_access' practice?

Christopher Petrilli petrilli@digicool.com
Fri, 29 Oct 1999 13:09:15 -0400


On 10/29/99 12:42 PM, Tres Seaver at tseaver@palladion.com wrote:

> I was tweaking with adding some of the functionality of 'manage_access' to a
> custom form/method, and discovered what seems to be a hole in it:  the form
> embeds the edited user's password (in plaintext) as the text of the
> password/confirm fields (either text or hidden fields).  In either case, "View |
> Page Source" shows the plaintext.
> 
> "Normally", administrators are not able to see users' passwords, but can only
> reset them.  Is this a real problem, or is BasicAuthentication so weak that we
> shouldn't care, anyway?

This has been resolved in the CVS version and will no longer be a problem
with 2.1.0 which should see daylight REAL soon now.

Chris
-- 
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
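The leak Tres describes, as an added example that is not Zope's code: a small checker that flags rendered user-edit forms whose password/confirm inputs (password, text or hidden) carry a non-empty `value`, next to a constructed form renderer showing the buggy and the fixed rendering. Form markup, field names and the `edit_user` action are assumptions for the demo.

```python
"""Added example (not Zope's code): detect the manage_access-style leak, where a
user-edit form pre-fills the password/confirm fields with the stored password.
The form markup, field names and action below are constructed for the demo."""
from html import escape
from html.parser import HTMLParser

SECRET_FIELD_NAMES = {"password", "confirm"}


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> elements that carry a non-empty secret in 'value'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # HTMLParser lowercases names and unescapes values
        itype = (a.get("type") or "text").lower()
        name = (a.get("name") or "").lower()
        value = a.get("value") or ""
        # A password input, or a text/hidden input named like one, must render
        # empty: anything else lands verbatim in "View | Page Source".
        secret_field = itype == "password" or name in SECRET_FIELD_NAMES
        if secret_field and value:
            self.findings.append((name, itype, value))


def find_prefilled_secrets(html_text):
    finder = PrefilledSecretFinder()
    finder.feed(html_text)
    return finder.findings


def render_edit_form(username, stored_password, leak_password=False, hidden=False):
    """leak_password=True reproduces the bug; False is the fix: render the
    fields blank and treat an empty submission as 'leave the password alone'."""
    itype = "hidden" if hidden else "password"
    val = f' value="{escape(stored_password, quote=True)}"' if leak_password else ""
    return (
        '<form action="edit_user" method="post">'  # constructed action name
        f'<input type="text" name="name" value="{escape(username, quote=True)}">'
        f'<input type="{itype}" name="password"{val}>'
        f'<input type="{itype}" name="confirm"{val}>'
        '<input type="submit" value="Change"></form>'
    )
```

Run `find_prefilled_secrets` over the HTML an admin form actually returns; any finding means the stored password is being shipped to every administrator's browser.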