Closed Bug 45579 Opened 25 years ago Closed 22 years ago

Params page should require a password to VIEW, not just update

Categories

(Webtools Graveyard :: Bonsai, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: justdave, Assigned: tara)

Details

(Whiteboard: security)

Attachments

(2 files)

Although it's nice that you have to enter a password in order to change Bonsai parameters from the web, I think it would be better if you had to enter the password in order to even SEE the parameters. The admin page isn't so bad, because it's mostly commands to do stuff, and you have to have the password to run them. But the editparams page linked to from admin is wide open. As mentioned, you have to enter a password to update it, but since it contains your database username and password in particular, it's probably not a good thing to have out in the open. I notice someone at mozilla.org was concerned about that, too, because they have those two params blanked out on the parameters page, and they probably hardcoded it in the files that used it.
I noticed this too. IMHO it should be at least noted in the documentation.
Severity: normal → major
QA Contact: matty → timeless
Whiteboard: security
In case anyone cares
I've been looking at this and I'd love to have Bugzilla-style authorization, but that would entail creating a users/roles table which is probably overkill. Will definitely update the docs, but will continue to try and come up with something a little more elegant.
Status: NEW → ASSIGNED
Hrm, fixed the text slightly to make more sense (Bonsai doesn't really have a concept of "log in") and checking this baby in...
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
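
The behaviour this bug asks for, sketched as an added example that is not part of the thread and is not Bonsai's own code (Bonsai is Perl; this sketch is Python): the parameters page returns nothing but a password prompt until the admin password checks out, and the database credentials are never echoed back even then. The function names, parameter names (`db_user`, `db_password`, `treename`) and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import os

# Hypothetical parameter names; the page only says the database username
# and password are among the values shown on the parameters page.
SECRET_PARAMS = {"db_user", "db_password"}
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored form of the admin password (salted PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_ok(supplied, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison; a missing or empty password never matches."""
    if not supplied:
        return False
    return hmac.compare_digest(hash_password(supplied, salt), stored_hash)


def view_params(params: dict, supplied, salt: bytes, stored_hash: bytes):
    """Return (status, body) for a request to VIEW the parameters page."""
    if not password_ok(supplied, salt, stored_hash):
        # Fail closed: the response carries the password prompt only,
        # with no parameter names or values in it.
        return 401, '<form method="post"><input type="password" name="password"></form>'
    rows = []
    for name, value in sorted(params.items()):
        # Secrets are write-only: the field is rendered empty even for an admin.
        shown = "" if name in SECRET_PARAMS else value
        rows.append(f'<input name="{html.escape(name)}" value="{html.escape(shown)}">')
    return 200, "\n".join(rows)


# Constructed sample data, not taken from any real installation.
SALT = os.urandom(16)
ADMIN_HASH = hash_password("correct horse", SALT)
PARAMS = {"db_user": "bonsai", "db_password": "s3cret-constructed", "treename": "default"}

if __name__ == "__main__":
    for attempt in (None, "wrong", "correct horse"):
        status, body = view_params(PARAMS, attempt, SALT, ADMIN_HASH)
        print(status, "secret leaked:", "s3cret-constructed" in body)
```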