Params page should require a password to VIEW, not just update

RESOLVED FIXED

Status

Webtools Graveyard
Bonsai
P3
major
RESOLVED FIXED
18 years ago
2 years ago

People

(Reporter: justdave, Assigned: Tara Hernandez)

Tracking

Details

(Whiteboard: security)

Attachments

(2 attachments)

Although it's nice that you have to enter a password in order to change Bonsai 
parameters from the web, I think it would be better if you had to enter the 
password in order to even SEE the parameters.  The admin page isn't so bad, 
because it's mostly commands to do stuff, and you have to have the password to 
run them.  But the editparams page linked to from admin is wide open.  As 
mentioned, you have to enter a password to update it, but since it contains your 
database username and password in particular, it's probably not a good thing to 
have out in the open.

I notice someone at mozilla.org was concerned about that, too, because they have 
those two params blanked out on the parameters page, and they probably hardcoded 
it in the files that used it.

Comment 1

16 years ago
I noticed this too. IMHO it should be at least noted in the documentation.

Updated

16 years ago
Severity: normal → major
QA Contact: matty → timeless
Whiteboard: security

Comment 2

16 years ago
Created attachment 102432 [details] [diff] [review]
suggested documentation change

In case anyone cares
(Assignee)

Comment 3

16 years ago
I've been looking at this and I'd love to have Bugzilla-style authorization, but
that would entail creating a users/roles table, which is probably overkill.  Will
definitely update the docs, but will continue to try and come up with something
a little more elegant.
Status: NEW → ASSIGNED
(Assignee)

Comment 4

16 years ago
Created attachment 105481 [details] [diff] [review]
Patch to check for password prior to bringing up the editparams form
(Assignee)

Comment 5

16 years ago
Hrm, fixed the text slightly to make more sense (Bonsai doesn't really have a
concept of "log in") and checking this baby in...
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
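The gap the report describes, and the shape of the fix Comment 4 lands, as an added Python example (this is not Bonsai's code; Bonsai's editparams is a Perl CGI, and the parameter names, password storage, form fields and HTML below are assumptions): a handler that renders every parameter to anyone and only checks the password on update, next to one that checks the password before rendering anything and never echoes the stored database password into the page.

```python
"""Gate *viewing* of a parameters page behind the admin password, not only
updating it.  Added example, not Bonsai's code; names and storage are assumed."""
import hashlib
import hmac
import html

# Constructed sample parameters, standing in for what the editparams page
# lists.  Values are made up for the example.
PARAMS = {
    "mysqluser": "bonsai",
    "mysqlpassword": "s3cret-db-pass",
    "cvsroot": "/cvsroot",
}

# Parameters that must never be echoed back into the form, even to an
# authenticated admin (assumption: the page treats only the DB password so).
SECRET_PARAMS = {"mysqlpassword"}

# Constructed admin password, kept as a SHA-256 digest so the code never
# compares against plaintext.  Bonsai's own storage is not modelled here.
ADMIN_PASSWORD = "correct horse battery"
ADMIN_PASSWORD_HASH = hashlib.sha256(ADMIN_PASSWORD.encode()).hexdigest()


def password_ok(supplied):
    """Constant-time check of the supplied admin password; None/empty fails."""
    if not supplied:
        return False
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    return hmac.compare_digest(digest, ADMIN_PASSWORD_HASH)


def render_form(params, reveal_secrets):
    """Render the edit form; secret values are blanked unless reveal_secrets."""
    rows = []
    for name, value in sorted(params.items()):
        shown = "" if (name in SECRET_PARAMS and not reveal_secrets) else value
        rows.append(
            '<tr><td>%s</td><td><input name="%s" value="%s"></td></tr>'
            % (html.escape(name), html.escape(name), html.escape(shown, quote=True))
        )
    return '<form method="post"><table>' + "".join(rows) + "</table></form>"


def password_prompt():
    """What an unauthenticated visitor gets instead of the parameters."""
    return ('<form method="post"><input type="password" name="password">'
            '<input type="submit" value="Show parameters"></form>')


def apply_update(params, form):
    """Copy submitted values into params.  A blank secret means 'keep the
    stored value', so a form rendered with secrets blanked cannot wipe them."""
    for name in params:
        if name not in form:
            continue
        if name in SECRET_PARAMS and form[name] == "":
            continue
        params[name] = form[name]


def editparams_before(form, params):
    """Behaviour the bug describes: anyone can view every parameter, DB
    credentials included; only the update path checks the password.
    Returns (status, body)."""
    if form.get("action") != "update":
        return 200, render_form(params, reveal_secrets=True)
    if not password_ok(form.get("password")):
        return 403, "Wrong password"
    apply_update(params, form)
    return 200, "Parameters updated"


def editparams_after(form, params):
    """Fixed: the password check runs before the form is rendered at all,
    and the stored DB password is never written into the page.
    Returns (status, body)."""
    if not password_ok(form.get("password")):
        return 401, password_prompt()
    if form.get("action") != "update":
        return 200, render_form(params, reveal_secrets=False)
    apply_update(params, form)
    return 200, "Parameters updated"
```

Two details worth keeping when porting this pattern: once the form stops echoing the DB password, the update path has to treat a blank secret as "leave it alone", or the first harmless save after the fix silently empties the credential; and the demo re-posts the admin password with every request for simplicity, whereas a real deployment would establish a session after the prompt rather than carrying the password through the form.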