Re: [xwiki-devs] [Proposal] Introduce a new API method in order to be able to check an user password

I think it's more secure to let it be used only on the current user profile page. Otherwise we can imagine an attacker creating a page where this check is performed against the current user, enabling him to gain information about the users visiting this page. (For example he could do something like #foreach($passwd in $passwdList) #if($xwiki.getUser().checkPassword($passwd)) Store this information somewhere (in another doc, in an object, or even by sending me a mail) #end #end)

And I don't think that users with PR need to be able to make this check on any user (and if they need they can still perform it through the core), so I prefer to keep it this way.

Cheers, Thomas On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <sergiu(a)xwiki.org> wrote: > On 05/06/2013 09:44 AM, Thomas Delafosse wrote: >> Hi all, >> >> After discussing it with Vincent, it seems that it would be better to >> be able to access this method without PR : thus we could keep the code > for >> changing the password in passwd.vm instead of having to make a new page >> with PR for that. To avoid malicious users to use it nonetheless, I > propose >> that this method could only be used to check the current user password, > and >> only on its profile page. >> Does this seems OK to you, or do you think this should be done another > way ? > > Why only on the user's profile page? > > The method could allow public check only for the current user, and PR > check for any user.