I think it's more secure to let it be used only on the current user profile
page. Otherwise we can imagine an attacker creating a page where this check
is performed against the current user, enabling him to gain information
about the users visiting this page.
(For example he could do something like:

    #foreach($passwd in $passwdList)
      #if($xwiki.getUser().checkPassword($passwd))
        ## Store this information somewhere (in another doc, in an
        ## object, or even by sending me a mail)
      #end
    #end
)
And I don't think that users with PR need to be able to make this check on
any user (and if they need to, they can still perform it through the core), so
I prefer to keep it this way.
Cheers,
Thomas
On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <sergiu(a)xwiki.org> wrote:
On 05/06/2013 09:44 AM, Thomas Delafosse wrote:
Hi all,
After discussing it with Vincent, it seems that it would be better to be
able to access this method without PR: thus we could keep the code for
changing the password in passwd.vm instead of having to make a new page
with PR for that. To prevent malicious users from using it nonetheless, I
propose that this method could only be used to check the current user's
password, and only on their profile page.
Does this seem OK to you, or do you think this should be done another way?
Why only on the user's profile page?
The method could allow public check only for the current user, and PR
check for any user.
--
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
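The following is an added model of the three options discussed in this thread (an unrestricted check, Sergiu's "current user anywhere, any user with PR" variant, and Thomas's "current user, own profile page only" variant), written to show why the page a script runs on matters. It is example code, not XWiki's implementation: `User`, `Context`, `check_password_*`, `oracle` and the `XWiki.<name>` profile-page convention are assumptions of this model, and the users and word list are constructed sample data. The `oracle` function is the `#foreach` loop from the mail, run by a script on an attacker-authored page against whoever visits it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    has_pr: bool = False  # "PR": programming rights, as used in the thread


def make_user(name: str, password: str, has_pr: bool = False) -> User:
    """Constructed sample user with a salted PBKDF2 hash (model only)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return User(name, salt, pw_hash, has_pr)


def verify(user: User, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 10_000)
    return hmac.compare_digest(candidate, user.pw_hash)


@dataclass
class Context:
    current_user: User  # the visitor, i.e. what $xwiki.getUser() would return
    doc_author: User    # author of the page whose script is executing
    doc_name: str       # full name of the document being rendered


def profile_page(user: User) -> str:
    # Assumption of this model: a user's profile document is "XWiki.<name>".
    return f"XWiki.{user.name}"


class Forbidden(Exception):
    pass


def check_password_open(ctx: Context, target: User, password: str) -> bool:
    """Unrestricted: any page author can test any password against any user."""
    return verify(target, password)


def check_password_pr(ctx: Context, target: User, password: str) -> bool:
    """Sergiu's variant: the current user may be checked from any page; other
    users only if the page author has PR."""
    if target is ctx.current_user or ctx.doc_author.has_pr:
        return verify(target, password)
    raise Forbidden("checking another user's password requires PR")


def check_password_profile(ctx: Context, target: User, password: str) -> bool:
    """Thomas's variant: only the current user, and only on that user's own
    profile page, so a lure page written by someone else gets nothing."""
    if target is not ctx.current_user:
        raise Forbidden("only the current user's own password may be checked")
    if ctx.doc_name != profile_page(ctx.current_user):
        raise Forbidden("password check allowed only on the user's own profile page")
    return verify(target, password)


def oracle(ctx: Context, check, wordlist):
    """The #foreach loop from the mail: a page script probing the visitor's
    password. Returns the recovered password, or None if the guard refused
    or nothing in the list matched."""
    for guess in wordlist:
        try:
            if check(ctx, ctx.current_user, guess):
                return guess
        except Forbidden:
            return None
    return None


# Constructed sample data.
ALICE = make_user("Alice", "correct horse battery staple")
MALLORY = make_user("Mallory", "hunter2")
WORDLIST = ["123456", "password", "hunter2", "correct horse battery staple"]

# Alice visits a page Mallory wrote; Mallory's script runs, Alice is current user.
ON_MALLORY_PAGE = Context(current_user=ALICE, doc_author=MALLORY, doc_name="Main.Lure")
# Alice on her own profile page, the legitimate passwd.vm use case.
ON_OWN_PROFILE = Context(current_user=ALICE, doc_author=ALICE, doc_name="XWiki.Alice")


def demo() -> dict:
    return {
        "open": oracle(ON_MALLORY_PAGE, check_password_open, WORDLIST),
        "pr": oracle(ON_MALLORY_PAGE, check_password_pr, WORDLIST),
        "profile": oracle(ON_MALLORY_PAGE, check_password_profile, WORDLIST),
        "profile_legit": check_password_profile(ON_OWN_PROFILE, ALICE, "correct horse battery staple"),
    }


if __name__ == "__main__":
    for variant, result in demo().items():
        print(f"{variant}: {result}")
```

Against Mallory's lure page the open check and the PR-gated check both hand back Alice's password, because in both the visitor is "the current user" and no PR is needed to probe her; only the profile-page guard refuses on the first guess while still returning True for Alice on her own profile.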