Issue 52: SECURITY PATCH Show action shows user password hash.
Status:  Fixed
Owner: ----
Closed:  Apr 2008
Reported by edmundo...@gmail.com, Mar 13, 2008
What steps will reproduce the problem?
1. Login with an administrator account.
2. Put /show/1 as the action and id.

What is the expected output? What do you see instead?
I don't think passwords should be shown to those who don't have the database
password; I think it should be nothing. The password hash is shown, now it's
encrypted.

What version of the product are you using? On what operating system?
trunk. Ubuntu 7.04

Please provide any additional information below.
Easy, it's not the end of the world here. If you can log in as an
administrator you can change other people's passwords, but I think that
nobody, not even the owner of the account itself, should be able to see
password hashes. ONLY those who have access to the hash repository should be
able to do that, in this case the database owner.

A patch follows that comments out the action, until someone decides whether
they agree with that and whether the view should be changed/deleted or whatever.
Attachment: dont_show_password_hashes.patch (670 bytes)
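The report's point is that the admin show action hands the whole user row, password hash included, to the view. As an added illustration (not the project's code; the field names, the sample row and the digest heuristic are assumptions), here is the leaking pattern beside an allowlisted version, with a regression check a project could keep after removing or rewriting such a view:

```python
import hashlib
import re

# Constructed sample row, shaped like a user-table record an admin
# controller might load (column names are assumptions, not the project's schema).
USER_ROW = {
    "id": 1,
    "login": "alice",
    "email": "alice@example.com",
    "password_hash": hashlib.sha256(b"constructed-sample").hexdigest(),
    "is_admin": True,
}

# Explicit allowlist of columns an admin "show" page may render.
# Anything not listed (password hashes, tokens, ...) never reaches the view.
SHOW_FIELDS = ("id", "login", "email", "is_admin")

# Heuristic for the regression check: a 32/40/64-char lowercase hex string
# is shaped like an MD5/SHA-1/SHA-256 digest.
HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")


def show_action_vulnerable(row):
    """The pattern the report describes: pass the entire record to the view."""
    return dict(row)


def show_action_safe(row):
    """Hardened form: project only allowlisted columns into the view model."""
    return {name: row[name] for name in SHOW_FIELDS if name in row}


def leaks_secret(view_model):
    """Regression check on a view model: a key naming a password or hash,
    or a value shaped like a hex digest, counts as a leak."""
    for key, value in view_model.items():
        if "password" in key.lower() or key.lower().endswith("hash"):
            return True
        if isinstance(value, str) and HEX_DIGEST.match(value):
            return True
    return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_secret(show_action_vulnerable(USER_ROW)))
    print("hardened leaks:  ", leaks_secret(show_action_safe(USER_ROW)))
```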
Apr 8, 2008
Project Member #1 subim...@gmail.com
That show method wasn't being used any longer... I don't have the same concerns about showing the password hash, but I removed the view & the action anyhow.

Fixed - revision 67
Status: Fixed