I think it's more secure to let it be used only on the current user's profile
page. Otherwise we can imagine an attacker creating a page where this check
is performed against the current user, enabling him to gain information
about the users visiting this page.
(For example he could do something like
#foreach($passwd in $passwdList)
#if($xwiki.getUser().checkPassword($passwd))
Store this information somewhere (in another doc, in an object, or
even by sending me a mail)
#end
#end)
And I don't think that users with PR need to be able to make this check on
any user (and if they need they can still perform it through the core), so
I prefer to keep it this way.
Cheers,
Thomas
On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <[email protected]> wrote:
> On 05/06/2013 09:44 AM, Thomas Delafosse wrote:
> > Hi all,
> >
> > After discussing it with Vincent, it seems that it would be better to
> > be able to access this method without PR: thus we could keep the code
> > for changing the password in passwd.vm instead of having to make a new
> > page with PR for that. To prevent malicious users from using it
> > nonetheless, I propose that this method could only be used to check the
> > current user's password, and only on their profile page.
> > Does this seem OK to you, or do you think this should be done another
> > way?
>
> Why only on the user's profile page?
>
> The method could allow public check only for the current user, and PR
> check for any user.
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>
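An added illustration, not XWiki code and not from either poster, of the two authorization rules debated above, written as the guard a script-API wrapper would run before delegating to the core password check. The class, enum, method and parameter names (`PasswordCheckGuard`, `Policy`, `isAllowed`, `callerUser`, `targetUser`, `currentDoc`, `callerHasPR`) are hypothetical; the sample page name `Main.Harvest` is constructed.

```java
import java.util.Objects;

/** Hypothetical guard in front of a script-exposed checkPassword(); not XWiki's API. */
public final class PasswordCheckGuard {

    /** The two rules discussed on the list. */
    public enum Policy {
        /** Thomas: only the current user, and only while rendering that user's own profile page. */
        CURRENT_USER_ON_PROFILE_PAGE,
        /** Sergiu: current user from any page; any user if the script's author has programming rights. */
        CURRENT_USER_ANYWHERE_OR_PR
    }

    private final Policy policy;

    public PasswordCheckGuard(Policy policy) {
        this.policy = Objects.requireNonNull(policy);
    }

    /**
     * @param callerUser  user whose session renders the script (profile document, e.g. "XWiki.Alice")
     * @param targetUser  user whose password the script wants to verify
     * @param currentDoc  document being rendered ("XWiki.Alice" while Alice views her own profile)
     * @param callerHasPR whether the script's author holds programming rights
     * @return true if the wrapper may forward the request to the core check
     */
    public boolean isAllowed(String callerUser, String targetUser, String currentDoc, boolean callerHasPR) {
        if (callerUser == null || targetUser == null) {
            return false; // anonymous sessions never get to probe passwords
        }
        boolean selfCheck = callerUser.equals(targetUser);
        switch (policy) {
            case CURRENT_USER_ON_PROFILE_PAGE:
                // The scenario in the thread runs from an attacker-authored page against the
                // visitor (so selfCheck is true there); requiring the profile document itself
                // is what refuses that page.
                return selfCheck && callerUser.equals(currentDoc);
            case CURRENT_USER_ANYWHERE_OR_PR:
                return selfCheck || callerHasPR;
            default:
                return false;
        }
    }

    public static void main(String[] args) {
        PasswordCheckGuard profileOnly = new PasswordCheckGuard(Policy.CURRENT_USER_ON_PROFILE_PAGE);
        // Alice on her own profile page: allowed.
        System.out.println(profileOnly.isAllowed("XWiki.Alice", "XWiki.Alice", "XWiki.Alice", false));
        // Alice visiting a constructed third-party page that checks her password: refused.
        System.out.println(profileOnly.isAllowed("XWiki.Alice", "XWiki.Alice", "Main.Harvest", false));
        PasswordCheckGuard prAware = new PasswordCheckGuard(Policy.CURRENT_USER_ANYWHERE_OR_PR);
        // Script with PR checking another user's password: allowed under Sergiu's rule.
        System.out.println(prAware.isAllowed("XWiki.Bob", "XWiki.Alice", "Main.Admin", true));
    }
}
```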