Hello All,
So, my co-worker and I came across something interesting in
CatWalk. If you are using identity and go to view the User table, the
passwords will show up in plaintext.
This is not a big deal if you are encrypting them, because only
the encrypted versions will be seen. However, regardless of
encryption, when you go to add a user, the password is shown in
plaintext. If somebody is looking over your shoulder, they could pick
up somebody's password.
I made the following monkey patches to the code to solve this problem:
\toolbox\catwalk\browse_grid.kid
(after line 102):

    <?python
    # Show a fixed mask instead of the stored value for the password column
    if col['name'] == 'password':
        str = "*****"
    else:
        str = row.get(col['name'],'')
    ?>
    <span py:replace="str"></span>

\toolbox\catwalk\static\javascript\catwalk.js
(after line 1053)

    // Render the password column as a masked input field
    if(column.columnName == 'password'){
        return TD(null, createDOM('INPUT',
            {'class':'txtfield',
             'type':'password',
             'name':column.columnName,
             'value':catwalk.getFieldValue(column),
             'maxlength':column.length
            }
            )
        );
    }

There are obviously some problems with this. First and foremost, it
means that only columns named "password" will be blotted out. Columns
named "pwd" or "passwd" will not. Second, there is no verification.
Now that you can't see what you are typing, the password should be
entered again and checked to make sure you typed in what you actually
meant to type in.
Again, this is just a monkey patch. If there are other people out
there who can do this better, by all means, do so. I just wanted to
throw this out there.
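
The two gaps the post names (columns called "pwd" or "passwd" are not masked, and a masked entry is never typed twice and compared) can be covered with a small server-side helper. This is an added example, not part of the original message or of CatWalk's code; the token-based name matching, the function names and the sample rows are assumptions made for illustration.

```python
import re

# "password", "pwd" and "passwd" are the names given in the post; treating them
# as tokens inside longer column names is an assumption of this example.
SECRET_TOKENS = {"password", "pwd", "passwd"}
MASK = "*****"  # same placeholder the post's template patch displays


def is_secret_column(name):
    """True if any token of the column name (split on _, -, space, camelCase) is secret."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name)
    tokens = re.split(r"[^A-Za-z0-9]+", spaced.lower())
    return any(tok in SECRET_TOKENS for tok in tokens)


def mask_row(columns, row):
    """Return the values to display for one row, masking secret columns.

    columns: list of {'name': ...} dicts, shaped like `col` in the template patch.
    row: dict mapping column name to stored value.
    """
    shown = {}
    for col in columns:
        name = col["name"]
        shown[name] = MASK if is_secret_column(name) else row.get(name, "")
    return shown


def confirm_secret(first, second):
    """Check a masked entry that was typed twice; returns (ok, reason)."""
    if not first:
        return False, "empty"
    if first != second:
        return False, "mismatch"
    return True, "ok"


# Constructed sample data, not taken from a real CatWalk database.
COLUMNS = [{"name": n} for n in ("user_name", "userPwd", "passwd", "email_address")]
ROW = {"user_name": "alice", "userPwd": "hunter2", "passwd": "x", "email_address": "a@example.org"}

if __name__ == "__main__":
    print(mask_row(COLUMNS, ROW))
    print(confirm_secret("s3cret", "s3cret "))
```

Name matching remains a heuristic: a secret stored under an unrelated column name is still displayed, so an explicit per-model list of sensitive columns is the stricter option.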