The _users database is not so open since our 1.2.0 release. A user can
only see their own document. Even before this you could only see
password hashes, but we agreed even this was too much to show.

B.

On 17 July 2013 00:08, Oliver Schmidt <[email protected]> wrote:
> While reading the Kan.so docs (
> http://kan.so/docs/The_users_database ) I saw
> that the users database, which includes
> username and password, is publicly accessible
> for everyone. Couldn't an attacker use this to
> create a list of all username-password pairs?
> Wouldn't it be more secure to use a server side
> function which validates the password without
> giving the users db directly to everyone? Or am I
> just too paranoid?
>
> Regards