[Fez-users] Fwd: passwords in error messages

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi All

Another possible security leak is that when displaying fedora error
messages, the dump of the soap transaction shows the fedora password.
While it's handy to have this information, maybe it's best not to spew
this out to the screen unless you are an administrator.  To make this
modification, you could edit class.fedora_api.php.

Find openSoapCall and change the if statement to have
Auth::isAdministrator() on the front like this:

if (Auth::isAdministrator() && $debug_error && is_array($result) &&
(isset($result['faultcode']) || $call == 'addDatastream')) {
           Error_Handler::logError(array(print_r($result,true),Fedora_API::debugInfo($client,
true)),
                   __FILE__,__LINE__);
       }

Matt