Feature Requests item #2332595, was opened at 2008-11-23 04:15
Message generated for change (Comment added) made by christian_boltz
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=2332595&group_id=191583
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Interface Improvements (example)
Group: SVN (please specify revision!)
>Status: Closed
>Resolution: Wont Fix
Priority: 5
Private: No
Submitted By: Christian Boltz (christian_boltz)
Assigned to: Nobody/Anonymous (nobody)
Summary: add "show password" link for mailboxes
Initial Comment:
SVN r482 introduced showing passwords in edit-mailbox.php - but in a quite broken way because it relied on a browser extension to change the stars in the password field to readable text.
r482 was therefore reverted.
We should add this feature in a way that works for everybody.
(Needless to say that this is only useful for non-encrypted passwords ;-)
Some snippets and ideas from the mailing list:
add a "show password" link (with a $CONF setting to enable it, default should be disabled) which displays the password somewhere (using flash_info or an alert() fed with an AJAX request). This would have some advantages:
- it works in every browser and does not depend on special browser extensions
- it only transfers the password on request - which reduces the risk (and number) of passwords in browser cache etc. a lot
- it would easily allow to mail a notification to the user, which might be required by some people/companies for privacy or policy reasons
> (So far, Postfixadmin is AJAX free, perhaps it should stay this way?)
I don't want to do "big" things with AJAX. But I don't see a problem in using something like
alert($password_fetched_by_AJAX_request)
The fallback could be that the "show password" link uses flash_info for this - with the disadvantage of causing a page reload (and possibly lose changes).
----------------------------------------------------------------------
>Comment By: Christian Boltz (christian_boltz)
Date: 2012-05-28 12:10
Message:
Thinking about this again, I'm finally closing this request as "wontfix".
Reasons are:
- the password would be available in the browser cache - if someone can
read your cache, then he'll be able to steal the password.
- it would only work with cleartext passwords
- the idea of an additional clear_password column makes things even worse -
if the config says to encrypt the password, then admins will kill us for
having an additional clear_password column
----------------------------------------------------------------------
Comment By: Bjorn (bjornnilsen)
Date: 2009-05-21 19:58
Message:
I have a requirement for this feature and I was able to implement it very
simply. I have tried to keep the changes to an absolute minimum so that I
can easily add it into new releases as they come out. I was very impressed
at how simple it was to add this feature. I guess this shows postfixadmin
has been designed very well :)
ALTER TABLE `mailbox` ADD `clear_password` VARCHAR( 255 ) NOT NULL ;
vi edit-mailbox.php
FIND:
$tName = $user_details['name'];
ADD:
$tClearPassword = $user_details['clear_password'];
FIND:
$formvars['password'] = pacrypt($fPassword);
ADD:
$formvars['clear_password'] = $fPassword;
vi templates/edit-mailbox.php
FIND:
<tr>
<td><?php print $PALANG['pEdit_mailbox_username']; ?></td>
<td><?php print $fUsername; ?></td>
<td><?php print $pEdit_mailbox_username_text; ?></td>
</tr>
ADD:
<tr>
<td>Password</td>
<td><?php print $tClearPassword; ?></td>
<td></td>
</tr>
----------------------------------------------------------------------
Comment By: Pavel Volkovitskiy (olfway)
Date: 2009-03-03 01:35
Message:
why would you open edit-mailbox if you don't want to change name/password?
so the user should be notified if someone opens its mailbox in edit mode
if you care about security you should use https to avoid password sniffing
also i'm not sure that you can copy the password from a js alert box
the real issue was only the missing check if the password is stored in clear text or
not
also, you can't always change the password for a user b/c then you will have to
change settings on every user's pc/gadget
----------------------------------------------------------------------
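The check the thread says was missing (whether a password is stored in clear text or not), combined with the closing comment's objection to a clear_password column, as an added example that is not part of the thread or of PostfixAdmin's code. It assumes a `mailbox` table with `username` and `password` columns, uses in-memory SQLite with constructed rows so it runs offline, and the format patterns are heuristics.

```python
import re
import sqlite3

# Recognisable hash formats; anything else is reported as suspected cleartext.
# Heuristic only: a cleartext value that happens to look like a hash is missed.
HASH_PATTERNS = [
    ("crypt", re.compile(r"^\$(1|2[abxy]?|5|6)\$.+")),  # md5crypt, bcrypt, sha-crypt
    ("dovecot", re.compile(r"^\{(?!PLAIN\}|CLEARTEXT\})[A-Z0-9.-]+\}.+", re.I)),
    ("md5-hex", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("mysql-password", re.compile(r"^\*[0-9A-F]{40}$")),
]
# Column names that suggest a second, readable copy of the password.
CLEAR_COLUMN = re.compile(r"(clear|plain).*pass|pass.*(clear|plain)", re.I)

def classify(stored):
    """Name the hash format of a stored value, or 'cleartext?' if none matches."""
    for name, pattern in HASH_PATTERNS:
        if pattern.match(stored):
            return name
    return "cleartext?"

def audit(conn, table="mailbox"):
    """Return ('column', name) and ('row', username) findings for one table."""
    if not table.isidentifier():
        raise ValueError("unexpected table name")
    findings = []
    # PRAGMA table_info is SQLite-specific; row[1] is the column name.
    for row in conn.execute(f"PRAGMA table_info({table})"):
        if CLEAR_COLUMN.search(row[1]):
            findings.append(("column", row[1]))
    for username, stored in conn.execute(f"SELECT username, password FROM {table}"):
        if classify(stored) == "cleartext?":
            findings.append(("row", username))
    return findings

def demo_db():
    """Constructed sample data: one hashed row, two readable ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT, password TEXT, clear_password TEXT)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?, ?)", [
        ("alice@example.com", "$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV", "Winter2008"),
        ("bob@example.com", "Summer2009", "Summer2009"),
        ("carol@example.com", "{PLAIN}hunter2", "hunter2"),
    ])
    return conn

if __name__ == "__main__":
    for kind, name in audit(demo_db()):
        print(kind, name)
```

On MySQL or PostgreSQL the column list would come from `information_schema.columns` instead of the SQLite pragma.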