Fork me on GitHub
Subscribe 2

Ticket #20 (fixed enhancement)

Hide SMTP password in admin options

  • Created: 2010-05-25 23:19:48
  • Reported by: Franz
  • Assigned to: Franz
  • Milestone: 1.4.3
  • Component: usability
  • Priority: normal

Again, related to security. Requires some logic rewrite.

http://fluxbb.org/forums/viewtopic.php?pid=29342#p29342

History

Franz 2010-06-20 16:05:56

  • Owner set to Franz.

Reines 2010-07-21 23:06:33

  • Milestone changed from 1.4.1 to 1.4.2.

Franz 2010-07-23 17:42:52

So, people: For security reasons, should we encrypt the password in the database using some encryption key stored in the config file?

For more information, read the thread mentioned above.

Reines 2010-07-23 17:50:56

I would actually be tempted to change this to "future" rather than 1.4.

Franz 2010-07-23 18:00:16

Reines wrote:

I would actually be tempted to change this to "future" rather than 1.4.

But why?

Franz 2010-07-24 11:27:45

What about a compromise? I'll add the hidden fields and we take a look at encryption later.

Reines 2010-07-24 14:45:46

Sounds good, it was mainly the encryption part I was suggesting to leave anyway.

Franz 2010-07-25 22:11:18

Actually, how should this be done? I can't just show two password fields and let the administrator only enter a password, if he wants to change the data, because that would make it impossible to remove a password (as having no password at all is perfectly legitimate, too).
How should we handle this?

Reines 2010-08-01 13:13:48

I guess the only options then are:

  1. Add a checkbox used to clear the password.

  2. Leave this for a later date tongue

Reines 2010-08-09 12:30:26

  • Milestone changed from 1.4.2 to 1.4.3.

Reines 2010-10-20 17:01:09

Have you made a start on this, or can I take over the ticket?

Franz 2010-10-20 21:22:35

I have made a start on this. Let me review it and I will tell you if I have enough to finish it or just leave it to you.
Tomorrow probably.

Franz 2010-11-07 23:18:35

Commit da2cd73 to fluxbb fluxbb-1.4

#20: Hide SMTP password in admin options.

Franz 2010-11-07 23:20:26

  • Status changed from open to fixed.

Okay, I implemented this now.

The way I did it is that you have to check a checkbox every time you want to set, edit or remove the SMTP password. The fields are also filled with some random strings so that you can notice that there is currently a password set (note: some random string, we obviously don't want the true password to be displayed).

If you want to do me a favor, please review the UI stuff I did. It might not fit some existing standards (though I did not find anything that would match this situation). My English might also leave room to be improved.