Security: Remove all plain text password logic and ui #4178
Merged
JohnMcLear merged 5 commits into ether:develop from Oct 7, 2020
rhansen (Member) reviewed Sep 28, 2020
Is the idea to force users to use plugins instead? (authorize in particular)
Also need to remove password stuff from:
- src/node/db/SecurityManager.js
- src/static/js/pad.js
Member
Please rebase onto current develop.
f5dadef to 229983d
Member
I rebased your branch onto develop and force-pushed to your fork.
Member
Author
Ready for further review.
0bb8c47 to ae33209
It is still used for authz failures.
ae33209 to 71cab37
Member
@JohnMcLear I rebased your branch and pushed some additional changes. Please take a look. If everything looks good to you, I think it's ready to squash and merge.
Kudos, SonarCloud Quality Gate passed!
JohnMcLear added a commit that referenced this pull request Dec 23, 2020
#4178)

This will be a breaking change for some people. We removed all internal password control logic. If this affects you, you have two options:

1. Use a plugin for authentication and use session based pad access (recommended).
2. Use a plugin for password setting.

The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granular access based on their implementations (instead of half assed baking our own).
Fixes #230
This doesn't deprecate.
It doesn't gracefully remove the API methods from being available.
It doesn't publish an API version.
It is a pure cut off. If you use these API endpoints, it will screw you over.