
HidePasswordPluginDev Discussion: Page for developer collaboration, enhancement requests, patches and improved versions on HidePasswordPlugin contributed by the TWikiCommunity.
• Please let us know what you think of this extension.
• For support, check the existing questions, or ask a new support question in the Support web!
• Please report bugs below

Feedback on HidePasswordPlugin

-- MikeEggleston - 20 Nov 2006

Thank you Mike for sharing this plugin with the TWikiCommunity!

Some feedback:

  • I fixed some text (added required SHORTDESCRIPTION) and removed redundant text on the plugin topic; please feel free to take this back into the next release.
  • I understand how you can hide the plain text password in normal topic view. Does the password get obfuscated as well with view raw?
  • How about measuring and documenting the PluginBenchmarks numbers?
  • TWiki Dependency lists $TWiki::Plugins::VERSION 1.1, which is TWiki 4.0. The form lists the Sep 2004 version, which is $TWiki::Plugins::VERSION 1.024.
  • The zip file contains an extra twikiHidePasswords directory, e.g. the perl module is at twikiHidePasswords/lib/TWiki/Plugins/HidePasswordPlugin.pm. The standard for TWiki plugins is to package from the TWiki root, e.g. lib/TWiki/Plugins/HidePasswordPlugin.pm.
  • The TWIKIDATAPATH setting is a security risk. Better to use official TWiki::Func::... modules.

-- PeterThoeny - 20 Nov 2006

The plugin does not obfuscate the passwords in the raw *.txt file. My intent is to hide passwords from someone accessing an open terminal and that someone that has edit privileges on the topic is someone that can see the passwords. I looked for something in the official TWiki::Func::... modules that would return where the data directory is so I can combine the Web name with the Topic name for the purpose of chmod 0600 $file to prevent casual viewing of the passwords at the filesystem level. Currently the chmod command is commented out. I have some performance problems with calling this routine at the moment.

I do not like *.zip nor *.tar.gz that extract into your current directory, that's why there is a top level directory of twikiHidePasswords and an install.sh script.

-- MikeEggleston - 21 Nov 2006

The data directory is in a config option $TWiki::cfg{DataDir}, or you can use TWiki::Func::getDataDir (which is deprecated). Anybody who can see a topic can also see the raw topic and therefore read your passwords, unless you change the skin and also reprogram the view script to not allow raw as a parameter.

-- ThomasWeigert - 21 Nov 2006

I had seen TWiki::Func::getDataDir is deprecated and didn't use it. I missed the $TWiki::cfg{DataDir}. As mentioned above I was going to chmod 0600 $TWiki::cfg{DataDir}/$Web/$Topic.txt to prevent casual access to the embedded passwords. The files in my httpd are owned by apache, so using 0600 allows apache to continue updating the files, but prevents non-apache from viewing the files at the filesystem level.

-- MikeEggleston - 21 Nov 2006
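
The filesystem-level restriction discussed above, as an added example that is not part of the original discussion or the plugin's own code: it builds DataDir/Web/Topic.txt, rejects names that could escape the data directory, applies mode 0600 and verifies the result. The function names topic_file and restrict_topic are hypothetical, and a temporary directory with a constructed topic stands in for $TWiki::cfg{DataDir}.

```perl
#!/usr/bin/perl
# Added example (not HidePasswordPlugin code): restrict one topic file to its owner.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Build DataDir/Web/Topic.txt, refusing names that could leave the data dir.
# Simplification: only flat web names are accepted (no subwebs, no dots).
sub topic_file {
    my ($data_dir, $web, $topic) = @_;
    for my $name ($web, $topic) {
        die "unsafe name '$name'\n" unless $name =~ /\A[A-Za-z0-9_]+\z/;
    }
    return File::Spec->catfile($data_dir, $web, "$topic.txt");
}

# chmod the topic file to 0600 and confirm the mode actually changed.
sub restrict_topic {
    my ($data_dir, $web, $topic) = @_;
    my $file = topic_file($data_dir, $web, $topic);
    die "not a plain file: $file\n" unless -f $file && !-l $file;
    chmod(0600, $file) == 1 or die "chmod failed on $file: $!\n";
    my $mode = (stat $file)[2] & 07777;
    die sprintf("mode is %04o, expected 0600\n", $mode) unless $mode == 0600;
    return $file;
}

# Constructed demo: a temporary directory stands in for $TWiki::cfg{DataDir}.
my $data_dir = tempdir(CLEANUP => 1);
make_path(File::Spec->catdir($data_dir, 'Sandbox'));
my $path = File::Spec->catfile($data_dir, 'Sandbox', 'ServerLogins.txt');
open(my $fh, '>', $path) or die "open: $!\n";
print {$fh} "constructed sample topic text\n";
close($fh);
chmod(0644, $path);    # start from a world-readable file

printf "restricted %s\n", restrict_topic($data_dir, 'Sandbox', 'ServerLogins');
for my $bad ('../etc', 'Sandbox/Sub') {
    eval { topic_file($data_dir, $bad, 'ServerLogins') };
    print "rejected web '$bad': $@" if $@;
}
```

With TWiki's RCS store, earlier revisions of the topic text also sit in the Topic.txt,v file next to the topic, so that file needs the same mode for the restriction to cover old revisions.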

If you give a topic the parameter ?raw=on or ?raw=debug you can see the topic text (the latter including the meta data). So anybody that can access the topic via TWiki can also see your password. There is even a button in the action bar to allow raw topic view.

-- ThomasWeigert - 21 Nov 2006

One option to get around the view raw issue is to encrypt the password on topic save, and decrypt it on edit.

-- PeterThoeny - 21 Nov 2006

Topic revision: r6 - 2006-11-21 - PeterThoeny