Posted to commits@fineract.apache.org by GitBox <gi...@apache.org> on 2019/12/12 08:01:42 UTC

[GitHub] [fineract] vorburger commented on a change in pull request #639: Enhancement for FINERACT #516

vorburger commented on a change in pull request #639: Enhancement for FINERACT #516
URL: https://github.com/apache/fineract/pull/639#discussion_r357001951
 
 

 ##########
 File path: fineract-provider/src/main/java/org/apache/fineract/useradministration/api/UsersApiResource.java
 ##########
 @@ -64,7 +64,7 @@
      * {@link AppUserData}.
      */
     private final Set<String> RESPONSE_DATA_PARAMETERS = new HashSet<>(Arrays.asList("id", "officeId", "officeName", "username",
-            "firstname", "lastname", "email", "allowedOffices", "availableRoles", "selectedRoles", "staff"));
+            "firstname", "lastname", "email", "allowedOffices", "availableRoles", "selectedRoles", "staff", "currentPassword"));
 
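Review bot: On the changed line, "currentPassword" is added to RESPONSE_DATA_PARAMETERS, which by its name and the Javadoc above lists the AppUserData fields allowed in API responses, so a password value becomes something a client can read back. I would drop "currentPassword" from this set. If the enhancement needs the caller to prove knowledge of the existing password, accept it as a request-only field and verify it on the server without ever serializing it. It would also help to say in the PR description what value this field is expected to carry, since nothing in this hunk shows where it gets populated.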
 Review comment:
   Is this secure and safe? From what (little) I understand, this will expose any user's current password in the API (to other accounts with admin permissions, I guess, but still) which perhaps doesn't seem like such a great idea? Passwords usually are "write only", and then verified, but never returned back out of a system.
   
   @awasum @avikganguly01 @vishwasbabu or anyone else reading this, care to chime in if I misunderstand this and it's OK or if this is No Go?
