@mattab opened this Issue on April 12th 2018 Member

In Administration > Email reports, users can download an email report. The "Download" link includes the token_auth. This is problematic because the token_auth is then leaked in server access logs and browser history.

-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the token_auth in the POST body.

@tsteur commented on April 12th 2018 Member

When you POST, the reload might be problematic. Can probably simply add a controller action for this that executes the API method so no token needed etc.
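
An added example, not part of the issue thread or the project's code: a scan of access-log lines for the leak the issue describes, flagging each line that carries a token_auth value and producing a redacted copy. The log lines, host names, paths and token values are constructed, and the combined access-log format is an assumption.

```python
import re

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')
# token_auth with a non-empty value in a query string (parameter name from the issue)
TOKEN_RE = re.compile(r'([?&]token_auth=)[^&\s"#]+', re.IGNORECASE)

# Constructed sample lines (assumed combined log format, fake tokens and hosts)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2018:10:00:01 +0000] "GET /index.php?module=Example'
    '&action=download&idReport=1&token_auth=0123456789abcdef0123456789abcdef'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2018:10:00:05 +0000] "POST /index.php?module=Example'
    '&action=download&idReport=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Apr/2018:10:01:00 +0000] "GET /plugins/logo.png HTTP/1.1"'
    ' 200 900 "https://analytics.example/index.php?token_auth='
    'fedcba9876543210fedcba9876543210&module=Example" "Mozilla/5.0"',
]


def redact(line):
    """Replace every token_auth value in a log line with a fixed marker."""
    return TOKEN_RE.sub(r"\1REDACTED", line)


def scan(lines):
    """Return (findings, redacted_lines).

    A finding is (line_no, where): "request" when the token is in the
    requested URL, "referer/other" when it appears elsewhere on the line,
    such as the Referer field sent along with a later request.
    """
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        if TOKEN_RE.search(line):
            req = REQUEST_RE.search(line)
            in_request = bool(req and TOKEN_RE.search(req.group(2)))
            findings.append((no, "request" if in_request else "referer/other"))
        cleaned.append(redact(line))
    return findings, cleaned


if __name__ == "__main__":
    found, redacted = scan(SAMPLE_LOG)
    for no, where in found:
        print(f"line {no}: token_auth in {where}")
    print("\n".join(redacted))
```

The POST line in the sample produces no finding because request bodies are not written to the access log, which is the property the proposed change relies on.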
