@justinvelluppillai opened this Pull Request on December 21st 2022 Member

Description:

Fixes #19904

Review

@sgiehl commented on December 21st 2022 Member

@tsteur could you quickly confirm that we really want to add a config option to disable password confirmations? Personally I think that makes it way too easy to disable this security feature.
Also I guess this is a workaround for a problem that should be solved in another way.
For plugins that provide another login mechanism and a password might not be available there is already an event that can be used instead. And for people that get annoyed by password confirmations the solution should imho not be to allow them disabling the password confirmation globally. It would be a more secure solution to only ask for the password every 5 minutes or so.

@tsteur commented on December 21st 2022 Member

> For plugins that provide another login mechanism and a password might not be available there is already an event that can be used instead.

👍 Thinking the same. Plugins should definitely use the events for this.

> And for people that get annoyed by password confirmations the solution should imho not be to allow them disabling the password confirmation globally. It would be a more secure solution to only ask for the password every 5 minutes or so.

Indeed. I've checked with @mattab and we moved the issue out of the milestone as it would have been only a non-user friendly and non-security friendly workaround to the problem. So we could close the PR.

This Pull Request was closed on December 21st 2022