@justinvelluppillai
Description:
Fixes #19904
Review
- [ ] Functional review done
- [ ] Potential edge cases thought about (behavior of the code with strange input, with strange internal state or possible interactions with other Matomo subsystems)
- [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
- [ ] Security review done
- [ ] Wording review done
- [ ] Code review done
- [ ] Tests were added if useful/possible
- [ ] Reviewed for breaking changes
- [ ] Developer changelog updated if needed
- [ ] Documentation added if needed
- [ ] Existing documentation updated if needed
@sgiehl
@tsteur could you quickly confirm that we really want to add a config option to disable password confirmations? Personally I think that makes it a way too easy to disable this security feature.
Also I guess this is a workaround for a problem that should be solved in another way.
For plugins that provide another login mechanism and a password might not be available there is already an event that can be used instead. And for people that get annoyed by password confirmations the solution should imho not be to allow them disabling the password confirmation globally. It would be a more secure solution to only ask for the password every 5 minutes or so.
@tsteur
For plugins that provide another login mechanism and a password might not be available there is already an event that can be used instead.
👍 Thinking the same. Plugins should definitely use the events for this.
And for people that get annoyed by password confirmations the solution should imho not be to allow them disabling the password confirmation globally. It would be a more secure solution to only ask for the password every 5 minutes or so.
Indeed. I've checked with @mattab and we moved the issue out of the milestone as it would have been only a non-user friendly and non-security friendly workaround to the problem. So we could close the PR