Password reveal feature should be configurable

Horizon has a password reveal eye button which allows the
password field to be viewed in plain text.  This is a security risk
because a malicious user can check the OpenStack password at an
unattended computer.

Add a new DISABLE_PASSWORD_REVEAL setting, which is False by default.

DocImpact

Change-Id: I21a2eaedbff4c1ee73d97c5674eca43c0258ca1a
Closes-Bug: #1400872
Cindy Lu 2015-01-08 11:39:43 -08:00
parent a88bdb6643
commit afbca3d431
4 changed files with 20 additions and 3 deletions


@ -182,6 +182,16 @@ element, do not close the modal after clicking outside of it) and ``"static"``
(show backdrop element outside the modal, do not close the modal after
clicking on backdrop).
``disable_password_reveal``
---------------------------
.. versionadded:: 2015.1(Kilo)
Default: ``False``
Setting this to True will disable the reveal button for password fields,
including on the login form.
``password_validator``
----------------------


@ -197,9 +197,11 @@ horizon.addInitFunction(horizon.forms.init = function () {
horizon.forms.handle_object_upload_source();
horizon.forms.datepicker();
horizon.forms.add_password_fields_reveal_buttons($("body"));
horizon.modals.addModalInitFunction(
horizon.forms.add_password_fields_reveal_buttons);
if (!horizon.conf.disable_password_reveal) {
horizon.forms.add_password_fields_reveal_buttons($("body"));
horizon.modals.addModalInitFunction(
horizon.forms.add_password_fields_reveal_buttons);
}
// Bind event handlers to confirm dangerous actions.
$("body").on("click", "form button.btn-danger", function (evt) {
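Review bot: The guard `if (!horizon.conf.disable_password_reveal) {` fails open: if the property is undefined when this init function runs, the reveal buttons are still added even though the operator set the flag. The value is assigned to `hzConfig` inside an angular run block in the template section. Whether that object is what `horizon.conf` refers to, and whether it is populated before `horizon.forms.init` executes, is not visible here, so the ordering should be confirmed. Since the template always renders a literal `true` or `false`, `if (horizon.conf.disable_password_reveal === false) {` would add the buttons only when the setting was actually delivered to the page. The init function starts and ends outside the hunk.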


@ -42,6 +42,7 @@ angular.module('hz')
fade_duration: {{ HORIZON_CONFIG.auto_fade_alerts.fade_duration|default:"1500" }},
types: {{ HORIZON_CONFIG.auto_fade_alerts.types|default:"[]"|safe }}
};
hzConfig.disable_password_reveal = {{ HORIZON_CONFIG.disable_password_reveal|yesno:"true,false" }};
}]);
</script>


@ -82,6 +82,10 @@ HORIZON_CONFIG = {
# the database creation workflow if so desired.
# HORIZON_CONFIG["password_autocomplete"] = "off"
# Setting this to True will disable the reveal button for password fields,
# including on the login form.
# HORIZON_CONFIG["disable_password_reveal"] = False
LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
# Set custom secret key:
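Review bot: The sample comment above `HORIZON_CONFIG["disable_password_reveal"]` does not say when an operator should turn the setting on or what it leaves unchanged. Going by the JavaScript section of this commit, the flag only skips adding the reveal buttons and leaves the password inputs themselves untouched. It is therefore a hardening step for shared or unattended workstations and should be paired with session timeout and screen locking rather than replace them. Suggest extending the comment with a line such as `# Recommended for shared workstations; this hides the button only.` The default of `False` also keeps the reveal button enabled, which is worth stating explicitly.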