openstack/horizon
Code Issues Proposed changes

Password reveal feature should be configurable

Browse Source 
Horizon has a password reveal eye button which allows the
password field to be viewed in plain text.  This is a security risk
because a malicious user can check the OpenStack password at an
unattended computer.

Add new DISABLE_PASSWORD_REVEAL setting which is by default, False.

DocImpact

Change-Id: I21a2eaedbff4c1ee73d97c5674eca43c0258ca1a
Closes-Bug: #1400872
This commit is contained in:
Cindy Lu 2015-01-08 11:39:43 -08:00
parent a88bdb6643
commit afbca3d431
4 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/source/topics/settings.rst
View File

@ -182,6 +182,16 @@ element, do not close the modal after clicking outside of it) and ``"static"``
(show backdrop element outside the modal, do not close the modal after (show backdrop element outside the modal, do not close the modal after
clicking on backdrop). clicking on backdrop).
``disable_password_reveal``
---------------------------
.. versionadded:: 2015.1(Kilo)
Default: ``False``
Setting this to True will disable the reveal button for password fields,
including on the login form.
``password_validator`` ``password_validator``
---------------------- ----------------------

8
horizon/static/horizon/js/horizon.forms.js
View File

@ -197,9 +197,11 @@ horizon.addInitFunction(horizon.forms.init = function () {
horizon.forms.handle_object_upload_source(); horizon.forms.handle_object_upload_source();
horizon.forms.datepicker(); horizon.forms.datepicker();
horizon.forms.add_password_fields_reveal_buttons($("body")); if (!horizon.conf.disable_password_reveal) {
horizon.modals.addModalInitFunction( horizon.forms.add_password_fields_reveal_buttons($("body"));
horizon.forms.add_password_fields_reveal_buttons); horizon.modals.addModalInitFunction(
horizon.forms.add_password_fields_reveal_buttons);
}
// Bind event handlers to confirm dangerous actions. // Bind event handlers to confirm dangerous actions.
$("body").on("click", "form button.btn-danger", function (evt) { $("body").on("click", "form button.btn-danger", function (evt) {

1
horizon/templates/horizon/_conf.html
View File

@ -42,6 +42,7 @@ angular.module('hz')
fade_duration: {{ HORIZON_CONFIG.auto_fade_alerts.fade_duration|default:"1500" }}, fade_duration: {{ HORIZON_CONFIG.auto_fade_alerts.fade_duration|default:"1500" }},
types: {{ HORIZON_CONFIG.auto_fade_alerts.types|default:"[]"|safe }} types: {{ HORIZON_CONFIG.auto_fade_alerts.types|default:"[]"|safe }}
}; };
hzConfig.disable_password_reveal = {{ HORIZON_CONFIG.disable_password_reveal|yesno:"true,false" }};
}]); }]);
</script> </script>

4
openstack_dashboard/local/local_settings.py.example
View File

@ -82,6 +82,10 @@ HORIZON_CONFIG = {
# the database creation workflow if so desired. # the database creation workflow if so desired.
# HORIZON_CONFIG["password_autocomplete"] = "off" # HORIZON_CONFIG["password_autocomplete"] = "off"
# Setting this to True will disable the reveal button for password fields,
# including on the login form.
# HORIZON_CONFIG["disable_password_reveal"] = False
LOCAL_PATH = os.path.dirname(os.path.abspath(__file__)) LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
# Set custom secret key: # Set custom secret key: