anoved
commented
7 years ago Thanks for the heads-up. I will test it this weekend. I have been meaning to work on this plugin anyway so this is a good impetus.
Closed foosel closed 7 years ago
anoved
commented
7 years ago Thanks for the heads-up. I will test it this weekend. I have been meaning to work on this plugin anyway so this is a good impetus.
I recently noticed that I'd not properly protected some sensitive data in one of my own plugins. An API key was available on the settings API for basically everyone with access to the instance in question (settings API GET requests are not restricted since a lot of settings data is directly needed in the frontend for various things). Not a good idea. So I fixed that in my own plugin, added a new utility method in OctoPrint itself in future versions to allow to define restricted settings paths (already part of 1.2.17rc1) and thought I'd also go around and send some PRs to the plugins I know of that also might have sensitive data such as API keys and what not stored in their settings.
This PR is the result of that. I have to admit that I could not properly test it myself due to not having an SMTP server on hand, so please give it a test whirl before merging and releasing it.
The basic idea is to set sensitive settings fields to "None" if the settings load call does not originate from a user with admin rights.
Two implementations are provided, one for OctoPrint versions up to and including 1.2.16, and one for OctoPrint versions after 1.2.16 which come with a new method on the SettingsPlugin API to allow defining restricted paths.