Details
- Bug
- Resolution: Fixed
- Blocker
- 7.3-milestone-1
- Unit
- Medium
- Hard
- N/A
- N/A
- Pull Request accepted
Description
We need to check the obfuscation parameter and obfuscate the email if it is on.
Reproduction steps:
- Create a user U1
- Set an email
- Activate email obfuscation
- Query http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 (the query must be done with a user with no edit rights on XWiki.U1 as we don't obfuscate emails for users with edit rights)
Expected:
- The mail is obfuscated
Actual:
- The mail is displayed un-obfuscated
Actually, what's really bad is that the same is true for passwords, which are returned (hashed) to the end user, making them very easily breakable offline (e.g., rainbow tables and such).
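A regression check for the behaviour described above, as an added example that is not XWiki's own code: it parses the object representation returned to a caller without edit rights and flags a complete email address or any non-empty password value. The XML shape and namespace, the masked form `u...@example.org`, and the sample bodies are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://www.xwiki.org"}  # assumed namespace of the REST XML
# A complete address: the local part has no run of dots, so a masked value fails.
FULL_EMAIL = re.compile(r"[\w%+-]+(\.[\w%+-]+)*@[\w-]+(\.[\w-]+)+")


def audit_user_object(xml_text):
    """Return findings for an XWiki.XWikiUsers object fetched without edit rights."""
    findings = []
    root = ET.fromstring(xml_text)
    for prop in root.iterfind("x:property", NS):
        name = prop.get("name", "")
        ptype = prop.get("type", "")
        value = (prop.findtext("x:value", default="", namespaces=NS) or "").strip()
        if not value:
            continue  # an empty value discloses nothing
        if name == "email" and FULL_EMAIL.fullmatch(value):
            findings.append(("email", "returned un-obfuscated"))
        if name == "password" or ptype == "Password":
            findings.append((name, "password hash returned to caller"))
    return findings


def _sample(email, password):
    # Constructed response body; only the fields this check reads are present.
    return f"""<object xmlns="http://www.xwiki.org">
  <className>XWiki.XWikiUsers</className>
  <property name="email" type="Email"><value>{email}</value></property>
  <property name="password" type="Password"><value>{password}</value></property>
</object>"""


# Constructed samples: the behaviour reported here, and a masked response.
LEAKY = _sample("u1@example.org", "CONSTRUCTED-HASH-VALUE")
MASKED = _sample("u...@example.org", "")

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY), ("masked", MASKED)):
        print(label, audit_user_object(body))
```

Run it against the body returned for the URL in the reproduction steps, fetched as a user without edit rights on the profile page, with email obfuscation activated.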