- Improvement
- Resolution: Unresolved
- Minor
- None
- 3.7.1
- MOODLE_37_STABLE

As a Moodle Partner this is a request from one of our customers regarding security concerns.
Request: Information such as the outgoing mail SMTP password should be encrypted when stored and should not be able to be recovered by simply clicking the eye button.
Whilst administrators should be trusted users, it is a potential security concern having a password revealable by clicking an eye icon. Similar to how user passwords are not revealable in the front end of Moodle.
Upon entering information into the SMTP password field, the password should be saved/encrypted and no longer revealable. If the password is wrong or needs to be changed, an administrator can simply re-enter a new password into this field to overwrite the old password. It is also worth considering whether any ability to reveal information by clicking an eye icon could be removed.

- will be (partly) resolved by: MDL-66445 All admin_setting_configpassword should not show forced config items (Closed)