SMTP creds are visible to end user - Security Risk
Hello,
If we set LockSettings = true, the window for the settings shows, and if the user has provided SMTP credentials (under the message relay tab) they can open dev tools and remove the type="password" to expose the SMTP password.
In previous versions of this tool, the ability to open the window was disabled altogether via LockSettings = true.
Could the frontend be updated to not include the actual values when LockSettings = true?
This is a design choice at the moment. The passwords are deliberately available to the user and no effort is made to hide them. Even in the previous versions, the lock settings simply prevent users from changing settings, but existing values were available via the API.
If settings are locked, omit the passwords from the API response. In the UI, show with ***s placeholder control to make it clear.
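The behaviour proposed in the last comment, sketched as an added example that is not part of the thread or the project's own code: when settings are locked, the server drops the password from the API response and sends only a flag the UI can use to draw the placeholder. The settings shape, the field names (`relayPassword`, `relayPasswordIsSet`) and both function names are assumptions made for illustration.

```javascript
// Added example: hypothetical settings shape and field names, not the project's API.
const SECRET_FIELDS = ["relayPassword"]; // assumed name of the SMTP relay password field

// Build the object the settings endpoint returns to the browser.
function settingsForClient(stored, lockSettings) {
  const out = { ...stored, lockSettings }; // copy, so the stored settings are untouched
  if (lockSettings) {
    for (const field of SECRET_FIELDS) {
      // Tell the UI whether a value exists so it can render a "***" placeholder,
      // but never put the value itself in the response body. Hiding it with
      // type="password" alone leaves it readable in dev tools.
      out[field + "IsSet"] = Boolean(stored[field]);
      delete out[field];
    }
  }
  return out;
}

// Apply an update posted by the browser. The lock is enforced on the server,
// because a disabled form in the UI does not stop a direct API call.
function applyClientUpdate(stored, update, lockSettings) {
  if (lockSettings) {
    throw new Error("settings are locked");
  }
  const next = { ...stored };
  for (const [key, value] of Object.entries(update)) {
    // Ignore fields the server owns; the client must not be able to set them.
    if (key === "lockSettings" || key.endsWith("IsSet")) continue;
    next[key] = value;
  }
  return next;
}

// Constructed sample data.
const stored = {
  relayHost: "smtp.example.test",
  relayLogin: "relay-user",
  relayPassword: "s3cret-constructed",
};
const locked = settingsForClient(stored, true);
console.log(JSON.stringify(locked));
```

With the lock off, `settingsForClient` returns the password as the current design does; only the locked response changes.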