aboutsummaryrefslogtreecommitdiff
path: root/doc/todo
diff options
context:
space:
mode:
authorhttp://christian.amsuess.com/chrysn <chrysn@web>2011-01-28 21:08:13 +0000
committerJoey Hess <joey@kitenet.net>2011-01-28 21:08:13 +0000
commit37fc7b3dcd4c2c51010da77dd7b636da48da32ad (patch)
tree5ab0437d53d969df51af551e00bbc61837d6ceb9 /doc/todo
parentb1f82ab327a26803c1cb95b6b60134348206f8e9 (diff)
downloadikiwiki-37fc7b3dcd4c2c51010da77dd7b636da48da32ad.tar
ikiwiki-37fc7b3dcd4c2c51010da77dd7b636da48da32ad.tar.gz
security issue with credentials page
Diffstat (limited to 'doc/todo')
-rw-r--r--doc/todo/credentials_page.mdwn2
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/todo/credentials_page.mdwn b/doc/todo/credentials_page.mdwn
index 161f63a80..6b90af144 100644
--- a/doc/todo/credentials_page.mdwn
+++ b/doc/todo/credentials_page.mdwn
@@ -29,3 +29,5 @@ such a page could have a form as described in [[todo/structured page data]] and
>> and yes, you're right about the word misusage; thanks for pointing it out and fixing it.
>>
>> --[[chrysn]]
+
+an issue to be considered: for ways of authentication that don't explicitly mention the user name (and that would be everything but password; especially OpenID), there has to be a way to prevent users from hijacking an admin's account. the user wouldn't get more privileges, but the admin could find himself logged in as a user instead of an admin when he logs in using his OpenID, for example. he could fix it by removing the openid from the user's ("his") page, but it has to be taken care of nevertheless. --[[chrysn]]