Details
- Type: Improvement
- Status: Done/Fixed
- Priority: Minor
- Resolution: Fixed/Completed
- Affects Version/s: 3.2.5, 3.3.6, 3.3.7, 3.4.alpha, 3.4.beta, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8
- Fix Version/s: 3.2.5
- Component/s: CiviMail
- Labels: None
- Documentation Required?: None
- Funding Source: Needs Funding
Description
Due to CMS permissions, CiviMail currently requires users to hardcode a username/password into the cron script in plaintext, for a user with admin rights.
This is not ideal from a security or user management perspective.
Two possible solutions:
1) alter permissions so this configured user has minimal rights, or perhaps no rights if the key is not provided, and thus can't do any damage if the password was used in the HTTP interface anyway
2) remove the password requirement and have the script force elevate to the required user