This espace has timers log in with plain text userid/password that is stored in the site properties. I have a few concerns with this....
1) Is this even necessary? - This should run just fine without a user login, from what I can tell...
2) Storing a username/password in plain text is extremely insecure, why are you doing it this way?
3) If it were even necessary, you could log the user in without password with the System 'Login' action with just an ID.... A least this way you wouldn't be storing a password as plain text.
4) Given all of the above, is there any real benefit to logging a user in at all?
Hi Braxton
I believe there is a need for elevated user privileges/role when performing some of the maintenance tasks. It does not however excuse bad practice.
Thank you for pointing out the possible security risk. It has been a while since I worked on this component but will definitely review in light of your comments.
Hanno
I can confirm that there are some advanced roles required for some operations.
I'll attempt to use the System login action to see if it will work for granting these privileges.
Braxton wrote:
I have updated the module to use the system login action and it seems to be working okay with user accounts. I have to still test a scenario using a service account though.
Thank you for your suggestion.