Proposal: hide DjangoCMS version in toolbar for non-admin users


Sylvain Fankhauser

Nov 12, 2016, 5:42:40 AM
to django CMS developers
Hello,

The current behaviour of the toolbar is to show the DjangoCMS version on hover, which means you can go to most DjangoCMS websites, add a "?edit" querystring, and see if they're using an outdated DjangoCMS version. I think that security-wise it would be better to only show the version when the user is logged in and is a staff user.

What do you think?

Cheers,
Sylvain
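The check proposed above, written out as an added example (not django CMS's own toolbar code): the version string is only rendered into the toolbar title when the viewer is authenticated and has the staff flag; everyone else, including visitors who trigger the toolbar via the querystring, gets a generic label. The user stand-in classes, the ``cms_version`` argument and the ``X.Y.Z`` placeholder are all assumptions made here so the snippet runs without Django installed; in a real project the same check would take ``request.user``.

```python
"""Added example, not code from the django CMS project.

Assumptions (hypothetical): the toolbar hands the check a Django-style user
object exposing ``is_authenticated`` and ``is_staff``, and the version string
is passed in as ``cms_version``. The stub user classes at the bottom are
constructed stand-ins so the example runs offline without Django.
"""
from typing import Any


def _truthy(attr: Any) -> bool:
    # Older Django releases exposed ``is_authenticated`` as a method, newer
    # ones as a property. Accept both so a version bump cannot silently turn
    # the check into "always truthy" (a bound method is truthy on its own).
    return bool(attr() if callable(attr) else attr)


def can_see_version(user: Any) -> bool:
    """True only for a logged-in staff user; None, anonymous or non-staff -> False."""
    if user is None:
        return False
    return _truthy(getattr(user, "is_authenticated", False)) and bool(
        getattr(user, "is_staff", False)
    )


def toolbar_title_before(cms_version: str) -> str:
    """Behaviour the proposal objects to: the hover title always embeds the version."""
    return f"django CMS {cms_version}"


def toolbar_title_after(user: Any, cms_version: str) -> str:
    """Proposed behaviour: generic label unless the viewer is authenticated staff."""
    if can_see_version(user):
        return f"django CMS {cms_version}"
    return "django CMS"


# --- constructed stand-ins for Django user objects (not real Django classes) ---
class _User:
    def __init__(self, authenticated: bool, staff: bool) -> None:
        self.is_authenticated = authenticated
        self.is_staff = staff


class _LegacyUser:
    """Mimics older Django, where is_authenticated() was a method."""

    def __init__(self, authenticated: bool, staff: bool) -> None:
        self._auth = authenticated
        self.is_staff = staff

    def is_authenticated(self) -> bool:
        return self._auth


ANONYMOUS = _User(authenticated=False, staff=False)
LOGGED_IN_NON_STAFF = _User(authenticated=True, staff=False)
STAFF = _User(authenticated=True, staff=True)
LEGACY_STAFF = _LegacyUser(authenticated=True, staff=True)

if __name__ == "__main__":
    # "X.Y.Z" is a placeholder version, not a real release number.
    cases = [("anonymous", ANONYMOUS), ("logged-in non-staff", LOGGED_IN_NON_STAFF),
             ("staff", STAFF), ("legacy staff", LEGACY_STAFF)]
    for name, u in cases:
        print(f"{name:20s} before: {toolbar_title_before('X.Y.Z')!r:22s} "
              f"after: {toolbar_title_after(u, 'X.Y.Z')!r}")
```

The deliberate point of `_truthy` is the failure mode a practitioner would want covered: if `is_authenticated` is a method and the code tests the attribute without calling it, every visitor passes the check and the version leaks again.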

Iacopo Spalletti

Nov 12, 2016, 7:15:50 AM
to django-cms...@googlegroups.com
I am +1 on this.
Hiding information, while not a security measure per se, makes life
harder for any malicious visitor.
Even if it's easy to change the ?edit trigger, I don't see any reason to
expose the CMS version to unauthenticated users.

Iacopo



--
Iacopo Spalletti

Nephila s.a.s. - Firenze
Telefono: +39 055 5357189
Assistenza Tecnica: +39 055 3985730
http://nephi.la


czpython

Nov 12, 2016, 4:30:29 PM
to django CMS developers
Thanks for following up :)

+1

Angelo Dini

Nov 14, 2016, 3:18:44 AM
to django CMS developers
+1