Remove session_key from admin by default #64
IMO exposing the session key via the admin interface is unnecessary and just makes it easier to impersonate a user which is, arguably, a security risk.
@naggie thank you. I think it's sufficient to exclude that field by default (non-optional). If one wants the old behaviour back, a custom admin page could be created. Also there's no need to change setup.py; that will be handled as part of the release process. If you can make these changes, I'll merge the PR.
Great -- thanks for responding so fast!
Exposing the session key via the admin interface could be considered unnecessary and
just makes it easier to impersonate a user which is, arguably, a
security risk.
The following PR makes this optional. I'd appreciate your opinion.
Thanks!
Callan Bryant