Do not prompt for password when in DEBUG mode #396

Closed

Conversation

thyseus
Contributor

@thyseus thyseus commented Jun 1, 2015

No description provided.

@thiagotalma
Member

I think it is a little strange.

I do not see much practical application.
It is easier and guaranteed to create a bookmarklet.

@thyseus
Contributor Author

thyseus commented Jun 1, 2015

It's extremely practical to be able to jump between different users quickly while developing.
I often come into a case where I don't have the password of a user ready, and it takes time and nerves to search for it. This feature is also standard in yii-user-management (yii1 legacy).

@thiagotalma
Member

I understand. But this is dangerous, you can open security holes.

Follow my suggestion of bookmarklets. I have used them for years and they help a lot.

@schmunk42
Contributor

I also think this is critical and may lead to serious security issues.

But isn't it possible just to disable the password validator somehow, e.g. by dependency injection?

@thyseus
Contributor Author

thyseus commented Jun 2, 2015

I personally do not see a security hole or any danger of it. The Module will disable this feature automatically once the application leaves YII_DEBUG mode. And even if the administrator forgets to disable YII_DEBUG mode and uploads the files to the production server accidentally, the feature is still disabled by default.

The chances of compromising the system are equal with or without this feature; as long as an attacker has got physical access or virtual access to the source code, he can do whatever he wants.

Of course using techniques like DI would be great!

What are bookmarklets? I only know about "Swap my Cookies" as Chrome extension, which I use to quickly switch users while developing. But the problem this PR solves is another one.
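Added example, not code from yii2-user or from this PR: one way to wire the "no password in debug mode" switch schmunk42 suggests injecting, and thyseus says is off by default, so that it fails closed. The bypass needs YII_DEBUG and an explicit opt-in, applies only to loopback hosts, and every use is logged; the class, option names and sample inputs are hypothetical.

```php
<?php
// Assumed: the login form asks this gate before running its normal
// password validator. The gate's defaults keep the real check on.
final class DebugLoginGate
{
    private bool $debug;          // value of YII_DEBUG when the gate is built
    private bool $optIn;          // explicit module setting, false unless configured
    private array $allowedHosts;  // hosts on which the bypass may ever apply
    /** @var callable(string):void audit sink, e.g. a wrapper around Yii::warning() */
    private $log;

    public function __construct(bool $debug, bool $optIn, callable $log,
                                array $allowedHosts = ['localhost', '127.0.0.1', '::1'])
    {
        $this->debug = $debug;
        $this->optIn = $optIn;
        $this->log = $log;
        $this->allowedHosts = array_map('strtolower', $allowedHosts);
    }

    /** True when the real password check must run for this login attempt. */
    public function passwordRequired(string $username, string $host): bool
    {
        // Fail closed: any missing condition keeps the password check on.
        if (!$this->debug || !$this->optIn) {
            return true;
        }
        if (!in_array(strtolower($host), $this->allowedHosts, true)) {
            return true;
        }
        // Leave an audit trail whenever the bypass is actually used.
        ($this->log)("debug login bypass used for user '$username' from $host");
        return false;
    }
}

// Self-check with constructed inputs, including the "YII_DEBUG left on in
// production" case from the discussion above.
$events = [];
$sink = function (string $m) use (&$events) { $events[] = $m; };

$prod = new DebugLoginGate(false, false, $sink);
if ($prod->passwordRequired('admin', 'localhost') !== true) { exit('prod must check'); }
$debugLeftOn = new DebugLoginGate(true, false, $sink);   // debug on, no opt-in
if ($debugLeftOn->passwordRequired('admin', 'app.example') !== true) { exit('no opt-in'); }
$dev = new DebugLoginGate(true, true, $sink);
if ($dev->passwordRequired('admin', 'app.example') !== true) { exit('not loopback'); }
if ($dev->passwordRequired('admin', 'localhost') !== false) { exit('dev bypass'); }
if (count($events) !== 1) { exit('bypass must be logged'); }
echo "ok\n";
```

In a Yii2 entry script the constructor arguments would come from the YII_DEBUG constant and the module configuration, so a production build with the default configuration never reaches the bypass branch.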

@thiagotalma
Member

http://en.wikipedia.org/wiki/Bookmarklet

Create a bookmark and edit the url to:

javascript:(function()%7B%24("%23login-form-login").val('YOURUSERNAME')%3B%24("%23login-form-password").val('YOURPASSWORD')%3B%24(".login-submit").click()%7D)()

On the login page, click on the icon and see the magic

@dmeroff
Member

dmeroff commented Jun 3, 2015

Thank you for your contribution! As I've already said, this may be useful sometimes. However, this feature should be carefully covered with tests in order to keep it safe after updates/refactoring/etc. That is why IMO it's better to use bookmarklets. Also, they don't make you remember usernames, you just click the bookmarklet. I think a special article should be added to the documentation, I'll handle it on the weekend. However, this PR may be added as a "How-to" to the docs too.

@dmeroff dmeroff closed this Jun 3, 2015
@thyseus
Contributor Author

thyseus commented Jun 5, 2015

OK, I agree. Once I get the time to get the test suite running on my local dev machine, I will add proper test coverage for this feature. It's fine for me if it does not get merged into the master branch, I will use it for my development though.

Btw: Thanks for that bookmarklet advice! Didn't know about this. Just made my life easier :-)
