Summary

Add render_value to various PasswordInput fields.

Review Request #5346 — Created Jan. 28, 2014 and submitted Jan. 29, 2014, 1:52 p.m.

Information

Owner

david

Repository

Review Board

Branch

release-1.7.x

Bugs

3037, 3167

Depends On

Reviewers

Groups

reviewboard

People

Description

Add render_value to various PasswordInput fields.

For password inputs that are part of settings (LDAP auth, mail host, and
repository), the password wasn't pre-populated into the form, which meant that
if you changed said settings, you'd need to re-enter the password. This is
highly annoying. I've added render_value=True to the affected PasswordInput
ctors.

Testing Done

Checked that saving a password was "sticky".

Looks fine.

I remember this being the default a long time ago and people complaining about the security of it. Is the password in the HTML when this is on? I think ideally, we'd just not save the password or require it if we already have one stored and it's blank, and show some junk placeholder to make the field not appear empty.

david Jan. 29, 2014, 12:27 a.m.

So, it is included in the HTML, but I think given that it's admin-only (and people who are security-conscious should be using HTTPS), I'd much rather trade off the slight security impact for the significant usability gain.

Possibly we could do some hijinks to show a junk placeholder (not requiring it would mean you couldn't clear it out), but that seems like a lot of complexity for little gain.

Status:: Completed
Change Summary:: Pushed to release-1.7.x (a0eaf37).