Problem/Motivation

The Drupal State lease storage plugin stores plugins in cleartext.
The Encrypted state plugin is preferred, however it requires the Encrypt module.

Steps to reproduce

Proposed resolution

Provide warning when choosing the Drupal State plugin that it stores leases in cleartext, and that the encrypted plugin should be chosen whenever possible.

we should also consider a hook_requirements warning.

Remaining tasks

User interface changes

API changes

Data model changes

Issue fork vault-3485169

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

cmlara created an issue. See original summary.

cmlara opened merge request !13

cmlara’s picture

cmlara
he/him
commented
Status: Active » Needs review

Adding a requirement check might be a bit excessive for this change so decided against it for the time being. Long term we may want to add such a check and deprecate the cleartext plugin.

While we could technically do so now as we are in Alpha, the plugin has been around since the original 1.x alpha branches, it would be aggressive to remove it at this juncture when trying to bring the module to a stable release, especially with consideration that the Lockr module will go unsupported at the end of November when the service shuts down.

Added a new static memory plugin that can be used instead of encrypted storage for sites that do not expect to use Leases frequently (some/many? sites may never use them) to avoid the need for setting up the Encrypt module.

cmlara’s picture

cmlara
he/him
commented
Status: Needs review » Fixed

  • cmlara committed 91e9bdcf on 3.x 
    Issue #3485169 by cmlara: Provide more warning against using the...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.