Module should have it's own permissions or hide password in a *password* field

Module *should* definitely have its own user permissions and should not rely on users with 'administer site config' permission. If only for the fact that as a superuser, I set up sites for people but definitely don't want them to see my own email address and especially my password for it...

Pobster

I believe this is already being discussed here (since February 9, 2007 - 10:31): http://drupal.org/node/117450

I guess a permissions field for this module did not make it into the most recent version. Wish I could provide help but do not possess the necessary skills.

It does bother me that any other user is able to see the mail server password and they can't be blocked with a simple permissions check box, but maybe that is not so simple.

What do you mean with "any user" ? The user must have the 'administer site configuration' permission to go into the settings page.

BTW, I commited the other bug's fix, which hides the password in a proper password field.

I'm not bothered about the password field at all, I think that's actually a bad thing. Think of this situation, I make a site for someone and that site resides on my own server. The site isn't for myself, therefore I have to grant the 'administer site configuration' permission for the client. They will then see the smtp settings page which will now have a blank field where the password should be (it's just the way Drupal does it in case anyone is following this thread) my admin user is then able to save the settings on this page, or even reset them to defaults. I DO NOT want this!!! I would think it's much more logical to hide the settings page from them completely by having a separate permission for the settings page?

Pobster

I've commited the patch from #2.

Also, I prevented the password from being reset when the settings page is submitted with it's value set as empty (with a short explanation on the field description.)

I'm still not very happy with this, specially because of the empty field being displayed. Any suggestions?

Well... Now there is a permission specifically to view this page, is there any need to hide the field any more? You'd generally only use a password field to hide publicly viewable passwords anyway but well, you're configuring a server using admin rights? It's not exactly public!

Else if you really want the password field to stay; you are able to manipulate the value in the validation phase, why not form_set_value the field using variable_get so if it's blank it'll save the previous value anyway (meaning the password won't get overridden).

Pobster

I did this on validation.

The password field was requested just to improve over-the-shoulder privacy.

Ah right so all you're bothered about is that it's blank to begin with? It doesn't overwrite the password with a blank value when you save? Hmmm... I'm not sure there is anything you can do about that... I'm afraid I think that's just how Drupal handles password fields?

Pobster

ya... I believe we're a bit out of options here... Either we go back to displaying the password or we just leave it as it is...

I reckon leave it as it is... It's how all other (Drupal) password fields work?

Pobster

at least, this shouldn't be critical anymore

Sounds like the decision was to leave it as-is.