Task #8202

Updated by bmbouter about 3 years ago

## Make these fields `write_only=True`

### Potentially needing to be write_only
 * username 
 * password 
 * proxy_url 
 * proxy_username - not yet merged, but soon https://pulp.plan.io/issues/8167 
 * proxy_password - not yet merged, but soon https://pulp.plan.io/issues/8167 
 * client_cert 
 * client_key 

 ### bmbouter's recommendations 
 * username - yes because this can be significant 
 * password - yes, definitely 
 * proxy_url - no, but it's debatable. Users could set username/password in this. Perhaps we could have the validation disable users from doing that. That would be good. Being able to read back the proxy_url is important for users I think. 
 * proxy_username - yes because this can be significant 
 * proxy_password - yes, definitely 
 * client_cert - no, certs aren't useful without the key 
 * client_key - yes, definitely 

 ### Filter implications 

 To not leak data we can no longer offer filtering of these fields. The FilterSet needs to be adjusted with this work to disinclude these fields. 

 ### Update the docs 

 There are scary banners that say that Pulp is unsafe to use because it returns this kind of data in the responses. The banners should still exist, but they should no longer give examples of username and password because that is no longer in the API. It should say instead that it could read data from objects from other users (or something like that). 
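
The `proxy_url` validation suggested in the recommendations above, sketched as an added example (not part of the original task and not Pulp's code): it rejects any URL that carries a userinfo component, so a readable `proxy_url` cannot leak credentials. The names `validate_proxy_url`, `ProxyURLError` and `ALLOWED_SCHEMES` are hypothetical, and the http/https restriction is an assumption.

```python
from urllib.parse import urlsplit

# Assumption for this example: only http and https proxies are accepted.
ALLOWED_SCHEMES = {"http", "https"}


class ProxyURLError(ValueError):
    """Raised when a proxy_url is not safe to store in a readable field."""


def validate_proxy_url(value):
    """Return value unchanged if it embeds no credentials, otherwise raise."""
    try:
        parts = urlsplit(value)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        raise ProxyURLError(f"proxy_url is not a valid URL: {exc}") from exc

    if parts.scheme not in ALLOWED_SCHEMES:
        raise ProxyURLError("proxy_url must start with http:// or https://")

    # Any "@" in the authority marks a userinfo component. Checking the raw
    # netloc also catches "user@host", ":password@host" and an empty "@host",
    # which a test on parts.username / parts.password alone could miss.
    if "@" in parts.netloc:
        raise ProxyURLError(
            "proxy_url must not contain credentials; "
            "use proxy_username and proxy_password instead"
        )

    if not parts.hostname:
        raise ProxyURLError("proxy_url has no host")

    return value


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    samples = [
        "http://proxy.example.com:3128",
        "http://user:secret@proxy.example.com:3128",
        "https://:secret@proxy.example.com",
        "proxy.example.com:3128",
    ]
    for url in samples:
        try:
            validate_proxy_url(url)
            print("accepted:", url)
        except ProxyURLError as err:
            print("rejected:", url, "->", err)
```
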
