security issue with credentials page

author http://christian.amsuess.com/chrysn <chrysn@web>

Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)

committer Joey Hess <joey@kitenet.net>

Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)
author http://christian.amsuess.com/chrysn <chrysn@web>
Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)
committer Joey Hess <joey@kitenet.net>
Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)
diff --git a/doc/todo/credentials_page.mdwn b/doc/todo/credentials_page.mdwn

index 161f63a8050ffc42392f2f7d7077451541f58a41..6b90af1441bd2de25ffd6a735ea6800da6725c5e 100644 (file)
--- a/doc/todo/credentials_page.mdwn
+++ b/doc/todo/credentials_page.mdwn
@@ -29,3 +29,5 @@ such a page could have a form as described in [[todo/structured page data]] and
  >> and yes, you're right about the word misusage; thanks for pointing it out and fixing it.
  >>
  >> --[[chrysn]]
+
+an issue to be considered: for ways of authentication that don't explicitly mention the user name (and that would be everything but password; especially OpenID), there has to be a way to prevent users from hijacking an admin's account. the user wouldn't get more privileges, but the admin could find himself logged in as a user instead of an admin when he logs in using his OpenID, for example. he could fix it by removing the openid from the user's ("his") page, but it has to be taken care of nevertheless. --[[chrysn]]
author	http://christian.amsuess.com/chrysn <chrysn@web>
	Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)
committer	Joey Hess <joey@kitenet.net>
	Fri, 28 Jan 2011 21:08:13 +0000 (21:08 +0000)