On 12/11/2016 11:42, Sylvain Fankhauser wrote:
> Hello,
>
> The current behaviour of the toolbar is to show the DjangoCMS version on hover, which means you can go to most DjangoCMS websites, add a "?edit" querystring, and see if they're using an outdated DjangoCMS version. I think that security-wise it would be better to only show the version when the user is logged in and is a staff user.
>
> What do you think?
I am +1 on this. Hiding information, while not a security measure per se, makes life harder for any malicious visitor. Even if it's easy to change the ?edit trigger, I don't see any reason to expose the CMS version to unauthenticated users.

Iacopo

> Cheers,
> Sylvain
>
> --
> Message URL: https://groups.google.com/d/msg/django-cms-developers/topic-id/message-id
> Unsubscribe: send a message to [email protected]
> ---
> You received this message because you are subscribed to the Google Groups "django CMS developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web, visit https://groups.google.com/d/msgid/django-cms-developers/83d83ece-fb38-49d5-9ed9-ee0a38f165f5%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Iacopo Spalletti
Nephila s.a.s. - Firenze
Phone: +39 055 5357189
Technical Support: +39 055 3985730
http://nephi.la
--
To view this discussion on the web, visit https://groups.google.com/d/msgid/django-cms-developers/46cb2ac8-c2ff-4b94-ef38-3a783acc8082%40nephila.it.
For more options, visit https://groups.google.com/d/optout.
