Merge branch 'rc/maintenance' into staging/maintenance

2017-05-24 12:33:40 +02:00 · 2017-05-24 12:33:40 +02:00 · bd1d0e6073
commit bd1d0e6073
parent ff89cdf6d0 4a84fa95e4
1 changed files with 10 additions and 2 deletions
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
@ -1377,6 +1377,14 @@ class SettingsPlugin(OctoPrintPlugin):
 	Of course, you are always free to completely override both :func:`on_settings_load` and :func:`on_settings_save` if the
 	default implementations do not fit your requirements.

+
+	.. warning::
+
+	   Make sure to protect sensitive information stored by your plugin that only logged in administrators (or users)
+	   should have access to via :meth:`~octoprint.plugin.SettingsPlugin.get_settings_restricted_paths`. OctoPrint will
+	   return its settings on the REST API even to anonymous clients, but will filter out fields it know are restricted,
+	   therefore you **must** make sure that you specify sensitive information accordingly to limit access as required!
+
 	.. attribute:: _settings

 	   The :class:`~octoprint.plugin.PluginSettings` instance to use for accessing the plugin's settings. Injected by
@ -1548,8 +1556,8 @@ class SettingsPlugin(OctoPrintPlugin):
 		                                field="field"),
 		                   path=dict(to=dict(never=dict(return="return"))))

-		   def get_settings_restricted_path(self):
-		       return dict(admin=[["some", "admin_only", "path"], ["another", "admin_only", "path"],
+		   def get_settings_restricted_paths(self):
+		       return dict(admin=[["some", "admin_only", "path"], ["another", "admin_only", "path"],],
 		                   user=[["some", "user_only", "path"],],
 		                   never=[["path", "to", "never", "return"],])