From 10cb60acca299932204796b01a2a0f4b713d8406 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Mon, 22 May 2017 19:24:20 +0200
Subject: [PATCH 1/3] [docs] Warn about the need to protect sensitive settings in plugins
---
 src/octoprint/plugin/types.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/octoprint/plugin/types.py b/src/octoprint/plugin/types.py
index ae54df94..c9be6153 100644
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
@@ -1377,6 +1377,14 @@ class SettingsPlugin(OctoPrintPlugin):
 Of course, you are always free to completely override both :func:`on_settings_load` and :func:`on_settings_save` if the default implementations do not fit your requirements.
+
+ .. warning::
+
+ Make sure to protect sensitive information stored by your plugin that only logged in administrators (or users)
+ should have access to via :meth:`~octoprint.plugin.SettingsPlugin.get_settings_restricted_paths`. OctoPrint will
+ return its settings on the REST API even to anonymous clients, but will filter out fields it know are restricted,
+ therefore you **must** make sure that you specify sensitive information accordingly to limit access as required!
+
 .. attribute:: _settings
 The :class:`~octoprint.plugin.PluginSettings` instance to use for accessing the plugin's settings. Injected by
From 557c761e805d1096e584701157aa5dd1050ab02c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Tue, 23 May 2017 10:13:04 +0200
Subject: [PATCH 2/3] [docs] Fix a typo in the SettingsPlugin docs
---
 src/octoprint/plugin/types.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/octoprint/plugin/types.py b/src/octoprint/plugin/types.py
index c9be6153..5732f3c0 100644
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
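Review bot: `fields it know are restricted` in the new warning should read `fields it knows are restricted`, and the first sentence attaches "via :meth:`…get_settings_restricted_paths`" to "should have access to", which reads as if the method grants access rather than declares the restriction. Suggested first sentence: `Make sure to protect sensitive information stored by your plugin that only logged in administrators (or users) should have access to, by declaring the corresponding paths via` followed by the existing :meth: reference. The later hunks in this series show the restricted-paths example returning an `admin`, a `user` and a `never` bucket, so it would help plugin authors to say here that secrets which must not be exposed on the REST API at all belong under `never`, not merely `admin`. The SettingsPlugin docstring this warning sits in starts and ends outside the hunk.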
@@ -1556,7 +1556,7 @@ class SettingsPlugin(OctoPrintPlugin):
 field="field"),
 path=dict(to=dict(never=dict(return="return"))))
- def get_settings_restricted_path(self):
+ def get_settings_restricted_paths(self):
 return dict(admin=[["some", "admin_only", "path"], ["another", "admin_only", "path"],
 user=[["some", "user_only", "path"],],
 never=[["path", "to", "never", "return"],])
From 4a84fa95e481147937216e99ead5b0206df52698 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Tue, 23 May 2017 10:15:04 +0200
Subject: [PATCH 3/3] [docs] Fix another typo in the SettingsPlugin docs
---
 src/octoprint/plugin/types.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/octoprint/plugin/types.py b/src/octoprint/plugin/types.py
index 5732f3c0..098688f6 100644
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
@@ -1557,7 +1557,7 @@ class SettingsPlugin(OctoPrintPlugin):
 path=dict(to=dict(never=dict(return="return"))))
 def get_settings_restricted_paths(self):
- return dict(admin=[["some", "admin_only", "path"], ["another", "admin_only", "path"],
+ return dict(admin=[["some", "admin_only", "path"], ["another", "admin_only", "path"],],
 user=[["some", "user_only", "path"],],
 never=[["path", "to", "never", "return"],])