I've noticed that upon entering arbitrary credentials on the Drupal login form, the phpbbforum module returns an error in addition to Drupal's default callback, which is greatly concerning me. You could categorize it as a security issue because the module is disclosing the calls that are being made on the backend as well as indicating that phpbb is being used (although not so hard to guess), but the good news is that regardless of the username you enter, you get the same error message as an anonymous user, "The phpBB username is not found in phpBB.", while intentionally providing the wrong password for a valid user.
In addition, once you successfully auth, now as a registered user you get yet another info message saying that "Data user_password => ****, for synced to phpBB." This is great if you have admin privileges and you want to know such details but for simply registered users, the preferred way is to hide this info.
A few obvious questions to follow:
1. The immediate question is - how do I go about disabling the notice from the anonymous view.
2. I would like to disable the notice for the registered users as well.
Both of these issues could be replicated right on the Demo site of this module http://drupalbridge.org/phpbbforum
Thanks in advance for any insight!
Mike
Comments
Comment #1
mike15 commented
I jumped the gun too quickly and didn't see the option under ../admin/settings/phpbbforum to hide the module messages under "Display phpBBForum module messages". Sorry for not paying attention.
The only thing I would mention here is that if this option was set to "Yes" by default, I would suggest to set it to "No", which will alleviate this issue in the future. Of course, during the deployment phase, it is very helpful to see the debug messages, which might be someone's thought process here?
Thanks,
Mike
Comment #2
fizk commented