[Mailman-Developers] REST API returning value of password field in user record

Barry Warsaw barry at list.org
Sat Jan 10 05:05:29 CET 2015


On Jan 10, 2015, at 10:58 AM, Andrew Stuart wrote:

>I’m aware that it’s not the actual cleartext password.
>
>From a security perspective, should even salted and hashed passwords
>stay behind the API, or might there be a need for something on the other side
>of the API to access that field?

Keeping in mind that the core's REST API is a privileged API, only to be
exposed over localhost, it is intended to make the hashed password field
available.  For a public-facing proxy, I would expect this field to be
filtered out.

Cheers,
-Barry
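The filtering Barry describes for a public-facing proxy, as an added example that is not part of this thread or of Mailman's own code: relay only an allowlist of user-record fields, so the core's `password` field (and any field added later) never crosses from the localhost side. The field names other than `password` and the sample response are assumptions constructed for illustration.

```python
"""Strip the hashed 'password' field from Mailman core REST user records
before a public-facing proxy relays them.  Added example, not Mailman code."""
import copy

# Default-deny: only these fields are relayed.  Any field the core adds later
# stays private unless deliberately listed.  Names other than 'password' are
# assumed for illustration.
PUBLIC_USER_FIELDS = frozenset({
    "user_id", "display_name", "created_on", "self_link", "http_etag",
})

# Fields that must never leave the localhost side, whatever the allowlist says.
SENSITIVE_FIELDS = frozenset({"password"})

# Constructed sample of a core response as seen over localhost.
SAMPLE_CORE_RESPONSE = {
    "start": 0,
    "total_size": 1,
    "entries": [{
        "user_id": 1,
        "display_name": "Anne Person",
        "created_on": "2015-01-10T00:00:00",
        "password": "<constructed-hash-placeholder>",   # hashed, still private
        "self_link": "http://localhost:8001/3.0/users/1",
        "http_etag": "\"constructed-etag\"",
    }],
}


def sanitize_user_record(record):
    """Return a copy of one user resource holding only public fields."""
    if not isinstance(record, dict):
        raise TypeError("user record must be a JSON object")
    return {key: copy.deepcopy(value) for key, value in record.items()
            if key in PUBLIC_USER_FIELDS and key not in SENSITIVE_FIELDS}


def sanitize_response(body):
    """Handle both a single resource and a paginated collection
    ({"start": .., "total_size": .., "entries": [...]})."""
    if isinstance(body, dict) and "entries" in body:
        cleaned = {k: v for k, v in body.items() if k != "entries"}
        cleaned["entries"] = [sanitize_user_record(e) for e in body["entries"]]
        return cleaned
    return sanitize_user_record(body)


def leaks_sensitive_field(body):
    """Egress check on an outgoing body: True if a sensitive key survived."""
    if isinstance(body, dict):
        return any(k in SENSITIVE_FIELDS or leaks_sensitive_field(v)
                   for k, v in body.items())
    if isinstance(body, list):
        return any(leaks_sensitive_field(item) for item in body)
    return False
```

Running `leaks_sensitive_field` on every outgoing body is a cheap safety net if the allowlist is ever bypassed.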

