XML-RPC and AtomPub Endpoints Should Respect FORCE_SSL_ADMIN and FORCE_SSL_LOGIN
Reported by: josephscott | Owned by: josephscott
External APIs (XML-RPC and AtomPub) should force SSL access if FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is set to true.
I think it makes sense to redirect to HTTPS if either FORCE_SSL_ADMIN or FORCE_SSL_ADMIN is set to true, since both endpoints pass usernames and passwords in the clear (or near clear in the case of AtomPub, which generally uses HTTP Basic Auth) and expose administrative functions.
I've got patches for -trunk and the 2.8 branch in hopes that we can get this included in the 2.8.1 release as well.
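The check requested in this ticket, written out as an added example (it is not the ticket's patch and not WordPress core code): an API request is served only over HTTPS when either constant is true, and is otherwise redirected. The helper names, the `$siteHost` parameter, the 301 status and the sample requests are assumptions made for the illustration.

```php
<?php
// Added illustration only: not WordPress core code and not the ticket's patch.
// api_force_ssl_enabled(), api_request_is_ssl(), api_ssl_decision() are hypothetical names.

/** True if either constant named in the ticket is defined and set to true. */
function api_force_ssl_enabled(): bool {
    foreach (['FORCE_SSL_ADMIN', 'FORCE_SSL_LOGIN'] as $name) {
        if (defined($name) && constant($name) === true) {
            return true;
        }
    }
    return false;
}

/** Detect HTTPS from a $_SERVER-style array. */
function api_request_is_ssl(array $server): bool {
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === 'on' || $https === '1') {
        return true;
    }
    return (string) ($server['SERVER_PORT'] ?? '') === '443';
}

/**
 * Decide how an API endpoint answers a request.
 * $siteHost is the configured host name (assumption); the redirect target is
 * never built from the client-supplied Host header.
 */
function api_ssl_decision(array $server, string $siteHost, bool $forceSsl): array {
    if (!$forceSsl || api_request_is_ssl($server)) {
        return ['action' => 'serve'];
    }
    // The plaintext request has already carried its credentials by this point;
    // the redirect only moves subsequent traffic to HTTPS.
    $uri = $server['REQUEST_URI'] ?? '/';
    return ['action' => 'redirect', 'status' => 301, 'location' => 'https://' . $siteHost . $uri];
}

// Constructed sample requests (not captured traffic).
define('FORCE_SSL_LOGIN', true);
$samples = [
    ['SERVER_PORT' => '80', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/xmlrpc.php'],
    ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/xmlrpc.php'],
];
foreach ($samples as $s) {
    echo json_encode(api_ssl_decision($s, 'blog.example', api_force_ssl_enabled()), JSON_UNESCAPED_SLASHES), "\n";
}
```

Because the first plaintext request is already on the wire before any redirect is issued, API clients should be configured with the `https://` endpoint URL directly.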