Exposing the WiFi password in the API irked me (instead of having an endpoint that can check that the provided password is valid), but as I saw in the RADIUS integration it is necessary for FreeRadius to perform the authentication itself.
In this case, I would prefer if it was not in the user partial because it is used in the index template, so you can extract all passwords for all users in a single call. Can you move it to the show template instead?
Note for later: make sure when we improve the permissions for tokens to have a specific permission to read passwords, to make sure we don't expose them to anyone; maybe even prevent it from being selectable in the SQL query. Add a TODO here or create an issue?
Originally posted by @nymous in #521 (comment)
This might require us to change our authorization lib (candidates: action_policy, pundit)
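A sketch of the change discussed above, added here as an example and not code from this project: the WiFi password stays out of the shared user fields used by the index, and the show output includes it only for a token holding a dedicated permission. It is plain Ruby without Rails, and every name in it (`UserPolicy`, `UserSerializer`, the permission strings, the sample data) is hypothetical.

```ruby
# Added example, plain Ruby. All class names and permission strings are hypothetical.
User  = Struct.new(:id, :username, :wifi_password, keyword_init: true)
Token = Struct.new(:permissions, keyword_init: true)
class NotAuthorized < StandardError; end

# Policy object in the style of pundit / action_policy, written without either gem.
class UserPolicy
  def initialize(token, user)
    @token = token
    @user  = user
  end

  def show?
    @token.permissions.include?("users:read")
  end

  # Dedicated permission: being able to read users does not imply reading passwords.
  def show_wifi_password?
    show? && @token.permissions.include?("users:read_wifi_password")
  end
end

module UserSerializer
  # Shared fields, the equivalent of the user partial: no secret in here.
  def self.base(user)
    { id: user.id, username: user.username }
  end

  # Index: shared fields only, so a single call cannot return every password.
  def self.index(users, token)
    users.select { |u| UserPolicy.new(token, u).show? }.map { |u| base(u) }
  end

  # Show: the password is added for one user, and only with the permission.
  def self.show(user, token)
    policy = UserPolicy.new(token, user)
    raise NotAuthorized, "token cannot read users" unless policy.show?
    data = base(user)
    data[:wifi_password] = user.wifi_password if policy.show_wifi_password?
    data
  end
end

# Constructed sample data.
USERS = [
  User.new(id: 1, username: "alice", wifi_password: "constructed-secret-1"),
  User.new(id: 2, username: "bob",   wifi_password: "constructed-secret-2")
].freeze
RADIUS_TOKEN = Token.new(permissions: %w[users:read users:read_wifi_password])
READER_TOKEN = Token.new(permissions: %w[users:read])
```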