You need to log in before you can comment on or make changes to this bug.
I noticed that the javascript generated by the JSAPI widget includes all the layer information from my map file including connection parameters for Postgis layers which includes the user name and password! According to Paul Spencer this can be fixed by editing: chameleon/htdocs/widgets/cwcjsapi/cwcjsapi.widget.php and removing line 208 which reads: $szLayerInfo .="aLayerconnection[".$i."] = '" . $poLayer->connection . "';\n";
Reassigning this one to myself, this should really be fixed before the 2.4 release.
Fixed this one in 2.4 branch and CVS head.