Hi Stuart,
Initially we were going to provide a mechanism to encrypt the plugin code, and use a password / passphrase / token to be supplied in order to view or edit plugins. But, we backed away from that idea as we feared it may cause more problems than it solved.
The long term vision is to provide some form of security for this, but for now it's clear text.
There are a few approaches you can take to secure sensitive information.
In your case of a plugin containing credentials to a wages database, you could do away with SQL authentication when making the connection to the wages database and instead use Windows authentication. You would need to make sure a windows user is created with sufficient access to the wages database, and that the plugin scheduler service is configured to use that windows user. This will allow the plugin to operate, but anybody viewing the plugin will not be able to glean sensitive credential information.
Another layer of security is to use the built-in permissions in Jiwa to not let unprivileged users load the plugin maintenance form at all.
Another layer above that, if you want to restrict view/edit access to certain plugins, but not all plugins is to make another plugin which hooks into the plugin maintenance form and if the user is trying to read the "Wages Integration Plugin" - or any other nominated plugin, prompt for a username and password of a user with a the appropriate custom abstract permission. This will allow only certain plugins to be viewed or edited by nominated users.
An example of a permission override plugin is posted
here - it's hooked into the sales order form, but can easily be modified to hook into the plugin maintenance form instead. Creating a custom abstract permissions is as simple as a single insert query into the appropriate table (SY_FormAbstractPermissions I think?) and then setting the permission to the groups you want.
Hope this is of some help,
Mike
