dhis2-devs-core team mailing list archive
Message #00576
Re: DHIS2 demo admin password
I don't think so, since it seems the entire object is written by Hibernate:

update users set uid=$1, code=$2, created=$3, lastUpdated=$4,
creatoruserid=$5, username=$6, password=$7, externalauth=$8, openid=$9,
ldapid=$10, passwordLastUpdated=$11, lastLogin=$12, restoreToken=$13,
restoreCode=$14, restoreExpiry=$15, selfRegistered=$16, invitation=$17,
disabled=$18 where userid=$19

On Tue, May 24, 2016 at 10:44 AM, Morten Olav Hansen <morten@xxxxxxxxx>
wrote:
> Would it be possible to disregard updates on column password only?
>
> --
> Morten Olav Hansen
> Senior Engineer, DHIS 2
> University of Oslo
> http://www.dhis2.org
>
> On Tue, May 24, 2016 at 3:43 PM, Jason Pickering <
> jason.p.pickering@xxxxxxxxx> wrote:
>
>> Someone who wishes to remain anonymous requested some useful logging.
>>
>> create or replace function cant_touch_this() returns trigger language
>> plpgsql as $$
>> begin
>> RAISE EXCEPTION 'Hammertime!';
>> return null;
>>
>> end $$;
>>
>> create trigger prevent_changing_password before update on users
>> FOR EACH ROW
>> execute procedure cant_touch_this();
>>
>>
>>
>> On Tue, May 24, 2016 at 10:01 AM, Jason Pickering <
>> jason.p.pickering@xxxxxxxxx> wrote:
>>
>>> I think this will work. Tested it locally
>>>
>>> create or replace function cant_touch_this() returns trigger language
>>> plpgsql as $$
>>> begin
>>>
>>> return null;
>>>
>>> end $$;
>>>
>>> create trigger prevent_changing_password before update on users for each
>>> row execute procedure cant_touch_this();
>>>
>>> On Tue, May 24, 2016 at 9:39 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>>> wrote:
>>>
>>>> There are at least 4-5 different ways of doing it though...
>>>> /api/userAccount, /api/me, any kind of user import etc...
>>>>
>>>> --
>>>> Morten Olav Hansen
>>>> Senior Engineer, DHIS 2
>>>> University of Oslo
>>>> http://www.dhis2.org
>>>>
>>>> On Tue, May 24, 2016 at 2:39 PM, Jason Pickering <
>>>> jason.p.pickering@xxxxxxxxx> wrote:
>>>>
>>>>> That sounds like perhaps the best way to me.
>>>>>
>>>>> Just block POST to
>>>>>
>>>>> https://play.dhis2.org/dhis-web-commons-about/updateUserAccount.action
>>>>>
>>>>> and perhaps its API equivalent if it exists?
>>>>>
>>>>> Are there other ways?
>>>>>
>>>>>
>>>>> On Tue, May 24, 2016 at 9:34 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>>>>> wrote:
>>>>>
>>>>>> Could we use nginx to prevent access to the action? Redirect to
>>>>>> somewhere punitive :-)
>>>>>> On 24 May 2016 03:38, "Morten Olav Hansen" <morten@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> I agree that it would be helpful. A couple of issues:
>>>>>>>
>>>>>>> 1) If using the web-api, it would require it to be a valid password,
>>>>>>> so "district" would no longer work (District1?)
>>>>>>>
>>>>>>> 2) If instead injecting with SQL, one would also have to clear the
>>>>>>> cache
>>>>>>>
>>>>>>> --
>>>>>>> Morten Olav Hansen
>>>>>>> Senior Engineer, DHIS 2
>>>>>>> University of Oslo
>>>>>>> http://www.dhis2.org
>>>>>>>
>>>>>>> On Tue, May 24, 2016 at 3:37 AM, John Mukulu <
>>>>>>> john.f.mukulu@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> I concur,
>>>>>>>> Or even a simple repeated 5 mins cronjob script to reset the
>>>>>>>> password via API.
>>>>>>>>
>>>>>>>> On Mon, May 23, 2016 at 9:19 PM, Jim Grace <jim@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> Sounds reasonable to me.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, May 23, 2016 at 1:16 PM, Jason Pickering <
>>>>>>>>> jason.p.pickering@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>> Increasingly people change the password of the demo server.
>>>>>>>>>>
>>>>>>>>>> Can we put a database trigger in place to prevent this from being
>>>>>>>>>> changed? It causes problems for people in general.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Jason
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Jason P. Pickering
>>>>>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>>>>>> tel:+46764147049
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>>>>>>>>>> Post to : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>>>>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>>>>>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Jim Grace
>>>>>>>>> Core developer, DHIS 2
>>>>>>>>> HISP US Inc.
>>>>>>>>> http://www.dhis2.org <https://www.dhis2.org/>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> *http://mukulu.me <http://mukulu.me>*
>>>>>>>> *Open source developer*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jason P. Pickering
>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>> tel:+46764147049
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Jason P. Pickering
>>> email: jason.p.pickering@xxxxxxxxx
>>> tel:+46764147049
>>>
>>
>>
>>
>> --
>> Jason P. Pickering
>> email: jason.p.pickering@xxxxxxxxx
>> tel:+46764147049
>>
>
>
--
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel:+46764147049
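
Added example, not part of the original message or of the DHIS 2 code base: a row-level trigger can compare the old and new values of the password column, so it still tells a password change apart from any other save even when Hibernate lists every column in the UPDATE. The table and column names are taken from the UPDATE statement quoted in the message; the function name keep_demo_password and the username 'demo_account' are hypothetical.

```sql
-- Added example (not from the thread). Table and column names come from the
-- Hibernate UPDATE quoted above; keep_demo_password and 'demo_account' are
-- hypothetical names chosen for illustration.
create or replace function keep_demo_password() returns trigger
language plpgsql as $$
begin
    -- Hibernate puts every column in the SET list, so a column-level
    -- "before update of password" trigger would fire on every save.
    -- Comparing the row values detects an actual change instead.
    if new.password is distinct from old.password then
        -- Record the attempt in the server log, then keep the stored hash.
        raise log 'password change for user % (userid %) discarded',
            old.username, old.userid;
        new.password := old.password;
        new.passwordLastUpdated := old.passwordLastUpdated;
    end if;
    -- Returning NEW lets the rest of the row update go through,
    -- unlike returning NULL, which silently skips the whole update.
    return new;
end $$;

-- Replace the catch-all trigger from earlier in the thread.
drop trigger if exists prevent_changing_password on users;

create trigger prevent_changing_password
    before update on users
    for each row
    when (old.username = 'demo_account')   -- only the shared demo account
    execute procedure keep_demo_password();
```

Replacing the two assignments with `raise exception` rejects the save outright, as the trigger in the thread does, but only when the password value actually differs.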
References
- DHIS2 demo admin password (From: Jason Pickering, 2016-05-23)
- Re: DHIS2 demo admin password (From: Jim Grace, 2016-05-23)
- Re: DHIS2 demo admin password (From: John Mukulu, 2016-05-23)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Bob Jolliffe, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)