
dhis2-devs-core team mailing list archive

Re: DHIS2 demo admin password

 

Hm ok, not sure how all the triggers work. Just sucks a bit that people
can't change openid/ldap etc, if they want to try it out.

-- 
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Tue, May 24, 2016 at 3:46 PM, Jason Pickering <
jason.p.pickering@xxxxxxxxx> wrote:

> I don't think so, since it seems the entire object is written by Hibernate
>
> update users set uid=$1, code=$2, created=$3, lastUpdated=$4,
> creatoruserid=$5, username=$6, password=$7, externalauth=$8, openid=$9,
> ldapid=$10, passwordLastUpdated=$11, lastLogin=$12, restoreToken=$13,
> restoreCode=$14, restoreExpiry=$15, selfRegistered=$16, invitation=$17,
> disabled=$18 where userid=$19
>
>
> On Tue, May 24, 2016 at 10:44 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> wrote:
>
>> Would it be possible to disregard updates on column password only?
>>
>> --
>> Morten Olav Hansen
>> Senior Engineer, DHIS 2
>> University of Oslo
>> http://www.dhis2.org
>>
>> On Tue, May 24, 2016 at 3:43 PM, Jason Pickering <
>> jason.p.pickering@xxxxxxxxx> wrote:
>>
>>> Someone who wishes to remain anonymous requested some useful logging.
>>>
>>> create or replace function cant_touch_this() returns trigger language
>>> plpgsql as $$
>>> begin
>>>   RAISE EXCEPTION 'Hammertime!';
>>>   return null;
>>>
>>> end $$;
>>>
>>> create trigger prevent_changing_password before update on users
>>> FOR EACH ROW
>>> execute procedure cant_touch_this();
>>>
>>>
>>>
>>> On Tue, May 24, 2016 at 10:01 AM, Jason Pickering <
>>> jason.p.pickering@xxxxxxxxx> wrote:
>>>
>>>> I think this will work. Tested it locally
>>>>
>>>> create or replace function cant_touch_this() returns trigger language
>>>> plpgsql as $$
>>>> begin
>>>>
>>>>   return null;
>>>>
>>>> end $$;
>>>>
>>>> create trigger prevent_changing_password before update on users for
>>>> each row execute procedure cant_touch_this();
>>>>
>>>> On Tue, May 24, 2016 at 9:39 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>>>> wrote:
>>>>
>>>>> There are at least 4-5 different ways of doing it though...
>>>>> /api/userAccount, /api/me, any kind of user import etc...
>>>>>
>>>>> --
>>>>> Morten Olav Hansen
>>>>> Senior Engineer, DHIS 2
>>>>> University of Oslo
>>>>> http://www.dhis2.org
>>>>>
>>>>> On Tue, May 24, 2016 at 2:39 PM, Jason Pickering <
>>>>> jason.p.pickering@xxxxxxxxx> wrote:
>>>>>
>>>>>> That sounds like perhaps the best way to me.
>>>>>>
>>>>>> Just block POST to
>>>>>>
>>>>>> https://play.dhis2.org/dhis-web-commons-about/updateUserAccount.action
>>>>>>
>>>>>> and perhaps its API equivalent if it exists?
>>>>>>
>>>>>> Are there other ways?
>>>>>>
>>>>>>
>>>>>> On Tue, May 24, 2016 at 9:34 AM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>>>>>> wrote:
>>>>>>
>>>>>>> Could we use nginx to prevent access to the action? Redirect to
>>>>>>> somewhere punitive :-)
>>>>>>> On 24 May 2016 03:38, "Morten Olav Hansen" <morten@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> I agree that it would be helpful. A couple of issues:
>>>>>>>>
>>>>>>>> 1) If using the web-api, it would require it to be a valid
>>>>>>>> password, so "district" would no longer work (District1?)
>>>>>>>>
>>>>>>>> 2) If instead injecting with SQL, one would also have to clear the
>>>>>>>> cache
>>>>>>>>
>>>>>>>> --
>>>>>>>> Morten Olav Hansen
>>>>>>>> Senior Engineer, DHIS 2
>>>>>>>> University of Oslo
>>>>>>>> http://www.dhis2.org
>>>>>>>>
>>>>>>>> On Tue, May 24, 2016 at 3:37 AM, John Mukulu <
>>>>>>>> john.f.mukulu@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> I concur,
>>>>>>>>> Or even a simple repeated 5 mins cronjob script to reset the
>>>>>>>>> password via API.
>>>>>>>>>
>>>>>>>>> On Mon, May 23, 2016 at 9:19 PM, Jim Grace <jim@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>>> Sounds reasonable to me.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, May 23, 2016 at 1:16 PM, Jason Pickering <
>>>>>>>>>> jason.p.pickering@xxxxxxxxx> wrote:
>>>>>>>>>>
>>>>>>>>>>> Increasingly people change the password of the demo server.
>>>>>>>>>>>
>>>>>>>>>>> Can we put a database trigger in place to prevent this from
>>>>>>>>>>> being changed? It causes problems for people in general.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Jason
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Jason P. Pickering
>>>>>>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>>>>>>> tel:+46764147049
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>>>>>>>>>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>>>>>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>>>>>>>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Jim Grace
>>>>>>>>>> Core developer, DHIS 2
>>>>>>>>>> HISP US Inc.
>>>>>>>>>> http://www.dhis2.org <https://www.dhis2.org/>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *http://mukulu.me <http://mukulu.me>*
>>>>>>>>> *Open source developer*
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jason P. Pickering
>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>> tel:+46764147049
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Jason P. Pickering
>>>> email: jason.p.pickering@xxxxxxxxx
>>>> tel:+46764147049
>>>>
>>>
>>>
>>>
>>> --
>>> Jason P. Pickering
>>> email: jason.p.pickering@xxxxxxxxx
>>> tel:+46764147049
>>>
>>
>>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
>
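
Added example, not part of the thread and not DHIS 2 code: one way to keep the password column fixed while letting the other columns (openid, ldapid, lastLogin and so on) update, even when the whole row is written in a single UPDATE. It assumes the users table and column names shown in the quoted Hibernate statement; the function name, trigger name, the 'admin' username and the sample values are hypothetical.

```sql
-- Column-scoped variant of the trigger discussed in the thread (added example).
-- Because every column appears in the SET list of the generated UPDATE,
-- "before update of password" would fire on every write, so the function
-- compares the old and new values itself.
create or replace function keep_demo_password() returns trigger
language plpgsql as $$
begin
  if new.password is distinct from old.password then
    -- Log the attempt, then put the stored hash and its timestamp back.
    raise notice 'password change for user % ignored', old.username;
    new.password := old.password;
    new.passwordLastUpdated := old.passwordLastUpdated;
  end if;
  -- Returning NEW (not NULL) lets the rest of the row through.
  return new;
end $$;

create trigger keep_demo_password
before update on users
for each row execute procedure keep_demo_password();

-- Constructed check: after this statement only openid should differ.
update users
   set password = 'constructed-value', openid = 'demo@example.org'
 where username = 'admin';

select username, openid, password, passwordLastUpdated
  from users
 where username = 'admin';
```

The application-level cache mentioned earlier in the thread is outside the database, so the change is only visible to the application once that cache is refreshed.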
