dhis2-devs-core team mailing list archive
Message #00579
Re: DHIS2 demo admin password
That one looks good
On 24 May 2016 at 09:57, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> Maybe this. Seems to work.
>
> create or replace function cant_touch_this() returns trigger language
> plpgsql as $$
> begin
> IF NEW.username != 'admin' THEN
> RETURN NEW;
> ELSE
> RAISE EXCEPTION 'Hammertime!';
> RETURN null;
> END IF;
>
> end $$;
>
> create trigger prevent_changing_password before update on users
> FOR EACH ROW
> execute procedure cant_touch_this();
>
> On Tue, May 24, 2016 at 10:47 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> wrote:
>>
>> Hm ok, not sure how all the triggers work. Just sucks a bit that people
>> can't change openid/ldap etc, if they want to try it out.
>>
>> --
>> Morten Olav Hansen
>> Senior Engineer, DHIS 2
>> University of Oslo
>> http://www.dhis2.org
>>
>> On Tue, May 24, 2016 at 3:46 PM, Jason Pickering
>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>
>>> I don't think so, since it seems the entire object is written by
>>> Hibernate
>>>
>>> update users set uid=$1, code=$2, created=$3, lastUpdated=$4,
>>> creatoruserid=$5, username=$6, password=$7, externalauth=$8, openid=$9,
>>> ldapid=$10, passwordLastUpdated=$11, lastLogin=$12, restoreToken=$13,
>>> restoreCode=$14, restoreExpiry=$15, selfRegistered=$16, invitation=$17,
>>> disabled=$18 where userid=$19
>>>
>>>
>>> On Tue, May 24, 2016 at 10:44 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>>> wrote:
>>>>
>>>> Would it be possible to disregard updates on column password only?
>>>>
>>>> --
>>>> Morten Olav Hansen
>>>> Senior Engineer, DHIS 2
>>>> University of Oslo
>>>> http://www.dhis2.org
>>>>
>>>> On Tue, May 24, 2016 at 3:43 PM, Jason Pickering
>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>>>
>>>>> Someone who wishes to remain anonymous requested some useful logging.
>>>>>
>>>>> create or replace function cant_touch_this() returns trigger language
>>>>> plpgsql as $$
>>>>> begin
>>>>> RAISE EXCEPTION 'Hammertime!';
>>>>> return null;
>>>>>
>>>>> end $$;
>>>>>
>>>>> create trigger prevent_changing_password before update on users
>>>>> FOR EACH ROW
>>>>> execute procedure cant_touch_this();
>>>>>
>>>>>
>>>>>
>>>>> On Tue, May 24, 2016 at 10:01 AM, Jason Pickering
>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>>>>
>>>>>> I think this will work. Tested it locally
>>>>>>
>>>>>> create or replace function cant_touch_this() returns trigger language
>>>>>> plpgsql as $$
>>>>>> begin
>>>>>>
>>>>>> return null;
>>>>>>
>>>>>> end $$;
>>>>>>
>>>>>> create trigger prevent_changing_password before update on users for
>>>>>> each row execute procedure cant_touch_this();
>>>>>>
>>>>>> On Tue, May 24, 2016 at 9:39 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>>>>>> wrote:
>>>>>>>
>>>>>>> There are at least 4-5 different ways of doing it though...
>>>>>>> /api/userAccount, /api/me, any kind of user import etc...
>>>>>>>
>>>>>>> --
>>>>>>> Morten Olav Hansen
>>>>>>> Senior Engineer, DHIS 2
>>>>>>> University of Oslo
>>>>>>> http://www.dhis2.org
>>>>>>>
>>>>>>> On Tue, May 24, 2016 at 2:39 PM, Jason Pickering
>>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>> That sounds like perhaps the best way to me.
>>>>>>>>
>>>>>>>> Just block POST to
>>>>>>>>
>>>>>>>>
>>>>>>>> https://play.dhis2.org/dhis-web-commons-about/updateUserAccount.action
>>>>>>>>
>>>>>>>> and perhaps its API equivalent if it exists?
>>>>>>>>
>>>>>>>> Are there other ways?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, May 24, 2016 at 9:34 AM, Bob Jolliffe
>>>>>>>> <bobjolliffe@xxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>> Could we use nginx to prevent access to the action? Redirect to
>>>>>>>>> somewhere punitive :-)
>>>>>>>>>
>>>>>>>>> On 24 May 2016 03:38, "Morten Olav Hansen" <morten@xxxxxxxxx>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> I agree that it would be helpful. A couple of issues:
>>>>>>>>>>
>>>>>>>>>> 1) If using the web-api, it would require it to be a valid
>>>>>>>>>> password, so "district" would no longer work (District1?)
>>>>>>>>>>
>>>>>>>>>> 2) If instead injecting with SQL, one would also have to clear the
>>>>>>>>>> cache
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Morten Olav Hansen
>>>>>>>>>> Senior Engineer, DHIS 2
>>>>>>>>>> University of Oslo
>>>>>>>>>> http://www.dhis2.org
>>>>>>>>>>
>>>>>>>>>> On Tue, May 24, 2016 at 3:37 AM, John Mukulu
>>>>>>>>>> <john.f.mukulu@xxxxxxxxx> wrote:
>>>>>>>>>>>
>>>>>>>>>>> I concur,
>>>>>>>>>>> Or even a simple repeated 5 mins cronjob script to reset the
>>>>>>>>>>> password via API.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, May 23, 2016 at 9:19 PM, Jim Grace <jim@xxxxxxxxx> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Sounds reasonable to me.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, May 23, 2016 at 1:16 PM, Jason Pickering
>>>>>>>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Increasingly people change the password of the demo server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can we put a database trigger in place to prevent this from
>>>>>>>>>>>>> being changed? It causes problems for people in general.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>> Jason
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Jason P. Pickering
>>>>>>>>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>>>>>>>>> tel:+46764147049
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>>>>>>>>>>>>> Post to : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>>>>>>>>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Jim Grace
>>>>>>>>>>>> Core developer, DHIS 2
>>>>>>>>>>>> HISP US Inc.
>>>>>>>>>>>> http://www.dhis2.org
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> http://mukulu.me
>>>>>>>>>>> Open source developer
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Jason P. Pickering
>>>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>>>> tel:+46764147049
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Jason P. Pickering
>>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>>> tel:+46764147049
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jason P. Pickering
>>>>> email: jason.p.pickering@xxxxxxxxx
>>>>> tel:+46764147049
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Jason P. Pickering
>>> email: jason.p.pickering@xxxxxxxxx
>>> tel:+46764147049
>>
>>
>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
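
The question raised in the thread about guarding only the password column, as an added example that is not part of the original messages: a BEFORE UPDATE trigger can compare the OLD and NEW row values, so a full-row rewrite of the kind Hibernate issues is rejected only when the stored password or username of the admin row would actually change. The column names come from the UPDATE statement quoted in the thread; the scratch table, the function name and the trigger name are assumptions.

```sql
-- Added example, not from the thread. Column names are taken from the UPDATE
-- statement quoted above; the scratch table and all object names are
-- assumptions. Runs inside one transaction and rolls everything back.
BEGIN;

CREATE TEMP TABLE users (
    userid    integer PRIMARY KEY,
    username  text NOT NULL,
    password  text,
    openid    text,
    lastlogin timestamp
) ON COMMIT DROP;

CREATE FUNCTION keep_demo_admin_credentials() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- Hibernate rewrites every column on each UPDATE, so compare stored and
    -- incoming values instead of relying on which columns were SET.
    -- Keying on OLD.username also covers a rename of the admin row.
    IF OLD.username = 'admin' AND
       (NEW.username IS DISTINCT FROM OLD.username OR
        NEW.password IS DISTINCT FROM OLD.password) THEN
        RAISE EXCEPTION 'demo admin username/password are read-only';
    END IF;
    RETURN NEW;  -- every other change goes through untouched
END $$;

CREATE TRIGGER keep_demo_admin_credentials
    BEFORE UPDATE ON users
    FOR EACH ROW EXECUTE PROCEDURE keep_demo_admin_credentials();

-- Constructed sample rows (placeholder hashes).
INSERT INTO users VALUES
    (1, 'admin', 'hash-A', NULL, NULL),
    (2, 'demo',  'hash-B', NULL, NULL);

-- Accepted: full-row rewrite of admin that leaves the password as stored.
UPDATE users SET username = 'admin', password = 'hash-A',
                 openid = 'someone@example.org', lastlogin = now()
 WHERE userid = 1;

-- Accepted: another account changes its own password.
UPDATE users SET password = 'hash-C' WHERE userid = 2;

-- Rejected by the trigger: the admin password differs from the stored value.
UPDATE users SET password = 'hash-X' WHERE userid = 1;

ROLLBACK;
```
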
References
- DHIS2 demo admin password (From: Jason Pickering, 2016-05-23)
- Re: DHIS2 demo admin password (From: Jim Grace, 2016-05-23)
- Re: DHIS2 demo admin password (From: John Mukulu, 2016-05-23)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Bob Jolliffe, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)
- Re: DHIS2 demo admin password (From: Morten Olav Hansen, 2016-05-24)
- Re: DHIS2 demo admin password (From: Jason Pickering, 2016-05-24)