
dhis2-devs-core team mailing list archive

Re: DHIS2 demo admin password


So unless there are any objections, could we implement this on the demo and
dev site as part of the deploy?

I don't have details of the deploy so it's difficult for me to script, but
assume this chunk of SQL can be injected after the normal database restore.

On Tue, May 24, 2016, 11:18 Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:

> That one looks good
>
> On 24 May 2016 at 09:57, Jason Pickering <jason.p.pickering@xxxxxxxxx>
> wrote:
> > Maybe this. Seems to work.
> >
> > create or replace function cant_touch_this() returns trigger language
> > plpgsql as $$
> > begin
> > IF NEW.username != 'admin' THEN
> > RETURN NEW;
> > ELSE
> > RAISE EXCEPTION 'Hammertime!';
> > RETURN null;
> > END IF;
> >
> > end $$;
> >
> > create trigger prevent_changing_password before update on users
> > FOR EACH ROW
> > execute procedure cant_touch_this();
> >
> > On Tue, May 24, 2016 at 10:47 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> > wrote:
> >>
> >> Hm ok, not sure how all the triggers work. Just sucks a bit that people
> >> can't change openid/ldap etc, if they want to try it out.
> >>
> >> --
> >> Morten Olav Hansen
> >> Senior Engineer, DHIS 2
> >> University of Oslo
> >> http://www.dhis2.org
> >>
> >> On Tue, May 24, 2016 at 3:46 PM, Jason Pickering
> >> <jason.p.pickering@xxxxxxxxx> wrote:
> >>>
> >>> I don't think so, since it seems the entire object is written by
> >>> Hibernate
> >>>
> >>> update users set uid=$1, code=$2, created=$3, lastUpdated=$4,
> >>> creatoruserid=$5, username=$6, password=$7, externalauth=$8, openid=$9,
> >>> ldapid=$10, passwordLastUpdated=$11, lastLogin=$12, restoreToken=$13,
> >>> restoreCode=$14, restoreExpiry=$15, selfRegistered=$16, invitation=$17,
> >>> disabled=$18 where userid=$19
> >>>
> >>>
> >>> On Tue, May 24, 2016 at 10:44 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> >>> wrote:
> >>>>
> >>>> Would it be possible to disregard updates on column password only?
> >>>>
> >>>> --
> >>>> Morten Olav Hansen
> >>>> Senior Engineer, DHIS 2
> >>>> University of Oslo
> >>>> http://www.dhis2.org
> >>>>
> >>>> On Tue, May 24, 2016 at 3:43 PM, Jason Pickering
> >>>> <jason.p.pickering@xxxxxxxxx> wrote:
> >>>>>
> >>>>> Someone who wishes to remain anonymous requested some useful logging.
> >>>>>
> >>>>> create or replace function cant_touch_this() returns trigger language
> >>>>> plpgsql as $$
> >>>>> begin
> >>>>>   RAISE EXCEPTION 'Hammertime!';
> >>>>>   return null;
> >>>>>
> >>>>> end $$;
> >>>>>
> >>>>> create trigger prevent_changing_password before update on users
> >>>>> FOR EACH ROW
> >>>>> execute procedure cant_touch_this();
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Tue, May 24, 2016 at 10:01 AM, Jason Pickering
> >>>>> <jason.p.pickering@xxxxxxxxx> wrote:
> >>>>>>
> >>>>>> I think this will work. Tested it locally
> >>>>>>
> >>>>>> create or replace function cant_touch_this() returns trigger language
> >>>>>> plpgsql as $$
> >>>>>> begin
> >>>>>>
> >>>>>>   return null;
> >>>>>>
> >>>>>> end $$;
> >>>>>>
> >>>>>> create trigger prevent_changing_password before update on users for
> >>>>>> each row execute procedure cant_touch_this();
> >>>>>>
> >>>>>> On Tue, May 24, 2016 at 9:39 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> There are at least 4-5 different ways of doing it though...
> >>>>>>> /api/userAccount, /api/me, any kind of user import etc...
> >>>>>>>
> >>>>>>> --
> >>>>>>> Morten Olav Hansen
> >>>>>>> Senior Engineer, DHIS 2
> >>>>>>> University of Oslo
> >>>>>>> http://www.dhis2.org
> >>>>>>>
> >>>>>>> On Tue, May 24, 2016 at 2:39 PM, Jason Pickering
> >>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
> >>>>>>>>
> >>>>>>>> That sounds like perhaps the best way to me.
> >>>>>>>>
> >>>>>>>> Just block POST to
> >>>>>>>>
> >>>>>>>> https://play.dhis2.org/dhis-web-commons-about/updateUserAccount.action
> >>>>>>>>
> >>>>>>>> and perhaps its API equivalent if it exists?
> >>>>>>>>
> >>>>>>>> Are there other ways?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, May 24, 2016 at 9:34 AM, Bob Jolliffe
> >>>>>>>> <bobjolliffe@xxxxxxxxx> wrote:
> >>>>>>>>>
> >>>>>>>>> Could we use nginx to prevent access to the action. Redirect to
> >>>>>>>>> somewhere punitive :-)
> >>>>>>>>>
> >>>>>>>>> On 24 May 2016 03:38, "Morten Olav Hansen" <morten@xxxxxxxxx>
> >>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> I agree that it would be helpful. A couple of issues:
> >>>>>>>>>>
> >>>>>>>>>> 1) If using the web-api, it would require it to be a valid
> >>>>>>>>>> password, so "district" would no longer work (District1?)
> >>>>>>>>>>
> >>>>>>>>>> 2) If instead injecting with SQL, one would also have to clear the
> >>>>>>>>>> cache
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Morten Olav Hansen
> >>>>>>>>>> Senior Engineer, DHIS 2
> >>>>>>>>>> University of Oslo
> >>>>>>>>>> http://www.dhis2.org
> >>>>>>>>>>
> >>>>>>>>>> On Tue, May 24, 2016 at 3:37 AM, John Mukulu
> >>>>>>>>>> <john.f.mukulu@xxxxxxxxx> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> I concur,
> >>>>>>>>>>> Or even a simple repeated 5 mins cronjob script to reset the
> >>>>>>>>>>> password via API.
> >>>>>>>>>>>
> >>>>>>>>>>> On Mon, May 23, 2016 at 9:19 PM, Jim Grace <jim@xxxxxxxxx> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Sounds reasonable to me.
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, May 23, 2016 at 1:16 PM, Jason Pickering
> >>>>>>>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Increasingly people change the password of the demo server.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Can we put a database trigger in place to prevent this from
> >>>>>>>>>>>>> being changed? It causes problems for people in general.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>> Jason
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> --
> >>>>>>>>>>>>> Jason P. Pickering
> >>>>>>>>>>>>> email: jason.p.pickering@xxxxxxxxx
> >>>>>>>>>>>>> tel:+46764147049
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> --
> >>>>>>>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
> >>>>>>>>>>>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
> >>>>>>>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
> >>>>>>>>>>>>> More help   : https://help.launchpad.net/ListHelp
> >>>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> Jim Grace
> >>>>>>>>>>>> Core developer, DHIS 2
> >>>>>>>>>>>> HISP US Inc.
> >>>>>>>>>>>> http://www.dhis2.org
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> http://mukulu.me
> >>>>>>>>>>> Open source developer
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Jason P. Pickering
> >>>>>>>> email: jason.p.pickering@xxxxxxxxx
> >>>>>>>> tel:+46764147049
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Jason P. Pickering
> >>>>>> email: jason.p.pickering@xxxxxxxxx
> >>>>>> tel:+46764147049
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Jason P. Pickering
> >>>>> email: jason.p.pickering@xxxxxxxxx
> >>>>> tel:+46764147049
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Jason P. Pickering
> >>> email: jason.p.pickering@xxxxxxxxx
> >>> tel:+46764147049
> >>
> >>
> >
> >
> >
> > --
> > Jason P. Pickering
> > email: jason.p.pickering@xxxxxxxxx
> > tel:+46764147049
>
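As an added example (not code from the thread and not part of DHIS2 itself), the following PostgreSQL trigger refines the `cant_touch_this()` variants quoted above. The thread notes that Hibernate rewrites the entire `users` row on every update, so a trigger that rejects any UPDATE of the `admin` row would also break routine writes such as `lastlogin` on each sign-in. Comparing `OLD` and `NEW` column by column with `IS DISTINCT FROM` lets the full-row UPDATE through when the credential columns are unchanged and raises only when `password`, `openid`, `ldapid`, `externalauth`, `username` or `disabled` actually differ. It assumes the column names from the UPDATE statement quoted in the thread (PostgreSQL folds them to lower case); the `drop trigger if exists` line is there so the snippet can be re-run after a database restore.

```sql
-- Added example: protect only the demo admin's credential columns,
-- while letting Hibernate's full-row UPDATE (lastlogin, restoretoken, ...)
-- succeed. Assumes the DHIS2 "users" table columns named in the thread.
create or replace function cant_touch_this() returns trigger language plpgsql as $$
begin
  -- Every account other than the demo admin is left alone.
  if old.username <> 'admin' then
    return new;
  end if;

  -- IS DISTINCT FROM treats NULL = NULL as "not changed", so an unset
  -- openid/ldapid does not trip the guard on an ordinary login update.
  if new.password     is distinct from old.password
  or new.openid       is distinct from old.openid
  or new.ldapid       is distinct from old.ldapid
  or new.externalauth is distinct from old.externalauth
  or new.username     is distinct from old.username
  or new.disabled     is distinct from old.disabled then
    -- The exception aborts the statement; the message ends up in the
    -- PostgreSQL log, which is the "useful logging" asked for above.
    raise exception 'Hammertime! Credentials of demo admin (userid %) are locked', old.userid;
  end if;

  -- Nothing sensitive changed: let the row through unchanged.
  return new;
end $$;

drop trigger if exists prevent_changing_password on users;
create trigger prevent_changing_password
  before update on users
  for each row execute procedure cant_touch_this();

-- Constructed checks, run by hand after the restore (admin row assumed to exist):
--   update users set lastlogin = now() where username = 'admin';  -- succeeds
--   update users set password = 'x'    where username = 'admin';  -- raises exception
```

Because the guard lives in the database, it covers every write path mentioned in the thread (`/api/userAccount`, `/api/me`, user import, the `updateUserAccount.action` form) with one rule, and the trigger is installed as part of the same SQL step that follows the database restore in the deploy.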
