
dhis2-devs-core team mailing list archive

Re: DHIS2 demo admin password


Yeah, we have a `reinit-db-instance.sh` script, I assume it should be added
there..

-- 
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Wed, May 25, 2016 at 1:47 AM, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:

> So unless there are any objections, could we implement this on the demo
> and dev site as part of the deploy?
>
> I don't have details of the deploy so it's difficult for me to script, but
> assume this chunk of SQL can be injected after the normal database restore.
>
>
> On Tue, May 24, 2016, 11:18 Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>
>> That one looks good
>>
>> On 24 May 2016 at 09:57, Jason Pickering <jason.p.pickering@xxxxxxxxx>
>> wrote:
>> > Maybe this. Seems to work.
>> >
>> > create or replace function cant_touch_this() returns trigger language
>> > plpgsql as $$
>> > begin
>> > IF NEW.username != 'admin' THEN
>> > RETURN NEW;
>> > ELSE
>> > RAISE EXCEPTION 'Hammertime!';
>> > RETURN null;
>> > END IF;
>> >
>> > end $$;
>> >
>> > create trigger prevent_changing_password before update on users
>> > FOR EACH ROW
>> > execute procedure cant_touch_this();
>> >
>> > On Tue, May 24, 2016 at 10:47 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>> > wrote:
>> >>
>> >> Hm ok, not sure how all the triggers work. Just sucks a bit that people
>> >> can't change openid/ldap etc, if they want to try it out.
>> >>
>> >> --
>> >> Morten Olav Hansen
>> >> Senior Engineer, DHIS 2
>> >> University of Oslo
>> >> http://www.dhis2.org
>> >>
>> >> On Tue, May 24, 2016 at 3:46 PM, Jason Pickering
>> >> <jason.p.pickering@xxxxxxxxx> wrote:
>> >>>
>> >>> I don't think so, since it seems the entire object is written by
>> >>> Hibernate
>> >>>
>> >>> update users set uid=$1, code=$2, created=$3, lastUpdated=$4,
>> >>> creatoruserid=$5, username=$6, password=$7, externalauth=$8, openid=$9,
>> >>> ldapid=$10, passwordLastUpdated=$11, lastLogin=$12, restoreToken=$13,
>> >>> restoreCode=$14, restoreExpiry=$15, selfRegistered=$16, invitation=$17,
>> >>> disabled=$18 where userid=$19
>> >>>
>> >>>
>> >>> On Tue, May 24, 2016 at 10:44 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>> >>> wrote:
>> >>>>
>> >>>> Would it be possible to disregard updates on column password only?
>> >>>>
>> >>>> --
>> >>>> Morten Olav Hansen
>> >>>> Senior Engineer, DHIS 2
>> >>>> University of Oslo
>> >>>> http://www.dhis2.org
>> >>>>
>> >>>> On Tue, May 24, 2016 at 3:43 PM, Jason Pickering
>> >>>> <jason.p.pickering@xxxxxxxxx> wrote:
>> >>>>>
>> >>>>> Someone who wishes to remain anonymous requested some useful logging.
>> >>>>>
>> >>>>> create or replace function cant_touch_this() returns trigger language
>> >>>>> plpgsql as $$
>> >>>>> begin
>> >>>>>   RAISE EXCEPTION 'Hammertime!';
>> >>>>>   return null;
>> >>>>>
>> >>>>> end $$;
>> >>>>>
>> >>>>> create trigger prevent_changing_password before update on users
>> >>>>> FOR EACH ROW
>> >>>>> execute procedure cant_touch_this();
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Tue, May 24, 2016 at 10:01 AM, Jason Pickering
>> >>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>> >>>>>>
>> >>>>>> I think this will work. Tested it locally
>> >>>>>>
>> >>>>>> create or replace function cant_touch_this() returns trigger language
>> >>>>>> plpgsql as $$
>> >>>>>> begin
>> >>>>>>
>> >>>>>>   return null;
>> >>>>>>
>> >>>>>> end $$;
>> >>>>>>
>> >>>>>> create trigger prevent_changing_password before update on users for
>> >>>>>> each row execute procedure cant_touch_this();
>> >>>>>>
>> >>>>>> On Tue, May 24, 2016 at 9:39 AM, Morten Olav Hansen <morten@xxxxxxxxx>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> There are at least 4-5 different ways of doing it though...
>> >>>>>>> /api/userAccount, /api/me, any kind of user import etc...
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> Morten Olav Hansen
>> >>>>>>> Senior Engineer, DHIS 2
>> >>>>>>> University of Oslo
>> >>>>>>> http://www.dhis2.org
>> >>>>>>>
>> >>>>>>> On Tue, May 24, 2016 at 2:39 PM, Jason Pickering
>> >>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>> >>>>>>>>
>> >>>>>>>> That sounds like perhaps the best way to me.
>> >>>>>>>>
>> >>>>>>>> Just block POST to
>> >>>>>>>>
>> >>>>>>>> https://play.dhis2.org/dhis-web-commons-about/updateUserAccount.action
>> >>>>>>>>
>> >>>>>>>> and perhaps its API equivalent if it exists?
>> >>>>>>>>
>> >>>>>>>> Are there other ways?
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Tue, May 24, 2016 at 9:34 AM, Bob Jolliffe
>> >>>>>>>> <bobjolliffe@xxxxxxxxx> wrote:
>> >>>>>>>>>
>> >>>>>>>>> Could we use nginx to prevent access to the action. Redirect to
>> >>>>>>>>> somewhere punitive :-)
>> >>>>>>>>>
>> >>>>>>>>> On 24 May 2016 03:38, "Morten Olav Hansen" <morten@xxxxxxxxx>
>> >>>>>>>>> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> I agree that it would be helpful. A couple of issues:
>> >>>>>>>>>>
>> >>>>>>>>>> 1) If using the web-api, it would require it to be a valid
>> >>>>>>>>>> password, so "district" would no longer work (District1?)
>> >>>>>>>>>>
>> >>>>>>>>>> 2) If instead injecting with SQL, one would also have to clear the cache
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> Morten Olav Hansen
>> >>>>>>>>>> Senior Engineer, DHIS 2
>> >>>>>>>>>> University of Oslo
>> >>>>>>>>>> http://www.dhis2.org
>> >>>>>>>>>>
>> >>>>>>>>>> On Tue, May 24, 2016 at 3:37 AM, John Mukulu
>> >>>>>>>>>> <john.f.mukulu@xxxxxxxxx> wrote:
>> >>>>>>>>>>>
>> >>>>>>>>>>> I concur,
>> >>>>>>>>>>> Or even a simple repeated 5 mins cronjob script to reset the
>> >>>>>>>>>>> password via API.
>> >>>>>>>>>>>
>> >>>>>>>>>>> On Mon, May 23, 2016 at 9:19 PM, Jim Grace <jim@xxxxxxxxx> wrote:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Sounds reasonable to me.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> On Mon, May 23, 2016 at 1:16 PM, Jason Pickering
>> >>>>>>>>>>>> <jason.p.pickering@xxxxxxxxx> wrote:
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Increasingly people change the password of the demo server.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Can we put a database trigger in place to prevent this from
>> >>>>>>>>>>>>> being changed? It causes problems for people in general.
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> Regards,
>> >>>>>>>>>>>>> Jason
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> --
>> >>>>>>>>>>>>> Jason P. Pickering
>> >>>>>>>>>>>>> email: jason.p.pickering@xxxxxxxxx
>> >>>>>>>>>>>>> tel:+46764147049
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> --
>> >>>>>>>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs-core
>> >>>>>>>>>>>>> Post to     : dhis2-devs-core@xxxxxxxxxxxxxxxxxxx
>> >>>>>>>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs-core
>> >>>>>>>>>>>>> More help   : https://help.launchpad.net/ListHelp
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> --
>> >>>>>>>>>>>> Jim Grace
>> >>>>>>>>>>>> Core developer, DHIS 2
>> >>>>>>>>>>>> HISP US Inc.
>> >>>>>>>>>>>> http://www.dhis2.org
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>> --
>> >>>>>>>>>>> http://mukulu.me
>> >>>>>>>>>>> Open source developer
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> --
>> >>>>>>>> Jason P. Pickering
>> >>>>>>>> email: jason.p.pickering@xxxxxxxxx
>> >>>>>>>> tel:+46764147049
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> --
>> >>>>>> Jason P. Pickering
>> >>>>>> email: jason.p.pickering@xxxxxxxxx
>> >>>>>> tel:+46764147049
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> --
>> >>>>> Jason P. Pickering
>> >>>>> email: jason.p.pickering@xxxxxxxxx
>> >>>>> tel:+46764147049
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Jason P. Pickering
>> >>> email: jason.p.pickering@xxxxxxxxx
>> >>> tel:+46764147049
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Jason P. Pickering
>> > email: jason.p.pickering@xxxxxxxxx
>> > tel:+46764147049
>>
>
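As an added example (not code from the thread or from the DHIS2 project), here is a variant of the trigger discussed above: because a BEFORE UPDATE row trigger sees both OLD and NEW, it can reject only a change to the admin user's password and let other column updates (openid, ldapid, lastLogin) through, which is the concern Morten raised. It assumes the users table has the username, password and userid columns that appear in the Hibernate UPDATE quoted in the thread.

```sql
-- Added example, not the trigger posted in the thread. Assumes a DHIS2
-- "users" table with the columns username, password and userid.
create or replace function cant_touch_this() returns trigger language plpgsql as $$
begin
  -- Hibernate rewrites every column of the row, so compare OLD and NEW
  -- instead of relying on which columns the UPDATE statement names.
  if OLD.username = 'admin'
     and NEW.password is distinct from OLD.password then
    raise exception 'Hammertime! demo admin password is read-only (userid=%)',
      OLD.userid;
  end if;

  -- Renaming the admin row would take it outside the check above on the
  -- next update, so keep the username fixed as well.
  if OLD.username = 'admin' and NEW.username is distinct from 'admin' then
    raise exception 'Hammertime! demo admin account cannot be renamed';
  end if;

  -- Every other change to the admin row (openid, ldapid, lastLogin, ...)
  -- and every change to other users goes through unchanged.
  return NEW;
end $$;

drop trigger if exists prevent_changing_password on users;
create trigger prevent_changing_password
  before update on users
  for each row execute procedure cant_touch_this();

-- Smoke test after installing the trigger; run inside a transaction that is
-- rolled back so the demo data is left untouched.
begin;
update users set openid = 'constructed-test-openid'
  where username = 'admin';                         -- allowed
update users set password = 'constructed-test-hash'
  where username = 'admin';                         -- ERROR: Hammertime!
rollback;
```

Because the failing UPDATE raises rather than silently returning NULL, the application transaction is rolled back and nothing stale is left in the Hibernate cache for that row.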
