weixin_39877050
2021-01-11 07:03

Force the generated admin user to change the password on the first login

When running db:seed we create an admin user with username admin and password admin. It is dangerous to have such default credentials (because users tend to forget to change the defaults).

This PR aims to make the admin change his password after his/her first login.

relates to: https://www.openproject.org/work_packages/5606

This question comes from the open-source project: opf/openproject


17 replies

  • weixin_39730284 4 months ago

    Tomato tomato. Doesn't really matter which way we do it. Of course it's no problem.

  • weixin_39788740 4 months ago

    > Tomato tomato. Doesn't really matter which way we do it.

    Don't know the tomato joke, but as tessi explained there is a reason ^^ Otherwise my rationale would be to have things where they belong and not everywhere they do not belong.

  • weixin_39730284 4 months ago

    Ah yes, Tessi actually gave a good reason not to do it in production. So there you go. We're gonna do it MY WAY.

  • weixin_39877050 4 months ago

    The password-change is not enforced in dev-mode now.

  • weixin_39730284 4 months ago

    Now I'm just wondering whether there are tests that rely on the seeded admin user and which might break if the admin has to change their password upon login. But I guess if travis is green this is not the case. So IMO we can merge it as soon as Travis gives their thumbs up.

  • weixin_39877050 4 months ago

    Thought about this too. But tests don't seed the database, do they? Anyway, Travis was green on the last commit :)

    However, I wonder if I should somehow test the changes in this PR. But I'm not sure how to test seeds.

  • weixin_39730284 4 months ago

    I suppose they don't. Perhaps you can write a test in which you require seeds.rb while stubbing the Rails.env to be development and production respectively to check if the flag is correct.

  • weixin_39730284 4 months ago

    Then again that test would run forever for development. So better don't.

  • weixin_39730284 4 months ago

    I say if you have tried this locally by hand it is good enough.

  • weixin_39877050 4 months ago

    I say: "I have tried this locally by hand" :D

  • weixin_39730284 4 months ago

    Good. I will push the merge button as soon as travis shows green again.

  • weixin_39795292 4 months ago

    This looks like a pretty good idea for production, but would be a pain for development - resetting the password to a 10-character or longer password after each database reset.

    Any way we could not do this in development?

  • weixin_39730284 4 months ago

    Could we put code in seeds/development.rb that resets the flag so that you only have to change your password in production mode?

  • weixin_39788740 4 months ago

    No idea about ruby here, but my intuition was: If there is all.rb, development.rb and production.rb and I want some behaviour to be present in my production environment, then I would add something to the production.rb rather than adding it to all.rb and removing it in development.rb afterwards.

    But this is just my intuition... And you might say it is better to edit many files...

  • weixin_39730284 4 months ago

    The reason the admin is in all.rb surely is not wanting to copy that code for each environment. You want an admin for both development and production.

  • weixin_39877050 4 months ago

    Sounds like a good idea. gonna try this.

    We don't need to care about the test env, do we? What about testing this PR? I don't know a way to test seeds.

    We create the admin user in all.rb if it does not exist yet. In production.rb we don't know whether the admin user was recently created (but does not have the password-change-flag set) or if the user already existed and has its password already changed.

    The seed-command is executed after every update. And since we don't want to force an admin password change after every update, we can just follow 's approach.

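The seeding rule the thread converges on (create the admin once in the shared seed, set the password-change flag only at creation time and only in production, never re-set it on the seed run after an update), as an added Ruby example that is not OpenProject's own seed code; the AdminSeeder class, its in-memory store and the 10-character minimum taken from the comment below are assumptions for illustration.

```ruby
# Added illustration, not OpenProject code: models the seed rule from this
# thread with a plain in-memory store instead of Rails and a database.
# Assumed names: AdminSeeder, seed_admin, login, :force_password_change.
class AdminSeeder
  DEFAULT_USERNAME = 'admin'
  DEFAULT_PASSWORD = 'admin'   # the well-known default that must not survive first login
  MIN_PASSWORD_LENGTH = 10     # assumed minimum, taken from the thread

  attr_reader :users

  def initialize(env)
    @env = env      # 'development', 'test' or 'production'
    @users = {}     # username => attributes; stands in for the users table
  end

  # Idempotent, like db:seed run after every update: creates the admin only
  # when missing, and sets the flag only at creation time in production, so an
  # existing admin who already changed the password is never forced again.
  def seed_admin
    return @users[DEFAULT_USERNAME] if @users.key?(DEFAULT_USERNAME)

    @users[DEFAULT_USERNAME] = {
      username: DEFAULT_USERNAME,
      password: DEFAULT_PASSWORD,
      force_password_change: @env == 'production'
    }
  end

  # Login flow: while the flag is set, the session is unusable until a new,
  # acceptable password has been supplied and the flag cleared.
  def login(username, password, new_password: nil)
    user = @users[username]
    return :invalid unless user && user[:password] == password
    return :must_change_password if user[:force_password_change] && new_password.nil?

    if user[:force_password_change]
      weak = new_password.length < MIN_PASSWORD_LENGTH || new_password == DEFAULT_PASSWORD
      return :weak_password if weak

      user[:password] = new_password
      user[:force_password_change] = false
    end
    :ok
  end
end
```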
  • weixin_39788740 4 months ago

    > Could we put code in seeds/development.rb that resets the flag so that you only have to change your password in production mode?

    ~~If you are able to find the admin-user in development.rb and remove the flag, I don't see why it should be a problem to find him in production.rb and remove the flag.~~

    Thanks for the explanation ^^
