
Require password reset on initial setup for default admin account

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Security_51
Target version:
Start date: 2022/05/09
Due date:
% Done: 0%
Estimated time:
category_id: 51
version_id: 110
issue_org_id: 22381
author_id: 14446
assigned_to_id: 1
comments: 4
status_id: 5
tracker_id: 2
plus1: 0
affected_version:
closed_on:
affected_version_id:
Status --> [Closed]

Description

To improve the security of a fresh Redmine installation, I propose to force a password reset for the default admin account on first login.

If this change is applied, the installation instructions would need to be updated accordingly.

Unit tests should not be affected, since they solely rely on fixtures and not on default data created using migrations.

The attached patch adds a migration which sets the @must_change_passwd@ field to @true@ for the default @Admin Redmine@ account, if it was not used yet (@last_login_on: nil@). This should make sure that existing installations are not affected and the changes are only applied during the initial @rake db:migrate@ run.


Journals

--------------------------------------------------------------------------------
Thanks for pointing me to the other ticket. Before creating this issue, I was trying to find a similar ticket, but I guess I was using the wrong search terms.

I just had a look at the patch you proposed in #3858. It looks like we both had the same idea. :) Therefore I would propose to close this issue in favour of #3858. (Unfortunately I cannot do that on my own.)

I just wanted to briefly explain that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.
--------------------------------------------------------------------------------
Gregor Schmidt wrote:

> I just wanted to briefly explain that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.

Agreed, using model instances in migrations should be avoided as much as possible. Patch committed.
--------------------------------------------------------------------------------
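The migration's conditional update from the description, written as plain SQL rather than through a User model instance, which is what the journal exchange above recommends. This is an added example, not the patch committed to Redmine; it assumes the @users@ table columns @login@, @last_login_on@ and @must_change_passwd@, and the login @admin@ for the default account.

```sql
-- Added example (not Redmine's committed patch). Assumed columns on the
-- Redmine users table: login, last_login_on, must_change_passwd.
-- The boolean literal TRUE is PostgreSQL syntax; on other adapters use the
-- literal your database expects (ActiveRecord's quoted_true handles this
-- when the statement is issued through the migration's connection).

-- Migration step: flag the default admin for a password change only when the
-- account has never logged in, so existing installations are left untouched
-- and the change applies only on the initial rake db:migrate run.
UPDATE users
   SET must_change_passwd = TRUE
 WHERE login = 'admin'
   AND last_login_on IS NULL;

-- Operator check after the migration (or on an older install that predates
-- it): an untouched admin account should now show must_change_passwd = TRUE;
-- a row with last_login_on set was in use and is deliberately not modified.
SELECT id, login, last_login_on, must_change_passwd
  FROM users
 WHERE login = 'admin';
```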

Related issues

Related to #3858 (Closed): Force the 'admin' account to change the default password

Updated by Admin Redmine over 3 years ago

  • Category set to Security_51
  • Target version set to 3.3.0_110
