Project

General

Profile

Actions
Copy link

Feature #22381

closed

Require password reset on initial setup for default admin account

Added by Gregor Schmidt over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jean-Philippe Lang
Category:
Security
Target version:
3.3.0
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

To improve the security of a fresh Redmine installation, I propose to force a password reset for the default admin account on first login.

If this change is applied, the installation instructions would need to be updated accordingly.

Unit test should not be affected, since they solely rely on fixtures and not default data created using migrations.

The attached patch, adds a migration which sets the must_change_passwd field to true for the default admin account, if it was not used yet (last_login_on: nil). This should make sure, that existing installations are not affected and the changes are only applied during the initial rake db:migrate run.

Files

0001-Force-password-reset-for-default-admin-user.patch (1020 Bytes) 0001-Force-password-reset-for-default-admin-user.patch Gregor Schmidt, 2016-04-04 11:13

Related issues

Related to Redmine - Patch #3858: Force the 'admin' account to change the default password Closed2009-09-13

Actions
Actions
Copy link
 #1

Updated by Go MAEDA over 8 years ago

  • Related to Patch #3858: Force the 'admin' account to change the default password added
Actions
Copy link
 #2

Updated by Gregor Schmidt over 8 years ago

Thanks for pointing me to the other ticket. Before creating this issue, I was trying to find a similar ticket, but I guess, I was using the wrong search terms.

I just had a look at the patch, you proposed in #3858. It looks, like we both had the same idea. :) Therefore I would propose to close this issue in favour of #3858. (Unfortunately I cannot do that on my own.)

I just wanted to briefly explain, that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.

Actions
Copy link
 #3

Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.3.0
  • Resolution set to Fixed

Gregor Schmidt wrote:

I just wanted to briefly explain, that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.

Agreed, using model instances in migrations should be avoided as much as possible. Patch committed.

Actions
Copy link
 #4

Updated by Jean-Philippe Lang over 8 years ago

  • Subject changed from Require password reset on initial setup to Require password reset on initial setup for default admin account
Actions
Copy link

Also available in: Atom PDF