Feature #22381

Require password reset on initial setup for default admin account

Added by Gregor Schmidt over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Security
Target version: 3.3.0
Resolution: Fixed
Start date:
Due date:
% Done: 0%

Description

To improve the security of a fresh Redmine installation, I propose to force a password reset for the default admin account on first login.

If this change is applied, the installation instructions would need to be updated accordingly.

Unit test should not be affected, since they solely rely on fixtures and not default data created using migrations.

The attached patch adds a migration which sets the must_change_passwd field to true for the default admin account, if it was not used yet (last_login_on: nil). This should make sure that existing installations are not affected and the changes are only applied during the initial rake db:migrate run.

0001-Force-password-reset-for-default-admin-user.patch (1020 Bytes) Gregor Schmidt, 2016-04-04 11:13
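
The data change described above, as an added example written for this page; it is not the attached patch and not Redmine's own migration. It shows the raw UPDATE such a migration would issue through ActiveRecord::Migration#execute, restricted to the default `admin` login that has never signed in, so that no User model instance is created inside the migration and installations whose admin has already logged in are left alone. The adapter-to-boolean-literal map, the Hash-per-row table, and the helper names are assumptions of the example; the sample tables are constructed, not real Redmine data.

```ruby
# Added example (not the attached patch or Redmine's own migration): the data
# change the issue describes, written so that no ActiveRecord model is
# instantiated inside the migration. The SQL below is what such a migration
# would run via ActiveRecord::Migration#execute; the in-memory table lets the
# same predicate be exercised without a database.

# Boolean literal for the target adapter. ActiveRecord exposes this as
# connection.quoted_true; the mapping here is an assumption for the example.
ADAPTER_TRUE = { 'postgresql' => 'TRUE', 'mysql2' => '1', 'sqlite3' => '1' }.freeze

# Raw UPDATE the migration issues: only the default 'admin' login that has
# never signed in (last_login_on IS NULL) is flagged, so an upgrade of an
# existing install changes nothing.
def force_reset_sql(adapter)
  literal = ADAPTER_TRUE.fetch(adapter) { raise ArgumentError, "unknown adapter #{adapter}" }
  "UPDATE users SET must_change_passwd = #{literal} " \
  "WHERE login = 'admin' AND last_login_on IS NULL"
end

# The same condition, applied to a row represented as a Hash.
def untouched_default_admin?(row)
  row[:login] == 'admin' && row[:last_login_on].nil?
end

# Apply the migration to an in-memory users table (Array of Hashes) and
# return the number of rows changed, as a real UPDATE would report.
def force_admin_password_reset!(users)
  changed = 0
  users.each do |row|
    next unless untouched_default_admin?(row)
    row[:must_change_passwd] = true
    changed += 1
  end
  changed
end

# Post-migration check an installer could run: is the default admin flagged?
def admin_must_change_password?(users)
  admin = users.find { |row| row[:login] == 'admin' }
  !admin.nil? && admin[:must_change_passwd] == true
end

# Constructed sample table for a fresh install (assumed data, not Redmine's).
def fresh_install
  [
    { login: 'admin', must_change_passwd: false, last_login_on: nil },
    { login: 'alice', must_change_passwd: false, last_login_on: nil },
  ]
end

# Constructed sample table for an install whose admin has already logged in.
def existing_install
  [
    { login: 'admin', must_change_passwd: false, last_login_on: '2015-11-02 09:14:00' },
    { login: 'bob',   must_change_passwd: false, last_login_on: nil },
  ]
end

if __FILE__ == $PROGRAM_NAME
  puts force_reset_sql('postgresql')
  fresh = fresh_install
  puts "fresh install: #{force_admin_password_reset!(fresh)} row(s) updated"
  old = existing_install
  puts "existing install: #{force_admin_password_reset!(old)} row(s) updated"
end
```

The WHERE clause is the whole point: keying on `login = 'admin' AND last_login_on IS NULL` rather than on `id = 1` means a renamed or already-used admin is not touched, and a non-admin account that has never logged in (alice, bob) is not flagged either. Sticking to a raw statement also avoids the stale-column-cache problem that comes with loading a model class whose schema is still changing mid-migration.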


Related issues

Related to Redmine - Patch #3858: Force the 'admin' account to change the default password Closed 2009-09-13

Associated revisions

Revision 15321
Added by Jean-Philippe Lang over 1 year ago

Force password reset for default admin user (#22381).

Patch by Gregor Schmidt.

History

#1 Updated by Go MAEDA over 1 year ago

  • Related to Patch #3858: Force the 'admin' account to change the default password added

#2 Updated by Gregor Schmidt over 1 year ago

Thanks for pointing me to the other ticket. Before creating this issue, I was trying to find a similar ticket, but I guess I was using the wrong search terms.

I just had a look at the patch you proposed in #3858. It looks like we both had the same idea. :) Therefore I would propose to close this issue in favour of #3858. (Unfortunately I cannot do that on my own.)

I just wanted to briefly explain that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.

#3 Updated by Jean-Philippe Lang over 1 year ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Target version set to 3.3.0
  • Resolution set to Fixed

Gregor Schmidt wrote:

I just wanted to briefly explain that I was hesitant to create a User instance within the migration, since that sometimes leads to errors involving outdated column caches within ActiveRecord.

Agreed, using model instances in migrations should be avoided as much as possible. Patch committed.

#4 Updated by Jean-Philippe Lang over 1 year ago

  • Subject changed from Require password reset on initial setup to Require password reset on initial setup for default admin account
