Force the 'admin' account to change the default password
Category: Accounts / authentication
It's considered generally good security practice to change the default user to something other than 'admin.' While I'm nowhere close to being a RoR expert (in fact, I think I'm a RoR n00b), this patch forces the default username (admin) to set a password on first login that isn't the password 'admin.'
I'd like someone to look at/review the patch, provide feedback, and, if the feedback is positive, consider inclusion into the development version of Redmine.
I should clarify (after re-reading my initial description): This doesn't force the user to change their username, this only forces the admin user to change the password to something other than the word 'admin.'
It seems that it redirects to the password change form but does not actually force the user to change the password.
Ah, very true -- I didn't think about that. I'll submit an updated diff later that should address this.
+1 and attaching a new patch.
This can be implemented by adding a migration script, without changing any web application code.
- Target version set to Candidate for next major release
- Related to Feature #22381: Require password reset on initial setup for default admin account added
- Status changed from New to Closed
- Target version deleted (Candidate for next major release)
Patch provided in #22381 committed.
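Added example, not code from the patch or from Redmine itself: a plain-Ruby model of the migration-only approach suggested above (flag admin accounts that still have the default password) together with the per-request check that makes the forced change actually stick, the gap pointed out earlier in the thread. The salted SHA1 scheme, the must_change_passwd flag and the /my/password path are assumptions modelled on Redmine, and the accounts are constructed sample data.

```ruby
require 'digest/sha1'
require 'securerandom'
DEFAULT_PASSWORD = 'admin'

# Salted SHA1 scheme modelled on Redmine's (an assumption here, not code taken
# from the project): hashed_password = SHA1(salt + SHA1(clear)).
def hash_password(clear)
  Digest::SHA1.hexdigest(clear.to_s)
end

def set_password(user, clear)
  user[:salt] = SecureRandom.hex(16)
  user[:hashed_password] = hash_password("#{user[:salt]}#{hash_password(clear)}")
  user
end

def check_password?(user, clear)
  hash_password("#{user[:salt]}#{hash_password(clear)}") == user[:hashed_password]
end

def make_user(login, password, admin: false)
  set_password({ login: login, admin: admin, must_change_passwd: false }, password)
end

# Data-only "migration" step: flag every admin whose password is still the
# default. Returns the affected logins so the effect can be checked.
def force_default_admin_password_reset(users)
  flagged = users.select { |u| u[:admin] && check_password?(u, DEFAULT_PASSWORD) }
  flagged.each { |u| u[:must_change_passwd] = true }
  flagged.map { |u| u[:login] }
end

# Per-request guard: a redirect at login alone is not enforcement; the flag has
# to be checked on every request until the password is actually changed.
def allowed?(user, path)
  !user[:must_change_passwd] || path == '/my/password'
end

# Clears the flag only when the new password is genuinely not the default.
def change_password(user, old, new_pw)
  return false unless check_password?(user, old) && new_pw != DEFAULT_PASSWORD
  set_password(user, new_pw)
  user[:must_change_passwd] = false
  true
end

# Constructed sample accounts (not from the page).
USERS = [make_user('admin', 'admin', admin: true),
         make_user('ops', 'S3cret-ops!', admin: true),
         make_user('bob', 'admin')]
```

Only the admin account with the default password is flagged; a non-admin user who happens to use 'admin' is left alone, matching the scope clarified in the thread.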