So I want to added the ability to set a user's password directly from the
user capabilities .csv file. Adding the functionality for reading from the
.csv file is easy enough, but how to I go about actually setting the
password? From what I can see in the ExecuteChangePasswordButton.java
file some javascript is executed to change the password of a user from the
password popup. Would I have to use this or is there some better way.
My reasoning for adding this password functionality is that at various
intervals chunks of users are created. It would make it very easy to set
the password from the .csv file instead of manually doing it for each user.
I understand that it's easier to load passwords in this way, but I
think the reason Aggregate doesn't do that is because it's not secure
to send or store passwords in plaintext.
Yaw
ยทยทยท
On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden wrote:
> Hello
>
> So I want to added the ability to set a user's password directly from the
> user capabilities .csv file. Adding the functionality for reading from the
> .csv file is easy enough, but how to I go about actually setting the
> password? From what I can see in the ExecuteChangePasswordButton.java file
> some javascript is executed to change the password of a user from the
> password popup. Would I have to use this or is there some better way.
>
> My reasoning for adding this password functionality is that at various
> intervals chunks of users are created. It would make it very easy to set the
> password from the .csv file instead of manually doing it for each user.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "ODK Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to opendatakit-developers+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Are you referring to the passwords that will be in the .csv file? In that
case the whole Password column can be made an optional one, so if people
don't want to use it they don't have to. If they do use it it's at their
own risk.
For when actually saving the password in the system, from what I can see
from the change password popup workings it hashes the password before
actually sending it. So that is already save. This is only if I would use
this approach to set the password for users.
ยทยทยท
On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
>
> Hi Johann,
>
> I understand that it's easier to load passwords in this way, but I
> think the reason Aggregate doesn't do that is because it's not secure
> to send or store passwords in plaintext.
>
> Yaw
>
> On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden <vanee...@gmail.com > wrote:
> > Hello
> >
> > So I want to added the ability to set a user's password directly from
> the
> > user capabilities .csv file. Adding the functionality for reading from
> the
> > .csv file is easy enough, but how to I go about actually setting the
> > password? From what I can see in the ExecuteChangePasswordButton.java
> file
> > some javascript is executed to change the password of a user from the
> > password popup. Would I have to use this or is there some better way.
> >
> > My reasoning for adding this password functionality is that at various
> > intervals chunks of users are created. It would make it very easy to set
> the
> > password from the .csv file instead of manually doing it for each user.
> >
> > Thanks
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups
> > "ODK Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to opendatakit-developers+unsubscribe@googlegroups.com
> .
> > For more options, visit https://groups.google.com/d/optout.
>
In general, changing passwords outside of an HTTPS session is NOT safe.
It works fine on AppEngine, but on privately hosted servers, you should
have an SSL certificate or only change passwords via a browser running on
your server.
ยทยทยท
On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden wrote:
Are you referring to the passwords that will be in the .csv file? In that
case the whole Password column can be made an optional one, so if people
don't want to use it they don't have to. If they do use it it's at their
own risk.
For when actually saving the password in the system, from what I can see
from the change password popup workings it hashes the password before
actually sending it. So that is already save. This is only if I would use
this approach to set the password for users.
On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
Hi Johann,
I understand that it's easier to load passwords in this way, but I
think the reason Aggregate doesn't do that is because it's not secure
to send or store passwords in plaintext.
Yaw
On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden vanee...@gmail.com wrote:
Hello
So I want to added the ability to set a user's password directly from
the
user capabilities .csv file. Adding the functionality for reading from
the
.csv file is easy enough, but how to I go about actually setting the
password? From what I can see in the ExecuteChangePasswordButton.java
file
some javascript is executed to change the password of a user from the
password popup. Would I have to use this or is there some better way.
My reasoning for adding this password functionality is that at various
intervals chunks of users are created. It would make it very easy to
set the
password from the .csv file instead of manually doing it for each user.
Would you be open to a PR that loads passwords from CSV? And maybe
warns if you aren't on HTTPS?
Yaw
ยทยทยท
On Fri, Apr 14, 2017 at 6:15 PM, Mitch Sundt wrote:
> In general, changing passwords outside of an HTTPS session is NOT safe.
>
> It works fine on AppEngine, but on privately hosted servers, you should have
> an SSL certificate or only change passwords via a browser running on your
> server.
>
>
> On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden wrote:
>>
>> Are you referring to the passwords that will be in the .csv file? In that
>> case the whole Password column can be made an optional one, so if people
>> don't want to use it they don't have to. If they do use it it's at their own
>> risk.
>>
>> For when actually saving the password in the system, from what I can see
>> from the change password popup workings it hashes the password before
>> actually sending it. So that is already save. This is only if I would use
>> this approach to set the password for users.
>>
>> On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
>>>
>>> Hi Johann,
>>>
>>> I understand that it's easier to load passwords in this way, but I
>>> think the reason Aggregate doesn't do that is because it's not secure
>>> to send or store passwords in plaintext.
>>>
>>> Yaw
>>>
>>> On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden wrote:
>>> > Hello
>>> >
>>> > So I want to added the ability to set a user's password directly from
>>> > the
>>> > user capabilities .csv file. Adding the functionality for reading from
>>> > the
>>> > .csv file is easy enough, but how to I go about actually setting the
>>> > password? From what I can see in the ExecuteChangePasswordButton.java
>>> > file
>>> > some javascript is executed to change the password of a user from the
>>> > password popup. Would I have to use this or is there some better way.
>>> >
>>> > My reasoning for adding this password functionality is that at various
>>> > intervals chunks of users are created. It would make it very easy to
>>> > set the
>>> > password from the .csv file instead of manually doing it for each user.
>>> >
>>> > Thanks
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google
>>> > Groups
>>> > "ODK Developers" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an
>>> > email to opendatakit-developers+unsubscribe@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "ODK Developers" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to opendatakit-developers+unsubscribe@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
>
>
>
> --
> Mitch Sundt
> Software Engineer
> University of Washington
> mitchellsundt@gmail.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "ODK Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to opendatakit-developers+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
I'm working with Johann on this so am chipping in here:
Agreed that we don't want to be setting passwords via HTTP. We're on
AppEngine for now, and have implemented SSL certs on a self-hosted ODK in
the past so are able to do that again if needed.
(Side-note - I seem to remember that Collect wouldn't allow submission
to a non-SSL certified Aggregate, or maybe couldn't connect to download a
blank form - we were forced to use an SSL cert)
Yaw, assuming an HTTPS session, does that not make the passwords in the
Excel non-plaintext, and thus an acceptable route to go? (referring to your
first response to Johann)
Our longer-term goal is actually to be able to add a user AND set a
password using a script on our end (Either python or JS running locally or on another server). There
was an earlier discussion (before the Excel capabilities were added) here https://groups.google.com/d/msg/opendatakit-developers/hg8Fyfeux-o/oBgR3Z2_AgAJ.
Quoted from that:
The passwords for the users must be individually set through a different
API:
*Question: *Is it possible to use python/JS/java code to run on my PC to
replicate the calls made by the browser to create a user and set the
password? (i.e. THe existing code can serve as an API, if we tweak it a
bit) Or must there be an actual browser involved?
Thanks,
Andrew
ยทยทยท
On Saturday, 15 April 2017 20:45:10 UTC+2, Yaw Anokwa wrote:
>
> Mitch,
>
> Would you be open to a PR that loads passwords from CSV? And maybe
> warns if you aren't on HTTPS?
>
> Yaw
>
> On Fri, Apr 14, 2017 at 6:15 PM, Mitch Sundt <mitche...@gmail.com > wrote:
> > In general, changing passwords outside of an HTTPS session is NOT safe.
> >
> > It works fine on AppEngine, but on privately hosted servers, you should
> have
> > an SSL certificate or only change passwords via a browser running on
> your
> > server.
> >
> >
> > On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden <vanee...@gmail.com > wrote:
> >>
> >> Are you referring to the passwords that will be in the .csv file? In
> that
> >> case the whole Password column can be made an optional one, so if
> people
> >> don't want to use it they don't have to. If they do use it it's at
> their own
> >> risk.
> >>
> >> For when actually saving the password in the system, from what I can
> see
> >> from the change password popup workings it hashes the password before
> >> actually sending it. So that is already save. This is only if I would
> use
> >> this approach to set the password for users.
> >>
> >> On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
> >>>
> >>> Hi Johann,
> >>>
> >>> I understand that it's easier to load passwords in this way, but I
> >>> think the reason Aggregate doesn't do that is because it's not secure
> >>> to send or store passwords in plaintext.
> >>>
> >>> Yaw
> >>>
> >>> On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden wrote:
> >>> > Hello
> >>> >
> >>> > So I want to added the ability to set a user's password directly
> from
> >>> > the
> >>> > user capabilities .csv file. Adding the functionality for reading
> from
> >>> > the
> >>> > .csv file is easy enough, but how to I go about actually setting the
> >>> > password? From what I can see in the
> ExecuteChangePasswordButton.java
> >>> > file
> >>> > some javascript is executed to change the password of a user from
> the
> >>> > password popup. Would I have to use this or is there some better
> way.
> >>> >
> >>> > My reasoning for adding this password functionality is that at
> various
> >>> > intervals chunks of users are created. It would make it very easy to
> >>> > set the
> >>> > password from the .csv file instead of manually doing it for each
> user.
> >>> >
> >>> > Thanks
> >>> >
> >>> > --
> >>> > You received this message because you are subscribed to the Google
> >>> > Groups
> >>> > "ODK Developers" group.
> >>> > To unsubscribe from this group and stop receiving emails from it,
> send
> >>> > an
> >>> > email to opendatakit-developers+unsubscribe@googlegroups.com
> .
> >>> > For more options, visit https://groups.google.com/d/optout.
> >>
> >> --
> >> You received this message because you are subscribed to the Google
> Groups
> >> "ODK Developers" group.
> >> To unsubscribe from this group and stop receiving emails from it, send
> an
> >> email to opendatakit-developers+unsubscribe@googlegroups.com
> .
> >> For more options, visit https://groups.google.com/d/optout.
> >
> >
> >
> >
> > --
> > Mitch Sundt
> > Software Engineer
> > University of Washington
> > mitche...@gmail.com
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups
> > "ODK Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to opendatakit-developers+unsubscribe@googlegroups.com
> .
> > For more options, visit https://groups.google.com/d/optout.
>
If you have an HTTPS session, then yes, it'd be safer. And if you want
to automate it, something like headless Chrome or some scripting
language could load the Aggregate page and set the passwords.
ยทยทยท
On Tue, May 16, 2017 at 4:13 AM, Andrew wrote:
> Hi Mitch and Yaw,
>
> I'm working with Johann on this so am chipping in here:
>
> 1. Agreed that we don't want to be setting passwords via HTTP. We're on
> AppEngine for now, and have implemented SSL certs on a self-hosted ODK in
> the past so are able to do that again if needed.
> (Side-note - I seem to remember that Collect wouldn't allow submission
> to a non-SSL certified Aggregate, or maybe couldn't connect to download a
> blank form - we were forced to use an SSL cert)
>
> 2. Yaw, assuming an HTTPS session, does that not make the passwords in the
> Excel non-plaintext, and thus an acceptable route to go? (referring to your
> first response to Johann)
>
> 3. Our longer-term goal is actually to be able to add a user AND set a
> password using a script on our end (Either python or JS to reuse existing ODK code> running locally or on another server). There was
> an earlier discussion (before the Excel capabilities were added) here.
> Quoted from that:
>>
>> The passwords for the users must be individually set through a different
>> API:
>>
>> https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/common/security/server/SecurityServiceUtil.java#L602
>>
>> That is called from the web page via a servlet:
>>
>> https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/aggregate/servlet/UserManagePasswordsServlet.java
>>
>> When you add a new servlet, in addition to changing web.xml, you need to
>> update the site security rules here:
>
> https://github.com/opendatakit/aggregate/blob/master/war-base/WEB-INF/applicationContext-security.xml
>
>
> Question: Is it possible to use python/JS/java code to run on my PC to
> replicate the calls made by the browser to create a user and set the
> password? (i.e. THe existing code can serve as an API, if we tweak it a bit)
> Or must there be an actual browser involved?
>
>
> Thanks,
> Andrew
>
>
> On Saturday, 15 April 2017 20:45:10 UTC+2, Yaw Anokwa wrote:
>>
>> Mitch,
>>
>> Would you be open to a PR that loads passwords from CSV? And maybe
>> warns if you aren't on HTTPS?
>>
>> Yaw
>>
>> On Fri, Apr 14, 2017 at 6:15 PM, Mitch Sundt wrote:
>> > In general, changing passwords outside of an HTTPS session is NOT safe.
>> >
>> > It works fine on AppEngine, but on privately hosted servers, you should
>> > have
>> > an SSL certificate or only change passwords via a browser running on
>> > your
>> > server.
>> >
>> >
>> > On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden wrote:
>> >>
>> >> Are you referring to the passwords that will be in the .csv file? In
>> >> that
>> >> case the whole Password column can be made an optional one, so if
>> >> people
>> >> don't want to use it they don't have to. If they do use it it's at
>> >> their own
>> >> risk.
>> >>
>> >> For when actually saving the password in the system, from what I can
>> >> see
>> >> from the change password popup workings it hashes the password before
>> >> actually sending it. So that is already save. This is only if I would
>> >> use
>> >> this approach to set the password for users.
>> >>
>> >> On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
>> >>>
>> >>> Hi Johann,
>> >>>
>> >>> I understand that it's easier to load passwords in this way, but I
>> >>> think the reason Aggregate doesn't do that is because it's not secure
>> >>> to send or store passwords in plaintext.
>> >>>
>> >>> Yaw
>> >>>
>> >>> On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden wrote:
>> >>> > Hello
>> >>> >
>> >>> > So I want to added the ability to set a user's password directly
>> >>> > from
>> >>> > the
>> >>> > user capabilities .csv file. Adding the functionality for reading
>> >>> > from
>> >>> > the
>> >>> > .csv file is easy enough, but how to I go about actually setting the
>> >>> > password? From what I can see in the
>> >>> > ExecuteChangePasswordButton.java
>> >>> > file
>> >>> > some javascript is executed to change the password of a user from
>> >>> > the
>> >>> > password popup. Would I have to use this or is there some better
>> >>> > way.
>> >>> >
>> >>> > My reasoning for adding this password functionality is that at
>> >>> > various
>> >>> > intervals chunks of users are created. It would make it very easy to
>> >>> > set the
>> >>> > password from the .csv file instead of manually doing it for each
>> >>> > user.
>> >>> >
>> >>> > Thanks
>> >>> >
>> >>> > --
>> >>> > You received this message because you are subscribed to the Google
>> >>> > Groups
>> >>> > "ODK Developers" group.
>> >>> > To unsubscribe from this group and stop receiving emails from it,
>> >>> > send
>> >>> > an
>> >>> > email to opendatakit-developers+unsubscribe@googlegroups.com.
>> >>> > For more options, visit https://groups.google.com/d/optout.
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups
>> >> "ODK Developers" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> an
>> >> email to opendatakit-developers+unsubscribe@googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.
>> >
>> >
>> >
>> >
>> > --
>> > Mitch Sundt
>> > Software Engineer
>> > University of Washington
>> > mitche...@gmail.com
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ODK Developers" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to opendatakit-developers+unsubscribe@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "ODK Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to opendatakit-developers+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Thanks for the feedback. We do currently have a hacky solution where we're
running Python scripts with Selenium webdriver, and are hoping to improve
this to something less hacky.
Thanks for the API discussion link - I think that's the more effective way
forward. We'll jump in there to add our 5c and take the discussion further,
and hopefully contribute some code if we are able.
If you have an HTTPS session, then yes, it'd be safer. And if you want
to automate it, something like headless Chrome or some scripting
language could load the Aggregate page and set the passwords.
It's all pretty hacky, and that points to a real need for a better
Aggregate API. Matt White has been drawing one up at https://groups.google.com/d/msg/opendatakit-developers/
apE33LMmWZI/b0WfYyw0AQAJ.
Can you take a look and add some of your use-cases?
I'm working with Johann on this so am chipping in here:
Agreed that we don't want to be setting passwords via HTTP. We're on
AppEngine for now, and have implemented SSL certs on a self-hosted ODK in
the past so are able to do that again if needed.
(Side-note - I seem to remember that Collect wouldn't allow
submission
to a non-SSL certified Aggregate, or maybe couldn't connect to download a
blank form - we were forced to use an SSL cert)
Yaw, assuming an HTTPS session, does that not make the passwords in
the
Excel non-plaintext, and thus an acceptable route to go? (referring to
your
first response to Johann)
Our longer-term goal is actually to be able to add a user AND set a
password using a script on our end (Either python or JS running locally or on another server). There
was
an earlier discussion (before the Excel capabilities were added) here.
Quoted from that:
The passwords for the users must be individually set through a different
API:
Question: Is it possible to use python/JS/java code to run on my PC to
replicate the calls made by the browser to create a user and set the
password? (i.e. THe existing code can serve as an API, if we tweak it a
bit)
Or must there be an actual browser involved?
Thanks,
Andrew
On Saturday, 15 April 2017 20:45:10 UTC+2, Yaw Anokwa wrote:
Mitch,
Would you be open to a PR that loads passwords from CSV? And maybe
warns if you aren't on HTTPS?
In general, changing passwords outside of an HTTPS session is NOT
safe.
It works fine on AppEngine, but on privately hosted servers, you
should
have
an SSL certificate or only change passwords via a browser running on
your
server.
On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden < vanee...@gmail.com> wrote:
Are you referring to the passwords that will be in the .csv file? In
that
case the whole Password column can be made an optional one, so if
people
don't want to use it they don't have to. If they do use it it's at
their own
risk.
For when actually saving the password in the system, from what I can
see
from the change password popup workings it hashes the password before
actually sending it. So that is already save. This is only if I would
use
this approach to set the password for users.
On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
Hi Johann,
I understand that it's easier to load passwords in this way, but I
think the reason Aggregate doesn't do that is because it's not
secure
to send or store passwords in plaintext.
Yaw
On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden < vanee...@gmail.com> wrote:
Hello
So I want to added the ability to set a user's password directly
from
the
user capabilities .csv file. Adding the functionality for reading
from
the
.csv file is easy enough, but how to I go about actually setting
the
password? From what I can see in the
ExecuteChangePasswordButton.java
file
some javascript is executed to change the password of a user from
the
password popup. Would I have to use this or is there some better
way.
My reasoning for adding this password functionality is that at
various
intervals chunks of users are created. It would make it very easy
to
set the
password from the .csv file instead of manually doing it for each
user.
