Hi Yaw,
Thanks for the feedback. We do currently have a hacky solution where we're
running Python scripts with Selenium webdriver, and are hoping to improve
this to something less hacky. 
Thanks for the API discussion link - I think that's the more effective way
forward. We'll jump in there to add our 5c and take the discussion further,
and hopefully contribute some code if we are able.
Regards,
Andrew
···
---------------------On 19 May 2017 at 21:50, Yaw Anokwa yanokwa@nafundi.com wrote:
Hi Andrew,
If you have an HTTPS session, then yes, it'd be safer. And if you want
to automate it, something like headless Chrome or some scripting
language could load the Aggregate page and set the passwords.It's all pretty hacky, and that points to a real need for a better
Aggregate API. Matt White has been drawing one up at
https://groups.google.com/d/msg/opendatakit-developers/
apE33LMmWZI/b0WfYyw0AQAJ.
Can you take a look and add some of your use-cases?Thanks,
Yaw
On Tue, May 16, 2017 at 4:13 AM, Andrew acawood777@gmail.com wrote:
Hi Mitch and Yaw,
I'm working with Johann on this so am chipping in here:
Agreed that we don't want to be setting passwords via HTTP. We're on
AppEngine for now, and have implemented SSL certs on a self-hosted ODK in
the past so are able to do that again if needed.
(Side-note - I seem to remember that Collect wouldn't allow
submission
to a non-SSL certified Aggregate, or maybe couldn't connect to download a
blank form - we were forced to use an SSL cert)Yaw, assuming an HTTPS session, does that not make the passwords in
the
Excel non-plaintext, and thus an acceptable route to go? (referring to
your
first response to Johann)Our longer-term goal is actually to be able to add a user AND set a
password using a script on our end (Either python or JS running locally or on another server). There
was
an earlier discussion (before the Excel capabilities were added) here.
Quoted from that:The passwords for the users must be individually set through a different
API:https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/
opendatakit/common/security/server/SecurityServiceUtil.java#L602That is called from the web page via a servlet:
https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/
opendatakit/aggregate/servlet/UserManagePasswordsServlet.javaWhen you add a new servlet, in addition to changing web.xml, you need to
update the site security rules here:https://github.com/opendatakit/aggregate/blob/master/war-base/WEB-INF/
applicationContext-security.xmlQuestion: Is it possible to use python/JS/java code to run on my PC to
replicate the calls made by the browser to create a user and set the
password? (i.e. THe existing code can serve as an API, if we tweak it a
bit)
Or must there be an actual browser involved?Thanks,
AndrewOn Saturday, 15 April 2017 20:45:10 UTC+2, Yaw Anokwa wrote:
Mitch,
Would you be open to a PR that loads passwords from CSV? And maybe
warns if you aren't on HTTPS?Yaw
On Fri, Apr 14, 2017 at 6:15 PM, Mitch Sundt mitche...@gmail.com wrote:
In general, changing passwords outside of an HTTPS session is NOT
safe.It works fine on AppEngine, but on privately hosted servers, you
should
have
an SSL certificate or only change passwords via a browser running on
your
server.On Tue, Apr 11, 2017 at 11:23 PM, Johann van Eeden < vanee...@gmail.com> wrote:
Are you referring to the passwords that will be in the .csv file? In
that
case the whole Password column can be made an optional one, so if
people
don't want to use it they don't have to. If they do use it it's at
their own
risk.For when actually saving the password in the system, from what I can
see
from the change password popup workings it hashes the password before
actually sending it. So that is already save. This is only if I would
use
this approach to set the password for users.On Tuesday, April 11, 2017 at 5:12:09 PM UTC+2, Yaw Anokwa wrote:
Hi Johann,
I understand that it's easier to load passwords in this way, but I
think the reason Aggregate doesn't do that is because it's not
secure
to send or store passwords in plaintext.Yaw
On Tue, Apr 11, 2017 at 4:48 AM, Johann van Eeden < vanee...@gmail.com> wrote:
Hello
So I want to added the ability to set a user's password directly
from
the
user capabilities .csv file. Adding the functionality for reading
from
the
.csv file is easy enough, but how to I go about actually setting
the
password? From what I can see in the
ExecuteChangePasswordButton.java
file
some javascript is executed to change the password of a user from
the
password popup. Would I have to use this or is there some better
way.My reasoning for adding this password functionality is that at
various
intervals chunks of users are created. It would make it very easy
to
set the
password from the .csv file instead of manually doing it for each
user.Thanks
--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it,
send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.--
Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com--
You received this message because you are subscribed to the Google
Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.--
You received this message because you are subscribed to a topic in the
Google Groups "ODK Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/
topic/opendatakit-developers/i-Ng2Ez4vX8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.