I'm just curious

Why do you need access to the admin/appadmin apps in a production 
environment?

I've never used them there. I use them in development, but never in production.

-Jim


On Friday, September 1, 2023 at 11:54:02 AM UTC-5 Clemens wrote:

> Removing the admin app as well as the appadmin controllers should kill all 
> options of administration. Move these two to a folder away from web2py. 
> And then you can still call https://.../admin/site or https://.../appadmin?
>
> On Friday, September 1, 2023 at 6:44:31 PM UTC+2 Ramos wrote:
>
>> Yes, I tried it on the admin app and it just does not work.
>> :)
>>
>>
>> On Fri, Sep 1, 2023 at 16:53, Jim S <[email protected]> wrote:
>>
>>> So, are you trying to protect the 'admin' application with 2fa?
>>>
>>> If so, can you add the 2fa code to the admin app?
>>>
>>> I haven't tried this before
>>>
>>> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>>>
>>>> this admin
>>>>
>>>> https://mysite.com/admin
>>>>
>>>> On Fri, Sep 1, 2023 at 16:08, Jim S <[email protected]> wrote:
>>>>
>>>>> What does 'administrator password' mean to you?
>>>>>
>>>>> I'm not sure what you're referring to
>>>>>
>>>>> -Jim
>>>>>
>>>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>>>
>>>>>> Hello Jim 
>>>>>> this line of code 
>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>> *does not protect the administrator password. Only created users.*
>>>>>> *That is my question, how to force administrator to use 2fa ?*
>>>>>> *regards*
>>>>>> *António*
>>>>>>
>>>>>> On Fri, Sep 1, 2023 at 15:00, Jim S <[email protected]> wrote:
>>>>>>
>>>>>>> Here is the code I wrote that only enforced 2fa for users outside 
>>>>>>> our local networks.
>>>>>>>
>>>>>>> There is some commented out code there that additionally allowed me 
>>>>>>> to specify users in a group so only that group was forced to 2fa
>>>>>>>
>>>>>>> def _two_factor_required(auth_user):
>>>>>>>     """
>>>>>>>     check whether we need to enforce MFA on this login
>>>>>>>
>>>>>>>     We enforce MFA only on logins external to our network.
>>>>>>>
>>>>>>>     Returns
>>>>>>>     -------
>>>>>>>     bool - enforce MFA
>>>>>>>         - True means this login requires MFA
>>>>>>>         - False means we will not enforce MFA for this login
>>>>>>>     """
>>>>>>>     import datetime
>>>>>>>     import ipaddress
>>>>>>>
>>>>>>>     return False  #  temp use to disable mfa
>>>>>>>
>>>>>>>     if len(request.args) > 0 and request.args[0] == "login":
>>>>>>>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>>>>>>>             #  no mfa required if the user override is set - we added a field
>>>>>>>             #  in auth_user to allow us to override if a user was having
>>>>>>>             #  trouble or lost their phone or something
>>>>>>>             return False
>>>>>>>
>>>>>>>         #  default: require MFA unless the client is on a local network
>>>>>>>         return_value = True
>>>>>>>
>>>>>>>         qlf_networks = [
>>>>>>>             "9.9.9.9/22",
>>>>>>>             "9.9.9.0/24",
>>>>>>>             "9.9.9.101/24",
>>>>>>>         ]
>>>>>>>
>>>>>>>         #  strict=False because the entries above have host bits set
>>>>>>>         #  (unicode() is Python 2; use str() on Python 3)
>>>>>>>         networks = [
>>>>>>>             ipaddress.IPv4Network(unicode(cidr), strict=False)
>>>>>>>             for cidr in qlf_networks
>>>>>>>         ]
>>>>>>>
>>>>>>>         client_ip = ipaddress.IPv4Address(unicode(request.client))
>>>>>>>         if any(client_ip in network for network in networks):
>>>>>>>             #  if the client address is in the local address list,
>>>>>>>             #  then do NOT require MFA so set to False
>>>>>>>             return_value = False
>>>>>>>
>>>>>>>         #  build the MFA Required group members
>>>>>>>         # if return_value:
>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>>>>>>>         #     if not ag:
>>>>>>>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>>>>>>>         #     for ou in db(
>>>>>>>         #         (db.auth_user.active == True)
>>>>>>>         #         | (
>>>>>>>         #             (db.auth_user.mfa_override == None)
>>>>>>>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>>>>>>>         #         )
>>>>>>>         #     ).select():
>>>>>>>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>>>>>>>         #
>>>>>>>         #     #  clear out any members that are currently exempt from MFA
>>>>>>>         #     if ag:
>>>>>>>         #         for exempt_user in db(
>>>>>>>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>>>>>>>         #             & (db.auth_user.active == True)
>>>>>>>         #         ).select():
>>>>>>>         #             db(
>>>>>>>         #                 (db.auth_membership.group_id == ag.id)
>>>>>>>         #                 & (db.auth_membership.user_id == exempt_user.id)
>>>>>>>         #             ).delete()
>>>>>>>         #     db.commit()
>>>>>>>         #
>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>         #
>>>>>>>         #     #  set to False to force web2py to check the two_factor_authentication  group
>>>>>>>         #     return_value = False
>>>>>>>
>>>>>>>         return return_value
>>>>>>>
>>>>>>>     return False  #  not a login request
>>>>>>>
>>>>>>> That code is in db.py
>>>>>>>
>>>>>>> Then....
>>>>>>>
>>>>>>> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
>>>>>>> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
>>>>>>> auth.settings.two_factor_methods = [
>>>>>>>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
>>>>>>> ]
>>>>>>>
>>>>>>> My _send_sms code built an sms and sent it via Twilio or RingCentral
>>>>>>>
>>>>>>> I wrote this code, but then we ended up not implementing.  The 
>>>>>>> web2py code is going away for us.  All the same concepts work in py4web 
>>>>>>> (nudge wink wink)
>>>>>>>
>>>>>>> -Jim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>>>>>>>
>>>>>>>> Anyone can help me ?
>>>>>>>>
>>>>>>>> On Wed, Aug 30, 2023 at 10:14, António Ramos <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> In other words, how do I protect the administrator password? It 
>>>>>>>>> does not have a username, just a password. This is scary :)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> But that is for everyone, I just want to start with users with 
>>>>>>>>>> admin powers 
>>>>>>>>>>
>>>>>>>>>> Clemens <[email protected]> wrote on Tue, 29/08/2023 at 18:25:
>>>>>>>>>>
>>>>>>>>>>> Try enabling 2FA via the following setting, since this is for 
>>>>>>>>>>> all users:
>>>>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Clemens
>>>>>>>>>>>
>>>>>>>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I just activated the two step auth with this 
>>>>>>>>>>>>
>>>>>>>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> but now how do I include the administrator user?
>>>>>>>>>>>>
>>>>>>>>>>>> regards
>>>>>>>>>>>> António
>>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Resources:
>>>>>>>>>>> - http://web2py.com
>>>>>>>>>>> - http://web2py.com/book (Documentation)
>>>>>>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>>>>>>> --- 
>>>>>>>>>>> You received this message because you are subscribed to the 
>>>>>>>>>>> Google Groups "web2py-users" group.
>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from 
>>>>>>>>>>> it, send an email to [email protected].
>>>>>>>>>>> To view this discussion on the web visit 
>>>>>>>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>>>>>>>>  
>>>>>>>>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>> .
>>>>>>>>>>>
>>
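The network-based exemption in Jim's quoted `_two_factor_required`, as a standalone added example (not code from the thread or from web2py): it goes beyond the original by handling IPv6 and IPv4-mapped addresses and by requiring MFA when the client address cannot be parsed. The function names, parameters and sample networks are constructed for illustration.

```python
import datetime
import ipaddress

# Constructed sample networks (private / documentation ranges), not from the thread.
TRUSTED_NETWORKS = ["10.20.0.0/22", "192.168.5.101/24", "2001:db8:10::/48"]


def parse_networks(cidrs):
    """Parse CIDR strings once; strict=False tolerates host bits (x.x.x.101/24)."""
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def mfa_required(client_addr, networks, override_until=None, now=None):
    """Return True when this login must complete a second factor.

    Fails closed: a missing or unparsable client address requires MFA.
    """
    now = now or datetime.datetime.now()

    # A per-user override (lost phone etc.) is honoured only until it expires.
    if override_until is not None and now <= override_until:
        return False

    try:
        ip = ipaddress.ip_address(client_addr)
    except (ValueError, TypeError):
        return True  # unknown origin is treated as external

    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address,
    # so a dual-stack listener does not change the decision.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped

    # Membership is tested per network; an address of the other IP version
    # is never "in" a network, so mixed lists are safe.
    return not any(ip in network for network in networks)


if __name__ == "__main__":
    nets = parse_networks(TRUSTED_NETWORKS)
    for addr in ["10.20.3.7", "10.20.4.1", "::ffff:10.20.1.1", "not-an-ip"]:
        print(addr, "-> MFA required:", mfa_required(addr, nets))
```

The decision is only as trustworthy as `client_addr`: pass the socket peer address or one set by a reverse proxy you control, not a value taken from a client-supplied header.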
