I don't, and that's why I (re)move these to a hidden folder on system level :-)

What I need is to give customers the option to add new users by themselves. For that I've written a small controller under the control of 2FA and so on.

Regards
Clemens

On Friday, September 1, 2023 at 7:40:19 PM UTC+2 Jim S wrote:

> I'm just curious
>
> Why do you need access to the admin/appadmin apps in a production
> environment?
>
> I've never used them there. I use in development, but never production
>
> -Jim
>
>
> On Friday, September 1, 2023 at 11:54:02 AM UTC-5 Clemens wrote:
>
>> Removing the admin app as well as the appadmin controllers should kill
>> all options of administration. Move these two to a folder away from
>> web2py. And then you can still call https://.../admin/site or
>> https://.../appadmin?
>>
>> On Friday, September 1, 2023 at 6:44:31 PM UTC+2 Ramos wrote:
>>
>>> yes i tried it on the admin app and it just does not work.
>>> :)
>>>
>>>
>>> On Fri, Sep 1, 2023 at 16:53, Jim S <[email protected]> wrote:
>>>
>>>> So, are you trying to protect the 'admin' application with 2fa?
>>>>
>>>> If so, can you add the 2fa code to the admin app?
>>>>
>>>> I haven't tried this before
>>>>
>>>> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>>>>
>>>>> this admin
>>>>>
>>>>> https://mysite.com/admin
>>>>>
>>>>> On Fri, Sep 1, 2023 at 16:08, Jim S <[email protected]> wrote:
>>>>>
>>>>>> What does 'administrator password' mean to you?
>>>>>>
>>>>>> I'm not sure what you're referring to
>>>>>>
>>>>>> -Jim
>>>>>>
>>>>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>>>>
>>>>>>> Hello Jim
>>>>>>> this line of code
>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>> *does not protect the administrator password. Only created users.*
>>>>>>> *That is my question, how to force administrator to use 2fa ?*
>>>>>>> *regards*
>>>>>>> *António*
>>>>>>>
>>>>>>> On Fri, Sep 1, 2023 at 15:00, Jim S <[email protected]> wrote:
>>>>>>>
>>>>>>>> Here is the code I wrote that only enforced 2fa for users outside
>>>>>>>> our local networks.
>>>>>>>>
>>>>>>>> There is some commented out code there that additionally allowed me
>>>>>>>> to specify users in a group so only that group was forced to 2fa
>>>>>>>>
>>>>>>>> def _two_factor_required(auth_user):
>>>>>>>>     """
>>>>>>>>     check whether we need to enforce MFA on this login
>>>>>>>>
>>>>>>>>     We enforce MFA only on logins external to our network.
>>>>>>>>
>>>>>>>>     Returns
>>>>>>>>     -------
>>>>>>>>     bool - enforce MFA
>>>>>>>>         - True means this login requires MFA
>>>>>>>>         - False means we will not enforce MFA for this login
>>>>>>>>     """
>>>>>>>>     import datetime
>>>>>>>>     import ipaddress
>>>>>>>>
>>>>>>>>     return False  # temp use to disable mfa
>>>>>>>>
>>>>>>>>     if len(request.args) > 0 and request.args[0] == "login":
>>>>>>>>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>>>>>>>>             # no mfa required if the user override is set - we
>>>>>>>>             # added a field in auth_user to allow us to override if a
>>>>>>>>             # user was having trouble or lost their phone or something
>>>>>>>>             return False
>>>>>>>>
>>>>>>>>         # default for a login request: enforce MFA
>>>>>>>>         return_value = True
>>>>>>>>
>>>>>>>>         qlf_networks = [
>>>>>>>>             "9.9.9.9/22",
>>>>>>>>             "9.9.9.0/24",
>>>>>>>>             "9.9.9.101/24",
>>>>>>>>         ]
>>>>>>>>
>>>>>>>>         ip_list = []
>>>>>>>>         for network in qlf_networks:
>>>>>>>>             # strict=False accepts entries that have host bits set
>>>>>>>>             # unicode() is the Python 2 builtin; use str() on Python 3
>>>>>>>>             ip_list.extend(ipaddress.IPv4Network(unicode(network), strict=False))
>>>>>>>>
>>>>>>>>         if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
>>>>>>>>             # if the client address is in the local address list,
>>>>>>>>             # then do NOT require MFA so set to False
>>>>>>>>             return_value = False
>>>>>>>>
>>>>>>>>         # build the MFA Required group members
>>>>>>>>         # if return_value:
>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>>>>>>>>         #     if not ag:
>>>>>>>>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>>>>>>>>         #     for ou in db(
>>>>>>>>         #         (db.auth_user.active == True)
>>>>>>>>         #         | (
>>>>>>>>         #             (db.auth_user.mfa_override == None)
>>>>>>>>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>>>>>>>>         #         )
>>>>>>>>         #     ).select():
>>>>>>>>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>>>>>>>>         #
>>>>>>>>         #     # clear out any members that are currently exempt from MFA
>>>>>>>>         #     if ag:
>>>>>>>>         #         for exempt_user in db(
>>>>>>>>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>>>>>>>>         #             & (db.auth_user.active == True)
>>>>>>>>         #         ).select():
>>>>>>>>         #             db(
>>>>>>>>         #                 (db.auth_membership.group_id == ag.id)
>>>>>>>>         #                 & (db.auth_membership.user_id == exempt_user.id)
>>>>>>>>         #             ).delete()
>>>>>>>>         #     db.commit()
>>>>>>>>         #
>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>         #
>>>>>>>>         #     # set to False to force web2py to check the two_factor_authentication group
>>>>>>>>         #     return_value = False
>>>>>>>>
>>>>>>>>         return return_value
>>>>>>>>
>>>>>>>>     # not a login request
>>>>>>>>     return False
>>>>>>>>
>>>>>>>> That code is in db.py
>>>>>>>>
>>>>>>>> Then....
>>>>>>>>
>>>>>>>> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
>>>>>>>> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
>>>>>>>> auth.settings.two_factor_methods = [
>>>>>>>>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
>>>>>>>> ]
>>>>>>>>
>>>>>>>> My _send_sms code built an sms and sent it via Twilio or
>>>>>>>> RingCentral
>>>>>>>>
>>>>>>>> I wrote this code, but then we ended up not implementing. The
>>>>>>>> web2py code is going away for us. All the same concepts work in
>>>>>>>> py4web (nudge wink wink)
>>>>>>>>
>>>>>>>> -Jim
>>>>>>>>
>>>>>>>> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>>>>>>>>
>>>>>>>>> Anyone can help me ?
>>>>>>>>>
>>>>>>>>> On Wed, Aug 30, 2023 at 10:14, António Ramos <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> in other words, how do i protect the administrator password? it
>>>>>>>>>> does not have a username, just a password. This is scary :)
>>>>>>>>>>
>>>>>>>>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> But that is for everyone, i just want to start with users with
>>>>>>>>>>> admin powers
>>>>>>>>>>>
>>>>>>>>>>> Clemens <[email protected]> wrote on Tue, 29/08/2023 at 18:25:
>>>>>>>>>>>
>>>>>>>>>>>> Try enabling 2FA via the following setting, since this is for
>>>>>>>>>>>> all users:
>>>>>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Clemens
>>>>>>>>>>>>
>>>>>>>>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> i just activated the two step auth with this
>>>>>>>>>>>>>
>>>>>>>>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>>>>>>>>
>>>>>>>>>>>>> but now how do i include the administrator user ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> regards
>>>>>>>>>>>>> António
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Resources:
>>>>>>>>>>>> - http://web2py.com
>>>>>>>>>>>> - http://web2py.com/book (Documentation)
>>>>>>>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>>>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>>>>>>>> ---
>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>> Google Groups "web2py-users" group.
>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>> it, send an email to [email protected].
>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>>>>>>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>.
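
The network-based 2FA decision discussed in the thread, as a self-contained added example (not code from any poster or from web2py); the function name, its parameters and the sample networks are assumptions. It fails closed when the client address cannot be parsed and also matches IPv4-mapped IPv6 addresses.

```python
import datetime
import ipaddress

# Constructed sample ranges; replace with the networks you actually trust.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/22"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def two_factor_required(client_ip, mfa_override=None, now=None,
                        trusted=TRUSTED_NETWORKS):
    """Return True when this login must complete 2FA.

    client_ip    -- address string reported by the framework
                    (request.client in the thread's web2py code)
    mfa_override -- datetime until which the user is exempt, or None
    now          -- injectable clock, defaults to datetime.datetime.now()
    """
    now = now or datetime.datetime.now()
    if mfa_override is not None and now <= mfa_override:
        return False  # temporary per-user exemption is still valid
    try:
        addr = ipaddress.ip_address(client_ip)
    except (TypeError, ValueError):
        return True  # missing or malformed address: fail closed
    # A dual-stack listener may report ::ffff:a.b.c.d; compare the IPv4 part.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    # Membership test against each network; no need to expand every host.
    return not any(addr in net for net in trusted)


if __name__ == "__main__":
    # Constructed client addresses for illustration.
    for ip in ("10.20.3.7", "10.20.4.1", "::ffff:192.168.50.12", "unknown"):
        print(ip, "->", "2FA" if two_factor_required(ip) else "no 2FA")
```

The decision is only as trustworthy as the client address the framework reports, so check how that value is derived when the application sits behind a proxy.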

