And to second your comment, I too have a controller method that allows users with the proper access, the ability to add additional users.
The only other reason I would want to access admin is to look at error messages/tickets. But, I have some method in place to read the error messages and forward them to me in an email.

-Jim

On Friday, September 1, 2023 at 1:04:47 PM UTC-5 Jim S wrote:

> If I try to go to admin/appadmin web2py returns:
>
> Admin is disabled because insecure channel
>
> Isn't that just the default behavior?
>
> -Jim
>
> On Friday, September 1, 2023 at 1:00:08 PM UTC-5 Clemens wrote:
>
>> I don't and that's why I (re)move these to a hidden folder on system
>> level :-) What I need is to give customers the option to add new users by
>> themselves. For that I've written a small controller under the control of
>> 2FA and so on.
>>
>> Regards
>> Clemens
>>
>> On Friday, September 1, 2023 at 7:40:19 PM UTC+2 Jim S wrote:
>>
>>> I'm just curious
>>>
>>> Why do you need access to the admin/appadmin apps in a production
>>> environment?
>>>
>>> I've never used them there. I use in development, but never production
>>>
>>> -Jim
>>>
>>> On Friday, September 1, 2023 at 11:54:02 AM UTC-5 Clemens wrote:
>>>
>>>> Removing the admin app as well as the appadmin controllers should kill
>>>> all options of administration. Move these two to a folder away from
>>>> web2py. And then you can still call https://.../admin/site or
>>>> https://.../appadmin?
>>>>
>>>> On Friday, September 1, 2023 at 6:44:31 PM UTC+2 Ramos wrote:
>>>>
>>>>> yes i tried it on the admin app and it just does not work.
>>>>> :)
>>>>>
>>>>> On Fri, Sep 1, 2023 at 16:53, Jim S <[email protected]> wrote:
>>>>>
>>>>>> So, are you trying to protect the 'admin' application with 2fa?
>>>>>>
>>>>>> If so, can you add the 2fa code to the admin app?
>>>>>>
>>>>>> I haven't tried this before
>>>>>>
>>>>>> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>>>>>>
>>>>>>> this admin
>>>>>>>
>>>>>>> https://mysite.com/admin
>>>>>>>
>>>>>>> On Fri, Sep 1, 2023 at 16:08, Jim S <[email protected]> wrote:
>>>>>>>
>>>>>>>> What does 'administrator password' mean to you?
>>>>>>>>
>>>>>>>> I'm not sure what you're referring to
>>>>>>>>
>>>>>>>> -Jim
>>>>>>>>
>>>>>>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>>>>>>
>>>>>>>>> Hello Jim
>>>>>>>>> this line of code
>>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>>> *does not protect the administrator password. Only created users.*
>>>>>>>>> *That is my question, how to force administrator to use 2fa?*
>>>>>>>>> *regards*
>>>>>>>>> *António*
>>>>>>>>>
>>>>>>>>> On Fri, Sep 1, 2023 at 15:00, Jim S <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Here is the code I wrote that only enforced 2fa for users outside
>>>>>>>>>> our local networks.
>>>>>>>>>>
>>>>>>>>>> There is some commented out code there that additionally allowed
>>>>>>>>>> me to specify users in a group so only that group was forced to 2fa
>>>>>>>>>>
>>>>>>>>>> def _two_factor_required(auth_user):
>>>>>>>>>>     """
>>>>>>>>>>     check whether we need to enforce MFA on this login
>>>>>>>>>>
>>>>>>>>>>     We enforce MFA only on logins external to our network.
>>>>>>>>>>
>>>>>>>>>>     Returns
>>>>>>>>>>     -------
>>>>>>>>>>     bool - enforce MFA
>>>>>>>>>>         - True means this login requires MFA
>>>>>>>>>>         - False means we will not enforce MFA for this login
>>>>>>>>>>     """
>>>>>>>>>>     import datetime
>>>>>>>>>>     import ipaddress
>>>>>>>>>>
>>>>>>>>>>     return False  # temp use to disable mfa
>>>>>>>>>>
>>>>>>>>>>     # default: enforce MFA unless one of the checks below exempts this login
>>>>>>>>>>     return_value = True
>>>>>>>>>>
>>>>>>>>>>     if len(request.args) > 0 and request.args[0] == "login":
>>>>>>>>>>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>>>>>>>>>>             # no mfa required if the user override is set - we
>>>>>>>>>>             # added a field in auth_user to allow us to override if a
>>>>>>>>>>             # user was having trouble or lost their phone or something
>>>>>>>>>>             return False
>>>>>>>>>>
>>>>>>>>>>         qlf_networks = [
>>>>>>>>>>             "9.9.9.9/22",
>>>>>>>>>>             "9.9.9.0/24",
>>>>>>>>>>             "9.9.9.101/24",
>>>>>>>>>>         ]
>>>>>>>>>>
>>>>>>>>>>         ip_list = []
>>>>>>>>>>         for network in qlf_networks:
>>>>>>>>>>             # strict=False: the entries above have host bits set
>>>>>>>>>>             ip_list.extend(ipaddress.IPv4Network(unicode(network), strict=False))
>>>>>>>>>>
>>>>>>>>>>         if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
>>>>>>>>>>             # if the client address is in the local address
>>>>>>>>>>             # list, then do NOT require MFA so set to False
>>>>>>>>>>             return_value = False
>>>>>>>>>>
>>>>>>>>>>         # build the MFA Required group members
>>>>>>>>>>         # if return_value:
>>>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>>>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>>>>>>>>>>         #     if not ag:
>>>>>>>>>>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>>>>>>>>>>         #     for ou in db(
>>>>>>>>>>         #         (db.auth_user.active == True)
>>>>>>>>>>         #         | (
>>>>>>>>>>         #             (db.auth_user.mfa_override == None)
>>>>>>>>>>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>>>>>>>>>>         #         )
>>>>>>>>>>         #     ).select():
>>>>>>>>>>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>>>>>>>>>>         #
>>>>>>>>>>         #     # clear out any members that are currently exempt from MFA
>>>>>>>>>>         #     if ag:
>>>>>>>>>>         #         for exempt_user in db(
>>>>>>>>>>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>>>>>>>>>>         #             & (db.auth_user.active == True)
>>>>>>>>>>         #         ).select():
>>>>>>>>>>         #             db(
>>>>>>>>>>         #                 (db.auth_membership.group_id == ag.id)
>>>>>>>>>>         #                 & (db.auth_membership.user_id == exempt_user.id)
>>>>>>>>>>         #             ).delete()
>>>>>>>>>>         #     db.commit()
>>>>>>>>>>         #
>>>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>>>         #
>>>>>>>>>>         #     # set to False to force web2py to check the two_factor_authentication group
>>>>>>>>>>         #     return_value = False
>>>>>>>>>>
>>>>>>>>>>     return return_value
>>>>>>>>>>
>>>>>>>>>> That code is in db.py
>>>>>>>>>>
>>>>>>>>>> Then....
>>>>>>>>>>
>>>>>>>>>> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
>>>>>>>>>> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
>>>>>>>>>> auth.settings.two_factor_methods = [
>>>>>>>>>>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
>>>>>>>>>> ]
>>>>>>>>>>
>>>>>>>>>> My _send_sms code built an sms and sent it via Twilio or
>>>>>>>>>> RingCentral
>>>>>>>>>>
>>>>>>>>>> I wrote this code, but then we ended up not implementing. The
>>>>>>>>>> web2py code is going away for us. All the same concepts work in
>>>>>>>>>> py4web (nudge wink wink)
>>>>>>>>>>
>>>>>>>>>> -Jim
>>>>>>>>>>
>>>>>>>>>> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>>>>>>>>>>
>>>>>>>>>>> Anyone can help me?
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Aug 30, 2023 at 10:14, António Ramos <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> in other words, how do i protect the administrator password? it
>>>>>>>>>>>> does not have a username, just a password. This is scary :)
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> But that is for everyone, i just want to start with users with
>>>>>>>>>>>>> admin powers
>>>>>>>>>>>>>
>>>>>>>>>>>>> Clemens <[email protected]> wrote on Tue, 29/08/2023 at 18:25:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Try enabling 2FA via the following setting, since this is for
>>>>>>>>>>>>>> all users:
>>>>>>>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>> Clemens
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i just activated the two step auth with this
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> but now how do i include the administrator user?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> regards
>>>>>>>>>>>>>>> António
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Resources:
>>>>>>>>>>>>>> - http://web2py.com
>>>>>>>>>>>>>> - http://web2py.com/book (Documentation)
>>>>>>>>>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>>>>>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>>> Google Groups "web2py-users" group.
>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>>>> it, send an email to [email protected].
>>>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
>>>>>>>>>>>>>> <https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>>>>>>>>>> .

