If I try to go to admin/appadmin web2py returns: Admin is disabled because insecure channel
Isn't that just the default behavior?

-Jim

On Friday, September 1, 2023 at 1:00:08 PM UTC-5 Clemens wrote:

> I don't, and that's why I (re)move these to a hidden folder on system
> level :-) What I need is to give customers the option to add new users by
> themselves. For that I've written a small controller under the control of
> 2FA and so on.
>
> Regards
> Clemens
>
>
> On Friday, September 1, 2023 at 7:40:19 PM UTC+2 Jim S wrote:
>
>> I'm just curious
>>
>> Why do you need access to the admin/appadmin apps in a production
>> environment?
>>
>> I've never used them there. I use them in development, but never production
>>
>> -Jim
>>
>>
>> On Friday, September 1, 2023 at 11:54:02 AM UTC-5 Clemens wrote:
>>
>>> Removing the admin app as well as the appadmin controllers should kill
>>> all options of administration. Move these two to a folder away from
>>> web2py. And then you can still call https://.../admin/site or
>>> https://.../appadmin?
>>>
>>> On Friday, September 1, 2023 at 6:44:31 PM UTC+2 Ramos wrote:
>>>
>>>> Yes, I tried it on the admin app and it just does not work.
>>>> :)
>>>>
>>>>
>>>> On Fri, Sep 1, 2023 at 16:53, Jim S <ato....@gmail.com> wrote:
>>>>
>>>>> So, are you trying to protect the 'admin' application with 2fa?
>>>>>
>>>>> If so, can you add the 2fa code to the admin app?
>>>>>
>>>>> I haven't tried this before
>>>>>
>>>>> On Friday, September 1, 2023 at 10:24:29 AM UTC-5 Ramos wrote:
>>>>>
>>>>>> this admin
>>>>>>
>>>>>> https://mysite.com/admin
>>>>>>
>>>>>> On Fri, Sep 1, 2023 at 16:08, Jim S <ato....@gmail.com> wrote:
>>>>>>
>>>>>>> What does 'administrator password' mean to you?
>>>>>>>
>>>>>>> I'm not sure what you're referring to
>>>>>>>
>>>>>>> -Jim
>>>>>>>
>>>>>>> On Friday, September 1, 2023 at 9:53:43 AM UTC-5 Ramos wrote:
>>>>>>>
>>>>>>>> Hello Jim
>>>>>>>> this line of code
>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>> *does not protect the administrator password. Only created users.*
>>>>>>>> *That is my question, how to force administrator to use 2fa ?*
>>>>>>>> *regards*
>>>>>>>> *António*
>>>>>>>>
>>>>>>>> On Fri, Sep 1, 2023 at 15:00, Jim S <ato....@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Here is the code I wrote that only enforced 2fa for users outside
>>>>>>>>> our local networks.
>>>>>>>>>
>>>>>>>>> There is some commented out code there that additionally allowed
>>>>>>>>> me to specify users in a group so only that group was forced to 2fa
>>>>>>>>>
>>>>>>>>> def _two_factor_required(auth_user):
>>>>>>>>>     """
>>>>>>>>>     check whether we need to enforce MFA on this login
>>>>>>>>>
>>>>>>>>>     We enforce MFA only on logins external to our network.
>>>>>>>>>
>>>>>>>>>     Returns
>>>>>>>>>     -------
>>>>>>>>>     bool - enforce MFA
>>>>>>>>>         - True means this login requires MFA
>>>>>>>>>         - False means we will not enforce MFA for this login
>>>>>>>>>     """
>>>>>>>>>     import datetime
>>>>>>>>>     import ipaddress
>>>>>>>>>
>>>>>>>>>     return False  # temp use to disable mfa
>>>>>>>>>
>>>>>>>>>     # default to requiring MFA; the checks below may exempt this login
>>>>>>>>>     return_value = True
>>>>>>>>>
>>>>>>>>>     if len(request.args) > 0 and request.args[0] == "login":
>>>>>>>>>         if auth_user.mfa_override and datetime.datetime.now() <= auth_user.mfa_override:
>>>>>>>>>             # no mfa required if the user override is set - we
>>>>>>>>>             # added a field in auth_user to allow us to override if a
>>>>>>>>>             # user was having trouble or lost their phone or something
>>>>>>>>>             return False
>>>>>>>>>
>>>>>>>>>         qlf_networks = [
>>>>>>>>>             "9.9.9.9/22",
>>>>>>>>>             "9.9.9.0/24",
>>>>>>>>>             "9.9.9.101/24",
>>>>>>>>>         ]
>>>>>>>>>
>>>>>>>>>         ip_list = []
>>>>>>>>>         for range in qlf_networks:
>>>>>>>>>             ip_list.extend(ipaddress.IPv4Network(unicode(range)))
>>>>>>>>>
>>>>>>>>>         if ipaddress.IPv4Address(unicode(request.client)) in ip_list:
>>>>>>>>>             # if the client address is in the local address list,
>>>>>>>>>             # then do NOT require MFA so set to False
>>>>>>>>>             return_value = False
>>>>>>>>>
>>>>>>>>>         # build the MFA Required group members
>>>>>>>>>         # if return_value:
>>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>>         #     ag = db(db.auth_group.role == "MFA Required (web2py)").select().first()
>>>>>>>>>         #     if not ag:
>>>>>>>>>         #         ag = db.auth_group.insert("MFA Required (web2py)")
>>>>>>>>>         #     for ou in db(
>>>>>>>>>         #         (db.auth_user.active == True)
>>>>>>>>>         #         | (
>>>>>>>>>         #             (db.auth_user.mfa_override == None)
>>>>>>>>>         #             & (db.auth_user.mfa_override <= datetime.datetime.now())
>>>>>>>>>         #         )
>>>>>>>>>         #     ).select():
>>>>>>>>>         #         db.auth_membership.update_or_insert(user_id=ou.id, group_id=ag)
>>>>>>>>>         #
>>>>>>>>>         #     # clear out any members that are currently exempt from MFA
>>>>>>>>>         #     if ag:
>>>>>>>>>         #         for exempt_user in db(
>>>>>>>>>         #             (db.auth_user.mfa_override >= datetime.datetime.now())
>>>>>>>>>         #             & (db.auth_user.active == True)
>>>>>>>>>         #         ).select():
>>>>>>>>>         #             db(
>>>>>>>>>         #                 (db.auth_membership.group_id == ag.id)
>>>>>>>>>         #                 & (db.auth_membership.user_id == exempt_user.id)
>>>>>>>>>         #             ).delete()
>>>>>>>>>         #     db.commit()
>>>>>>>>>         #
>>>>>>>>>         #     print(datetime.datetime.now())
>>>>>>>>>         #
>>>>>>>>>         #     # set to False to force web2py to check the
>>>>>>>>>         #     # two_factor_authentication group
>>>>>>>>>         #     return_value = False
>>>>>>>>>
>>>>>>>>>     return return_value
>>>>>>>>>
>>>>>>>>> That code is in db.py
>>>>>>>>>
>>>>>>>>> Then....
>>>>>>>>>
>>>>>>>>> auth.settings.auth_two_factor_enabled = lambda user: _two_factor_required(user)
>>>>>>>>> auth.messages.two_factor_comment = "QLF MFA - you have been sent a code"
>>>>>>>>> auth.settings.two_factor_methods = [
>>>>>>>>>     lambda user, auth_two_factor: _send_sms(user, auth_two_factor)
>>>>>>>>> ]
>>>>>>>>>
>>>>>>>>> My _send_sms code built an sms and sent it via Twilio or
>>>>>>>>> RingCentral
>>>>>>>>>
>>>>>>>>> I wrote this code, but then we ended up not implementing it. The
>>>>>>>>> web2py code is going away for us. All the same concepts work in
>>>>>>>>> py4web
>>>>>>>>> (nudge wink wink)
>>>>>>>>>
>>>>>>>>> -Jim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Friday, September 1, 2023 at 5:24:53 AM UTC-5 Ramos wrote:
>>>>>>>>>
>>>>>>>>>> Can anyone help me?
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 30, 2023 at 10:14, António Ramos <
>>>>>>>>>> ramst...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> In other words, how do I protect the administrator password? It
>>>>>>>>>>> does not have a username, just a password. This is scary :)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 29, 2023 at 19:44, António Ramos <
>>>>>>>>>>> ramst...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> But that is for everyone, I just want to start with users with
>>>>>>>>>>>> admin powers
>>>>>>>>>>>>
>>>>>>>>>>>> Clemens <clemens....@claret-clover.de> wrote on Tue,
>>>>>>>>>>>> 29/08/2023 at 18:25:
>>>>>>>>>>>>
>>>>>>>>>>>>> Try enabling 2FA via the following setting, since this is for
>>>>>>>>>>>>> all users:
>>>>>>>>>>>>> *auth.settings.auth_two_factor_enabled = True*
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> Clemens
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tuesday, August 29, 2023 at 6:09:26 PM UTC+2 Ramos wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I just activated the two step auth with this
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> auth.settings.two_factor_authentication_group = "auth2step"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> but now how do I include the administrator user?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> regards
>>>>>>>>>>>>>> António
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Resources:
>>>>>>>>>>>>> - http://web2py.com
>>>>>>>>>>>>> - http://web2py.com/book (Documentation)
>>>>>>>>>>>>> - http://github.com/web2py/web2py (Source code)
>>>>>>>>>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>>>>>>>>>> ---
>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>> Google Groups "web2py-users" group.
>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>>> it, send an email to web2py+un...@googlegroups.com.
>>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>>> https://groups.google.com/d/msgid/web2py/5fe99103-1d14-4b91-80eb-194402c08453n%40googlegroups.com
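
Added example (not part of the thread and not Jim's code): the network-based MFA decision discussed above, written for Python 3 with the standard ipaddress module. The function names, the sample ranges and the fail-closed handling of unparseable addresses are assumptions of this example; it also assumes client_ip is an address the server can trust, such as one set by your own reverse proxy rather than taken from a client-supplied header.

```python
import datetime
import ipaddress

# Constructed sample ranges standing in for the trusted office networks.
# The last entry has host bits set on purpose, like "9.9.9.9/22" in the thread.
TRUSTED_NETWORKS = ["10.20.0.0/22", "192.0.2.0/24", "198.51.100.77/24"]


def parse_networks(cidrs):
    """Parse CIDR strings once at startup.

    strict=False normalises entries whose host bits are set
    ("198.51.100.77/24" becomes 198.51.100.0/24) instead of raising ValueError.
    """
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def mfa_required(client_ip, networks, override_until=None, now=None):
    """Return True when a login from client_ip must complete the second factor.

    Hypothetical helper: override_until mirrors the mfa_override field from
    the thread; client_ip plays the role of request.client.
    """
    now = now or datetime.datetime.now()
    if override_until is not None and now <= override_until:
        return False  # temporary per-user exemption is still valid

    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # unparseable address: fail closed and require MFA

    # An IPv4 client can show up as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Containment test per network; no need to expand every host address.
    return not any(addr in net for net in networks)
```

In the setup quoted in the thread, a function like this would back the callable assigned to auth.settings.auth_two_factor_enabled.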