Secure create-user command #127
Conversation
Ask the user for the password Fixes #123
|
Do you want to have an option to pass the password as parameter? Imho this could only be useful for demo installation or so... |
|
Yes please, an additional option for automated installer would be great :-) |
src/Command/CreateUserCommand.php
Outdated
| @@ -79,9 +79,24 @@ protected function execute(InputInterface $input, OutputInterface $output) | |||
| { | |||
| $io = new SymfonyStyle($input, $output); | |||
|
|
|||
| /* @var \Symfony\Component\Console\Helper\QuestionHelper $helper */ | |||
There was a problem hiding this comment.
Please extract this part as method - e.g protected function askForPassword()
simonschaufi
force-pushed
the
secure-user-command
branch
from
9623446 to
cd554cf
Compare
|
ready to merge |
| $helper = $this->getHelper('question'); | ||
|
|
||
| $passwordQuestion = new Question('Please enter the password'); | ||
| $passwordQuestion->setHidden(true); |
There was a problem hiding this comment.
Either we add a repeat question or we display the password. Otherwise its to easy to accidentaly create a user with a wrong password.
There was a problem hiding this comment.
using mysqldump works the same way. I'm against it. you can enter 3 times an empty password until it stops.
There was a problem hiding this comment.
Then lets leave it for now, can still be improved if user complain
README.md
Outdated
| @@ -118,7 +118,7 @@ bin/console cache:warmup --env=prod | |||
| Create your first user: | |||
|
|
|||
| ```bash | |||
| bin/console kimai:create-user username password [email protected] ROLE_SUPER_ADMIN | |||
| bin/console kimai:create-user username [email protected] ROLE_SUPER_ADMIN | |||
There was a problem hiding this comment.
+bin/console kimai:create-user username [email protected] ROLE_SUPER_ADMIN password
Either you can enter the password as optional last argument or you can enter it interactively for protecting your bash history
There was a problem hiding this comment.
I would prefer not to write that in the Readme but in the full documentation. We don't want to encourage people for the first install to append it. For most of the people its just for the installation. then they will continue adding new users via the admin panel anyway.
There was a problem hiding this comment.
Fine for me, but currently there is nothing documented. Then don't add the last argument but add a sentence that the user is asked for the password.
src/Command/CreateUserCommand.php
Outdated
| ->addArgument('username', InputArgument::REQUIRED, 'The username of the user to be created (must be unique)') | ||
| ->addArgument('email', InputArgument::REQUIRED, 'Email address of the user to be created (must be unique)') | ||
| ->addArgument('role', InputArgument::OPTIONAL, 'A comma separated list of roles to assign. Examples: "ROLE_USER,ROLE_SUPER_ADMIN"', User::DEFAULT_ROLE) | ||
| ->addArgument('password', InputArgument::OPTIONAL, 'Password of the user to be created') |
| @@ -115,16 +115,16 @@ | |||
| }, | |||
| { | |||
| "name": "beberlei/DoctrineExtensions", | |||
| "version": "v1.0.20", | |||
| "version": "v1.0.21", | |||
There was a problem hiding this comment.
Why did you run composer update?
There was a problem hiding this comment.
why not? if something breaks, I don't want to be responsible for that.
There was a problem hiding this comment.
I am against composer update during some random PR. Even though most of the packages have trusted developers behind them and use proper semver versioning, there is still a risk in upgrading packages without retesting the complete app.
There was a problem hiding this comment.
so when is the best time to do it? since we have unit tests, we should know when something breaks.
There was a problem hiding this comment.
with the current state of the unit tests, there is not a lot of trust. too many tests are using - btw. i will add a test to this PR later
again, lets leave it for now, but we should be careful later on when the app is in use
|
Wanna check my commit? |
|
|
||
| protected function createUser($username, $email, $role, $password) | ||
| { | ||
|
|
There was a problem hiding this comment.
remove empty line
|
|
||
| $command = $this->application->find('kimai:create-user'); | ||
| $commandTester = new CommandTester($command); | ||
| $commandTester->execute(array( |
There was a problem hiding this comment.
use short array syntax
src/Command/CreateUserCommand.php
Outdated
| if (trim($value) == '') { | ||
| throw new \Exception('The password cannot be empty'); | ||
| $password = trim($value); | ||
| if (empty($password) || strlen($password) < 6) { |
There was a problem hiding this comment.
shouldn't we require not at least 8 chars? Well, it has to be in sync as creating users via the admin interface.
There was a problem hiding this comment.
Yeah, I don't know. Its the same as in the entity right now. I am not sure if we should force users to use a strong password, which they will then just stick to their monitor ;-)
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Ask the user for the password
Fixes #123