fedora-infra / fas

Fedora Account System
https://admin.fedoraproject.org/accounts
GNU General Public License v2.0

Adding manual way to authenticate users locally #174

Closed skrzepto closed 8 years ago

skrzepto commented 8 years ago

Purpose: Authenticate users manually in a local dev env

Usage: fas-admin -c development.ini --authenticate-user username

Replace username with what you entered.

pypingou commented 8 years ago

Hm, do we really want this, since I expect fas-admin will also be used in prod?

skrzepto commented 8 years ago

Is the concern that this is too risky on a prod server? My thought is that someone malicious needs to break into the server to run fas-admin commands. So if they have access to the server then this method isn't really that big of a deal :/ let me know otherwise

pypingou commented 8 years ago

I'm told that only -main have access to all the FAS server so this might be ok, but tbh, it makes me a little chilly

skrzepto commented 8 years ago

Well, I'm much more concerned about the script below, which wipes all the users and groups:

        if opts.gen_fake_data:
            people = DBSession.query(People).all()
            if len(people) > 2:
                print 'Cleaning up People data.'
                DBSession.query(People).delete()
                DBSession.query(Groups).delete()

laxathom commented 8 years ago

Oh I see what you actually wanted to do here. I think the option name should be something more like --[activate|enable]-account <person_login>.

Regarding the security concern, this is an administration script and thus aims to do critical things on the software, just like any other command-line on the system. I don't see any big issue providing such a thing. It's up to the admin not to leave this script around or to restrict its usage from other system accounts.

skrzepto commented 8 years ago

Is this functionality still desired? If so, I can update it to what was commented in this PR.

puiterwijk commented 8 years ago

How about instead of directly modifying the database, you just make it use the API?