search

gramps-project / gramps-web-api

A RESTful web API for Gramps
GNU Affero General Public License v3.0
78 stars 40 forks source link

Disable registration #475

Closed andrewvaughan closed 7 months ago

andrewvaughan commented 9 months ago

Apologies if this is already a feature and I'm just somehow missing it - my family hopes to have a private (but publicly available) Gramps installation. This would mean disabling the Registration form in the login page. Is this possible? If not, please consider it as a feature, as I imagine this is a significant use-case.

DavidMStraub commented 9 months ago

Hi, you could hide the link using hideRegisterLink (see here) from the login page. This would techncally still allow registrations via the API though. But registered users are disabled until the tree owner manually enables them, so I'm not sure why anyone not entitled to access should do it.

zeitchef commented 9 months ago

Not sure about OP but I've installed via Docker and I would really love a environment variable to disable the registration link - would something like that be feasible?

andrewvaughan commented 9 months ago

Not sure about OP but I've installed via Docker and I would really love a environment variable to disable the registration link - would something like that be feasible?

You could extend the Dockerfile to copy the config.js file in with the configuration. Thats what I ended up doing. I definitely would like to see it completely disable registration, though, as this is a portal to a LOT of PII.

Thanks all!

zeitchef commented 9 months ago

I'm using Docker Compose and I was able to copy a config.js into the container with the following:

volumes:
  - '/path/to/data/config.js:/app/static/config.js'

but this is having no effect. I've confirmed the file is copied correctly and has the following config:

window.grampsjsConfig = {
  hideRegisterLink: true
}

~Am I missing something?~ EDIT: Nevermind, this was a caching issue. Works fine for me 👍🏻

DavidMStraub commented 9 months ago

as this is a portal to a LOT of PII

Can you please elaborate? Would like to understand better.

DavidMStraub commented 8 months ago

I'm still waiting for a rationale why registrations via the API (but disabled in the frontend) are an issue, given that unconfirmed users have no rights. In any case, since this is a backend issue, I think this one here can be closed.

andrewvaughan commented 8 months ago

I'm still waiting for a rationale why registrations via the API (but disabled in the frontend) are an issue, given that unconfirmed users have no rights. In any case, since this is a backend issue, I think this one here can be closed.

When you say "Unconfirmed users have no rights" does that mean they have no access to any PII? Maybe that's where I'm missing.

In regards to closing - it still seems like this is an inconsistency or vector for attack if someone wanted to flood account registration and make an admin nightmare. Maybe just make it a parking lot item for later?

DavidMStraub commented 8 months ago

When you say "Unconfirmed users have no rights" does that mean they have no access to any PII? Maybe that's where I'm missing.

Yes. Authorization works via JSON web tokens, and a disabled user cannot obtain one, so cannot access anything else than the public internet.

lucaberti commented 8 months ago

I'm still waiting for a rationale why registrations via the API (but disabled in the frontend) are an issue, given that unconfirmed users have no rights. In any case, since this is a backend issue, I think this one here can be closed.

Hello, since I asked to remove registration in another post, let me post here my take on this question. Lest's do ite with example: a while ago I created a new wordpress site, forgetting to disable user registration. When I noticed that - some 2 hours later - I already had 5 new user to accept. No harm done, since WP does it the same way: users don't have permission if not accepted. But, still, they populated my DB and I had to remove them. If the 2 hours-5 scamuser is the initial ratio, I'm quite concerned on how many scam-user I would have to refuse and how often I have to maitain the Gramps installation. This is my reason for asking a way to disable the signup feature alltoghether. Thank you

DavidMStraub commented 8 months ago

Hi, ok got it. I never got any scam user on Gramps Web but then again it's not as popular as Wordpress :laughing:

I think it's fine to add a new feature to Web API if someone is willing to contribute it. Shifting the issue to the appropriate repo.

hdholm commented 8 months ago

@lucaberti That was a concern for me as well, although I don't want to disable registration entirely - I do want to allow family to "refer" others. Which just now makes me think some sort of referral system might be interesting, but that's not what I came to say. I have Gramps Web running from an nginx reverse proxy with nginx listening on a high, non-standard port. nginx is set up to only proxy requests from the proper vhost name, so even if you just hit the port with IP scan you get a 404. So far no random registration requests. It doesn't look like scanners are even finding IP to be honest. Scanning all the high ports is a lot of work for scammers looking for low-hanging fruit. Although the site has only been up a few weeks. Just something for you to consider.

lucaberti commented 8 months ago

@DavidMStraub ...and it is a pity that Gramps is not popular as Wordpress ;) Thank you for having takan seriously my request: I tend to consider all software whos security policy is this-will-never-happen-to-us-because-no-one-is-interested-in-hacking-us as a foundamental bad deigned software, thus, not trustworty. Thank you for not beeing that type of programmer. That said, I'm afraid I cannot be te contributor you are looking for. Not yet, at least. @hdholm Thank you for sharing your experienced. It's reasuring and gives me some ideas on how to implement. Currently I'm using nginx reverse proxy to reroute to my internal docker the domain call.

DavidMStraub commented 8 months ago

I do want to allow family to "refer" others.

Actually, there is a simple way to achieve that which might also be sufficient for your @lucaberti: in the multi-tree setup, which is meant for hosting multiple Gramps databases in parallel (but you can limit yourself to a single one...), an additional tree ID is required for registration. This tree ID is a UUIDv4, so it is impossible to guess. In Gramps Web, the administrator will see the registration link in the settings (it has the form https://somehost/register/<uuid>. See https://www.grampsweb.org/user-guide/registration/. (Although a warning, it might be not all subtleties of the multi-tree setup are well documented yet, given that it's a relatively new feature meant for advanced users.)

lucaberti commented 8 months ago

I do want to allow family to "refer" others.

Actually, there is a simple way to achieve that which might also be sufficient for your @lucaberti: in the multi-tree setup, which is meant for hosting multiple Gramps databases in parallel (but you can limit yourself to a single one...), an additional tree ID is required for registration. This tree ID is a UUIDv4, so it is impossible to guess. In Gramps Web, the administrator will see the registration link in the settings (it has the form https://somehost/register/<uuid>. See https://www.grampsweb.org/user-guide/registration/. (Although a warning, it might be not all subtleties of the multi-tree setup are well documented yet, given that it's a relatively new feature meant for advanced users.)

Indeed this seems a good solution. I will try it when I have some spare time. Thank you!