kmclellan / mstc

Client, Resource and Therapy Session Management for MS Therapy Centres
Other

New Install needs an admin user #79

Open kmclellan opened 6 years ago

kmclellan commented 6 years ago

Is there a plan for how to create an admin user for new installations?

I would normally hack the database or Rails console but I have no idea how I would go about doing this on a new Heroku installation

wbland-dev commented 6 years ago

Hi Kelly,

This can be done with the seeds.rb file located in the db folder. I currently have an admin user and 50 auto-generated test users using this method. There's some information displayed on the current home page regarding these users (for testing purposes).

Example admin user in seeds.rb:

User.create!(firstname: 'William', lastname: 'Bland', email: 'admin@email.com', password: '12345678', password_confirmation: '12345678', admin: true, activated: true, activated_at: Time.zone.now)

Run via the following command: "bundle exec rake db:seed"

The seeds.rb file can then be deleted after initial user generation on production installations for security purposes. The password will be saved in an encrypted format in the db.

kmclellan commented 6 years ago

Great! Thanks William!

kmclellan commented 6 years ago

I need to add this to the documentation.

kmclellan commented 6 years ago

I shouldn't have unassigned William from this issue for posterity's sake (as he provided the solution).

kmclellan commented 6 years ago

seeds.rb is specifically for development use. I think we should have a single user equivalent to run for deployment on a production server, i.e. a bit like the WordPress wp-config.php file.

setup.rb? first_user.rb? initiation.rb?

If we need more than this to set up a production application then we should try to put initiation stuff all in one place.

wbland-dev commented 6 years ago

Good point. We can use something like the "seedbank" gem to split our seeds for development and production.

https://github.com/james2m/seedbank

I think this is perfect for this use case.

kmclellan commented 6 years ago

I agree, it is perfect for seed data and it seems to have been maintained for a long time.

A future issue arising: I am thinking that most centres would want to keep their repositories for the app on GitHub. Some seed data can be publicly maintained but a permanent admin cannot be.

I realise that a seed file can be edited locally, but this may not always be possible, e.g. on Heroku. (I wouldn't intend for the app to be deployed to Heroku for production but...) Also, a file with master admin login details that isn't removed is a vulnerability that we probably can't assume end users will fix.

I wouldn't want to set up a new production app with a default admin user as these are notorious for never being deleted.
What do you think of an initial setup wizard?
Or perhaps a mechanism to force the default admin to be changed/deleted when it is used the first time?

Whichever solution we pick would be low priority as Seedbank and a production seeds.rb fixes the immediate initiation issue.

wbland-dev commented 6 years ago

Hi Kelly, sorry I've just seen your reply.

Since initial installation requires using the command line to pull the repo to the webserver (assuming the webserver is configured with only CLI/no GUI), I could write a one-time-use bash script that allows the admin to choose his own login credentials (as well as options to install and configure Ruby/Rails/PostgreSQL automatically if needed). A lot of Linux-based apps with web interfaces use this method of installation to great effect.

The script would require user input via the command line, for instance "Would you like to install Ruby? (Y/n)", "Please enter a default admin username", etc. The script will then be automatically deleted once successfully run, and the admin db table would be configured to only allow one entry (or a set amount of entries depending on how many admin users you require) so that additional admins are not allowed to be created (for added security). This would be easier to implement and provide a more in-depth automated installation process. A web-based wizard can always be added on top of this later on.

Let me know what you think of this idea.
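The two requirements raised in this thread (a production seed that works on Heroku without committing admin credentials to a public repository, and a CLI bootstrap that lets the operator pick the credentials and allows only one admin) can be met by one small module. The following is an added example written for this discussion, not code from the mstc project or from either commenter. The environment variable names ADMIN_EMAIL and ADMIN_PASSWORD, the 12-character minimum and the module name are assumptions; the attribute hash follows the seeds.rb line William posted, and the only Rails dependency is the User model passed in, so the module itself runs stand-alone.

```ruby
# Hypothetical first-admin bootstrap for mstc (added example, not project code).
# Credentials are never read from a file in the repository: they come from the
# environment (Heroku: `heroku config:set ADMIN_EMAIL=... ADMIN_PASSWORD=...`)
# or, failing that, from an interactive prompt on the CLI. Intended to be
# invoked once from a seed or setup task, e.g. db/seeds/production/admin.seeds.rb
# under seedbank's per-environment layout.
require 'io/console'

module FirstAdmin
  MIN_PASSWORD_LENGTH = 12             # assumed policy; the thread sets none
  EMAIL_PATTERN = /\A[^@\s]+@[^@\s]+\z/

  class InvalidCredentials < StandardError; end
  class AdminAlreadyExists < StandardError; end

  # Checks shared by both credential sources; returns [email, password].
  def self.validate!(email, password, confirmation)
    raise InvalidCredentials, 'email is missing or malformed' unless EMAIL_PATTERN.match?(email)
    raise InvalidCredentials, "password shorter than #{MIN_PASSWORD_LENGTH} characters" if password.to_s.length < MIN_PASSWORD_LENGTH
    raise InvalidCredentials, 'password confirmation does not match' unless password == confirmation
    [email, password]
  end

  # Non-interactive path (Heroku, CI): everything from ENV (assumed variable names).
  def self.credentials_from_env(env = ENV)
    password = env['ADMIN_PASSWORD'].to_s
    validate!(env['ADMIN_EMAIL'].to_s.strip, password, password)
  end

  # Interactive path: prompt on the terminal, hiding the password when the
  # input supports it (a TTY does; a StringIO used in tests does not).
  def self.credentials_from_prompt(input = $stdin, output = $stdout)
    output.print 'Admin email: '
    email = input.gets.to_s.strip
    password = hidden_line(input, output, 'Admin password: ')
    confirmation = hidden_line(input, output, 'Confirm password: ')
    validate!(email, password, confirmation)
  end

  def self.hidden_line(input, output, label)
    output.print label
    line = input.respond_to?(:noecho) ? input.noecho(&:gets) : input.gets
    output.puts
    line.to_s.chomp
  end

  # Attribute hash in the shape of the seeds.rb line quoted in the thread.
  def self.attributes(email, password, now: Time.now)
    { firstname: 'Admin', lastname: 'User', email: email,
      password: password, password_confirmation: password,
      admin: true, activated: true, activated_at: now }
  end

  # Creates exactly one admin. A second run fails loudly instead of adding
  # another admin or silently resetting the password, so this is safe to leave
  # wired into `rake db:seed`. user_class is anything responding to
  # exists?(admin: true) and create!(attrs), i.e. the Rails User model.
  def self.bootstrap!(user_class, email, password, now: Time.now)
    raise AdminAlreadyExists, 'an admin user already exists' if user_class.exists?(admin: true)
    user_class.create!(attributes(email, password, now: now))
  end

  # Entry point: prefer ENV, fall back to the prompt only on a real terminal.
  def self.run(user_class, env: ENV, input: $stdin, output: $stdout)
    email, password =
      if env['ADMIN_EMAIL'] || env['ADMIN_PASSWORD']
        credentials_from_env(env)
      elsif input.respond_to?(:tty?) && input.tty?
        credentials_from_prompt(input, output)
      else
        raise InvalidCredentials, 'set ADMIN_EMAIL and ADMIN_PASSWORD or run from a terminal'
      end
    bootstrap!(user_class, email, password)
  end
end

FirstAdmin.run(User) if defined?(User)
```

Because the credentials only ever exist in the process environment or the operator's terminal, there is no file to forget to delete afterwards, which removes the "default admin never removed" problem rather than asking the installer to clean up. The `exists?(admin: true)` guard is an application-level check; on a busy production database a unique constraint at the schema level would be the stronger way to enforce the single-admin rule.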

kmclellan commented 6 years ago

I like this idea William. This seems like a solid way to set up the application. My original thoughts had been in this direction but, at that point, I forgot that Heroku had a cli...