Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add register user function #164

Closed
kevinpapst opened this issue Jun 13, 2018 · 6 comments · Fixed by #216
Closed

Add register user function #164

kevinpapst opened this issue Jun 13, 2018 · 6 comments · Fixed by #216
Labels
feature request security
Milestone
0.3

Comments

@kevinpapst
Copy link
Member

kevinpapst commented Jun 13, 2018
edited
Loading

Add functionality for self-registration
@kevinpapst kevinpapst mentioned this issue Jun 13, 2018
Closed
@kevinpapst kevinpapst added this to the 0.3 milestone Jul 14, 2018
@kevinpapst kevinpapst mentioned this issue Jul 14, 2018
Merged
19 tasks
@sideeffect42
Copy link

While I agree that a registration function is nice to have I disagree about it being enabled by default.
I would argue that in most situations where Kimai is used the users are managed by some person in the company or there is only one user at all.

I consider registration being enabled by default an unnecessary security hole that might give people access to Kimai that shouldn't.
In addition self-registration should be easy to enable or disable.

The procedure to disable self-registration described in the docs didn't work for me.
Are there any additional steps required after adjusting the configuration?

I had to patch the .htaccess to ensure no new users could register:

RewriteRule ^\w+/register - [F]  # forbid self-registration
RewriteRule ^\w+/resetting - [F]  # forbid password reset

@kevinpapst
Copy link
Member Author

Okay, I have to adjust the documentation I guess.
Please try to execute bin/console cache:clear so the new configuration will be used.

Depending on your setup, you might have to switch the user in order to re-generate the cache, please check the UPGRADING docs on how to do that.

Regarding enabling/disabling feature, I think this is a crucial setting and should only be changeable by the administrator. But I'll check if its possible to add a one line config to enable/disable it in the local.yaml so it won't be lost during upgrade.

@kevinpapst kevinpapst reopened this Aug 9, 2018
kevinpapst added a commit that referenced this issue Aug 9, 2018
@kevinpapst
improved security documentation #164
100762c
kevinpapst added a commit that referenced this issue Aug 9, 2018
@kevinpapst
config setting to disable user-registration and password-reset #164
0cdc3ab
@kevinpapst
Copy link
Member Author

kevinpapst commented Aug 9, 2018
edited
Loading

@sideeffect42 I checked the documentation and you were right, it was not complete / outdated. I improved it, see the linked commits.

I also added two config settings that you can have in the file config/packages/local.yaml to be safe for upgrades, which can be used to disable password-reset and user-registration.

For now I will keep these features active by default, as disabling it is only a minimal change in one config file.

@sideeffect42
Copy link

sideeffect42 commented Aug 9, 2018
edited
Loading

@kevinpapst Thank you very much for your rapid response.
After clearing the cache it now works.

With the latest version I could successfully disable both registration and password resets by adding these lines to config/packages/local.yaml:

kimai:
    user:
        registration: false
        password_reset: false

Now I get a 404 page when going to the registration/resetting pages.

@kevinpapst
Copy link
Member Author

Thanks for your quick feedback!
Please post any idea as new issue, I want to develop Kimai 2 together with the community and every feedback is highly appreciated.

@lock
Copy link

lock bot commented Nov 18, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 18, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
feature request security
Projects
None yet
Milestone
0.3
Development

Successfully merging a pull request may close this issue.

Integrated FOSUserBundle kimai/kimai
2 participants
@kevinpapst @sideeffect42