Application access control: Rolambert_dev_07202020 #174
Conversation
|
had to install extra modules for python: flask-sqlalchemy After installing, I was required to enter user name and password before system would allow any control from the web page. I registered a user name, email, and password, then put me back at the login screen and I logged in and it appears to work. |
gpiozero was not remove just version was explicitly defined, what are your thoughts? |
|
If left, it will install the current version and that should be fine.
…On Thu, Jul 23, 2020, 8:15 PM Robert Lambert ***@***.***> wrote:
gpiozero removed from requirements.txt and I think it should be reinserted.
gpiozero was not remove just version was explicitly defined, what are your
thought?
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#174 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOGADD5UCLK3XQCUN5KXRX3R5DOEJANCNFSM4PDYVEUQ>
.
|
|
For the record, I think it is a cool feature and it certainly took some work to get it to function, which I can certainly appreciate, but after trying it out, it isn't something that I want to have mandated on my machine. I don't want a sign-in required to access from my phone because then I have to fat finger another password to get access. For those with systems in public spaces, I can see why this is useful and certainly if the system is exposed to the web in general (which I think is a bad idea anyway). Is there a way to disable this password wall without having to log in each device? Perhaps we can put an activation toggle in the maslow settings to enable or disable this option? I could help add one. |
TY, I like your points, lets do it.
I see two possible ways this
or.
I think 2. would be easier to implement and is more industry standard. Thoughts? |
|
That approach sounds reasonable to me. Attached is what it shows on my
phone. The login prompt is tiny, but it works.
…On Fri, Jul 24, 2020, 11:31 AM Robert Lambert ***@***.***> wrote:
For the record, I think it is a cool feature and it certainly took some
work to get it to function, which I can certainly appreciate, but after
trying it out, it isn't something that I want to have mandated on my
machine. I don't want a sign-in required to access from my phone because
then I have to fat finger another password to get access. For those with
systems in public spaces, I can see why this is useful and certainly if the
system is exposed to the web in general (which I think is a bad idea
anyway). Is there a way to disable this password wall without having to log
in each device? Perhaps we can put an activation toggle in the maslow
settings to enable or disable this option? I could help add one.
TY, I like your points, lets do it.
- I would still like to 'initialize' with the a user for db creation
this makes available a bunch of fun stats and use case things available.
I see two possible ways this disable can be done (other than password
manager did you test mobile?)
1. A settings toggle at first login to enable password logins if
required
or.
1. After initial sign-up and login the initial 'admin account' can
disable login feature
Thoughts?
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#174 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AOGADDZJV4PWXZK6ADG35ULR5GZOPANCNFSM4PDYVEUQ>
.
|
There was a problem hiding this comment.
@rolambert, Thank you for contributing this great feature. I whole heatedly support implementing login. In multi-user environments such as hacker/maker spaces it is required. Even in home/single user environments it is good to lock things down so other household members do not cause havoc.
I don't want to discourage your effort but this feature is not is a state to be committed. With your current code a user can click the create_user link, provide info, and immediately login, without validation/approval. This renders the whole login feature redundant as it can be bypassed in seconds.
I see you have laid the framework for storing accountlevel but have not implemented it. I don't see anything that could store approved user account state that allows or denies login.
It does not look like making login an optional feature is easy? If you think it is then please let me know as some Maslow user may not want mandatory login.
For those that want login perhaps you could code it so:
If user accounts = 0, then create admin level (1) account, and grant immediate access.
Otherwise if user accounts > 0, then create second level (2), and deny access by default.
There is also no UI to manage users. In the least there should be a page that lists all users accounts and has UI to change their approved state that is only accessible to admin users.
Alternatively new user account creation page could be disabled once an admin account is created. So only admins can access the page, set access level, and approve them.
This leads on to problems with forgotten passwords. Email is collected but there does not seem to be any system in place to send emails or recover passwords. What happens if the admin account password is forgotten/lost? Can this instance send email?
This also calls into question the hard coded SECRET_KEY for the database which should be user configurable. Perhaps during first Admin account creation?
Finally the the login and register pages are not mobile responsive and currently break UI making them difficult to use. I think I have fixed most UI issue in PR #117. Added blocks for HEAD, JAVASCRIPT, CONTENT in appropriate places. If you have the time please test it and let me know if anything needs to be changed. I am eager to help in fixing UI issues which have been overlooked. I think your login UI code could be easily fixed once PR #117 is committed.
To summarize: I welcome the addition of login feature but this code does not accomplish basic minimum user access control to make it worth while. I completely support login access control and hope to see it implemented. Happy to help in making this happen.
| <h6 class="card-category"> | ||
| {% if msg %} | ||
| <span class="text-danger">{{ msg | safe }}</span> | ||
| {% else %} |
There was a problem hiding this comment.
Typo "wellcome" and poor wording. Consider removing the {else} block as this link and text is already provided lower on line 67.
|
|
||
| <button type="submit" name="login" class="btn btn-primary pull-left">Login</button> | ||
|
|
||
| |
There was a problem hiding this comment.
Remove unnecessary
application access control
application create user, login user
intent:
The intent is increase CNC safety by availability control i.e. application access control. This will ultimately give the ability to control the access to the CNC through application access control. However there are many other additional capabilities such as:
features:
future: