added a warning message in ConfigBasic in case that the default password

was not changed.
1 year ago · 4da320bebf
parent 7830268be1
commit 4da320bebf
4 changed files with 218 additions and 198 deletions
--- a/htroot/ConfigBasic.html
+++ b/htroot/ConfigBasic.html
@ -24,6 +24,12 @@
    #(reconnect)#::
    <p><strong>Your port has changed. Please wait 10 seconds.</strong></p>
    #(/reconnect)#
+    #(changedfltpw)#::
+    <div class="alert alert-danger" role="alert">
+        <b>WARNING</b> This YaCy instance can be administered with the account "admin" and the default password "yacy". 
+        Open the <a href="ConfigAccounts_p.html" class="alert-link">User Administration</a> and change the password as soon as possible!
+    </div>
+    #(/changedfltpw)#
    <p>
      Your YaCy Peer needs some basic information to operate properly
    </p>
--- a/source/net/yacy/data/TransactionManager.java
+++ b/source/net/yacy/data/TransactionManager.java
@ -70,7 +70,7 @@ public class TransactionManager {
            final String adminAccountUserName = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_USER_NAME, "admin");
            if (adminAccountBase64MD5.equals(sb.emptyPasswordAdminAccount)) {
                // admin users with empty passwords do not need to authentify, thus do not have
-                // this header present. We just consoder the name is "admin"
+                // this header present. We just consider the name is "admin"
                userName = adminAccountUserName;
            }

@ -145,7 +145,6 @@ public class TransactionManager {
        final String token = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, SIGNING_KEY)
                        .hmacHex(TOKEN_SEED + userName + path);

-        
        return token;
    }

--- a/source/net/yacy/htroot/ConfigBasic.java
+++ b/source/net/yacy/htroot/ConfigBasic.java
@ -69,13 +69,6 @@ public class ConfigBasic {
        final File langPath = new File(sb.getAppPath("locale.source", "locales").getAbsolutePath());
        String lang = env.getConfig("locale.language", "browser");

-        final int authentication = sb.adminAuthenticated(header);
-        if (authentication < 2) {
-            // must authenticate
-        	prop.authenticationRequired();
-            return prop;
-        }
-
        /* For authenticated users only : acquire a transaction token for the next POST form submission */
        try {
            prop.put(TransactionManager.TRANSACTION_TOKEN_PARAM, TransactionManager.getTransactionToken(header));
@ -95,6 +88,14 @@ public class ConfigBasic {
        boolean ssl = env.getConfigBool("server.https", false);
        boolean upnp = false;
        if (post != null) {
+
+            final int authentication = sb.adminAuthenticated(header);
+            if (authentication < 2) {
+                // must authenticate
+                prop.authenticationRequired();
+                return prop;
+            }
+
            /* Settings will be modified : check this is a valid transaction using HTTP POST method */
            TransactionManager.checkPostTransaction(header, post);

@ -189,11 +190,24 @@ public class ConfigBasic {
            prop.put("reconnect", "0");
        }

+        // set a warning in case that the default password was not changed
+        String currpw = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5, "");
+        String dfltpw = sb.getConfig(SwitchboardConstants.ADMIN_ACCOUNT_B64MD5_DEFAULT, "");
+        prop.put("changedfltpw", currpw.equals(dfltpw) ? "1" : "0");
+
        // set a use case
        prop.put("setUseCase_switchError", 0);
        prop.put("setUseCase_switchWarning", 0);
        String networkName = sb.getConfig(SwitchboardConstants.NETWORK_NAME, "");
        if (post != null && post.containsKey("usecase")) {
+
+            final int authentication = sb.adminAuthenticated(header);
+            if (authentication < 2) {
+                // must authenticate
+                prop.authenticationRequired();
+                return prop;
+            }
+
            /* Settings will be modified : check this is a valid transaction using HTTP POST method */
            TransactionManager.checkPostTransaction(header, post);

--- a/source/net/yacy/search/SwitchboardConstants.java
+++ b/source/net/yacy/search/SwitchboardConstants.java
@ -50,8 +50,9 @@ public final class SwitchboardConstants {

    // this holds the credential "MD5:" + Digest.encodeMD5Hex(adminAccountUserName + ":" + adminRealm + ":" + password)
    // or the depreciated old style MapTools.encodeMD5Hex( Base64Order.standardCoder.encode(adminAccountUserName + ":" + password) )
-    public static final String ADMIN_ACCOUNT_B64MD5         = "adminAccountBase64MD5";
    public static final String ADMIN_ACCOUNT_USER_NAME      = "adminAccountUserName"; // by default 'admin'
+    public static final String ADMIN_ACCOUNT_B64MD5         = "adminAccountBase64MD5"; // by default the encoding of 'yacy' (MD5:8cffbc0d66567a0987a4aba1ec46d63c)
+    public static final String ADMIN_ACCOUNT_B64MD5_DEFAULT = "MD5:8cffbc0d66567a0987a4aba1ec46d63c"; // use this to check if the default setting was overwritten
    public static final String ADMIN_ACCOUNT_FOR_LOCALHOST  = "adminAccountForLocalhost";
    public static final String ADMIN_ACCOUNT_All_PAGES      = "adminAccountAllPages";
    public static final String ADMIN_REALM                  = "adminRealm";