[open-ils-commits] r19243 - trunk/Open-ILS/src/sql/Pg (dbs)

[svn at svn.open-ils.org]

Author: dbs
Date: 2011-01-20 22:13:14 -0500 (Thu, 20 Jan 2011)
New Revision: 19243

Modified:
   trunk/Open-ILS/src/sql/Pg/950.data.seed-values.sql
Log:
Part 3 of a more secure default set up

With this commit, the hardcoded default barcode is replaced by an
MD5 hash of a random string of numbers, preventing the barcode from
being used as a known login name in the OPAC interface (which would
remove one of the factors required in a brute forcing of the account
credentials).

You probably don't want to change the barcode for the admin user,
but if you feel the need you can use the usual patron editor in
the staff client.

Thanks to Thomas Berezansky for suggesting this additional change.


Modified: trunk/Open-ILS/src/sql/Pg/950.data.seed-values.sql
===================================================================
--- trunk/Open-ILS/src/sql/Pg/950.data.seed-values.sql	2011-01-20 23:06:42 UTC (rev 19242)
+++ trunk/Open-ILS/src/sql/Pg/950.data.seed-values.sql	2011-01-21 03:13:14 UTC (rev 19243)
@@ -1600,8 +1600,8 @@
 INSERT INTO actor.usr ( profile, card, usrname, passwd, first_given_name, family_name, dob, master_account, super_user, ident_type, ident_value, home_ou ) VALUES ( 1, 1, md5(random()::text), md5(random()::text), 'Administrator', 'System Account', '1979-01-22', TRUE, TRUE, 1, 'identification', 1 );
 
 -- Admin user barcode
-INSERT INTO actor.card (usr, barcode) VALUES (1,'101010101010101');
-UPDATE actor.usr SET card = (SELECT id FROM actor.card WHERE barcode = '101010101010101') WHERE id = 1;
+INSERT INTO actor.card (usr, barcode) VALUES (1,md5(random()::text));
+UPDATE actor.usr SET card = (SELECT currval('actor.card_id_seq')) WHERE id = 1;
 
 -- Admin user permissions
 INSERT INTO permission.usr_perm_map (usr,perm,depth) VALUES (1,-1,0);