Skip to content

Creates a admin user automatically when installing ravada. #2263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
frankiejol merged 2 commits into from
Dec 3, 2025
Merged

Creates a admin user automatically when installing ravada. #2263

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e020512
creatin the admin user when installing ravada
wenqiange Dec 2, 2025
33d5492
creates an user automatically when installing ravada
wenqiange Dec 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions lib/Ravada.pm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -207,6 +207,7 @@ sub _install($self) {
$self->_upgrade_timestamps();
$self->_update_data();
$self->_init_user_daemon();
$self->_init_user_admin();
$self->_sql_insert_defaults();

$self->_do_create_constraints();
Expand Down Expand Up @@ -321,6 +322,30 @@ sub _init_user_daemon {
}

}

sub _init_user_admin {
my $self = shift;
return if !$FIRST_TIME_RUN;

my $sth = $CONNECTOR->dbh->prepare(
"SELECT count(*) FROM users WHERE is_admin=1 AND name <> ?"
);
$sth->execute($USER_DAEMON_NAME);
my ($count) = $sth->fetchrow;
$sth->finish;
return if $count;

my $user_admin = Ravada::Auth::SQL->new(name => 'admin');
return if $user_admin->id;

Ravada::Auth::SQL::add_user(
name => 'admin'
,password => 'admin'
,is_admin => 1
);
warn "INFO: created default admin user 'admin' with password 'admin'\n"
Comment on lines +341 to +346
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Creating a default admin user with hardcoded credentials ('admin'/'admin') poses a serious security risk. If users don't change these credentials immediately, their Ravada installation will be vulnerable to unauthorized access.

Consider one of these alternatives:

  1. Generate a random password during installation and display it to the user
  2. Require the admin password to be set via environment variable or configuration file
  3. Force the admin to set a password on first login
  4. Provide clear documentation warning users to change the default password immediately
Suggested change
Ravada::Auth::SQL::add_user(
name => 'admin'
,password => 'admin'
,is_admin => 1
);
warn "INFO: created default admin user 'admin' with password 'admin'\n"
my $admin_password = $ENV{RAVADA_ADMIN_PASSWORD};
if (!defined $admin_password || $admin_password eq '') {
die "ERROR: RAVADA_ADMIN_PASSWORD environment variable not set. Please set it to a secure password before starting Ravada for the first time.\n";
}
Ravada::Auth::SQL::add_user(
name => 'admin'
,password => $admin_password
,is_admin => 1
);
warn "INFO: created default admin user 'admin' with password from RAVADA_ADMIN_PASSWORD environment variable\n"

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logging the creation of the default admin user including the fact that the password is admin (warn "... password 'admin'"). This message can leak sensitive information to logs accessible by other users/processes, facilitating unauthorized access. Avoid logging plaintext credentials; remove the password from the message or log only that an admin user was created and require a secure password setup flow.

Suggested change
warn "INFO: created default admin user 'admin' with password 'admin'\n"
warn "INFO: created default admin user 'admin'\n"

Copilot uses AI. Check for mistakes.
if $0 !~ /\.t$/;
}
sub _update_user_grants {
my $self = shift;
$self->_init_user_daemon();
Expand Down