Cvat: How to disable self sign-up in the login page

Created on 17 Mar 2020  路  20Comments  路  Source: openvinotoolkit/cvat

I am preparing a CVAT server for work-from-home colleagues due to the coronavirus outbreak.
HTTPS support is added by putting Nginx reverse proxy+certbot in front of CVAT.
However, I am surprised to see that anyone can self sign up via login page and he can immediately see all tasks and images/videos. This is big security hole.
Do we have a way to disable the self-signup feature in the login page?

bug duplicate

Most helpful comment

Hi all,
I use E-Mail verification as a workaround without having my mail server connected yet.
Once a user has done the self registration I can just unlock the user in the Admin panel.

cd ~/cvat/cvat/settings
cp base.py base.py.backup
nano base.py

OLD lines:
ACCOUNT_EMAIL_VERIFICATION = 'none'

NEW lines:
ACCOUNT_AUTHENTICATION_METHOD = 'username'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'

cd ~/cvat
docker-compose -f docker-compose.yml -f docker-compose.override.yml down
docker-compose build
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d

https://github.com/openvinotoolkit/cvat/blob/develop/cvat/apps/documentation/installation.md#email-verification

All 20 comments

Consider using VPN for non-public network resources.

Even when we put it in intranet, anyone can self sign up and use CVAT is still not a good idea.

Known issue #1030, #1114
CVAT team is working to present new permission system.

Workaround is for example just delete API methods to register from the server. Files
cvat/apps/authentication/urls.py and cvat/apps/authentication/api_urls.py.
It is not the best solution, but it should help.

Very glad to hear that. Let me try your workaround first and post result here.

Hi bsekachev,
After I commented out the last three lines in urls.py, and the following line in api_url.py:

path('register', RegisterView.as_view(), name='rest_register'),

when you submit your sign-up form, you will get an 404 response.
Ugly, but it does work.

Hi bsekachev, you workaround does help!
However, after some further check, I come to understand why you say you are working on new permission system: the current access and privilege control mechanism is too simple from security perspective. There is no role based access control to resources and operations among different groups. Hope the new mechanism solve these issue.

@bsekachev @Onion-Skins I made your changes in both files, ran docker-compose down and up but still can create account! What did you do after commenting out those lines? Should rebuild images maybe?

@MahdiEsf
Rather than running just up and down, run:

docker-compose down
docker-compose build
docker-compose up -d

(see installation guide)

@FilipLangr Thanks, worked. I doubted whether I have to rebuild or not after making these changes.

Need to add into restrictions app.

Following this issue as well, this would be useful for a deployment I'm doing! For the time being I've also just disabled the endpoint.

Hi all,
I use E-Mail verification as a workaround without having my mail server connected yet.
Once a user has done the self registration I can just unlock the user in the Admin panel.

cd ~/cvat/cvat/settings
cp base.py base.py.backup
nano base.py

OLD lines:
ACCOUNT_EMAIL_VERIFICATION = 'none'

NEW lines:
ACCOUNT_AUTHENTICATION_METHOD = 'username'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'

cd ~/cvat
docker-compose -f docker-compose.yml -f docker-compose.override.yml down
docker-compose build
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d

https://github.com/openvinotoolkit/cvat/blob/develop/cvat/apps/documentation/installation.md#email-verification

@nmanovic Hi, it would be great if we can just remove the 'register-page' rendered view. Is there an out-of-the-box option of simply removing this registration page component? As well as disabling registration completely (not even with email verification) ..

@hashishoya

Hi,
There is not out-of-the-box solution to getting rid of registration page. Only presented workaround at this moment.

@bsekachev cvat/apps/authentication/api_urls.py is not anymore there, so just commented out
path('register', RegisterView.as_view(), name='rest_register'),
Would this be enough or do I have to comment more things out?

@hashishoya

Yes, it would be enough.

Looks like api_urls.py was renamed to urls.py and previous urls.py has been removed in #1964.

Theoretically (but I am not sure) you can also change Django setup DJANGO_AUTH_TYPE (override Django settings) to any custom value and it would disable server methods to registration, password reset, password change and email confirmation.

@bsekachev
It should be enough overriding REGISTRATION_OPEN = FALSE according to the documentation. But couldn't find the settings.py file and where exactly I should insert it. Do you know if it is possible to add this django setting in CVAT source code?

@bsekachev
It should be enough overriding REGISTRATION_OPEN = FALSE according to the documentation. But couldn't find the settings.py file and where exactly I should insert it. Do you know if it is possible to add this django setting in CVAT source code?

We do not use default Django authorization and I do not expect this setting to work.
Settings files are located in cvat/settings/*.py

I believe this ticket should call not only for the setting for disabling the self sign-up, but also for a group permission to view any of the data.

I tried

docker-compose down
docker-compose build
docker-compose up -d

but the changes won't take place. I still can register a user and see the tasks list. Any ideas ?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

cbasavaraj picture cbasavaraj  路  4Comments

Miguelistan picture Miguelistan  路  5Comments

oostap1 picture oostap1  路  3Comments

LinLidi picture LinLidi  路  6Comments

syonekura picture syonekura  路  4Comments