Merged
1 change: 1 addition & 0 deletions changelog.d/4-docs/WPB-4556-internal-user-creation
@@ -0,0 +1 @@
Elaborate on internal user creation in prod
4 changes: 1 addition & 3 deletions docs/src/understand/block-user-creation.md
Expand Up @@ -13,7 +13,7 @@ optSettings:

If `setRestrictUserCreation` is `true`, creating new personal users or new teams on your instance from outside your backend installation is impossible. (If you want to be more technical: requests to `/register` that create a new personal account or a new team are answered with `403 forbidden`.)

On instances with restricted user creation, the site operator with access to the internal REST API can still circumvent the restriction: just log into a brig service pod via ssh and follow the steps in `hack/bin/create_test_team_admins.sh.`
On instances with restricted user creation, the site operator with access to the internal REST API can still circumvent the restriction: just log into a brig service pod and run the curl commands like `hack/bin/create_test_team_admins.sh` does it. (Running the script is also an option: this will give you a team with a random admin account, and you can use that account to give yourself access under the desired credentials.)

```{note}
Once the creation of new users and teams has been disabled, it will still be possible to use the [team creation process](https://support.wire.com/hc/en-us/articles/115003858905-Create-a-team) (enter the new team name, email, password, etc), but it will fail/refuse creation late in the creation process (after the «Create team» button is clicked).
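Review bot: In the rewritten "On instances with restricted user creation" sentence, the step for reaching the brig pod lost its method (the old line said "via ssh"), and the parenthetical's "give yourself access under the desired credentials" names no procedure. Suggest stating how the operator is expected to get a shell in the pod, and either describing the follow-up step or pointing to where it is documented. The phrase "run the curl commands like `hack/bin/create_test_team_admins.sh` does it" would read better as "run the same curl commands that `hack/bin/create_test_team_admins.sh` uses". It is also worth repeating here what the script's USAGE text says, that the internal brig endpoint is not exposed over nginz, so readers see that this path depends on direct access to brig.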
Expand All @@ -30,5 +30,3 @@ FEATURE_ENABLE_ACCOUNT_REGISTRATION: "false"
```{note}
If you only disable the creation of users in the webapp, but do not do so in Brig/the backend, a malicious user would be able to use the API to create users, so make sure to disable both.
```


3 changes: 3 additions & 0 deletions hack/bin/create_test_team_admins.sh
Expand Up @@ -12,6 +12,9 @@ USAGE="
This bash script can be used to create active team admin users and
their teams.

This is the way to create teams if you have set
'setRestrictUserCreation' to 'true' in your 'values.yaml'.

Note that this uses an internal brig endpoint. It is not exposed over
nginz and can only be used if you have direct access to brig.

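Review bot: In the added USAGE lines, "This is the way to create teams" overstates it: the docs change in this same PR presents running the curl commands by hand as the main route and running the script as an option that gives "a team with a random admin account". Suggest "This is one way to create teams if you have set 'setRestrictUserCreation' to 'true'" and a sentence saying that the script creates a random admin account, since the file is named create_test_team_admins.sh and this text now points operators to it for instances with restricted user creation.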