Secret key is hardcoded - added workaround

Hello,

I've noticed that the secret key is hardcoded in src/usr/lib/libre-workspace/portal/lac/settings.py

specifically this line here: `SECRET_KEY = 'django-insecure-c7&zjd(1l0)(&z2n4&t=g8im6$(tconv@y-$3ic+hhlo%x3fh-'`

This means that everyone has the same secret key after install.

A workaround is to add these extra lines of code to the install.sh file. The code comes with a guard, so upgrading, in theory, shouldn't kick all users out of their sessions:

```bash
# Generate a unique SECRET_KEY if still using the insecure default
if grep -q "django-insecure" /usr/lib/libre-workspace/portal/lac/settings.py; then
    SECRET_KEY=$(libre-workspace-generate-secret 50)
    # Note: if the generated key contains "/" or "&", this sed expression will
    # break or mis-expand; those characters would need escaping first.
    sed -i "s/SECRET_KEY = '.*'/SECRET_KEY = '$SECRET_KEY'/" /usr/lib/libre-workspace/portal/lac/settings.py
fi
```

I've uploaded a file with which you can replace your install.sh. Please let me know if there is a better method; if not, we would need to wait for Jean to fix it without this additional code.

EDIT: I've also added code to the install.sh file to automatically disable the Django admin panel (it should be disabled by default for production), but it will be re-enabled once you run `sudo update` if you only set it to "False". The code that gets modified is located in the settings.py file; specifically:

```python
# To be disabled in production
ADMIN_ENABLED = True
```

Added code to install.sh:

```bash
# Disable Django admin panel (idempotent: no-op if already False)
sed -i "s/ADMIN_ENABLED = True/ADMIN_ENABLED = False/" /usr/lib/libre-workspace/portal/lac/settings.py
```

install.sh.txt (2.1 KB)

Kind regards

1 Like
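The same two fixes from the post above, written out as an added example that is not the project's install.sh and not the poster's attached file. It assumes GNU sed (`-i`, as in the post's own lines) and `python3`, and it swaps the post's `libre-workspace-generate-secret` for Python's `secrets` module with the alphabet Django itself uses for `get_random_secret_key()`. Beyond the original, it escapes the key before handing it to sed (the Django alphabet contains `&`, which sed would otherwise expand to the matched text), keeps the "only while the insecure default is present" guard so re-runs preserve sessions, and ends with a check a packager could run after install. The `make_sample_settings` function writes a constructed stand-in for settings.py so the script runs without a Libre Workspace host.

```shell
#!/bin/sh
# Added example (not the project's install.sh): re-run-safe SECRET_KEY
# rotation plus ADMIN_ENABLED flip. Assumes GNU sed (-i) and python3.

# Same alphabet Django's get_random_secret_key() draws from: no quotes or
# backslashes, so the result is always a valid Python string literal.
SECRET_ALPHABET='abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'

generate_secret() {
    # $1 = length (default 50); uses the CSPRNG behind Python's secrets module.
    python3 - "${1:-50}" "$SECRET_ALPHABET" <<'EOF'
import secrets, sys
n, alphabet = int(sys.argv[1]), sys.argv[2]
print(''.join(secrets.choice(alphabet) for _ in range(n)))
EOF
}

sed_escape_replacement() {
    # Escape &, / and \ so the key can neither expand to the matched text nor
    # terminate the s||| expression; '&' is in the alphabet above.
    printf '%s' "$1" | sed 's|[&/\\]|\\&|g'
}

rotate_secret_key() {
    # $1 = path to settings.py. Only rewrites while the shipped insecure default
    # is present, so an upgrade that re-runs this keeps the key and live sessions.
    if grep -q 'django-insecure' "$1"; then
        key=$(generate_secret 50)
        esc=$(sed_escape_replacement "$key")
        sed -i "s|^SECRET_KEY = '.*'|SECRET_KEY = '$esc'|" "$1"
        echo rotated
    else
        echo unchanged
    fi
}

disable_admin() {
    # Idempotent: True -> False, no-op if already False.
    sed -i 's/^ADMIN_ENABLED = True$/ADMIN_ENABLED = False/' "$1"
}

current_secret() {
    # Print the value between the quotes of the SECRET_KEY line.
    sed -n "s/^SECRET_KEY = '\(.*\)'\$/\1/p" "$1"
}

check_hardened() {
    # Succeeds only when no insecure default remains and the admin panel is off.
    ! grep -q 'django-insecure' "$1" && grep -q '^ADMIN_ENABLED = False$' "$1"
}

make_sample_settings() {
    # Constructed stand-in for the real settings.py, using the default key
    # quoted in the post, so the script can be exercised without an install.
    cat > "$1" <<'EOF'
DEBUG = False
SECRET_KEY = 'django-insecure-c7&zjd(1l0)(&z2n4&t=g8im6$(tconv@y-$3ic+hhlo%x3fh-'
# To be disabled in production
ADMIN_ENABLED = True
EOF
}

demo() {
    f=$(mktemp)
    make_sample_settings "$f"
    echo "first run:  $(rotate_secret_key "$f")"    # rotated
    echo "second run: $(rotate_secret_key "$f")"    # unchanged (key kept)
    disable_admin "$f"
    check_hardened "$f" && echo "hardened, key now: $(current_secret "$f")"
    rm -f "$f"
}

demo
```

To use it on a real host, drop the `demo` call and invoke `rotate_secret_key /usr/lib/libre-workspace/portal/lac/settings.py` followed by `disable_admin` on the same path from install.sh; `check_hardened` gives a non-zero exit that a post-install test can fail on. The one behaviour that matters for upgrades is that the grep guard, not the sed, decides whether anything changes: once the default is gone the file is left untouched.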

Thanks a lot for that hint!
I will create a patch for existing Libre Workspaces and add it to the default installation 🙂