Hi,
We have set Users on ZM for login control.
When we have a browser that is not logged in and you click on the link provided in the notification email you get a "Zone Minder Error" "You do no have sufficient permissions to access this resource...."
You have to go to the root page, log in and then hit the link again.
Should this not redirect to a login page rather than an error page, and even better then go back to the link you were trying to access?
For now we will disable the login in zm and use apache .htaccess, but then anyone logged in would have full rights.
Seems an improvement bug required, but don't know where to file that.
James
Notifying Email Link does not goto a Login Page
-
- Posts: 2
- Joined: Sun Dec 28, 2014 3:16 pm
Re: Notifying Email Link does not goto a Login Page
Ok, my solution was (a bodge) to create a guest user and guest password with streaming enabled only and use a Hash, but simplifying functions.php, so I can use a "fixed" hash and not one that would need to be generated time-dependent...
It does pass the hash key via email, that is a security threat, but then the access given was stream only. If someone watches the streams, so what? was my view, at least they can not change the configs.
1/ Settings
AUTH_HASH_SECRET = myhashkey
AUTH_HASH_IPS = unticked
AUTH_HASH_LOGINS = ticked.
2/ Email add an &auth= to the end
This alarm was matched by the %FN% filter and can be viewed at %EPS%&auth=093b446e81aea309557242b4a93xxxx
Where the auth key is MD5 (I generated by mysql using command 'Select MD5("myhashkey");' )
3/ Modify functions.php to remove the time-dependent stuff
# $authKey = ZM_AUTH_HASH_SECRET.$user['Username'].$user['Password'].$remoteAddr.$time[2].$time[3].$time[4].$time[5];
$authKey = ZM_AUTH_HASH_SECRET.$user['guestuser'].$user['guestpass'];
This link gave me the key information to do this
blog.chapus.net/zoneminder-hash-logins/
But clearly some form of "real" solution is needed.
James
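The time-dependent key that step 3 comments out, next to the fixed token from step 2, as an added example (not code from the post or from ZoneMinder): it shows which link checks still pass once time has moved on or the client address differs. The function names, the two-hour acceptance window and all sample values are assumptions made for the illustration.

```php
<?php
// Added illustration, not ZoneMinder's functions.php. Sample values are constructed.
const SECRET = 'myhashkey';   // AUTH_HASH_SECRET from the post
const WINDOW_HOURS = 2;       // assumed acceptance window

// Key material in the shape of the commented-out line: secret, user, password
// hash, client address, then hour/mday/mon/year taken from localtime().
function timedHash(array $user, string $remoteAddr, int $when): string {
    $t = localtime($when);
    return md5(SECRET.$user['Username'].$user['Password'].$remoteAddr
        .$t[2].$t[3].$t[4].$t[5]);
}

// Fixed token as generated in the post: the MD5 of the secret alone.
function fixedHash(): string {
    return md5(SECRET);
}

// A timed hash is accepted only if it matches one of the last WINDOW_HOURS hours.
function checkTimed(string $auth, array $user, string $remoteAddr, int $now): bool {
    for ($h = 0; $h < WINDOW_HOURS; $h++) {
        $expected = timedHash($user, $remoteAddr, $now - $h * 3600);
        if (hash_equals($expected, $auth)) {
            return true;
        }
    }
    return false;
}

// The fixed token has no time or client input, so the check cannot expire it.
function checkFixed(string $auth): bool {
    return hash_equals(fixedHash(), $auth);
}

$guest = ['Username' => 'guest', 'Password' => 'constructed-password-hash'];
$sent  = mktime(9, 0, 0, 1, 5, 2015);   // constructed send time of the email
$later = $sent + 30 * 86400;            // the same link opened 30 days later
$timed = timedHash($guest, '192.0.2.10', $sent);

$cases = [
    'timed, 30 min later, same address'  => checkTimed($timed, $guest, '192.0.2.10', $sent + 1800),
    'timed, 30 days later, same address' => checkTimed($timed, $guest, '192.0.2.10', $later),
    'timed, 30 min later, other address' => checkTimed($timed, $guest, '198.51.100.7', $sent + 1800),
    'fixed, any time, any address'       => checkFixed(fixedHash()),
];
foreach ($cases as $label => $accepted) {
    echo $label, ': ', $accepted ? 'accepted' : 'rejected', PHP_EOL;
}
```

Because the fixed token depends on the secret only, changing AUTH_HASH_SECRET is the one way to invalidate a link that has already been mailed.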
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Notifying Email Link does not goto a Login Page
This was fixed. The next version of zoneminder will redirect to the login page and should redirect back to the original page if the login was successful.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/