[GH-ISSUE #1060] Feature Request: Support non-admin users with more granular permissions #2173

Open
opened 2026-03-01 17:57:02 +03:00 by kerem · 4 comments

Originally created by @gitwittidbit on GitHub (Dec 8, 2022).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1060

Hi,

first of all, thank you for this cool project!

I was able to easily install it using docker-compose. And I could also register as admin and do some test archivals.

But I am failing to set up a user to use for actual archival jobs. What I mean is, I set up the user on the GUI, log out as admin, try to log in as the user but get an error message telling me that the user or password are incorrect (and that both could be case sensitive).

Well, I double and triple checked the name and the password - still nothing.
I reset the password using the CLI - still nothing.
I tried making the user "staff" - still nothing.
I tried making the user "superuser" - still nothing.
I wanted to try and add the user to some group - but I can't find any group and can't create any.

So can anybody tell me why my user can't log in?

And what does "staff" mean? Or, to turn it around: what would be the use of a user that is not staff and, hence, cannot log in? What could such a user do? And how do I create groups?

Thanks!


@pirate commented on GitHub (Dec 9, 2022):

The `PUBLIC_*` config options determine what users need to be logged in to do. Right now the only meaningful distinction is anonymous user (not logged in at all) vs. staff superuser logged in. We may add more granular permissions and support for group permissions in the future, but for now just make sure your new user is both staff and superuser, otherwise they're effectively anonymous/have no privileges.

If setting your new user to staff+superuser doesn't fix it, show me a screenshot of the users page in the admin, and the output of `archivebox version`, and I'll see if there's anything out of the ordinary.


@p6002 commented on GitHub (Feb 18, 2023):

Did you find a way to create a user?


@thestupidestthing commented on GitHub (Feb 28, 2024):

I just ran into this problem as well.
Looking back at the admin user I created through `docker run...` and `archivebox manage createsuperuser` in the WebUI, it looks like the Password field stores and displays the password hash (in the form `pbkdf2-sha256$216000$$Z21uKIfK67gw2VSDfXSks02qrcb3shexylxoLNuEgrM=`), and so entering a fresh password into the field for a newly created user will never successfully compare with the same password entered during login, because that gets hashed and no longer matches the password. I tried hashing 'test' as a password (above) but evidently it's salted ~~so that still doesn't work~~ with any salt.

Also, it seems kind of dangerous to have the hashed password stored in an editable field like it is, since there's no utility to editing it and accidentally editing it (thinking it's being reset) will lock the admin out.

EDIT: Okay, I used https://www.dcode.fr/pbkdf2-hash to create hashes of my test passwords and it's apparently salted with anything - so: Hashing Algo = SHA-256, Salt = `<some string as salt>`, # of iterations = 216000 and Output format = Django PBKDF2_ >> profit.

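The comment above works out by hand what the admin's Password field actually holds. As an added illustration (not ArchiveBox's or Django's own code), the snippet below reproduces Django's PBKDF2 encoded-password format, `<algorithm>$<iterations>$<salt>$<base64 digest>`, and shows why a plaintext pasted into that field, or a hash made with a different salt, never verifies. It assumes the 216000-iteration count quoted in the thread; Django's real algorithm id is `pbkdf2_sha256` (underscore), not the hyphenated form dcode.fr prints.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: iteration count taken from the hash quoted in this thread.
# Newer Django releases default to a higher count; the format is unchanged.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 216000


def encode_password(password: str, salt: Optional[str] = None,
                    iterations: int = ITERATIONS) -> str:
    """Return a Django-style encoded password: algo$iterations$salt$b64hash."""
    if salt is None:
        salt = secrets.token_urlsafe(12)  # a fresh random salt per user
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        # Not an encoded hash at all: this is what happens when someone types
        # a plaintext into the Password field of the admin user form.
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = encode_password(password, salt, iterations)
    return hmac.compare_digest(candidate, encoded)


def same_password_different_salt(password: str) -> bool:
    """True when two encodings of one password differ yet both verify.

    This is why hashing 'test' on an external site with some other salt
    can never equal the value stored for the admin user.
    """
    a = encode_password(password, "saltA", 1000)
    b = encode_password(password, "saltB", 1000)
    return a != b and verify_password(password, a) and verify_password(password, b)
```

In a real Django project use `django.contrib.auth.hashers.make_password` / `check_password` (or the admin's `/admin/password_change/` page) rather than hand-building these strings; the code above exists only to make the stored format legible.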

@pirate commented on GitHub (Feb 28, 2024):

[screenshot]

If you click `Account` in the upper right it takes you to the password editing page: `/admin/password_change/`. No need to ever manually pbkdf2 your password, that would be wild to expect users to do haha 😅

[screenshot]

> Also, it seems kind of dangerous to have the hashed password stored in an editable field like it is, since there's no utility to editing it and accidentally editing it (thinking it's being reset) will lock the admin out.

The one utility of having it editable is that an admin can help migrate users between archivebox instances by copy pasting their hashed passwords without ever having to know the cleartext password. This is a thing our government/corporate users do sometimes when they have multiple archivebox instances and need to clone user accounts between them.
