System Constants and Settings Requiring Future Updates
The following settings are embedded in configuration files or source code and will require deliberate updates when the system moves to production or when business details change.
Security-Critical — Must Address Before Production
| Setting | Location | Current Value | Action Required |
|---|---|---|---|
| Master password bypass | App_Code/custom/Rules/ApplicationServices.Override.cs | "Administrator123%" bypasses authentication for any account | Remove this code block entirely before going live. |
| Localhost login bypass | App_Code/custom/Rules/ApplicationServices.Override.cs | admin and offline1 can log in without a password on localhost | Review and remove if not needed on the production server. |
| REST API static key | touch-settings.json → server.rest.authorization.keys | 94b79da7-e3a9-4152-9213-886f4c810bec mapped to admin | Rotate or remove. This key grants API-level access as admin. |
| Database password in plaintext | web.config → <connectionStrings> | Password stored in clear text | Consider encrypting the connectionStrings section using ASP.NET protected configuration (aspnet_regiis -pe). |
| SMTP password in plaintext | web.config → <system.net><mailSettings> | Password stored in clear text | Encrypt or use environment-level secrets management. |
Branding and Identity
| Setting | Location | Current Value | When to Update |
|---|---|---|---|
| Application name in UI | touch-settings.json → appName | "ConproSoft (Development)" | Remove (Development) suffix for production. |
| Copyright notice | App_Code/Handlers/Site.cs → SiteBase.Copyright | "© BMH Africa - 2015 - 2025. All rights reserved." | Update year or entity name when needed. |
| Site domain | web.config → Forms auth, email from address, controller XML email rules | bmh-crp.co.za / conprosoft.co.za | Update all occurrences if the domain changes. |
NOTE: To update the header logo, replace the Logo image in the Company Information module under System Admin. This requires Admin-level access.
NOTE: Logo rendering also depends on a virtual application or virtual directory that points to the application's images folder.
- Physical path: \bmh.conprosoft.co.za\wwwroot\images
- Virtual path: report-images
The framework resolves logo.jpeg from that location and uses it as the primary application branding throughout the system.
Compilation Mode
| Setting | Location | Current Value | Action Required |
|---|---|---|---|
| Debug compilation | web.config → <compilation debug="true"> | true | Set to false for production. Debug mode impacts performance significantly. |
Hardcoded Email Recipients
Several email rules contain hardcoded recipient addresses inside controller XML files. These are not configurable via web.config and must be edited in the XML directly:
| Address | Controllers | How to Change |
|---|---|---|
| finance@bmhafrica.co.za | PurchaseOrders.xml, Requisition.xml, Payments.xml | Edit To: line in the relevant <rule type="Email"> block |
| admin@conprosoft.co.za | TimeSheetHeader.xml | Edit To: line in the relevant <rule type="Email"> block |
| admin@bmh-crp.co.za | TimeSheet.xml | Edit To: line in the relevant <rule type="Email"> block |
Session Timeout
| Setting | Location | Current Value | Notes |
|---|---|---|---|
| Forms auth timeout | web.config → <forms timeout="725"/> | 725 minutes (~12 hours) | Adjust to match the client's security policy. |
NOTE: The configured server-side timeout is not always the only factor controlling session duration. In practice, modern browsers may terminate an idle session before the database-backed session record has expired. This means a user can be logged out due to browser inactivity handling even while the server-side session is still technically valid.
User Self-Registration > Approval
Self-registered users are created with isApproved = false (enforced in Custom.cs). An Administrator must manually approve accounts via the Membership Manager module (~/pages/membership-applications). This behaviour is intentional and requires no change unless open registration is desired.
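
The web.config and touch-settings.json items listed in the tables on this page can be checked automatically before a release. The following Python script is an added example, not part of the application's own code; the function names, the 60-minute timeout limit, and the layout of the keys array (a list of objects with key and user fields) are assumptions, and the sample inputs are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; values are placeholders, not taken from a real deployment.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Data Source=.;User ID=app;Password=EXAMPLE" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" />
    <authentication mode="Forms"><forms timeout="725" /></authentication>
  </system.web>
  <system.net><mailSettings><smtp>
    <network host="smtp.example.invalid" password="EXAMPLE" />
  </smtp></mailSettings></system.net>
</configuration>"""
SAMPLE_TOUCH_SETTINGS = """{"appName": "ConproSoft (Development)",
  "server": {"rest": {"authorization": {"keys": [
    {"key": "00000000-0000-0000-0000-000000000000", "user": "admin"}]}}}}"""

def audit_web_config(xml_text, max_timeout_minutes=60):
    """Flag the web.config items from the tables; the timeout limit is an assumed policy."""
    root, findings = ET.fromstring(xml_text), []
    comp = root.find("./system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append("compilation debug=true")
    forms = root.find("./system.web/authentication/forms")
    if forms is not None and int(forms.get("timeout", "30")) > max_timeout_minutes:
        findings.append(f"forms timeout {forms.get('timeout')} min exceeds policy")
    # A section encrypted with aspnet_regiis -pe has no <add> children, so nothing is flagged.
    for add in root.findall("./connectionStrings/add"):
        if re.search(r"(?i)\b(password|pwd)\s*=", add.get("connectionString", "")):
            findings.append(f"plaintext password in connection string {add.get('name')}")
    net = root.find("./system.net/mailSettings/smtp/network")
    if net is not None and net.get("password"):
        findings.append("plaintext SMTP password")
    return findings

def audit_touch_settings(json_text):
    """Flag the development app name and any static REST keys (key values are not echoed)."""
    settings, findings = json.loads(json_text), []
    if "(Development)" in settings.get("appName", ""):
        findings.append("appName has (Development) suffix")
    auth = settings.get("server", {}).get("rest", {}).get("authorization", {})
    for entry in auth.get("keys", []):  # assumed shape: list of {"key", "user"} objects
        findings.append(f"static REST key mapped to {entry.get('user')}")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG) + audit_touch_settings(SAMPLE_TOUCH_SETTINGS):
        print("FINDING:", finding)
```

The authentication bypasses in ApplicationServices.Override.cs are source-code changes and are not covered by this check; they still need manual review.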