| changeset | 5cba36e42b8f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | chore: refactor replace urlparse with urlsplit and use urllib_ Python docs recommend use of urlsplit() rather than urlparse(). urlsplit() is a little faster and doesn't try to split the path into path and params using the rules from an obsolete RFC. actions.py, demo.py, rest.py, client.py Replace urlparse() with urlsplit() actions.py urlsplit() produces a named tuple with one fewer elements (no .param). So fixup calls to urlunparse() so they have the proper number of elements in the tuple. also merge url filtering for param and path. demo.py, rest.py: Replace imports from urlparse/urllib.parse with roundup.anypy.urllib_ so we use the same interface throughout the code base. test/test_cgi.py: Since actions.py filtering for invali urls not split by path/param, fix tests for improperly quoted url's. |
| files |
| changeset | 166cb2632315 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551413 - Broken MultiLink columns in CSV export (take 2) Changed how I solved this. Restored the original line that cmeerw took out, but use the 'id' field rather than the 'name' field. The if statements folowing the line change it to the 'name' field (realname if it's a user object): if there is one. Updated the tests to test for this error and exercise the code. I had to change the test to create/add messages to an issue. This required that I suppress the sending of nosy messages using SENDMAILDEBUG env var. |
| files |
| changeset | 918792e35e0c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551413 - Broken MultiLink columns in CSV export cmeerw found a crash and bug. While investigating CSV export using names with a multilink field that doesn't have a label field (name or realname for user class). cmeerw's patch displays a multilink like messages as "['12', '23']" as when exporting csv with id. I changes code so this displays as "12;23" to match the list format output of the other fields in export csv (with names). |
| files |
| changeset | 0663a7bcef6c |
|---|---|
| branch | reauth-confirm_id |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feat: finish reauth docs, enhance code. Decided to keep name Reauth for now. admin_guide.txt: add reference mark to roundup admin help. Used for template command reference in upgrading.txt. customizing.txt: added worked example of adding a reauth auditor for address and password. Also links to OWASP recommendations. Added link to example code in design.doc on detectors. glossary.txt: reference using roundup-admin template command in def for tracker templates. pydoc.txt: Added methods for Client class. Added class and methods for (cgi) Action, LoginAction and ReauthAction. reference.txt Edited and restructured detector section. Added section on registering a detector and priority use/execution order. (reference to design doc was used before). Added/enhanced description of exception an auditor can raise (includes Reauth). Added section on Reauth implementation and use (Confirming the User). Also has paragraph on future ideas. upgrading.txt Stripped down the original section. Moved a lot to reference.txt. Referenced customizing example, mention installation of _generic.reauth.html and reference reference.txt. cgi/actions.py: fixed bad ReST that was breaking pydoc.txt processing changed doc on limitations of Reauth code. added docstring for Reauth::verifyPassword cgi/client.py: fix ReST for a method breaking pydoc.py processing cgi/templating.py: fix docstring on embed_form_fields templates/*/html/_generic.reauth.html disable spelling for password field add timing info to the javascript function that processes file data. reformat javascript IIFE templates/jinja2/html/_generic.reauth.html create a valid jinja2 template. Looks like my original jinja template got overwritten and committed. feature parity with the other reauth templates. test/test_liveserver.py add test case for Reauth workflow. Makefile add doc. |
| files |
| changeset | ef1ea918b07a |
|---|---|
| branch | reauth-confirm_id |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | feat(security): Add user confirmation/reauth for sensitive changes Auditors can raise Reauth(reason) exception to require the user to enter a token (e.g. account password) to verify the user is performing the change. Naming is subject to change. actions.py: New ReauthAction class handler and verifyPassword() method for overriding if needed. client.py: Handle Reauth exception by calling Client:reauth() method. Default client:reauth method. Add 'reauth' action declaration. exceptions.py: Define and document Reauth exception as a subclass of RoundupCGIException. templating.py: Define method utils.embed_form_fields(). The original form making a change to the database has a lot of form fields. These need to be resubmitted to Roundup as part of the form submission that verifies the user's password. This method turns all non file form fields into type=hidden inputs. It escapes the names and values to prevent XSS. For file form fields, it base64 encodes the contents and puts them in hidden pre blocks. The pre blocks have data attributes for the filename, filetype and the original field name. (Note the original field name is not used.) This stops the file content data (maybe binary e.g. jpegs) from breaking the html page. The reauth template runs JavaScript that turns the encoded data inside the pre tags back into a file. Then it adds a multiple file input control to the page and attaches all the files to it. This file input is submitted with the rest of the fields. _generic.reauth.html (multiple tracker templates): Generates a form with id=reauth_form to: display any message from the Reauth exception to the user (e.g. why user is asked to auth). get the user's password submit the form embed all the form data that triggered the reauth recreate any file data that was submitted as part of the form and generate a new file input to push the data to the back end It has the JavaScript routine (as an IIFE) that regenerates a file input without user intervention. All the TAL based tracker templates use the same form. There is also one for the jinja2 template. The JavaScript for both is the same. reference.txt: document embed_form_fields utility method. upgrading.txt: initial upgrading docs. TODO: Finalize naming. I am leaning toward ConfirmID rather than Reauth. Still looking for a standard name for this workflow. Externalize the javascript in _generic.reauth.html to a seperate file and use utils.readfile() to embed it or change the script to load it from a @@file url. Clean up upgrading.txt with just steps to implement and less feature detail/internals. Document internals/troubleshooting in reference.txt. Add tests using live server. |
| files |
| changeset | e882a5d52ae5 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | refactor: move RateLimitExceeded to roundup.cgi.exceptions RateLimitExceeded is an HTTP exception that raises code 429. Move it to roundup.cgi.exceptions where all the other exceptions that result in http status codes are located. Also make it inherit from HTTPException since it is one. Also add docstrings for all HTTP exceptions and order HTTPExceptions by status code. BREAKING CHANGE: if somebody is importing RateLimitExceeded they will need to change their import. I consider it unlikely anybody is using RateLimitExceeded. Detectors and extensions are unlikely to raise RateLimitExceeded. So I am leaving it out of the upgrading doc. Just doc in change log. |
| files |
| changeset | a81a3cd067fa |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Generate savepoint only if necessary Now some methods got an additional 'allow_abort' parameter. By default this is True. When False the postgres backend generates a savepoint. The methods are called with allow_abort=False from some of the cgi methods which can produce a traceback when called with data from the web-interface. |
| files |
| changeset | 261438b9c91c |
|---|---|
| branch | permission-performance |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Use new filtering for csv export variants |
| files |
| changeset | 19cef1e285b0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: remove delay when using csv export actions. The CSV file is written incrementally, so we can't determine the Content-Length. When using HTTP/1.1, this causes a delay while the browser waits for a timeout. Forcing the connection to close after the CSV file is written removes the delay. Ideally we should shift to chunked transfer encoding for these two actions, but that is much more invasive and when posting a request for CSV, it is unlikely that another request will be sent over the same socket. |
| files |
| changeset | 978285986b2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: issue2551193 - Fix roundup for removal of cgi and cgitb ... standard python modules (and FieldStorage/MiniFieldStorage). Vendor cgi.py and modify imports. Details: roundup/anypy/cgi_.py import that accesses a working cgi.py. All imports dealing with cgi now use cgi_. roundup/anypy/vendored/cgi.py vendored version 2.6 of cgi.py from: https://pypi.org/project/legacy-cgi/ CHANGES.txt change note added COPYING.txt added license for cgi.py doc/rest.txt change example to use cgi_ doc/upgrading.txt doc removal and how to rework local code using cgi.py. frontends/roundup.cgi remove unneeded cgi import roundup/cgi/actions.py roundup/cgi/apache.py roundup/cgi/client.py roundup/cgi/templating.py roundup/cgi/TAL/TALGenerator.py test/db_test_base.py test/rest_common.py test/test_cgi.py remove import cgi and replace with from roundup.anypy.cgi_ import cgi test/test_actions.py test/test_templating.py modify import to get *FieldStorage test/test_admin.py test/test_hyperdbvals.py test/test_xmlrpc.py remove unneeded cgi import |
| files |
| changeset | 273c8c2b5042 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix(api): - issue2551063 - Rest/Xmlrpc interfaces needs failed login protection. Failed API login rate limiting with expiring lockout added. |
| files |
| changeset | 804cc66692ac |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Add comment. lookup on a username doesn't return retired users. |
| files |
| changeset | db06d4aeb978 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | unshadow stdlib token from roundup's token. This bites me every now and again when running pytest and pdb. Some submodules want to load the stdlib python and end up getting roundup's python and thing break with N_TOKENS not defined etc. So rename token.py to token_r.py (token_r(oundup)... hey naming things is hard) an change code as needed. |
| files |
| changeset | 970cd6d2b8ea |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551251 - migrate pbkdf2 passwords if more rounds configured migrate/re-encrypt PBKDF2 password if stored password used a smaller number of rounds than set in password_pbkdf2_default_rounds. Also increase fallback number of rounds (when not set in config) to 2,000,000. |
| files |
| changeset | 0b52ee664580 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | tests are breaking with last commit. Restore a hopefully working tree while I figure out what's going on |
| files |
| changeset | cfdcaf8b5936 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551251 - migrate pbkdf2 passwords if more rounds configured migrate/re-encrypt PBKDF2 password if stored password used a smaller number of rounds than set in password_pbkdf2_default_rounds. Also increase fallback number of rounds (when not set in config) to 2,000,000. |
| files |
| changeset | 9fe29682dca2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix internationalized strings with multiple unlabeled % replacements. Get rid of warnings from gettext about untranslatable strings. |
| files |
| changeset | 075d8c6626b0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | flake8 fixes |
| files |
| changeset | fe0091279f50 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Refactor session db logging and key generation for sessions/otks While I was working on the redis sessiondb stuff, I noticed that log_wanrning, get_logger ... was duplicated. Also there was code to generate a unique key for otks that was duplicated. Changes: creating new sessions_common.py and SessionsCommon class to provide methods: log_warning, log_info, log_debug, get_logger, getUniqueKey getUniqueKey method is closer to the method used to make session keys in client.py. sessions_common.py now report when random_.py chooses a weak random number generator. Removed same from rest.py. get_logger reconciles all logging under roundup.hyperdb.backends.<name of BasicDatabase class> some backends used to log to root logger. have BasicDatabase in other sessions_*.py modules inherit from SessionCommon. change logging to use log_* methods. In addition: remove unused imports reported by flake8 and other formatting changes modify actions.py, rest.py, templating.py to use getUniqueKey method. add tests for new methods test_redis_session.py swap out ModuleNotFoundError for ImportError to prevent crash in python2 when redis is not present. allow injection of username:password or just password into redis connection URL. set pytest_redis_pw envirnment variable to password or user:password when running test. |
| files |
| changeset | 3f60a71b0812 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Summary: Support selecion session/otk data store. Add redis as data store. Allow admin to select the backend data store. Compatibility matrix: main\/ session>| anydbm | sqlite | redis | mysql | postgresql | anydbm | D | | X | | | sqlite | X | D | X | | | mysql | | | | D | | postgresql | | | | | D | --------------------------------------------------------------+ D - default if unconfigured, X - compatible choice DETAILS roundup/configuration.py: add config.ini section sessiondb with settings: backend and redis_url. CHANGES.txt, doc/admin_guide.txt, doc/installation.txt, doc/upgrading.txt: doc on config of session db and redis. Plus some other fixes: admin - clarified why we do not drop __words and __testids table in native-fts conversion. TYpo fix. upgrading - doc how you can keep using anydbm for session data with sqlite. Fix dupe sentence in an upgrading config.ini section. roundup/backends/back_anydbm.py, roundup/backends/back_sqlite.py: code to support redis, redis/anydbm backends respectively. roundup/backends/sessions_redis.py new storage backend for redis. roundup/rest.py, roundup/cgi/actions.py, roundup/cgi/templating.py redis uses a different way of calculating lifetime/timestamp. Since expiration of an item occurred if its timestamp was more than 1 week old, code would calculate: now - 1 week + lifetime. But this results in faster expiration in redis if used for lifetime/timestamp. Convert code to use the lifetime() method in BasicDatabase that generates the right timestamp for each backend. test/session_common.py: added tests for more cases, get without default, getall non-existing key etc. timestamp test changed to use new self.get_ts which is overridden in other tests. Test that datatypes survive storage. test/test_redis_session.py: test redis session store with sqlite and anydbm primary databases test/test_anydbm.py, test/test_sqlite.py add test to make sure the databases are properly set up sqlite - add test cases where anydbm is used as datastore anydbm - remove updateTimestamp override add get_ts(). test/test_config.py tests on redis_url and compatibility on choice of sessiondb backend .travis.yml: add redis db and redis-py |
| files |
| changeset | 9ca5cbffa0c4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Switch off using blank passwords for login There is now a config.ini setting [web] login_empty_passwords to enable logins for users without a password set. By default it's off and every user must have a password. |
| files |
| changeset | b336cc98d9d2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Mark strings for password reset and registration for translation Reported on: https://sourceforge.net/p/roundup/mailman/message/37652424/ by Thomas Arendsen Hein. Fixed in actions.py and roundup.pot and .po files updated. |
| files |
| changeset | e70e2789bc2c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2551189 - increase text search maxlength This removes I think all the magic references to 25 and 30 (varchar size) and replaces them with references to maxlength or maxlength+5. I am not sure why the db column is 5 characters larger than the size of what should be the max size of a word, but I'll keep the buffer of 5 as making it 1/5 the size of maxlength makes less sense. Also added tests for fts search in templating which were missing. Added postgres, mysql and sqlite native indexing backends in which to test fts. Added fts test to native-fts as well to make sure it's working. I want to commit this now for CI. Todo: add test cases for the use of FTS in the csv output in actions.py. There is no test coverage of the match case there. change maxlength to a higher value (50) as requested in the ticket. Modify existing extremewords test cases to allow words > 25 and < 51 write code to migrate column sizes for mysql and postgresql to match maxlength I will roll this into the version 7 schema update that supports use of database fts support. |
| files |
| changeset | 91ab3e0ffcd0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Summary: Add test cases for sqlite fts Add support for using the FTS5 full text query engine for sqlite. Also stubbed out some sections for adding postgresql FTS support as well. Added nee indexer type native-fts. It is not selected by default. The indexer=native is used if no indexer is set. This prevents an upgrade from seeming to wipe out the native index if upgraded and indexer=native is not explicitly set. Docs updated. Also changed section headers to sentence case for the current release notes. Indexing backend can control if the full text search phrase is broken into a list of words or passed intact. For backends with query languages (sqlite and can be enabled for whoosh and xapian) we do not want the phrase "tokenized" on whitespace. This also updates the rdbms database version to version 7 to add FTS table. I will be using the same version when I add postgresql. If somebody runs this version on postgresql, they will have to manually add the fts tables for postgresql if they want to use it. Added a new renderError method to client. This allows errors to be reported still using page.html rather than raw html. It also supports templates for any error code. If no template for the error code (e.g. 400) is found, the error in raw html with no page frame is shown. New IndexerQueryError exception to pass back message about query syntax errors. |
| files |
| changeset | 20d4ca71d458 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix unwanted redirect from search index to edit on login error The search action saves searches including: @template=index|search The code strips: @template=index but not the error condition template. So when an non-logged in user uses a search with @template=index|search and fails to log in, their displayed page is the search edit page (template search) not the search display (template index). This change strips both forms when saving. I don't know if this needs to be generalized to strip additional templates. But it solves te orignal issue with search displays jumping to edit mode on login failure. |
| files |
| changeset | 37b57da3374f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | aburke |
| description | issue2550917 - Add a: "Welcome user, you have logged in" ok_message on login. |
| files |
| changeset | ada96db8ec62 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Ignore blank lines when editing class via CSV |
| files |
| changeset | c4371ec7d1c0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Call verifyPassword even if user does not exist. Address timing attack caused by not doing the password check if the user doesn't exist. Can expose valid usernames. Really only useful for a tracker that doesn't allow anonymous access to issues. Issues usually show usernames as part of the message display. |
| files |
| changeset | 45ba6b71f1cf |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | actions.py translation. Using mapping rather than tuple for args. Format an error message in handleCollision using named tokens '%(props)s' rather than printf positional format specifier %s. Regenerate roundup.pot and update all .po files to use named tokens in their trnslations. Test handleCollision as well. |
| files |
| changeset | 15fd91fd3c4c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Quote all exported CSV data Quote all non-numeric data in csv export functions. Report that a title like '=a2+b3' could be interpreted as a function in Excel and executed. csv.writer now includes quoting=csv.QUOTE_NONNUMERIC to generate quoted values for all fields. This should make the string starting with = be interpreted as a string and not a formula. |
| files |
| changeset | f74d078cfd9a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | issue2551019 needs to be handled in the action code itself, not the WSGI handler for Python 3 we always need to encode the output in the client character set |
| files |
| changeset | b011e5ac06d5 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Flake8 whitespace; add translate; change use 'is None' not = Changed out some strings like: _("foo bar bas....") into _( "foo" "bar bas") to handle long lines. Verified both forms result in the same string extraction using locale tools xgettext/xpot. Added a couple of translation marks. |
| files |
| changeset | 8128ca0cb764 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Remove useless assert assert is called on props, but we can only get to assert if props is true. bandit audit flagged the statement, so I removed it since it wasn't needed. |
| files |
| changeset | 71c68961d9f4 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | - issue2550920 - Optionally detect duplicate username at registration. Added config option to allow detection of duplicate username when the user tries to register. Previously user was rejected when dupliate name found at confirmation step. Optional as it can make username guessing easier. Testing is in place for this. Also attempted to make the unfriendly error message: 'node with key "username" exists' into a translatable friendly error: "Username 'username' already exists." This is missing any test. It is also fragile as I capture the ValueError exception and see that the exception matches: 'node with key "username" exists' If it does reassert the friendly message. Otherwise just re-raise existing exception. If the "node with key..." message is translated the friendly override will not trigger. |
| files |
| changeset | fe334430ca07 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550919 - Anti-bot signup using 4 second delay Took the code by erik forsberg and massaged it into the core. So this is no longer needed in the tracker. Updated devel and responsive trackers to remove timestamp.py and update input field name. Docs, changes and tests complete. Hopefully these tracker changes won't cause an issue for other tests. |
| files |
| changeset | 5d0873a4de4a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix rate limit headers - were ints/floats need to be strings Running under gunicorn rest requests were crashing. Not all of the values for the rate limit headers were strings. Some were numbers. This caused the header generation for wsgi to fail. Now the values are all strings. |
| files |
| changeset | 883c9e90b403 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix problem with cgi.escape being depricated a different way. This way uses anypy and is cleaner. Also fixes incorrect/incomplete change that resulted in escaped in TAL generated by TALInterpreter.py. The escaped quotes break javascript etc. defined using tal string: values. TODO: add test cases for TAL. This wouldn't have snuck through for a month if we had good coverage of that library. |
| files |
| changeset | bd6d41f21a5a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | More extensive EditCSV testing. Uses test object to cover all types defined by database. Also check for an error with a row that's too short. CSV starts with blank line to verify that it recognises header line. Changes password, date, int, link and other fields. Deletes row and verified that it is retired. Make actions.py properly handle emptying of password field. |
| files |
| changeset | 1a835db41674 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Call cgi.escape only on python 2. Replace with html.escapeif it can be found. |
| files |
| changeset | 8dbe307bdb57 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Finish up login rate limit code. Set config item to 0 disables, make sure config item can't be negative integer. |
| files |
| changeset | 2f116ba7e7cf |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Rename Store class in rate_limit.py to Gcra. The name Store makes no sense since the class implements a Gcra, I'll call it Gcra.... |
| files |
| changeset | 842252c3ee22 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Change access to config from dict to property. This makes doing the mock for testing easier and unbreaks the changes to the tests that I did earlier. |
| files |
| changeset | cad18de2b988 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550949: Rate limit password guesses/login attempts. Generic rate limit mechanism added. Deployed for web page logins. Default is 3 login attempts/minute for a user. After which one login attempt every 20 seconds can be done. Uses gcra algorithm so all I need to store is a username and timestamp in the one time key database. This does mean I don't have a list of all failed login attempts as part of the rate limiter. Set up config setting as well so admin can tune the rate. Maybe 1 every 10 seconds is ok at a site with poor typists who need 6 attempts to get the password right 8-). The gcra method can also be used to limit the rest and xmlrpc interfaces if needed. The mechanism I added also supplies a status method that calculates the expected values for http headers returned as part of rate limiting. Also tests added to test all code paths I hope. |
| files |
| changeset | 9689d1bf9bb0 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | python2/python3 normalization. When exporting CSV, sort lists as they are ordered differently in python3 vs python2. Also python 3 list element order seems to not be stable/repeatable between runs. Sometimes the tests would pass sometimes they wouldn't. |
| files |
| changeset | be99aa02c616 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550833 enhance the export csv action to include the keys for liked items rather than id's. So for nosy list display usernames and not numbers. The original code was renamed and also made available. See change document. |
| files |
| changeset | cd0ceb2afdb8 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | fixed issue2550993 and added test case |
| files |
| changeset | 4f6e1ce89557 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | always encode query parameters in sorted order |
| files |
| changeset | 52cb53eedf77 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | reworked random number use prefer secrets module from Python 3.6+, random.SystemRandom and finally plain random |
| files |
| changeset | b50a4c85c270 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Christof Meerwald <cmeerw@cmeerw.org> |
| description | fixed incorrect usage of BytesIO |
| files |
| changeset | 23b8e6067f7c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: update calls to dict methods. Tool-assisted patch. Changes of iterkeys / itervalues / iteritems to keys / values / items are fully automated, but may make things less efficient in Python 2. Automated tools want to add list() around many calls to keys / values / items, but I thought most such list() additions were unnecessary because it seemed the result of keys / values / items was just iterated over while the set of dict keys remained unchanged, rather than used in a way requiring an actual list, or used while the set of keys in the dict could change. It's quite possible I missed some cases where list() was really needed, or left in some unnecessary list() calls. In cases where list() was only needed because the resulting list was then sorted in-place, I changed the code to use calls to sorted(). |
| files |
| changeset | 1556b39fde7c |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: use != instead of <>. Tool-generated patch. |
| files |
| changeset | 35ea9b1efc14 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Joseph Myers <jsm@polyomino.org.uk> |
| description | Python 3 preparation: "raise" syntax. Changing "raise Exception, value" to "raise Exception(value)". Tool-assisted patch. Particular cases to check carefully are the one place in frontends/ZRoundup/ZRoundup.py where a string exception needed to be fixed, and the one in roundup/cgi/client.py involving raising an exception with a traceback (requires three-argument form of raise in Python 2, which as I understand it requires exec() to avoid a Python 3 syntax error). |
| files |
| changeset | 91954be46a66 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | A real fix for the problem where: import random would result in every call to random() returning the same value in the web interface. While cgi/client.py:Client::__init.py__ was calling random.seed(), on most systems random was SystemRandom and not the default random. As a result the random as you would get from: import random was never being seeded. I added a function to access and seed the random bound instance of random.Random that is called during init. This fixes all three places where I saw the broken randomness. It should also fix: http://psf.upfronthosting.co.za/roundup/meta/issue644 I also removed the prior code that would bail if systemRandom was not available. |
| files |
| changeset | 66a17c80e035 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Force all uses of random to use SystemRandom and abort if pseudorandom random.Random would be used rather than Random.SystemRandom. random.Random is returning the same value time after time. Even when being seeded after instantiation, calls to the random.random() function return the same value like it's not advanceing the state of the generator. So "fix" is to force use of system random generator to generate: one time keys for password reset (action.py) random passwords when resetting passwords (password.py) serial number for auto ssl cert generation (roundup_server.py) Message-ID's in email: mailgw.py, client.py anti-csrf nonces (templating.py) |
| files |
| changeset | ed6153d3ee6a |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix password reset Fix issue2550963: After refactoring one-time keys from the main database we need to commit the password change in the password reset mechanism separately. This used to be committed by the otk commit. |
| files |
| changeset | 875605281b02 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix collision link to open in new window: target should be _blank not new. |
| files |
| changeset | 62de601bdf6f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix commits although a Reject exception is raised Fix the problem that changes are committed to the database (due to commits to otk handling) even when a Reject exception occurs. The fix implements separate database connections for otk/session handling and normal database operation. |
| files |
| changeset | 3639f4b55936 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Issue2550716 Email address displayed after password reset request (fix) Change the message displayed upon password reset using an account name to no longer expose the email address. Password reset triggered using an email address will still display the user supplied email address. |
| files |
| changeset | 28b6bfd303c3 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Suppress the "... - nothing changed" status banner presented when a form is submitted. This is triggered only when only quiet properties are changed. See: https://sourceforge.net/p/roundup/mailman/roundup-users/thread/20170421012107.E 040180690%40vm71.cs.umb.edu/ with subject: [Roundup-users] Does anybody think feedback saying "nothing changed" is useful? |
| files |
| changeset | 2d61e39b89c8 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Issue2550716 Email address displayed after password reset request (fix) Change the message displayed upon password reset using an account name to no longer expose the email address. Password reset triggered using an email address will still display the user supplied email address. |
| files |