comparison doc/customizing.txt @ 8412:0663a7bcef6c reauth-confirm_id
feat: finish reauth docs, enhance code.
Decided to keep name Reauth for now.
admin_guide.txt:
add reference mark to roundup admin help. Used for template command
reference in upgrading.txt.
customizing.txt:
added worked example of adding a reauth auditor for address and password.
Also links to OWASP recommendations.
Added link to example code in design.doc on detectors.
glossary.txt:
reference using roundup-admin template command in def for tracker
templates.
pydoc.txt:
Added methods for Client class.
Added class and methods for (cgi) Action, LoginAction and ReauthAction.
reference.txt:
Edited and restructured detector section.
Added section on registering a detector and priority use/execution order.
(reference to design doc was used before).
Added/enhanced description of exception an auditor can
raise (includes Reauth).
Added section on Reauth implementation and use (Confirming the User).
Also has paragraph on future ideas.
upgrading.txt:
Stripped down the original section. Moved a lot to reference.txt.
Referenced customizing example, mention installation of
_generic.reauth.html and reference reference.txt.
cgi/actions.py:
fixed bad ReST that was breaking pydoc.txt processing
changed doc on limitations of Reauth code.
added docstring for Reauth::verifyPassword
cgi/client.py:
fix ReST for a method breaking pydoc.py processing
cgi/templating.py:
fix docstring on embed_form_fields
templates/*/html/_generic.reauth.html:
disable spelling for password field
add timing info to the javascript function that processes file data.
reformat javascript IIFE
templates/jinja2/html/_generic.reauth.html:
create a valid jinja2 template. Looks like my original jinja
template got overwritten and committed.
feature parity with the other reauth templates.
test/test_liveserver.py:
add test case for Reauth workflow.
Makefile:
add doc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 13 Aug 2025 23:52:49 -0400 |
| parents | 5eb470cbcc08 |
| children | 370689471a08 056061cfe135 |
| 8411:ef1ea918b07a | 8412:0663a7bcef6c |
|---|---|
| 1813 | 1813 |
| 1814 Some simple javascript might help in the last step. If you have high volume | 1814 Some simple javascript might help in the last step. If you have high volume |
| 1815 you could search for all currently-Pending users and do a bulk edit of all | 1815 you could search for all currently-Pending users and do a bulk edit of all |
| 1816 their roles at once (again probably with some simple javascript help). | 1816 their roles at once (again probably with some simple javascript help). |
| 1817 | 1817 |
| 1818 .. _sensitive_changes: | |
| 1819 | |
| 1820 Confirming Users Making Sensitive Account Changes | |
| 1821 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 1822 | |
| 1823 Some changes to account data: user passwords or email addresses are | |
| 1824 particularly sensitive. The `OWASP Authentication`_ recommendations | |
| 1825 include asking for a re-authentication or confirmation step when making | |
| 1826 these changes. This can be easily implemented using an auditor. | |
| 1827 | |
| 1828 Create a file in your detectors directory with the following | |
| 1829 contents:: | |
| 1830 | |
| 1831 from roundup.cgi.exceptions import Reauth | |
| 1832 | |
| 1833 def confirmid(db, cl, nodeid, newvalues): | |
| 1834 | |
| 1835 if hasattr(db, 'reauth_done'): | |
| 1836 # the user has confirmed their identity | |
| 1837 return | |
| 1838 | |
| 1839 # if the password or email are changing, require id confirmation | |
| 1840 if 'password' in newvalues: | |
| 1841 raise Reauth('Add an optional message to the user') | |
| 1842 | |
| 1843 if 'address' in newvalues: | |
| 1844 raise Reauth('Add an optional message to the user') | |
| 1845 | |
| 1846 def init(db): | |
| 1847 db.user.audit('set', confirmid, priority=110) | |
| 1848 | |
| 1849 If a change is made to any user's password or address fields, the user | |
| 1850 making the change will be shown a page where they have to enter an | |
| 1851 identity verifier (by default the invoking user's account password). | |
| 1852 If the verifier is successfully verified it will set the | |
| 1853 ``reauth_done`` attribute on the db object and reprocess the change. | |
| 1854 | |
| 1855 The default auditor priority is 100. This auditor is set to run | |
| 1856 **after** most other auditors. This allows the user to correct any | |
| 1857 failing information on the form before being asked to confirm their | |
| 1858 identity. Once they confirm their identity the change is expected to | |
| 1859 be committed without issue. See :ref:`Confirming the User` for | |
| 1860 details on customizing the verification operation. | |
| 1861 | |
| 1862 Also you could use an existing auditor and add:: | |
| 1863 | |
| 1864 if 'someproperty' in newvalues and not hasattr(db, 'reauth_done'): | |
| 1865 raise Reauth('Need verification before changing someproperty') | |
| 1866 | |
| 1867 at the end of the auditor (after all checks are done) to force user | |
| 1868 verification. Just make sure you import Reauth at the top of the file. | |
| 1869 | |
| 1870 .. _`OWASP Authentication`: | |
| 1871 https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#require-re-authentication-for-sensitive-features | |
| 1818 | 1872 |
| 1819 Changes to the Web User Interface | 1873 Changes to the Web User Interface |
| 1820 --------------------------------- | 1874 --------------------------------- |
| 1821 | 1875 |
| 1822 Adding action links to the index page | 1876 Adding action links to the index page |
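Review bot: the paragraph beginning "If a change is made to any user's password or address fields" says a successful verification sets ``reauth_done`` on the db object and reprocesses the change, but never says when that attribute goes away; because the example auditor returns as soon as ``hasattr(db, 'reauth_done')`` is true, before it looks at ``newvalues``, the reader needs one sentence stating that the attribute exists only for the reprocessed request, otherwise the example reads as if a single confirmation could cover later changes made through the same db object. Two smaller points: the cross-reference ``:ref:`Confirming the User``` is a Sphinx-style role, while everywhere else this file links with the ``<reference.html#...>`_`` form (see the bullets just below "Extending the configuration file"), so either switch to that form or confirm the doc build resolves the role; and the opening sentence reads better as "Some changes to account data, such as user passwords or email addresses, are particularly sensitive." The two separate ``raise Reauth('Add an optional message to the user')`` branches could also be collapsed into ``if 'password' in newvalues or 'address' in newvalues:`` with a message that names the field being confirmed, which is closer to what a tracker would actually deploy.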
| 2434 | 2488 |
| 2435 * `Extending the configuration file | 2489 * `Extending the configuration file |
| 2436 <reference.html#extending-the-configuration-file>`_. | 2490 <reference.html#extending-the-configuration-file>`_. |
| 2437 * `Adding a new Permission <reference.html#adding-a-new-permission>`_ | 2491 * `Adding a new Permission <reference.html#adding-a-new-permission>`_ |
| 2438 | 2492 |
| 2493 as does the design document: | |
| 2494 | |
| 2495 * `detector examples <design.html#detector-example>`_ | |
| 2496 | |
| 2439 Examples on the Wiki | 2497 Examples on the Wiki |
| 2440 ==================== | 2498 ==================== |
| 2441 | 2499 |
| 2442 Even more examples of customisation have been contributed by | 2500 Even more examples of customisation have been contributed by |
| 2443 users. They can be found on the `wiki | 2501 users. They can be found on the `wiki |
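Review bot: the new bullet links to ``design.html#detector-example``, but nothing in this hunk shows the matching section title or label in design.txt, so please check that the anchor resolves in the built HTML (the bullet text is plural, "detector examples", while the anchor is singular, which is easy to get out of sync). The lead-in "as does the design document:" also leans on the sentence that introduces the preceding reference.html list, which is outside this hunk; re-read the combined paragraph to confirm it still parses once the reference.html bullets end and the design bullet begins.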
