Mercurial > p > roundup > code
view doc/FAQ.txt @ 8411:ef1ea918b07a reauth-confirm_id
feat(security): Add user confirmation/reauth for sensitive changes
Auditors can raise Reauth(reason) exception to require the user to
enter a token (e.g. account password) to verify the user is performing
the change.
Naming is subject to change.
actions.py: New ReauthAction class handler and verifyPassword() method
for overriding if needed.
client.py: Handle Reauth exception by calling Client:reauth() method.
Default client:reauth method. Add 'reauth' action declaration.
exceptions.py: Define and document Reauth exception as a subclass of
RoundupCGIException.
templating.py: Define method utils.embed_form_fields().
The original form making a change to the database has a lot of form
fields. These need to be resubmitted to Roundup as part of the form
submission that verifies the user's password.
This method turns all non file form fields into type=hidden inputs.
It escapes the names and values to prevent XSS.
For file form fields, it base64 encodes the contents and puts them
in hidden pre blocks. The pre blocks have data attributes for the
filename, filetype and the original field name. (Note the original
field name is not used.)
This stops the file content data (maybe binary e.g. jpegs) from
breaking the html page. The reauth template runs JavaScript that
turns the encoded data inside the pre tags back into a file. Then
it adds a multiple file input control to the page and attaches all
the files to it. This file input is submitted with the rest of the
fields.
_generic.reauth.html (multiple tracker templates): Generates a form
with id=reauth_form to:
display any message from the Reauth exception to the user (e.g. why
user is asked to auth).
get the user's password
submit the form
embed all the form data that triggered the reauth
recreate any file data that was submitted as part of the form and
generate a new file input to push the data to the back end
It has the JavaScript routine (as an IIFE) that regenerates a file
input without user intervention.
All the TAL based tracker templates use the same form. There is also
one for the jinja2 template. The JavaScript for both is the same.
reference.txt: document embed_form_fields utility method.
upgrading.txt: initial upgrading docs.
TODO:
Finalize naming. I am leaning toward ConfirmID rather than Reauth.
Still looking for a standard name for this workflow.
Externalize the javascript in _generic.reauth.html to a seperate file
and use utils.readfile() to embed it or change the script to load it
from a @@file url.
Clean up upgrading.txt with just steps to implement and less feature
detail/internals.
Document internals/troubleshooting in reference.txt.
Add tests using live server.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 11 Aug 2025 14:01:12 -0400 |
| parents | 692242b3effd |
| children |
line wrap: on
line source
=========== Roundup FAQ =========== .. contents:: :local: Installation ------------ Living without a mailserver ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remove the nosy reactor - delete the tracker file ``detectors/nosyreactor.py`` from your tracker home. You do need to configure the ``[mail]`` section of config.ini. Specifically the ``domain`` and ``host`` settings have to have a value. The values don't matter, but the config parser will complain if they are not set. The cgi-bin is very slow! ~~~~~~~~~~~~~~~~~~~~~~~~~ Yep, it sure is. It has to start up Python and load all of the support libraries for *every* request. The solution is to use the built in server (or possibly mod_wsgi or other WSGI support). To make Roundup more seamless with your website, you may place the built in server behind apache and link it into your web tree (see below). How do I put Roundup behind Apache ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We have a project (foo) running on ``tracker.example:8080``. We want ``http://tracker.example/issues`` to use the roundup server, so we set that up on port 8080 on ``tracker.example`` with the ``config.ini`` line:: [tracker] ... web = 'http://tracker.example/issues/' We have a "foo_issues" tracker and we run the server with:: roundup-server -p 8080 issues=/home/roundup/trackers/issues Then, on the Apache machine (eg. redhat 7.3 with apache 1.3), in ``/etc/httpd/conf/httpd.conf`` uncomment:: LoadModule proxy_module modules/libproxy.so and:: AddModule mod_proxy.c Then add:: # roundup stuff (added manually) <IfModule mod_proxy.c> # proxy through one tracker ProxyPass /issues/ http://tracker.example:8080/issues/ # proxy through all tracker(*) #ProxyPass /roundup/ http://tracker.example:8080/ </IfModule> Then restart Apache. Now Apache will proxy the request on to the roundup-server. Note that if you're proxying multiple trackers, you'll need to use the second ProxyPass rule described above. It will mean that your TRACKER_WEB will change to:: TRACKER_WEB = 'http://tracker.example/roundup/issues/' Once you're done, you can firewall off port 8080 from the rest of the world. Note that in some situations (eg. virtual hosting) you might need to use a more complex rewrite rule instead of the simpler ProxyPass above. The following should be useful as a starting template:: # roundup stuff (added manually) <IfModule mod_proxy.c> RewriteEngine on # General Roundup RewriteRule ^/roundup$ roundup/ [R] RewriteRule ^/roundup/(.*)$ http://tracker.example:8080/$1 [P,L] # Handle Foo Issues RewriteRule ^/issues$ issues/ [R] RewriteRule ^/issues/(.*)$ http://tracker.example:8080/issues/$1 [P,L] </IfModule> How do I run Roundup through SSL (HTTPS)? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The preferred way of using SSL is to proxy through apache and use its SSL service. See the previous question on how to proxy through apache. The standalone roundup-server now also has SSL support which is still considered experimental. For details refer to the documentation of roundup server, in particular to the generated configuration file generated with :: roundup-server --save-config that describes the needed option in detail. With the standalone server now XMLRPC over SSL works, too. Templates --------- What is that stuff in the tracker html directory? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is the template code that Roundup uses to display the various pages. This is based upon the template markup language in Zope called, oddly enough, "Zope Page Templates". There's documentation in the Roundup reference_ documentation. For more information have a look at: https://zope.readthedocs.io/en/latest/zopebook/ZPT.html specifically the chapter (10) on "Using Zope Page Templates" and the chapter (13) on "Advanced Page Templates". (Note the link above is for a newer version of Zope, so some of the info may not apply to version 2 of Zope which is used in roundup. The version 2 docs appear to not be available anymore.) But I just want a select/option list for .... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Really easy... edit ``html/issue.item.html``. For ``nosy``, change the line (around line 69) from:: <span tal:replace="structure context/nosy/field" /> to:: <span tal:replace="structure context/nosy/menu" /> For ``assigned to``, this is already done around line 77:: <td tal:content="structure context/assignedto/menu">assignedto menu</td> Great! But now the select/option list is too big ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ That is a little harder (but only a little ;^) Again, edit ``html/issue.item``. For nosy, change line (around line 69) from:: <span tal:replace="structure context/nosy/field" /> to:: <span tal:replace="structure python:context.nosy.menu(height=3)" /> for more information, go and read about Zope Page Templates. I want to link version identifiers from my messages to svn/mercurial/git ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ See: the LinkFormatingExample at: https://wiki.roundup-tracker.org/LinkFormattingExample?highlight=%28local%5C_replace%29 There are examples in the devel and responsive templates. Search for LocalReplace to find the extension file and the change that has to be made to the item template. I can see values in a multilink but not display the items ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Make sure that you have allowed the user to view the labelprop for the multilink class. Look for the setlabelprop explanation in the Roundup reference_ documentation. Using Roundup ------------- I got an error and I cannot reload it! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you're using Netscape/Mozilla, try holding shift and pressing reload. If you're using IE then install Mozilla and try again ;^) I keep getting logged out ~~~~~~~~~~~~~~~~~~~~~~~~~ Make sure that the ``tracker`` -> ``web`` setting in your tracker's config.ini is set to the URL of the tracker. I'm getting infinite redirects in the browser ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A wrong value for the ``tracker`` -> ``web`` setting may also result in infinite redirects, see https://issues.roundup-tracker.org/issue2537286 How is sorting performed, and why does it seem to fail sometimes? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When we sort items in the hyperdb, we use one of a number of methods, depending on the properties being sorted on: 1. If it's a String, Integer, Number, Date or Interval property, we just sort the scalar value of the property. Strings are sorted case-sensitively. 2. If it's a Link property, we sort by either the linked item's "order" property (if it has one) or the linked item's "id". 3. Mulitlinks sort similar to #2, but we start with the first Multilink list item, and if they're the same, we sort by the second item, and so on. Note that if an "order" property is defined on a Class that is used for sorting, all items of that Class *must* have a value against the "order" property, or sorting will result in random ordering. How do I filter roundup emails? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When roundup emails users, it provides an email header:: X-Roundup-(class)-(property): values for every property that is a link or multilink (usually things set by a dropdown or selection in the web interface). For example, assume you have a category field for issues in your tracker. You respond to issues that fall into the catagories: Network and Security. You will see headers like: X-Roundup-issue-category: Network or X-Roundup-issue-category: Network, Security, Linux Then you can set up a filter looking for X-Roundup-issue-category followed by Network or Security in your mail program. Also for newer (post version 1.6.X) releases there is also a header: X-Roundup-issue-Id: 22 for messages from issue22. Directions on using your mail program are beyond the scope of this FAQ entry. (If you don't see a header for a multilink or link property, look for msg_header_property in the roundup docs. In some cases you have to explicitly enable the header.) .. _`reference`: reference.html