2009-03-08T00:00:52 <ThomasWaldmann> then don't do it :)
2009-03-08T00:01:15 *** grzywacz has quit IRC
2009-03-08T00:02:20 <dreimark> sure. but why not just disable the password change form for auth = [HTTPAuth(autocreate=True)] in all places
2009-03-08T00:07:41 <ThomasWaldmann> because the user profile code does not know which auth method another user will use
2009-03-08T00:07:57 *** dimazest has joined #moin-dev
2009-03-08T00:08:04 <dreimark> seems I don't understand this part
2009-03-08T00:08:36 <dreimark> how can he do this if auth = is given in wikiconfig?
2009-03-08T00:09:06 <ThomasWaldmann> (of course, if there is only one, we could check that, but what if you have multiple ones? that's pointless.)
2009-03-08T00:09:38 <ThomasWaldmann> btw, use GivenAuth
2009-03-08T00:09:45 <dreimark> ok
2009-03-08T00:11:04 <dreimark> http_auth can cause another session problem if you close the browser before you switched back to your account
2009-03-08T00:11:42 <dreimark> then a new login returns to the one you su'd to before
2009-03-08T00:12:05 <dreimark> (I am not sure if this is new)
2009-03-08T00:12:10 <ThomasWaldmann> is the new login a superuser?
2009-03-08T00:12:18 <dreimark> yes
2009-03-08T00:12:26 <ThomasWaldmann> then it is legitimate
2009-03-08T00:12:31 <dreimark> yes
2009-03-08T00:12:50 <dreimark> the only problem is that it is not indicated, we should do this later
2009-03-08T00:13:21 <ThomasWaldmann> but reusing same session for another user should get fixed
2009-03-08T00:14:27 <dreimark> it also happens if the new login is not a superuser
2009-03-08T00:14:49 <dreimark> I guess that becomes fixed then too
2009-03-08T00:19:55 <dreimark> again, I think multiple auth together with http_auth is not a good idea
2009-03-08T00:20:48 <dreimark> my feeling is that if one enables http_auth he doesn't want other backdoors
2009-03-08T00:22:48 <ThomasWaldmann> what you mean with http_auth is called GivenAuth now
2009-03-08T00:23:22 <ThomasWaldmann> and you get what you configure. if you just want GivenAuth, you don't configure anything else.
2009-03-08T00:23:45 <ThomasWaldmann> moin can now do http auth on its own, btw.
2009-03-08T00:24:15 *** dimazest_ has quit IRC
2009-03-08T00:24:28 <dreimark> I know, sorry I have not fixed the test wiki for the changes.
2009-03-08T00:24:43 <ThomasWaldmann> (which will use the password from the profile, btw)
2009-03-08T00:27:14 <dreimark> ok, I'll look at this tomorrow, whether the su user is able to change his own passwd
2009-03-08T00:30:37 <dreimark> ThomasWaldmann: have you seen my note about twikidraw too?
2009-03-08T00:31:28 <ThomasWaldmann> was a bit vague :)
2009-03-08T00:32:29 <dreimark> http://master19.moinmo.in/WikiSandBox the drawing is just not shown
2009-03-08T00:32:48 <dreimark> attachments says both files are there
2009-03-08T00:33:52 <dreimark> it shows http://master19.moinmo.in/WikiSandBox?action=AttachFile&rename=mytest.tdraw&drawing=mytest
2009-03-08T00:34:09 <ThomasWaldmann> i need to convert that wiki to 1.9
2009-03-08T00:34:36 <dreimark> ah ok, maybe that's the reason that it also looks the same in my local wikis
2009-03-08T00:35:02 <ThomasWaldmann> use test19 and make a new drawing
2009-03-08T00:40:41 <dreimark> why always me. another problem: it pushes me to a http://test19.moinmo.in/`�� page
2009-03-08T00:40:54 <dreimark> but the drawing is there
2009-03-08T00:41:45 <dreimark> http://test19.moinmo.in/%A0%02d%E0%5D%7F maybe it is icedtea
2009-03-08T00:44:37 <dreimark> good night
2009-03-08T01:01:57 <ThomasWaldmann> gn
2009-03-08T02:18:02 *** dimazest_ has joined #moin-dev
2009-03-08T02:35:32 *** dimazest has quit IRC
2009-03-08T02:42:08 *** dimazest has joined #moin-dev
2009-03-08T02:48:24 *** dimazest_ has quit IRC
2009-03-08T03:08:13 *** dimazest_ has joined #moin-dev
2009-03-08T03:24:57 *** dimazest has quit IRC
2009-03-08T03:52:18 *** dimazest has joined #moin-dev
2009-03-08T04:10:03 *** dimazest_ has quit IRC
2009-03-08T05:52:23 *** dimazest_ has joined #moin-dev
2009-03-08T06:09:29 *** dimazest has quit IRC
2009-03-08T06:36:33 *** dimazest has joined #moin-dev
2009-03-08T06:54:01 *** dimazest_ has quit IRC
2009-03-08T08:06:39 *** dimazest_ has joined #moin-dev
2009-03-08T08:24:08 *** dimazest has quit IRC
2009-03-08T08:32:44 *** dimazest has joined #moin-dev
2009-03-08T08:42:59 <dreimark> moin
2009-03-08T08:50:09 *** dimazest_ has quit IRC
2009-03-08T08:58:05 <dreimark> hmm in 1.9 in my http_auth environment wiki (with auth = [GivenAuth(autocreate=True)]) a user can't change a setting (General options) if he doesn't have an email address
2009-03-08T08:59:38 <dreimark> he first has to add an email address. once added, you are not able to remove it
2009-03-08T09:00:27 <dreimark> you can replace it by a different one
2009-03-08T09:33:17 <dreimark> ThomasWaldmann: the session bug is easier to investigate with the standalone server
2009-03-08T09:33:44 <dreimark> sorry haven't seen that yesterday because I was only looking at http_auth
2009-03-08T10:02:49 *** dimazest_ has joined #moin-dev
2009-03-08T10:20:03 *** dimazest has quit IRC
2009-03-08T10:20:35 *** johill has joined #moin-dev
2009-03-08T10:46:16 *** grzywacz has joined #moin-dev
2009-03-08T10:51:09 *** dimazest has joined #moin-dev
2009-03-08T11:07:27 *** dimazest_ has quit IRC
2009-03-08T11:43:16 <ThomasWaldmann> moin
2009-03-08T11:44:19 <ThomasWaldmann> johill: welcome back :)
2009-03-08T11:44:43 <johill> heh
2009-03-08T11:44:55 <johill> tbh, that was unintended, my server was rebooted and irssi remembered my wrong channels ;)
2009-03-08T12:03:14 <dreimark> heh
2009-03-08T12:03:30 <dreimark> don't change that config
2009-03-08T12:23:26 <ThomasWaldmann> dreimark: yes, i can reproduce the stored session files problem. but only 1 file per request
2009-03-08T12:26:26 * dreimark will try a ram disk later, I guess that can be a timing lag
2009-03-08T12:55:52 <dreimark> bbl
2009-03-08T13:02:03 <johill> looks like someone has discovered my moin server and is creating bogus accounts
2009-03-08T13:15:26 <ThomasWaldmann> textchas?
2009-03-08T13:19:55 *** |mmk[null]| has joined #moin-dev
2009-03-08T13:26:31 <johill> are not enabled right now
2009-03-08T13:47:45 <johill> can I enable them only for signup?
2009-03-08T13:50:12 <ThomasWaldmann> no
2009-03-08T13:51:02 <ThomasWaldmann> and that might be of limited effectiveness
2009-03-08T14:04:28 <johill> in theory
2009-03-08T14:40:40 <dennda> o/ johill
2009-03-08T15:12:33 <dreimark> re
2009-03-08T16:31:14 *** dimazest_ has joined #moin-dev
2009-03-08T16:47:05 *** dimazest has quit IRC
2009-03-08T16:57:59 <CIA-38> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 4637:ff5be6bb7a49 1.9/MoinMoin/web/session.py: only save session data if we also have a cookie establishing a session
2009-03-08T17:07:22 <ThomasWaldmann> dreimark: ^^
2009-03-08T17:45:20 *** dimazest has joined #moin-dev
2009-03-08T18:01:45 *** dimazest_ has quit IRC
2009-03-08T18:08:13 <dreimark> yeah
2009-03-08T18:11:25 *** dimazest_ has joined #moin-dev
2009-03-08T18:13:41 <dreimark> ThomasWaldmann: is that http://moinmo.in/MoinMoinBugs/1.9_remote_auth_should_never_allow_password_change patch ok ?
2009-03-08T18:17:04 <ThomasWaldmann> i am currently debugging the suid stuff
2009-03-08T18:23:22 *** |mmk[null]| has quit IRC
2009-03-08T18:23:26 <CIA-38> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 4638:7bc4d1571f8f 1.9/MoinMoin/ (auth/__init__.py userprefs/suid.py): suid: simplify and fix, bigger selection box
2009-03-08T18:24:23 <ThomasWaldmann> dreimark: no
2009-03-08T18:27:25 *** dimazest has quit IRC
2009-03-08T19:32:49 *** Noya has joined #moin-dev
2009-03-08T20:31:27 *** Noya has quit IRC
2009-03-08T21:25:30 *** dimazest has joined #moin-dev
2009-03-08T21:42:52 *** dimazest_ has quit IRC
2009-03-08T21:47:42 <ThomasWaldmann> mitsuhiko recommends using SecureCookie instead of sessions for what we do.
2009-03-08T21:47:49 <ThomasWaldmann> comments?
2009-03-08T21:48:10 <TheSheep> cookies have a limit on data size
2009-03-08T21:48:15 <TheSheep> 4k I think
2009-03-08T21:50:35 <ThomasWaldmann> the biggest thing we store (iirc) is the trail
2009-03-08T21:50:47 <ThomasWaldmann> could be in a separate cookie
2009-03-08T21:52:06 <johill> openid stuff is large
2009-03-08T21:52:14 <johill> or can be
2009-03-08T21:56:05 <ThomasWaldmann> larger than a few KB?
2009-03-08T21:58:36 <waldi> johill: which openid stuff?
2009-03-08T21:59:51 <waldi> openid themself does not use cookies at all
2009-03-08T22:02:29 <TheSheep> waldi: moin has to store some auth info per user
2009-03-08T22:09:52 <waldi> 4 things, three URIs and one key. the key must be secure
2009-03-08T22:11:55 <waldi> deflate/base64 is an often-used variant
2009-03-08T22:12:44 <ThomasWaldmann> werkzeug.contrib.securecookie looks ok, afaics
2009-03-08T22:13:12 <ThomasWaldmann> at least it avoids tampering with the cookie content
2009-03-08T22:14:09 <waldi> it is not secure
2009-03-08T22:14:17 <waldi> hmac is no encryption
2009-03-08T22:14:28 <ThomasWaldmann> contents will be readable at the client
2009-03-08T22:15:13 <ThomasWaldmann> so, do we have anything, that must not be readable by the client?
2009-03-08T22:15:18 <waldi> openid key
2009-03-08T22:16:52 <ThomasWaldmann> btw, if the current session cookie gets stolen, i guess you can takeover the session anyway
2009-03-08T22:18:33 <dreimark> but that is only local; if you steal the openid key it is global, or?
2009-03-08T22:18:36 <ThomasWaldmann> waldi: is the openid key better than just having the complete cookie?
2009-03-08T22:20:33 <waldi> yes, it is used to secure the communication between the authenticator and the relying party and it may not expire
2009-03-08T22:22:49 <ThomasWaldmann> ok, that sounds like we want to keep it server-side :)
2009-03-08T22:25:12 <ThomasWaldmann> ok, that means we need sessions anyway, at least for such features
2009-03-08T22:26:50 <ThomasWaldmann> we could still think about moving trail from session to cookie, though
2009-03-08T22:28:35 <ThomasWaldmann> but I think that's less attractive if we need session storage anyway
2009-03-08T22:43:30 *** Noya has joined #moin-dev
2009-03-08T23:08:47 <dreimark> hi Noya
2009-03-08T23:09:42 <Noya> dreimark: hey
2009-03-08T23:20:00 <dreimark> do you also test 1.9 ?
2009-03-08T23:29:06 *** dimazest has quit IRC
MoinMoin: MoinMoinChat/Logs/moin-dev/2009-03-08 (last edited 2009-03-07 23:15:02 by IrcLogImporter)