2009-03-08T00:00:52  <ThomasWaldmann> then don't do it :)
2009-03-08T00:01:15  *** grzywacz has quit IRC
2009-03-08T00:02:20  <dreimark> sure. but why not just disable the password change form for auth = [HTTPAuth(autocreate=True)] on all places
2009-03-08T00:07:41  <ThomasWaldmann> because the user profile code does not know which auth method another user will use
2009-03-08T00:07:57  *** dimazest has joined #moin-dev
2009-03-08T00:08:04  <dreimark> seems I don't understand this part
2009-03-08T00:08:36  <dreimark> how can he do this? if auth = is given in wikiconfig?
2009-03-08T00:09:06  <ThomasWaldmann> (of course, if there is only one, we could check that, but what if you have multiple ones? that's pointless.)
2009-03-08T00:09:38  <ThomasWaldmann> btw, use GivenAuth
2009-03-08T00:09:45  <dreimark> ok
2009-03-08T00:11:04  <dreimark> http_auth can cause another session problem if you close the browser before you switched back to your account
2009-03-08T00:11:42  <dreimark> then a new login returns to the one you have su before
2009-03-08T00:12:05  <dreimark> (I am not sure if this is new)
2009-03-08T00:12:10  <ThomasWaldmann> is the new login a superuser?
2009-03-08T00:12:18  <dreimark> yes
2009-03-08T00:12:26  <ThomasWaldmann> then it is legitimate
2009-03-08T00:12:31  <dreimark> yes
2009-03-08T00:12:50  <dreimark> the only problem is that it is not indicated, we should do this later
2009-03-08T00:13:21  <ThomasWaldmann> but reusing same session for another user should get fixed
2009-03-08T00:14:27  <dreimark> it is also if the new login is not a superuser
2009-03-08T00:14:49  <dreimark> I guess that becomes fixed then too
2009-03-08T00:19:55  <dreimark> again, I think multiple auth together with http_auth is not a good idea
2009-03-08T00:20:48  <dreimark> my feeling is that if one enables http_auth he doesn't want other backdoors
2009-03-08T00:22:48  <ThomasWaldmann> what you mean with http_auth is called GivenAuth now
2009-03-08T00:23:22  <ThomasWaldmann> and you get what you configure. if you just want GivenAuth, you don't configure anything else.
2009-03-08T00:23:45  <ThomasWaldmann> moin can now do http auth on its own, btw.
2009-03-08T00:24:15  *** dimazest_ has quit IRC
2009-03-08T00:24:28  <dreimark> I know, sorry I have not fixed the test wiki for the changes.
2009-03-08T00:24:43  <ThomasWaldmann> (which will use the password from the profile, btw)
2009-03-08T00:27:14  <dreimark> ok, I'll look at this tom. if the su user is able to change his own passwd
2009-03-08T00:30:37  <dreimark> ThomasWaldmann: have you seen my note about twikidraw too?
2009-03-08T00:31:28  <ThomasWaldmann> was a bit vague :)
2009-03-08T00:32:29  <dreimark> http://master19.moinmo.in/WikiSandBox the drawing is just not shown
2009-03-08T00:32:48  <dreimark> attachments tells both files are there
2009-03-08T00:33:52  <dreimark> it shows http://master19.moinmo.in/WikiSandBox?action=AttachFile&rename=mytest.tdraw&drawing=mytest
2009-03-08T00:34:09  <ThomasWaldmann> i need to convert that wiki to 1.9
2009-03-08T00:34:36  <dreimark> ah ok, maybe that's the reason that it also looks the same in my local wikis
2009-03-08T00:35:02  <ThomasWaldmann> use test19 and make a new drawing
2009-03-08T00:40:41  <dreimark> why always me. another problem it pushes me to a http://test19.moinmo.in/`�� page
2009-03-08T00:40:54  <dreimark> but the drawing is there
2009-03-08T00:41:45  <dreimark> http://test19.moinmo.in/%A0%02d%E0%5D%7F maybe it is icedtea
2009-03-08T00:44:37  <dreimark> good night
2009-03-08T01:01:57  <ThomasWaldmann> gn
2009-03-08T02:18:02  *** dimazest_ has joined #moin-dev
2009-03-08T02:35:32  *** dimazest has quit IRC
2009-03-08T02:42:08  *** dimazest has joined #moin-dev
2009-03-08T02:48:24  *** dimazest_ has quit IRC
2009-03-08T03:08:13  *** dimazest_ has joined #moin-dev
2009-03-08T03:24:57  *** dimazest has quit IRC
2009-03-08T03:52:18  *** dimazest has joined #moin-dev
2009-03-08T04:10:03  *** dimazest_ has quit IRC
2009-03-08T05:52:23  *** dimazest_ has joined #moin-dev
2009-03-08T06:09:29  *** dimazest has quit IRC
2009-03-08T06:36:33  *** dimazest has joined #moin-dev
2009-03-08T06:54:01  *** dimazest_ has quit IRC
2009-03-08T08:06:39  *** dimazest_ has joined #moin-dev
2009-03-08T08:24:08  *** dimazest has quit IRC
2009-03-08T08:32:44  *** dimazest has joined #moin-dev
2009-03-08T08:42:59  <dreimark> moin
2009-03-08T08:50:09  *** dimazest_ has quit IRC
2009-03-08T08:58:05  <dreimark> hmm in 1.9 in my http_auth environment wiki (with auth = [GivenAuth(autocreate=True)]) a user can't change a setting (General options) if he doesn't have an email address
2009-03-08T08:59:38  <dreimark> he first has to add an email address. once added you are not able to remove it
2009-03-08T09:00:27  <dreimark> you can replace it by a different one
2009-03-08T09:33:17  <dreimark> ThomasWaldmann: the session bug is easier to investigate with the standalone server
2009-03-08T09:33:44  <dreimark> sorry haven't seen that yesterday because I was only looking at http_auth
2009-03-08T10:02:49  *** dimazest_ has joined #moin-dev
2009-03-08T10:20:03  *** dimazest has quit IRC
2009-03-08T10:20:35  *** johill has joined #moin-dev
2009-03-08T10:46:16  *** grzywacz has joined #moin-dev
2009-03-08T10:51:09  *** dimazest has joined #moin-dev
2009-03-08T11:07:27  *** dimazest_ has quit IRC
2009-03-08T11:43:16  <ThomasWaldmann> moin
2009-03-08T11:44:19  <ThomasWaldmann> johill: welcome back :)
2009-03-08T11:44:43  <johill> heh
2009-03-08T11:44:55  <johill> tbh, that was unintended, my server was rebooted and irssi remembered my wrong channels ;)
2009-03-08T12:03:14  <dreimark> heh
2009-03-08T12:03:30  <dreimark> don't change that config
2009-03-08T12:23:26  <ThomasWaldmann> dreimark: yes, i can reproduce the stored session files problem. but only 1 file per request
2009-03-08T12:26:26  * dreimark will try a ram disk later, I guess that can be a timing lag
2009-03-08T12:55:52  <dreimark> bbl
2009-03-08T13:02:03  <johill> looks like someone has discovered my moin server and is creating bogus accounts
2009-03-08T13:15:26  <ThomasWaldmann> textchas?
2009-03-08T13:19:55  *** |mmk[null]| has joined #moin-dev
2009-03-08T13:26:31  <johill> are not enabled right now
2009-03-08T13:47:45  <johill> can I enable them only for signup?
2009-03-08T13:50:12  <ThomasWaldmann> no
2009-03-08T13:51:02  <ThomasWaldmann> and that might be of limited effectiveness
2009-03-08T14:04:28  <johill> in theory
2009-03-08T14:40:40  <dennda> o/ johill
2009-03-08T15:12:33  <dreimark> re
2009-03-08T16:31:14  *** dimazest_ has joined #moin-dev
2009-03-08T16:47:05  *** dimazest has quit IRC
2009-03-08T16:57:59  <CIA-38> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 4637:ff5be6bb7a49 1.9/MoinMoin/web/session.py: only save session data if we also have a cookie establishing a session
2009-03-08T17:07:22  <ThomasWaldmann> dreimark: ^^
2009-03-08T17:45:20  *** dimazest has joined #moin-dev
2009-03-08T18:01:45  *** dimazest_ has quit IRC
2009-03-08T18:08:13  <dreimark> yeah
2009-03-08T18:11:25  *** dimazest_ has joined #moin-dev
2009-03-08T18:13:41  <dreimark> ThomasWaldmann: is that http://moinmo.in/MoinMoinBugs/1.9_remote_auth_should_never_allow_password_change patch ok?
2009-03-08T18:17:04  <ThomasWaldmann> i am currently debugging the suid stuff
2009-03-08T18:23:22  *** |mmk[null]| has quit IRC
2009-03-08T18:23:26  <CIA-38> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 4638:7bc4d1571f8f 1.9/MoinMoin/ (auth/__init__.py userprefs/suid.py): suid: simplify and fix, bigger selection box
2009-03-08T18:24:23  <ThomasWaldmann> dreimark: no
2009-03-08T18:27:25  *** dimazest has quit IRC
2009-03-08T19:32:49  *** Noya has joined #moin-dev
2009-03-08T20:31:27  *** Noya has quit IRC
2009-03-08T21:25:30  *** dimazest has joined #moin-dev
2009-03-08T21:42:52  *** dimazest_ has quit IRC
2009-03-08T21:47:42  <ThomasWaldmann> mitsuhiko recommends using SecureCookie instead of sessions for what we do.
2009-03-08T21:47:49  <ThomasWaldmann> comments?
2009-03-08T21:48:10  <TheSheep> cookies have a limit on data size
2009-03-08T21:48:15  <TheSheep> 4k I think
2009-03-08T21:50:35  <ThomasWaldmann> the biggest thing we store (iirc) is the trail
2009-03-08T21:50:47  <ThomasWaldmann> could be in a separate cookie
2009-03-08T21:52:06  <johill> openid stuff is large
2009-03-08T21:52:14  <johill> or can be
2009-03-08T21:56:05  <ThomasWaldmann> larger than few KB?
2009-03-08T21:58:36  <waldi> johill: which openid stuff?
2009-03-08T21:59:51  <waldi> openid itself does not use cookies at all
2009-03-08T22:02:29  <TheSheep> waldi: moin has to store some auth info per user
2009-03-08T22:09:52  <waldi> 4 things, three uri and one key. the key must be secure
2009-03-08T22:11:55  <waldi> deflate/base64 is an often-used variant
2009-03-08T22:12:44  <ThomasWaldmann> werkzeug.contrib.securecookie looks ok, afaics
2009-03-08T22:13:12  <ThomasWaldmann> at least it avoids tampering with the cookie content
2009-03-08T22:14:09  <waldi> it is not secure
2009-03-08T22:14:17  <waldi> hmac is no encryption
2009-03-08T22:14:28  <ThomasWaldmann> contents will be readable at the client
2009-03-08T22:15:13  <ThomasWaldmann> so, do we have anything that must not be readable by the client?
2009-03-08T22:15:18  <waldi> openid key
2009-03-08T22:16:52  <ThomasWaldmann> btw, if the current session cookie gets stolen, i guess you can takeover the session anyway
2009-03-08T22:18:33  <dreimark> but that is only local; if you steal the openid key it is global, or?
2009-03-08T22:18:36  <ThomasWaldmann> waldi: is the openid key better than just having the complete cookie?
2009-03-08T22:20:33  <waldi> yes, it is used to secure the communication between the authenticator and the relying party and it may not expire
2009-03-08T22:22:49  <ThomasWaldmann> ok, that sounds like we want to keep it server-side :)
2009-03-08T22:25:12  <ThomasWaldmann> ok, that means we need sessions anyway, at least for such features
2009-03-08T22:26:50  <ThomasWaldmann> we could still think about moving trail from session to cookie, though
2009-03-08T22:28:35  <ThomasWaldmann> but I think that's less attractive if we need session storage anyway
2009-03-08T22:43:30  *** Noya has joined #moin-dev
2009-03-08T23:08:47  <dreimark> hi Noya
2009-03-08T23:09:42  <Noya> dreimark: hey
2009-03-08T23:20:00  <dreimark> do you also test 1.9?
2009-03-08T23:29:06  *** dimazest has quit IRC

MoinMoin: MoinMoinChat/Logs/moin-dev/2009-03-08 (last edited 2009-03-07 23:15:02 by IrcLogImporter)