2008-05-24T00:05:15  <ThomasWaldmann> johill: http://moinmo.in/MoinMoinBugs/AuthSessionShouldCheckUserName did you have a look at this?
2008-05-24T00:08:06  <dreimark> good night
2008-05-24T00:08:31  <ThomasWaldmann> gn dreimark
2008-05-24T00:24:02  <CIA-49> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 3639:776b338ccc2d 1.7/docs/CHANGES: updated CHANGES
2008-05-24T09:23:57  <ThomasWaldmann> moin
2008-05-24T12:21:47  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 30:f28165322ad3 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: reject access to unknown cache files
2008-05-24T12:21:47  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 31:b9bc86ad2445 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: removed various definitions of msg = None parameter
2008-05-24T12:21:48  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 32:03db81d282ce 1.7-extensions/data/plugin/ (action/arnica_slides.py parser/text_x_arnica.py): added for VS mode a list of images by a new image form element (target should be used only for the current image)
2008-05-24T12:21:50  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 33:e8b445ed922d 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: use list instead of or
2008-05-24T12:21:53  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 34:864fba4e90f3 1.7-extensions/data/plugin/parser/text_x_arnica.py: text_x_arnica: fixed VS mode in tools_html
2008-05-24T12:21:56  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 35:f8e8abce7208 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: small refactoring (renaming parameter)
2008-05-24T12:21:59  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 36:3f042c1e2509 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: image_rotate refactored to a function
2008-05-24T12:22:04  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 37:ad1d433589e4 1.7-extensions/data/plugin/ (action/arnica_slides.py parser/text_x_arnica.py): moved test for PIL to a better place
2008-05-24T12:22:07  <CIA-49> Reimar Bauer <rb.proj AT googlemail DOT com> default * 38:e6bd98eea9f5 1.7-extensions/data/plugin/action/arnica_slides.py: arnica_slides: some comments added
2008-05-24T13:04:31  <dreimark> bbl
2008-05-24T14:18:15  <ThomasWaldmann> TheSheep: could you have a look at the stuff you fixed for modern (see 1.7 changesets c02522af6533 and 2b577967030b ) for the other builtin themes as well?
2008-05-24T14:24:34  <TheSheep> ThomasWaldmann: ok
2008-05-24T14:24:53  <ThomasWaldmann> thanks :)
2008-05-24T14:25:17  * ThomasWaldmann plans to make rc2 today evening or tomorrow
2008-05-24T14:30:01  <ThomasWaldmann> gizmo__: btw, did you manage to get moin to talk to ldap now?
2008-05-24T14:30:39  <ThomasWaldmann> (== use ldap for user authentication)
2008-05-24T14:31:11  <ThomasWaldmann> dreimark: or you?
2008-05-24T14:35:54  <dreimark> ThomasWaldmann: we both did
2008-05-24T14:36:21  <dreimark> that was the reason i do found that stored ldap password thing
2008-05-24T14:36:29  <dreimark> (had)
2008-05-24T14:37:50  <ThomasWaldmann> did you also test multiple ldap authenticators?
2008-05-24T14:38:08  <ThomasWaldmann> (for both use cases?)
2008-05-24T14:40:47  <ThomasWaldmann> dreimark:
2008-05-24T14:41:03  <dreimark> no I don't have two ldap services
2008-05-24T14:41:39  <dreimark> ThomasWaldmann:
2008-05-24T14:41:42  <ThomasWaldmann> (i guess a second one could just run on another port)
2008-05-24T14:42:32  <ThomasWaldmann> maybe you don't even need a 2nd ldap authenticator, just another auth object, could be the moin_login auth
2008-05-24T14:43:04  <ThomasWaldmann> there are 2 use cases, but I am not sure that stuff works with the current code and configurability:
2008-05-24T14:43:35  <ThomasWaldmann> 1. having a 2nd ldap server mirroring the 1st one, so if the first one fails, it uses the 2nd one
2008-05-24T14:43:40  <dreimark> I tried that already: ldap + moin_auth. Only ldap is used then.
2008-05-24T14:44:03  <dreimark> if I remove ldap the moin_auth user can login again
2008-05-24T14:44:09  <dreimark> and currently i do prefer this
2008-05-24T14:44:24  <ThomasWaldmann> this can be simulated by [LDAPAuth(..), MoinAuth()]
2008-05-24T14:44:28  <dreimark> because otherwise all previous "ldap" users do have two accounts
2008-05-24T14:44:39  <ThomasWaldmann> and just switching off the ldap server
2008-05-24T14:44:54  <ThomasWaldmann> what happens then is the question...
2008-05-24T14:45:22  <dreimark> tried this too, last time it responded that it can't login because no ldap server is reachable
2008-05-24T14:46:31  <ThomasWaldmann> there should be some means to have it use the next auth method (which could be another ldap server or anything else)
2008-05-24T14:47:13  <dreimark> we can't do that currently with ldap otherwise we have a problem with auto created ldap users
2008-05-24T14:47:22  <ThomasWaldmann> 2. the 2nd use case is to have ldap servers with different content (e.g. one per department)
2008-05-24T14:47:54  <ThomasWaldmann> so it should first ask the 1st and then ask the 2nd
2008-05-24T14:48:53  <ThomasWaldmann> what problem?
2008-05-24T14:49:27  <dreimark> if the second auth in the list is MoinAuth() and you kill or block the ldap server
2008-05-24T14:49:46  <dreimark> everyone can log in with an auto created ldap user name
2008-05-24T14:50:01  <ThomasWaldmann> that has to get fixed anyway :)
2008-05-24T14:50:02  <dreimark> of xours if we change the current behaviour)
2008-05-24T14:50:16  <dreimark> s/xours/course/
2008-05-24T14:53:06  <ThomasWaldmann> can you add your findings to http://moinmo.in/FeatureRequests/LdapMultipleAuth page?
2008-05-24T14:53:29  <ThomasWaldmann> and if that groups stuff is in the way, it should be split off to another feature request
2008-05-24T14:54:42  <dreimark> killing the slapd process and auth = [ldap_authenticator1, authmodule.MoinLogin()]
2008-05-24T14:55:13  <dreimark> gives no error msg and no login
2008-05-24T14:56:49  <ThomasWaldmann> that might be because the current ldap stuff is hardcoded to be authoritative. if it tells no, the no is final.
2008-05-24T14:57:57  <ThomasWaldmann> that could be just another param to the constructor
2008-05-24T14:58:42  <dreimark> I don't know how many changes in the auth module have to be done to get this problem fixed
2008-05-24T15:00:10  * dreimark comments on that page
2008-05-24T15:00:37  <ThomasWaldmann> i didn't try yet, but I think it should be easy. It is just about the value of that "continue" flag that is returned.
2008-05-24T15:01:07  <dreimark> I meant the security problem that is caused by this change
2008-05-24T15:01:49  <ThomasWaldmann> what happens if you just remove that {SHA}NotStored stuff?
2008-05-24T15:02:44  <ThomasWaldmann> and why does it still accept SHA "hashes"?
2008-05-24T15:02:57  <ThomasWaldmann> btw, is there already a bug report about that?
2008-05-24T15:04:23  <dreimark> no only mail, and irc talk, will add one too
2008-05-24T15:04:59  <dreimark> johill: ping
2008-05-24T15:06:11  <dreimark> I think johill found it already
2008-05-24T15:11:09  <ThomasWaldmann> brb
2008-05-24T15:13:10  <dreimark> removing the password can be a solution but I'm not sure
2008-05-24T15:27:13  <ThomasWaldmann> well, either it is, or some other auth methods share this problem
2008-05-24T15:28:11  <dreimark> well there is some related stuff
2008-05-24T15:28:29  <dreimark> e.g. if it is empty you can send an email with a valid ticket ...
2008-05-24T15:29:02  <dreimark> (I'm not sure about that but I think that is not protected)
2008-05-24T15:29:52  <dreimark> http://moinmo.in/MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles
2008-05-24T15:30:57  <ThomasWaldmann> it's not a dummy password, but password hash
2008-05-24T15:31:51  <dreimark> I don't want to write the password at that place
2008-05-24T15:32:08  <dreimark> and it is not a hash
2008-05-24T15:35:46  <ThomasWaldmann> it starts with {SHA} so it is an (invalid) SHA hash
2008-05-24T15:36:01  <ThomasWaldmann> "Currently it is not possible to use ldap_auth and moin_auth together."
2008-05-24T15:36:08  <ThomasWaldmann> sure it is
2008-05-24T15:36:23  <dreimark> not here
2008-05-24T15:36:29  <dreimark> I can only login with ldap users
2008-05-24T15:36:36  <ThomasWaldmann> but then you will have that issue
2008-05-24T15:36:58  <ThomasWaldmann> ok, it is because ldap is authoritative, but that is unrelated to this bug.
2008-05-24T15:37:06  <dreimark> right
2008-05-24T15:38:19  <dreimark> as I discussed with johill some days ago you do want to know from which auth a userprofile was created
2008-05-24T15:41:34  <ThomasWaldmann> clarified it
2008-05-24T15:41:47  <ThomasWaldmann> (the bug)
2008-05-24T15:44:05  <dreimark> ok
2008-05-24T15:46:28  * dreimark hopes noone has done this hack already
2008-05-24T15:49:38  <ThomasWaldmann> i guess if someone switches off a company ldap server, that would get noticed rather fast :)
2008-05-24T15:50:45  <ThomasWaldmann> hmm, no, that wouldn't work anyway.
2008-05-24T15:51:40  <dreimark> currently noone can login, was one of the first tests I did.
2008-05-24T15:54:02  <ThomasWaldmann> so there is no hack. someone with access to the moin configuration can do more evil hacks anyway.
2008-05-24T15:54:27  <dreimark> yeah
2008-05-24T15:55:17  <dreimark> gizmo__: see http://moinmo.in/MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles
2008-05-24T15:56:24  <ThomasWaldmann> btw, that ldap server simulation I talked about with melita would be nice to be able to test such stuff without having a real ldap setup.
2008-05-24T16:05:53  <dreimark> seems I missed that, however I do prefer a simulated ldap server too. While we currently try to standardize deployment with wsgi, which makes testing a bit easier, we do expand the auth and group stuff, which makes it again complicated to test each setup
2008-05-24T16:13:06  <dreimark> bbl
2008-05-24T19:33:56  <johill> pong
2008-05-24T19:51:02  <kikka> Huhu
2008-05-24T20:20:40  <ThomasWaldmann> re
2008-05-24T20:21:09  <johill> ThomasWaldmann: yeah I looked but didn't have an idea immediately
2008-05-24T20:21:48  <johill> it's not very clear how to do that in 1.6, nor how to in 1.7
2008-05-24T20:22:27  <johill> the auth framework isn't too suited to external logouts
2008-05-24T20:22:31  <johill> (like this is)
2008-05-24T20:22:40  <ThomasWaldmann> well, if the session code gets a username from auth methods, it maybe should not create a session for another username
2008-05-24T20:23:21  <johill> but I think the auth isn't even invoked when you don't hit the login/logout links
2008-05-24T20:24:09  <johill> dreimark: strictly speaking, a csv file with empty lines isn't a valid csv file ;) but yeah, I guess we want that patch
2008-05-24T20:24:50  <ThomasWaldmann> johill: if there is no username from auth, it of course keeps the session
2008-05-24T20:25:25  <johill> I don't think there even is a concept of 'username from auth'
2008-05-24T20:25:29  <johill> in a regular request
2008-05-24T20:25:29  <ThomasWaldmann> but if an auth method that is invoked anyway (like http) gives a username with every request, it could react when it gets an unexpected username
2008-05-24T20:25:48  <johill> I need to check the request code
2008-05-24T20:27:08  <johill> ok it looks like auth is invoked all the time
2008-05-24T20:27:13  <johill> I guess it has to anyway
2008-05-24T20:27:31  <johill> yeah I agree, http auth should fix it up, not the session code
2008-05-24T20:28:40  <ThomasWaldmann> that's not what i meant
2008-05-24T20:28:56  <johill> what did you mean then?
2008-05-24T20:29:12  <johill> the http auth should invalidate it, no?
2008-05-24T20:29:31  <johill> in fact, in 1.7 it does as far as I can tell
2008-05-24T20:30:06  <ThomasWaldmann> auth happens before session, right?
2008-05-24T20:30:14  <johill> in 1.6, yes
2008-05-24T20:30:16  <johill> in 1.7, no
2008-05-24T20:30:54  <johill> well actually
2008-05-24T20:30:57  <johill> in 1.6 you configure it
2008-05-24T20:31:06  <ThomasWaldmann> ok, then i have to look at 1.7 :)
2008-05-24T20:31:25  <johill> maybe he can just configure [moin_session, http] but I'm not sure that works quite right
2008-05-24T20:31:29  <johill> probably not
2008-05-24T20:31:52  <johill> well in 1.7 you have
2008-05-24T20:31:57  <johill> session.start() (before auth)
2008-05-24T20:32:04  <johill> session.after_auth() (after auth)
2008-05-24T20:32:09  <johill> session.finish() (after request)
2008-05-24T20:32:32  <johill> in 1.6 it's still mashed up into the auth framework which makes this really difficult
2008-05-24T20:32:39  <johill> hence, I think 1.7 doesn't have this problem
2008-05-24T20:32:56  <johill> it loads the session in start(), lets auth verify it and then kills it in after_auth() if necessary
2008-05-24T20:35:39  <johill> I suppose in 1.6 the if cookie_valid part could verify against the user object
2008-05-24T20:35:45  <dennda> johill: I can recommend that talk I pointed you at the other day
2008-05-24T20:35:49  <johill> no, it cannot
2008-05-24T20:35:51  <dennda> Just watched it entirely
2008-05-24T20:36:03  <johill> dennda: cool. got the url again?
2008-05-24T20:36:12  <dennda> http://video.google.com/videoplay?docid=-3733345136856180693
2008-05-24T20:36:16  <johill> it cannot verify the user object because it doesn't get one!
2008-05-24T20:36:20  <johill> dennda: thanks
2008-05-24T20:36:39  <dennda> "When in doubt, leave it out"
2008-05-24T20:37:00  <johill> :)
2008-05-24T20:37:45  <johill> ThomasWaldmann: the crux of the matter is that the session cannot know that http auth re-checks every request
2008-05-24T20:38:02  <johill> ThomasWaldmann: in 1.7, that isn't a problem because the session is loaded before auth (start) and the http auth can kick it out
2008-05-24T20:38:12  <johill> but in 1.6, the whole session code runs afterwards
2008-05-24T20:38:19  <johill> I think the only sensible fix for the bug is 'upgrade'
2008-05-24T20:42:04  <ThomasWaldmann> if it is fixed in 1,7 :)
2008-05-24T20:44:03  <johill> I'm pretty sure it is, but I can't really test easily
2008-05-24T20:44:37  <johill>         if user_obj and user_obj.valid:
2008-05-24T20:44:37  <johill>             if 'user.id' in session and session['user.id'] != user_obj.id:
2008-05-24T20:44:37  <johill>                 session.delete()
2008-05-24T20:44:46  <johill> (moin 1.7 session.py, after_auth())
2008-05-24T20:45:17  <johill>         else:
2008-05-24T20:45:17  <johill>             if 'user.id' in session:
2008-05-24T20:45:17  <johill>                 session.delete()
2008-05-24T20:45:20  <dennda> oh my gosh. py.test is so much better than junit
2008-05-24T20:45:21  <johill> (which probably hits in this case)
2008-05-24T21:09:13  * ThomasWaldmann does some xapian debugging
2008-05-24T21:10:58  <johill> again? :)
2008-05-24T21:16:48  <ThomasWaldmann> :P
2008-05-24T23:18:29  <CIA-49> Thomas Waldmann <tw AT waldmann-edv DOT de> default * 3640:e54b2e843990 1.7/MoinMoin/search/Xapian.py: Xapian indexing: remove crappy num regex from WikiAnalyzer

MoinMoin: MoinMoinChat/Logs/moin-dev/2008-05-24 (last edited 2008-05-23 22:15:02 by IrcLogImporter)