The EmailActivation Plugin
Here is the readme file:
The EmailActivation MoinMoin Plugin
===================================

Overview of what it does
------------------------

This plugin alters the way new accounts are created by the UserPreferences page. Newly created accounts are initially disabled and must be enabled via a special URL. The URL is emailed to the address entered when the account was created. Once the account has been activated the user is sent a second email inviting them to log in.

A MoinMoin superuser can view all unactivated accounts and activate or cancel them. If the account isn't activated within one week it will expire and be cancelled. Cancelling an unactivated account deletes it, thus freeing the account name and email address for re-use. An unactivated account can also be cancelled via the emailed URL.

This default install can be customised in several ways by providing a single function in the wiki configuration script. The details of how to do this are described below.

The most useful thing to change is who gets the email. Typical usage is to allow people you trust to activate themselves, forwarding the rest on to the wiki administrator. Example: you might choose to let people who entered an email address from your company activate themselves, but require you to authorise the rest.

The plugin was developed and tested with MoinMoin 1.5.6. It was altered to work with 1.5.8. It is moderately intrusive and so may not work with other versions.


Installation
------------

To install:

    tar xpfz emailActivation-plugin-VERSION.tar.gz
    cp -a emailActivation-plugin-VERSION/* /var/www/mywiki

Replace /var/www/mywiki with the installation directory of your wiki.

To be safe it is wise to uninstall the previous version before installing a new one. To uninstall the plugin just remove the files and directories created by the tar install file.

Upgrading from version 1.0.x: this upgrade is not backward compatible. To upgrade, cancel all unactivated accounts before upgrading, and be sure to do an uninstall first!

Since this plugin relies on email, ensure you have defined the 'mail_smarthost' parameter in the wiki configuration. See HelpOnConfiguration for more information on how to do that.


Customisation
-------------

It is a good idea to change the UserPreferences page to say what will happen when the user creates the account. The default one says they will be able to use the account as soon as it is created. That won't be the case after you install this plugin.

The plugin installs a page called EmailActivation. It should be OK but you might want to add more information to it. The only thing it must contain somewhere is:

    [[EmailActivation]]

Finally there is the customisation script. This is where the real action happens. It lives in the wiki instance script. You created this script when you followed the instructions in HelpOnInstalling/WikiInstanceCreation. Those instructions refer to it as $INSTANCE, and in the examples it is called 'wikiconfig.py'. This script is also the file you modify when following the help in HelpOnConfiguration.

The customisation script is a function called:

    EmailActivation_email

You add it to the 'Config' class already defined in the wiki instance script. Usually this just means appending a few lines to the end of the script file. Be careful to keep the indentation as is: it is important! A typical example of a modified wikiconfig.py:

    #
    # :
    # : Here lives lots of comments and stuff that come with the
    # : default version of wikiconfig.py.
    # :
    #

    # now we subclass that config (inherit from it) and change what's different:
    class Config(FarmConfig):
        # basic options (you normally need to change these)
        sitename = u'MyWiki'         # [Unicode]
        interwikiname = 'MyWiki'
        #
        # :
        # : other stuff defined in wikiconfig.py that doesn't concern us
        # :
        #
        # ------------ Lines below are the ones added -----------
        def EmailActivation_email(self, action, request, user, url):
            # only the account-creation email is routed here; returning
            # None for the other actions means no email is sent for them
            if action != 'create':
                return
            # accept both "user@my-company.com" and "Name <user@my-company.com>"
            if user.email.endswith("@my-company.com") or user.email.endswith("@my-company.com>"):
                to = user.email
            else:
                to = request.cfg.mail_from
            return [to]

In this example, if the email address entered by the user ended in "@my-company.com", the email would be sent straight to them so they can activate it. Otherwise it would go to the wiki administrator. This example should happily work if you just paste it into your wikiconfig.py file and alter the email address to suit. Again, be sure to get the indentation right. Use spaces for indenting to avoid confusion.

The parameters to EmailActivation_email are:

    action  - This is the string 'create' if the account is being created,
              'activate' if the account has been successfully activated, or
              'cancel' if the activation has been cancelled. 'cancel' is sent
              when the new account is explicitly cancelled. No email is sent
              if the unactivated account expires.

    request - The request instance. It is MoinMoin's central data structure.
              You will need it if you are going to do something tricky.

    user    - An instance of MoinMoin.user.User(). This holds the data entered
              by the user into the UserPreferences page when the account was
              created.

    url     - For 'create' this is the URL that will enable the account. It
              should be present in the email sent. It is a string. For
              'activate' this is the URL the user should use to log in. For
              'cancel' this is the empty string.

If the function returns None then things proceed as if the plugin wasn't installed. This means the account is created normally (ie not disabled) and no email is sent.

Otherwise the return value must be a list containing up to 5 values. If values on the end of the list are omitted (ie the list contains less than 5 values) or if a value is None then the default will be used instead. The default is usually what you would get if you didn't supply a customisation script. In fact not supplying a script is identical to having one that returns . The default is to not send an email when an activation request is cancelled. You can change this to send a reasonable email by returning [None].

The elements of the returned list are:

    [to, subject, text, expire, message]

They are used like this:

    to      - The email addresses to send the email to. This can be a single
              string containing one email address, or a list of them.

    subject - The subject of the email. This is a string.

    text    - The body of the email. It must be plain text (ie conform to
              MIME type text/plain). This is a string.

    expire  - How long before the unactivated account will expire, in seconds.
              This is an integer. It is ignored when the action parameter
              isn't 'create'.

    message - The message MoinMoin will display when the user clicks the
              'Save' button. This is a string. This is ignored when the action
              parameter isn't 'create'.


Other Notes
===========

1. Here are the configuration parameters used by the script. These are the parameters defined in wikiconfig.py. See HelpOnConfiguration for more information on what they do.

       data_dir
       mail_from
       mail_smarthost
       sitename

2. This plugin overrides the userform Action. If you have installed other plugins that also override userform it is likely something will break.

3. If a superuser visits:

       http://www.mywiki.site/mywiki/EmailActivation

   they will see all unactivated accounts and can confirm or cancel them.

4. Expired accounts that have not been activated are deleted the next time someone tries to activate or cancel a new account.

5. Anybody can delete an unactivated account by going to this URL:

       http://www.mywiki.site/mywiki/EmailActivation?n=UserName

   where UserName is the name entered in UserPreferences for the account you wish to delete.


--
Russell Stuart
2007-09-27


ChangeLog
=========

emailActivation-1.1.4 2007-11-24

- A couple of spelling mistakes spotted by Peter Chubb fixed.

emailActivation-1.1.3 2007-11-22

- By faking a create user account request a spammer could by-pass EmailActivation. Not quite so trusting of the form variables sent by the browser now.

emailActivation-1.1.2 2007-09-26

- Made changes as described by StephenEdwards so it would work under MoinMoin 1.5.8.

emailActivation-1.1.1 2007-04-10

- Reformatted code to bring it in line with MoinMoin coding style as per ThomasWaldmann's request. No functional changes.

emailActivation-1.1.0 2007-04-07

- Fixed bug in account expiry. This bug probably meant it didn't work at all - sorry!
- If a superuser views the EmailActivation page a list of outstanding activations is shown, and they can be confirmed or cancelled.
- An email is now sent when the account is activated.
- An email can now be sent when the account activation is cancelled.
- Renamed lots of things to create a more consistent naming scheme.

emailActivation-1.0.1 2007-04-03

- Allowed email destination to be a list.
- Cleaned up wording in README.
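As an added example (not part of the plugin's README or its code), here is a fuller EmailActivation_email that handles all three actions and fills in the five-element return list, routing self-activation on the address domain rather than a raw suffix match. The FakeCfg, FakeRequest and FakeUser classes are constructed stand-ins for MoinMoin's request.cfg and user.User so the function can be exercised outside a wiki; TRUSTED_DOMAINS and the mail addresses are assumptions.

```python
import re
TRUSTED_DOMAINS = ("my-company.com",)   # assumption: may self-activate
ONE_DAY = 24 * 60 * 60

# Constructed stand-ins for MoinMoin's request.cfg and user.User (not real moin classes).
class FakeCfg(object):
    sitename = u'MyWiki'
    mail_from = 'wiki-admin@my-company.com'

class FakeRequest(object):
    cfg = FakeCfg()

class FakeUser(object):
    def __init__(self, name, email):
        self.name, self.email = name, email

_BRACKETED = re.compile(r"<([^<>]+)>\s*$")

def address_domain(email):
    """Lower-cased domain of an address; accepts 'Name <user@host>' too.
    Returns None for anything malformed, so it can never be trusted."""
    m = _BRACKETED.search(email)
    addr = (m.group(1) if m else email).strip()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        return None
    return addr.rsplit("@", 1)[1].lower()

class Config(object):
    def EmailActivation_email(self, action, request, user, url):
        """Return [to, subject, text, expire, message], or None."""
        site = request.cfg.sitename
        if action == 'create':
            if address_domain(user.email) in TRUSTED_DOMAINS:
                return [user.email,
                        "%s account activation" % site,
                        "Activate your account by visiting:\n%s\n" % url,
                        2 * ONE_DAY,            # shorter than the one-week default
                        "Check your email for the activation link."]
            # everyone else is routed to the administrator; trailing defaults apply
            return [request.cfg.mail_from,
                    "%s: new account '%s' needs approval" % (site, user.name),
                    "Requested by %s. Activate or cancel here:\n%s\n"
                    % (user.email, url)]
        if action == 'activate':
            return [user.email, "%s account activated" % site,
                    "Your account is now active. Log in at:\n%s\n" % url]
        if action == 'cancel':
            return [None]   # send the plugin's default cancellation email
        return None         # unknown action: behave as if not installed
```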
Comments / Suggestions
Russell, thanks for writing that code!
I guess we could look at integrating this into moin, but maybe you could help changing some things first:
- needs to be updated to target 1.7 or 1.8
- indentation needs to be 4 blanks per level (there must not be TABs in the files)
macro/EmailActivation.py:userform_action uses /dev/urandom - maybe you can just use util.random_string() [1.8]?
strange exception handlers for EnvironmentError - can this be made more specific?
- os.remove(os.path.join(u._cfg.data_dir, "cache/user/name2id")) - see caching module
- check the userform stuff, it was made more modular in 1.7
- cleanup this page and remove stuff you already fixed / that is outdated
- misc. minor PEP8 errors
foo != None should be changed to foo is not None
type is a builtin, you shouldn't use it as variable name
- i18n is (mostly) missing - all translateable strings need to be used _("like this")
- finally, the code should be modified so it can be optionally used instead of the normal moin behaviour
-- ThomasWaldmann 2008-09-07 13:42:43
Nice code. I had to modify it to work with 1.5.8. Symptoms: KeyError exceptions on logout, plus new account passwords being erased. Also, file errors under non-*nix OSes. Three fixes:
- in userform.py action:
- userName = form['name'] This line works fine for account creation, but for logout actions, there is no name key in the form data. To fix this, I just wrapped an "if form.has_key()" guard around the line, and made similar changes to later lines that depended on the user name.
- u = user.User(request, auth_username=userName) This line creates a user object. Unfortunately, if no password is specified, the password data in the user object will be empty. The next save will clobber any stored enc_password. To fix this, I added "password=form['password']" as an extra parameter in this constructor call.
in EmailActivation.py macro:
- userform_action() uses /dev/urandom, but that does not exist on all platforms. To fix this, I replaced it with random.randint() to generate 8 bytes of random data. There's probably a nicer way to do this, but I wanted to change it as little as possible.
-- -- StephenEdwards 2007-09-25 16:01:17
I've installed this on my Wiki, but am still seeing spammers creating accounts and spam pages. If I try to create a new account, I get activation email (and I've seen a few spammers stopped at this stage). However, some spam bots seem to be able to bypass account creation. It looks as if the spammers are sending a login reply (somehow) automatically --- the apache logs show a GET for UserPreferences, then a POST immediately afterwards, then the new page edit requests. I'm wondering if the reply from the spammers contains a full UserPreferences reply, and includes the Account disabling flag?? Is this possible? I'm not a python hacker, so need help to debug this.
-- -- PeterChubb 2013-12-05 21:14:19
-- -- RussellStuart 2007-11-04 23:18:00
- Your email antispam system is fighting with mine. The `email to postmaster' check in yours, is failing because your MX's IP is listed in dsbl.org. I've temporarily whitelisted the address you're coming from.
-- -- PeterChubb 2013-12-05 21:14:19
I added this trivial patch to make the plugin work with moinmoin 1.6.2. This plugin is really useful for my setup - is there a perspective when this feature is integrated into mainline? After a quick glance, I couldn't find an open 'ticket' at the Feature-Request 'bug-tracker' (I mean this Feature-Request bug, which looks like a substitute bug-tracker ...).
-- -- GeorgSauthoff 2013-12-05 21:14:19
is there any plan to integrate EmailActivation into 1.7.1? We use this plugin for our Moin wiki and losing it would be a showstopper for us.
-- -- JohnJHarrison 2013-12-05 21:14:19
John, I also think it would be nice to have a current version - as a plugin. About integration into the moin distribution: I would like to have that functionality, but there are quite some issues with the code not resolved yet / still unclear. After they are resolved (see my comments above), we can think about integration. -- ThomasWaldmann 2008-09-07 13:42:43
I am upgrading my system to Debian Lenny, which has MoinMoin 1.7. As a consequence EmailActivation will be ported to 1.7. But I don't have a timetable. As I would prefer to not have to maintain this for every moinmoin release, I will be implementing all of Thomas's requests in the hope it one day becomes a standard part of MoinMoin. It seems to be popular enough to justify that. I will probably make some changes, so that no Python coding is required to use it. -- RussellStuart 2008-09-11 03:09:00
-- Hi, a current version of this plugin for 1.7 / 1.8 would be very much appreciated. Incorporation into Moinmoin main would be a good thing too, but as a temporary fix it would be great to have this plugin working again in current moin version. Thanks a lot for your work! -- -- DanielBachler 2013-12-05 21:14:19
I suddenly have spammers somehow bypassing this plugin. They are creating accounts outside the accepted email domains and without me being notified. This has worked for a long time but apparently a security hole has been discovered by spammers. I am running Moin 1.5.8 and EmailActivation 1.1.4 -- -- JohnJHarrison 2013-12-05 21:14:19
JohnJHarrison, could you contact me directly via email please. You can find my email address here: RussellStuart. I'll try and fix it as quickly as possible. If you have difficulties with email leave a message here. -- -- RussellStuart 2008-11-15 05:49:00
Apparently I am the first to report anything like this. So let me make sure I am being responsible and have not misdiagnosed the problem. For example, perhaps the new spam was created by very old accounts set up before EmailActivation was installed --- accounts that I had not noticed before and are now being reactivated by spammers. I am watching our wiki hourly for new content and especially new users. If I can confirm 100% that spammers are creating accounts now by bypassing the email activation, I will post a note here confirming and contact RussellStuart via email. If that doesn't happen within the next week, I must have misdiagnosed so I post here an apology for the false alarm.
-- -- JohnJHarrison 2013-12-05 21:14:19
I have found the problem and it is a security vulnerability with moin 1.5.8 and has nothing to do with EmailActivation. More information. Sorry about the false alarm. I will disable user creation entirely until I have updated to 1.6.2 --- since 1.6.2 is the latest moin that supports EmailActivation.
-- -- JohnJHarrison 2013-12-05 21:14:19
at http://moinmo.in/SecurityFixes I found the security patch for 1.5.8. I have applied this patch and hopefully this will solve my problem. Sorry again for thinking the problem was EmailActivation when it was not.
-- -- JohnJHarrison 2008-11-15 16:52:43
Just as an FYI, Debian Stable (Etch) fixed this vulnerability on 20-Jan-2008 in moinmoin-common 1.5.3-1.2etch1. see: http://patch-tracking.debian.net/patch/series/view/moin/1.5.3-1.2etch1/014_CVE-2008-0782_cookie_directory_traversal.patch
Is there any current summary of whether/when/how this functionality might be integrated into MoinMoin 1.9.0+? I couldn't find any discussion of this other than here; apologies if I just missed something obvious!
-- -- StephanDeibel, Dec 24, 2009
I also am interested in a 1.9 version. -- -- PeterChubb, 2010-01-24 00:10:30