The EmailActivation Plugin
To make emailActivation 1.1.4 work with MoinMoin 1.6.2 I created a trivial patch: email.activataion.1.1.4-1.6.diff
Download the current version for MoinMoin 1.5.8: emailActivation-1.1.4.tar.gz
Here is the readme file:
The EmailActivation MoinMoin Plugin
===================================

Overview of what it does
------------------------

This plugin alters the way new accounts are created by the
UserPreferences page. Newly created accounts are initially
disabled and must be enabled via a special URL. The URL is
emailed to the address entered when the account was created.
Once the account has been activated the user is sent a
second email inviting them to log in.

A MoinMoin superuser can view all unactivated accounts and
activate or cancel them. If the account isn't activated
within one week it will expire and be cancelled. Cancelling
an unactivated account deletes it, thus freeing the account
name and email address for re-use. An unactivated account
can also be cancelled via the emailed URL.

This default install can be customised in several ways by
providing a single function in the wiki configuration script.
The details of how to do this are described below.

The most useful thing to change is who gets the email.
Typical usage is to allow people you trust to activate
themselves, forwarding the rest on to the wiki administrator.
Example: you might choose to let people who entered an
email address from your company activate themselves, but
require you to authorise the rest.

The plugin was developed and tested with MoinMoin 1.5.6.
It was altered to work with 1.5.8. It is moderately
intrusive and so may not work with other versions.


Installation
------------

To install:

    tar xpfz emailActivation-plugin-VERSION.tar.gz
    cp -a emailActivation-plugin-VERSION/* /var/www/mywiki

Replace /var/www/mywiki with the installation directory of
your wiki.

To be safe it is wise to uninstall the previous version
before installing a new one. To uninstall the plugin
just remove the files and directories created by the tar
install file.

Upgrading from version 1.0.x: this upgrade is not backward
compatible. To upgrade, cancel all unactivated accounts
before upgrading, and be sure to do an uninstall first!

Since this plugin relies on email, ensure you have defined
the 'mail_smarthost' parameter in the wiki configuration.
See HelpOnConfiguration for more information on how to do
that.


Customisation
-------------

It is a good idea to change the UserPreferences page to say
what will happen when the user creates the account. The
default one says they will be able to use the account as
soon as it is created. That won't be the case after you
install this plugin.

The plugin installs a page called EmailActivation. It
should be OK but you might want to add more information to
it. The only thing it must contain somewhere is:

    [[EmailActivation]]

Finally there is the customisation script. This is where
the real action happens. It lives in the wiki instance
script. You created this script when you followed the
instructions in HelpOnInstalling/WikiInstanceCreation.
Those instructions refer to it as $INSTANCE, and in the
examples it is called 'wikiconfig.py'. This script is also
the file you modify when following the help in
HelpOnConfiguration.

The customisation script is a function called:
    EmailActivation_email
You add it to the 'Config' class already defined in the wiki
instance script. Usually this just means appending a few
lines to the end of the script file. Be careful to keep the
indentation as is: it is important! A typical example of a
modified wikiconfig.py:

    #
    #  :
    #  : Here lives lots of comments and stuff that come with the
    #  : default version of wikiconfig.py.
    #  :
    #

    # now we subclass that config (inherit from it) and change what's different:
    class Config(FarmConfig):
        # basic options (you normally need to change these)
        sitename = u'MyWiki' # [Unicode]
        interwikiname = 'MyWiki'
        #
        #  :
        #  : other stuff defined in wikiconfig.py that doesn't concern us
        #  :
        #
        # ------------ Lines below are the ones added -----------
        def EmailActivation_email(self, action, request, user, url):
            # Only customise the email sent when the account is created.
            if action != 'create':
                return []
            # Company addresses activate themselves; the rest go to the admin.
            if user.email.endswith("@my-company.com") or user.email.endswith("@my-company.com>"):
                to = user.email
            else:
                to = request.cfg.mail_from
            return [to]

In this example if the email address entered by the user
ended in "@my-company.com", the email would be sent straight
to him so he can activate it. Otherwise it would go to the
wiki administrator. This example should happily work if you
just paste it into your wikiconfig.py file, and alter the
email address to suit. Again, be sure to get the
indentation right. Use spaces for indenting to avoid
confusion.

The parameters to EmailActivation_email are:

  action  - This is the string 'create' if the account is
            being created, 'activate' if the account
            has been successfully activated, or 'cancel'
            if the activation has been cancelled. 'cancel'
            is sent when the new account is explicitly
            cancelled. No email is sent if the unactivated
            account expires.

  request - The request instance. It is MoinMoin's central
            data structure. You will need it if you are
            going to do something tricky.

  user    - An instance of MoinMoin.user.User(). This
            holds the data entered by the user into the
            UserPreferences page when the account was
            created.

  url     - For 'create' this is the URL that will enable
            the account. It should be present in the email
            sent. It is a string. For 'activate' this is
            the URL the user should use to log in. For
            'cancel' this is the empty string.

If the function returns None then things proceed
as if the plugin wasn't installed. This means the account
is created normally (ie not disabled) and no email is sent.

Otherwise the return value must be a list containing up to 5
values. If values on the end of the list are omitted (ie
the list contains fewer than 5 values) or if a value is None
then the default will be used instead. The default is
usually what you would get if you didn't supply a
customisation script. In fact not supplying a script is
identical to having one that returns []. The default is to
not send an email when an activation request is cancelled.
You can change this to send a reasonable email by returning
[None].

The elements of the returned list are:

  [to, subject, text, expire, message]

They are used like this:

  to      - The email addresses to send the email to. This
            can be a single string containing one email
            address, or a list of them.

  subject - The subject of the email. This is a string.

  text    - The body of the email. It must be normal text
            (ie conform to MIME type text/plain). This is
            a string.

  expire  - How long before the unactivated account will
            expire, in seconds. This is an integer. It
            is ignored when the action parameter isn't
            'create'.

  message - The message MoinMoin will display when the user
            clicks the 'Save' button. This is a string.
            This is ignored when the action parameter isn't
            'create'.
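
A stricter form of the EmailActivation_email hook, as an added example that is not part of the README or the plugin: the address typed into UserPreferences is parsed and its domain compared exactly rather than suffix-matched, and all five list elements are returned. TRUSTED_DOMAIN, EXPIRE_SECONDS, the wording of the strings, and the Stub* classes and reply_for helper (there only so the block runs outside MoinMoin) are assumptions.

```python
from email.utils import getaddresses  # email.Utils on very old Python 2 releases

TRUSTED_DOMAIN = "my-company.com"  # assumption: domain allowed to self-activate
EXPIRE_SECONDS = 2 * 24 * 3600     # assumption: two days instead of one week


def sole_address(raw):
    """Return the one bare address in raw, or None if it holds none or several."""
    if "\r" in raw or "\n" in raw:
        return None
    found = [addr for _name, addr in getaddresses([raw]) if addr]
    if len(found) != 1 or found[0].count("@") != 1:
        return None
    return found[0]


def EmailActivation_email(self, action, request, user, url):
    """Hook body; in wikiconfig.py it is indented inside class Config."""
    if action != 'create':
        return []  # keep the plugin defaults for 'activate' and 'cancel'
    addr = sole_address(user.email)
    domain = ""
    if addr:
        domain = addr.rsplit("@", 1)[1].lower()
    if domain == TRUSTED_DOMAIN:
        to = addr  # the parsed address, not the raw form field
        message = "An activation link has been emailed to you."
    else:
        to = request.cfg.mail_from
        message = "Your request was forwarded to the wiki administrator."
    subject = "[%s] account activation" % request.cfg.sitename
    text = "Account: %s\nActivation link:\n\n%s\n" % (user.name, url)
    return [to, subject, text, EXPIRE_SECONDS, message]


# --- constructed stand-ins so the hook can be exercised outside MoinMoin ---
class StubCfg:
    mail_from = "wikiadmin@example.org"
    sitename = "MyWiki"

class StubRequest:
    cfg = StubCfg()

class StubUser:
    def __init__(self, name, email):
        self.name, self.email = name, email

def reply_for(action, email):
    """List the hook returns for a constructed sign-up address."""
    user = StubUser("NewUser", email)
    return EmailActivation_email(None, action, StubRequest(), user, "https://wiki.example/activate")
```

In a real wikiconfig.py, sole_address and the two constants sit at module level above class Config, and only EmailActivation_email goes inside the class.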


Other Notes
===========

1. Here are the configuration parameters used by the
   script. These are the parameters defined in
   wikiconfig.py. See HelpOnConfiguration for more
   information on what they do.

     data_dir
     mail_from
     mail_smarthost
     sitename

2. This plugin overrides the userform Action. If you have
   installed other plugins that also override userform it
   is likely something will break.

3. If a superuser visits:

     http://www.mywiki.site/mywiki/EmailActivation

   they will see all unactivated accounts and can confirm
   or cancel them.

4. Expired accounts that have not been activated are
   deleted the next time someone tries to activate or cancel
   a new account.

5. Anybody can delete an unactivated account by going to
   this URL:

     http://www.mywiki.site/mywiki/EmailActivation?n=UserName

   where UserName is the name entered in UserPreferences
   for the account you wish to delete.



--
Russell Stuart
2007-09-27




ChangeLog
=========

emailActivation-1.1.4 2007-11-24

  - A couple of spelling mistakes spotted by Peter Chubb fixed.

emailActivation-1.1.3 2007-11-22

  - By faking a create user account request a spammer could by-pass
    EmailActivation. Not quite so trusting of the form variables
    sent by the browser now.

emailActivation-1.1.2 2007-09-26

  - Made changes as described by StephenEdwards so it would work
    under MoinMoin 1.5.8.

emailActivation-1.1.1 2007-04-10

  - Reformatted code to bring it in line with MoinMoin coding style
    as per ThomasWaldmann's request. No functional changes.

emailActivation-1.1.0 2007-04-07

  - Fixed bug in account expiry. This bug probably meant it
    didn't work at all - sorry!
  - If a superuser views the EmailActivation page a
    list of outstanding activations is shown, and they can
    be confirmed or cancelled.
  - An email is now sent when the account is activated.
  - An email can now be sent when the account activation is
    cancelled.
  - Renamed lots of things to create a more consistent
    naming scheme.

emailActivation-1.0.1 2007-04-03

  - Allowed email destination to be a list.
  - Cleaned up wording in README.
Older Versions
emailActivation-1.1.3.tar.gz, MoinMoin 1.5.6 & 1.5.8.
emailActivation-1.1.2.tar.gz, MoinMoin 1.5.6 & 1.5.8.
emailActivation-1.1.1.tar.gz, MoinMoin 1.5.6.
emailActivation-1.1.0.tar.gz, MoinMoin 1.5.6.
emailActivation-1.0.1.tar.gz, MoinMoin 1.5.6.
emailActivation-1.0.0.tar.gz, MoinMoin 1.5.6.
Comments / Suggestions
Russell, thanks for writing that code!
I guess we could look at integrating this into moin, but maybe you could help changing some things first:
- needs to be updated to target 1.7 or 1.8
- indentation needs to be 4 blanks per level (there must not be TABs in the files)
- action/userform.py
- macro/EmailActivation.py
macro/EmailActivation.py:userform_action uses /dev/urandom - maybe you can just use util.random_string() [1.8]?
strange exception handlers for EnvironmentError - can this be made more specific?
- os.remove(os.path.join(u._cfg.data_dir, "cache/user/name2id")) - see caching module
- check the userform stuff, it was made more modular in 1.7
- cleanup this page and remove stuff you already fixed / that is outdated
- misc. minor PEP8 errors
foo != None should be changed to foo is not None
type is a builtin, you shouldn't use it as variable name
- i18n is (mostly) missing - all translatable strings need to be used _("like this")
- finally, the code should be modified so it can be optionally used instead of the normal moin behaviour
-- ThomasWaldmann 2008-09-07 13:42:43
Nice code. I had to modify it to work with 1.5.8. Symptoms: KeyError exceptions on logout, plus new account passwords being erased. Also, file errors under non-*nix OSes. Three fixes:
- in userform.py action:
- userName = form['name'][0] This line works fine for account creation, but for logout actions, there is no name key in the form data. To fix this, I just wrapped an "if form.has_key()" guard around the line, and made similar changes to later lines that depended on the user name.
- u = user.User(request, auth_username=userName) This line creates a user object. Unfortunately, if no password is specified, the password data in the user object will be empty. The next save will clobber any stored enc_password. To fix this, I added "password=form['password'][0]" as an extra parameter in this constructor call.
in EmailActivation.py macro:
- userform_action() uses /dev/urandom, but that does not exist on all platforms. To fix this, I replaced it with random.randint() to generate 8 bytes of random data. There's probably a nicer way to do this, but I wanted to change it as little as possible.
-- -- StephenEdwards 2007-09-25 16:01:17
I've installed this on my Wiki, but am still seeing spammers creating accounts and spam pages. If I try to create a new account, I get activation email (and I've seen a few spammers stopped at this stage). However, some spam bots seem to be able to bypass account creation. It looks as if the spammers are sending a login reply (somehow) automatically --- the apache logs show a GET for UserPreferences, then a POST immediately afterwards, then the new page edit requests. I'm wondering if the reply from the spammers contains a full UserPreferences reply, and includes the Account disabling flag?? Is this possible? I'm not a python hacker, so need help to debug this.
-- -- PeterChubb 2025-01-23 21:40:49
PeterChubb, I can't respond to you as I don't have an email address. Email me directly, using the email address on RussellStuart.
-- -- RussellStuart 2007-11-04 23:18:00
Hi Russell,
- Your email antispam system is fighting with mine. The `email to postmaster' check in yours, is failing because your MX's IP is listed in dsbl.org. I've temporarily whitelisted the address you're coming from.
-- -- PeterChubb 2025-01-23 21:40:49
Hi,
I added this trivial patch to make the plugin work with moinmoin 1.6.2. This plugin is really useful for my setup - is there a perspective on when this feature will be integrated into mainline? After a quick glance, I couldn't find an open 'ticket' at the Feature-Request 'bug-tracker' (I mean this Feature-Request bug, which looks like a substitute bug-tracker ...).
Best regards
-- -- GeorgSauthoff 2025-01-23 21:40:49
is there any plan to integrate EmailActivation into 1.7.1? We use this plugin for our Moin wiki and losing it would be a showstopper for us.
-- -- JohnJHarrison 2025-01-23 21:40:49
John, I also think it would be nice to have a current version - as a plugin. About integration into moin distribution: I would like to have that functionality, but there are quite some issues with the code not resolved yet / still unclear. After they are resolved (see my comments above), we can think about integration. -- ThomasWaldmann 2008-09-07 13:42:43
--
I am upgrading my system to Debian Lenny, which has MoinMoin 1.7. As a consequence EmailActivation will be ported to 1.7. But I don't have a timetable. As I would prefer to not have to maintain this for every moinmoin release, I will be implementing all of Thomas's requests in the hope it one day becomes a standard part of MoinMoin. It seems to be popular enough to justify that. I will probably make some changes, so that no Python coding is required to use it. -- RussellStuart 2008-09-11 03:09:00
-- Hi, a current version of this plugin for 1.7 / 1.8 would be very much appreciated. Incorporation into Moinmoin main would be a good thing too, but as a temporary fix it would be great to have this plugin working again in current moin version. Thanks a lot for your work! -- -- DanielBachler 2025-01-23 21:40:49
--
I suddenly have spammers somehow bypassing this plugin. They are creating accounts outside the accepted email domains and without me being notified. This has worked for a long time but apparently a security hole has been discovered by spammers. I am running Moin 1.5.8 and EmailActivation 1.1.4 -- -- JohnJHarrison 2025-01-23 21:40:49
JohnJHarrison, could you contact me directly via email please. You can find my email address here: RussellStuart. I'll try and fix it as quickly as possible. If you have difficulties with email leave a message here. -- -- RussellStuart 2008-11-15 05:49:00
Apparently I am the first to report anything like this. So let me make sure I am being responsible and have not misdiagnosed the problem. For example, perhaps the new spam was created by very old accounts set up before EmailActivation was installed --- accounts that I had not noticed before and are now being reactivated by spammers. I am watching our wiki hourly for new content and especially new users. If I can confirm 100% that spammers are creating accounts now by bypassing the email activation, I will post a note here confirming and contact RussellStuart via email. If that doesn't happen within the next week, I must have misdiagnosed so I post here an apology for the false alarm.
-- -- JohnJHarrison 2025-01-23 21:40:49
I have found the problem and it is a security vulnerability with moin 1.5.8 and has nothing to do with EmailActivation. More information. Sorry about the false alarm. I will disable user creation entirely until I have updated to 1.6.2 --- since 1.6.2 is the latest moin that supports EmailActivation
-- -- JohnJHarrison 2025-01-23 21:40:49
at http://moinmo.in/SecurityFixes I found the security patch for 1.5.8. I have applied this patch and hopefully this will solve my problem. Sorry again for thinking the problem was EmailActivation when it was not.
-- -- JohnJHarrison 2008-11-15 16:52:43
Just as an FYI, Debian Stable (Etch) fixed this vulnerability on 20-Jan-2008 in moinmoin-common 1.5.3-1.2etch1. see: http://patch-tracking.debian.net/patch/series/view/moin/1.5.3-1.2etch1/014_CVE-2008-0782_cookie_directory_traversal.patch
Is there any current summary of whether/when/how this functionality might be integrated into MoinMoin 1.9.0+? I couldn't find any discussion of this other than here; apologies if I just missed something obvious!
-- -- StephanDeibel, Dec 24, 2009
I also am interested in a 1.9 version. -- -- PeterChubb, 2010-01-24 00:10:30