Corporate Blogging Features

[Elias Torres <el...@torrez.us>]

Hi everyone,

I want to introduce yet another subject of things we see definitely
being needed in Roller for it to be more suited for internal corporate
blogging.

- I have a patch ready (very simple) that allows the site
administrator through roller.properties specify which URLs users can
send trackbacks to. It'd be dump to send a trackback to an external
blog because people won't be access that post because it's on the
intranet. I've added a small check in the sendTrackback method in
WeblogEntryAction so it displays a nice error message when the URL is
not allowed. This should not affect anyone else.

- Along the same lines as trackbacks, I need to check the pings we are
currently sending to blo.gs or weblogs.com and make sure they are
disabled or a mechanism similar like the ones for trackbacks is
developed.

- We disabled anonymous comments in the intranet. I will need to add
this feature to Roller as well, of course like anything else, it
should be optional. Wordpress implements this, so I don't think should
raise any objections from the team.

- We'll write a PagePlugin that rewrites URLs in entries to go through
some global redirector (which we might add to Roller as well) so
anchors in entry URLs are not leaked to the web. Again, if anyone
wants to use Roller on the intranet, I think this is important.

- AutoRegistration. In Blog Central I made it so that for any user
that's authenticated by LDAP server if the UserManager did not find
the user, I would just create a blog for them. Instead I might follow
the Sun model to have a separate registration page where the password
is not required because we have our own auth methods.

I can't think of any others right now of the top of my head, but as
they come I'll send them.

Regards,

Elias

Re: Corporate Blogging Features

[Elias Torres <el...@torrez.us>]

On 10/7/05, Anil Gangolli <an...@busybuddha.org> wrote:
>
> Some comments below:
>
> >>>Elias Torres wrote:
> >>>
> >>>- We'll write a PagePlugin that rewrites URLs in entries to go through
> >>>some global redirector (which we might add to Roller as well) so
> >>>anchors in entry URLs are not leaked to the web. Again, if anyone
> >>>wants to use Roller on the intranet, I think this is important.
> >>>
> >>>
> >>>
> >>>
> >>Allen Gilliland wrote:
> >>
> >>i'm not sure i fully understand this one.  can you explain it more.
> >>
> >>
> >Elias Torres wrote:
> >
> >Right now when people visit my external blog from IBM's internal
> >server, I can see in my apache logs the entry anchor from the
> >referrer. This can leak information such as
> >"we_re_buying_chococalate_company_x". Do you know what I mean?
> >
> >
>
> One would have to make the rewriting PagePlugin mandatory for all users
> on your installation somehow, which is not something we currently have,
> but might be a useful feature.  As long as it is pluggable and
> localized, this sounds fine.

Right. I didn't think of this.

> If a site is really worried, they have to handle this a bit more
> centrally.  There can otherwise be a lot of internal web pages (e.g.
> project pages) that might have links to outside parties: vendors, open
> source docs, etc.  All of these would leak referrer information and
> could be just as revealing of internal projects/relationships as blogs.
>
> I believe this is the kind of thing most sites would do with outbound
> HTTP proxy servers if they really care to be thorough.  This means
> blocking outbound HTTP traffic that does not go through their proxy, and
> doing things like stripping internal referrer URLs for requests going out.
>
> --a.
>

You're right. I don't want to make you think we are being paranoid or
anything like that, but I think this is something companies need to
think more about it. For example, I don't think IBM could police with
proxy servers all content being leaked out, it's just impossible.
Also, I think that before blogs, people didn't pay as much attention
to logs as they do now with blogs and those bloggers are the ones with
biggest mouths anyways. :-) It'd be nice if Roller started providing
more features that interest/appease the corporate folks, especially
when it's really simple, like this case. Is it too crazy? Maybe,
right?

Re: Corporate Blogging Features

[Anil Gangolli <an...@busybuddha.org>]

Some comments below:

>>>Elias Torres wrote:
>>>
>>>- We'll write a PagePlugin that rewrites URLs in entries to go through
>>>some global redirector (which we might add to Roller as well) so
>>>anchors in entry URLs are not leaked to the web. Again, if anyone
>>>wants to use Roller on the intranet, I think this is important.
>>>
>>>
>>>      
>>>
>>Allen Gilliland wrote:
>>
>>i'm not sure i fully understand this one.  can you explain it more.
>>    
>>
>Elias Torres wrote:
>
>Right now when people visit my external blog from IBM's internal
>server, I can see in my apache logs the entry anchor from the
>referrer. This can leak information such as
>"we_re_buying_chococalate_company_x". Do you know what I mean?
>  
>

One would have to make the rewriting PagePlugin mandatory for all users 
on your installation somehow, which is not something we currently have, 
but might be a useful feature.  As long as it is pluggable and 
localized, this sounds fine.

If a site is really worried, they have to handle this a bit more 
centrally.  There can otherwise be a lot of internal web pages (e.g. 
project pages) that might have links to outside parties: vendors, open 
source docs, etc.  All of these would leak referrer information and 
could be just as revealing of internal projects/relationships as blogs.

I believe this is the kind of thing most sites would do with outbound 
HTTP proxy servers if they really care to be thorough.  This means 
blocking outbound HTTP traffic that does not go through their proxy, and 
doing things like stripping internal referrer URLs for requests going out.

--a.

Re: Corporate Blogging Features

[Allen Gilliland <Al...@Sun.COM>]

On Thu, 2005-10-06 at 10:42, James M Snell wrote:
> Our blog entry URL's also contain our email addresses.  for instance, 
> the URL of my latest blog entry is:
> 
>    
> http://.../weblogs/page/jasnell@us.ibm.com/20051003#my_hell_will_be_blogged
> 

I was thinking about this a bit today and it seems like it would be a good thing to let people login with their email addresses without actually forcing the username = email.  This is pretty common these days and I think it makes a lot of sense.

-- Allen


> I may not want folks at Microsoft or wherever knowing that I 
> specifically am linking to them.
> 
> Allen Gilliland wrote:
> 
> >On Wed, 2005-10-05 at 20:15, James M Snell wrote:
> >  
> >
> >>Elias Torres wrote:
> >>
> >>    
> >>
> >>>>i'm not sure i fully understand this one.  can you explain it more.
> >>>>   
> >>>>
> >>>>        
> >>>>
> >>>Right now when people visit my external blog from IBM's internal
> >>>server, I can see in my apache logs the entry anchor from the
> >>>referrer. This can leak information such as
> >>>"we_re_buying_chococalate_company_x". Do you know what I mean?
> >>>
> >>> 
> >>>
> >>>      
> >>>
> >>If I can weigh in on this, this is absolutely a major issue for us.  
> >>Ideally the URL's would be opaque in the first place, but using a global 
> >>redirector is a very good solution.
> >>    
> >>
> >
> >I see what you guys are talking about, but for some reason I don't see this as being such a big deal.  I suppose it's not too nice if someone posts an entry called "i hate microsoft" along with links to microsoft sites, in that case the referers in the logs on the microsoft site would be something like "myserver.com/roller/page/foo?entry=i_hate_microsoft".
> >
> >the only thing i see potentially worth concealing in that url is the actual anchor, and you could conceal that by using the entryid rather than anchor, which is something i think we should make possible anyways.
> >
> >what else would need to be changed?
> >
> >-- Allen
> >
> >  
> >
> >>>>i think there are actually 2 action items here.  (1) provide a good SSO
> >>>>structure so that a roller admin could easily define what happens when a
> >>>>user transfers from another application into roller and (2) provide a
> >>>>good way for roller to be remotely administrated, possibly via secure
> >>>>web services.  by remotely administrated i mean ... register users,
> >>>>create weblogs, reset account info, etc.  we do this stuff at Sun right
> >>>>now, but we've just hacked a backdoor for roller and really this should
> >>>>be flushed out into a full feature.
> >>>>   
> >>>>
> >>>>        
> >>>>
> >>>ahhh... a nice remote interface would be awesome. so much to do, so little time.
> >>>
> >>> 
> >>>
> >>>      
> >>>
> >>I've been giving some thought to a Admin API that is based roughly on 
> >>the same fundamental design concepts as the Atom Publishing API.  It 
> >>would be great if we could come up with a mechanism that could be 
> >>implemented across multiple blogging platforms.
> >>
> >>- James
> >>    
> >>
> >
> >
> >  
> >
> 

Re: Corporate Blogging Features

[James M Snell <ja...@gmail.com>]

Our blog entry URL's also contain our email addresses.  for instance, 
the URL of my latest blog entry is:

   
http://.../weblogs/page/jasnell@us.ibm.com/20051003#my_hell_will_be_blogged

I may not want folks at Microsoft or wherever knowing that I 
specifically am linking to them.

Allen Gilliland wrote:

>On Wed, 2005-10-05 at 20:15, James M Snell wrote:
>  
>
>>Elias Torres wrote:
>>
>>    
>>
>>>>i'm not sure i fully understand this one.  can you explain it more.
>>>>   
>>>>
>>>>        
>>>>
>>>Right now when people visit my external blog from IBM's internal
>>>server, I can see in my apache logs the entry anchor from the
>>>referrer. This can leak information such as
>>>"we_re_buying_chococalate_company_x". Do you know what I mean?
>>>
>>> 
>>>
>>>      
>>>
>>If I can weigh in on this, this is absolutely a major issue for us.  
>>Ideally the URL's would be opaque in the first place, but using a global 
>>redirector is a very good solution.
>>    
>>
>
>I see what you guys are talking about, but for some reason I don't see this as being such a big deal.  I suppose it's not too nice if someone posts an entry called "i hate microsoft" along with links to microsoft sites, in that case the referers in the logs on the microsoft site would be something like "myserver.com/roller/page/foo?entry=i_hate_microsoft".
>
>the only thing i see potentially worth concealing in that url is the actual anchor, and you could conceal that by using the entryid rather than anchor, which is something i think we should make possible anyways.
>
>what else would need to be changed?
>
>-- Allen
>
>  
>
>>>>i think there are actually 2 action items here.  (1) provide a good SSO
>>>>structure so that a roller admin could easily define what happens when a
>>>>user transfers from another application into roller and (2) provide a
>>>>good way for roller to be remotely administrated, possibly via secure
>>>>web services.  by remotely administrated i mean ... register users,
>>>>create weblogs, reset account info, etc.  we do this stuff at Sun right
>>>>now, but we've just hacked a backdoor for roller and really this should
>>>>be flushed out into a full feature.
>>>>   
>>>>
>>>>        
>>>>
>>>ahhh... a nice remote interface would be awesome. so much to do, so little time.
>>>
>>> 
>>>
>>>      
>>>
>>I've been giving some thought to a Admin API that is based roughly on 
>>the same fundamental design concepts as the Atom Publishing API.  It 
>>would be great if we could come up with a mechanism that could be 
>>implemented across multiple blogging platforms.
>>
>>- James
>>    
>>
>
>
>  
>

Re: Corporate Blogging Features

[Allen Gilliland <Al...@Sun.COM>]

On Fri, 2005-10-07 at 13:12, Dave Johnson wrote:
> Some users have asked for numeric anchors (different from the DB id), 
> which I think is a good idea. So, post number one would have anchor 1, 
> two would have 2, and so on.
> 
> So we'd have:
> 
>     myserver.com/roller/page/foo?entry=434
> 
> instead of:
> 
>     myserver.com/roller/page/foo?entry=i_hate_microsoft

i like that idea ... sounds like a nice and simple rfe.

-- Allen


> 
> - Dave
> 
> 
> >
> > what else would need to be changed?
> >
> > -- Allen
> >
> >>
> >>>> i think there are actually 2 action items here.  (1) provide a good 
> >>>> SSO
> >>>> structure so that a roller admin could easily define what happens 
> >>>> when a
> >>>> user transfers from another application into roller and (2) provide 
> >>>> a
> >>>> good way for roller to be remotely administrated, possibly via 
> >>>> secure
> >>>> web services.  by remotely administrated i mean ... register users,
> >>>> create weblogs, reset account info, etc.  we do this stuff at Sun 
> >>>> right
> >>>> now, but we've just hacked a backdoor for roller and really this 
> >>>> should
> >>>> be flushed out into a full feature.
> >>>>
> >>>>
> >>>
> >>> ahhh... a nice remote interface would be awesome. so much to do, so 
> >>> little time.
> >>>
> >>>
> >>>
> >> I've been giving some thought to a Admin API that is based roughly on
> >> the same fundamental design concepts as the Atom Publishing API.  It
> >> would be great if we could come up with a mechanism that could be
> >> implemented across multiple blogging platforms.
> >>
> >> - James
> >
> 

Re: Corporate Blogging Features

[Dave Johnson <da...@rollerweblogger.org>]

On Oct 6, 2005, at 1:26 PM, Allen Gilliland wrote:
> the only thing i see potentially worth concealing in that url is the 
> actual anchor, and you could conceal that by using the entryid rather 
> than anchor, which is something i think we should make possible 
> anyways.

One of the design goals for Roller was to keep raw database IDs out of 
the public URLs produced by Roller.  I've always thought it was OK to 
use them within the editor UI, but for permalinks I think we need to 
stick with handles and anchors and other identifiers.

Some users have asked for numeric anchors (different from the DB id), 
which I think is a good idea. So, post number one would have anchor 1, 
two would have 2, and so on.

So we'd have:

    myserver.com/roller/page/foo?entry=434

instead of:

    myserver.com/roller/page/foo?entry=i_hate_microsoft

- Dave


>
> what else would need to be changed?
>
> -- Allen
>
>>
>>>> i think there are actually 2 action items here.  (1) provide a good 
>>>> SSO
>>>> structure so that a roller admin could easily define what happens 
>>>> when a
>>>> user transfers from another application into roller and (2) provide 
>>>> a
>>>> good way for roller to be remotely administrated, possibly via 
>>>> secure
>>>> web services.  by remotely administrated i mean ... register users,
>>>> create weblogs, reset account info, etc.  we do this stuff at Sun 
>>>> right
>>>> now, but we've just hacked a backdoor for roller and really this 
>>>> should
>>>> be flushed out into a full feature.
>>>>
>>>>
>>>
>>> ahhh... a nice remote interface would be awesome. so much to do, so 
>>> little time.
>>>
>>>
>>>
>> I've been giving some thought to a Admin API that is based roughly on
>> the same fundamental design concepts as the Atom Publishing API.  It
>> would be great if we could come up with a mechanism that could be
>> implemented across multiple blogging platforms.
>>
>> - James
>

Re: Corporate Blogging Features

[Dave Johnson <da...@rollerweblogger.org>]

On Oct 6, 2005, at 4:06 PM, Elias Torres wrote:
> On 10/6/05, Allen Gilliland <Al...@sun.com> wrote:
>> I see what you guys are talking about, but for some reason I don't 
>> see this as being such a big deal.  I suppose it's not too nice if 
>> someone posts an entry called "i hate microsoft" along with links to 
>> microsoft sites, in that case the referers in the logs on the 
>> microsoft site would be something like 
>> "myserver.com/roller/page/foo?entry=i_hate_microsoft".
>
> Remember that not everyone blogging is really technical or blog savvy.
> We have the responsibility a company need to protect our employees.

I think this is an important feature for internal bloggers and IBM is 
not going to be the only company asking for this. As long as we can 
make it optional/pluggable, I don't see why we wouldn't want it in 
Roller.

- Dave

Re: Corporate Blogging Features

[James M Snell <ja...@gmail.com>]

Allen Gilliland wrote:

>On Thu, 2005-10-06 at 13:06, Elias Torres wrote:
>  
>
>>Yes, entryid could be used, but then we have userids. Also, if use
>>entryids we lose the advantages of using a nice readable anchor.
>>    
>>
>
>true, but i thought the goal in this case was anonymity and obfuscation?
>
>  
>
Externally yes, internally no.

- James

Re: Corporate Blogging Features

[Allen Gilliland <Al...@Sun.COM>]

On Thu, 2005-10-06 at 13:06, Elias Torres wrote:
> Yes, entryid could be used, but then we have userids. Also, if use
> entryids we lose the advantages of using a nice readable anchor.

true, but i thought the goal in this case was anonymity and obfuscation?

i guess i still don't understand exactly how you guys plan to tackle this problem.  maybe you could give a little more detail about how you think this would work.

-- Allen

Re: Corporate Blogging Features

[Elias Torres <el...@torrez.us>]

On 10/6/05, Allen Gilliland <Al...@sun.com> wrote:
> On Wed, 2005-10-05 at 20:15, James M Snell wrote:
> > Elias Torres wrote:
> >
> > >
> > >>i'm not sure i fully understand this one.  can you explain it more.
> > >>
> > >>
> > >
> > >Right now when people visit my external blog from IBM's internal
> > >server, I can see in my apache logs the entry anchor from the
> > >referrer. This can leak information such as
> > >"we_re_buying_chococalate_company_x". Do you know what I mean?
> > >
> > >
> > >
> > If I can weigh in on this, this is absolutely a major issue for us.
> > Ideally the URL's would be opaque in the first place, but using a global
> > redirector is a very good solution.
>
> I see what you guys are talking about, but for some reason I don't see this as being such a big deal.  I suppose it's not too nice if someone posts an entry called "i hate microsoft" along with links to microsoft sites, in that case the referers in the logs on the microsoft site would be something like "myserver.com/roller/page/foo?entry=i_hate_microsoft".

Remember that not everyone blogging is really technical or blog savvy.
We have the responsibility a company need to protect our employees.

>
> the only thing i see potentially worth concealing in that url is the actual anchor, and you could conceal that by using the entryid rather than anchor, which is something i think we should make possible anyways.

Yes, entryid could be used, but then we have userids. Also, if use
entryids we lose the advantages of using a nice readable anchor.

>
> what else would need to be changed?
>
> -- Allen
>
> >
> > >>i think there are actually 2 action items here.  (1) provide a good SSO
> > >>structure so that a roller admin could easily define what happens when a
> > >>user transfers from another application into roller and (2) provide a
> > >>good way for roller to be remotely administrated, possibly via secure
> > >>web services.  by remotely administrated i mean ... register users,
> > >>create weblogs, reset account info, etc.  we do this stuff at Sun right
> > >>now, but we've just hacked a backdoor for roller and really this should
> > >>be flushed out into a full feature.
> > >>
> > >>
> > >
> > >ahhh... a nice remote interface would be awesome. so much to do, so little time.
> > >
> > >
> > >
> > I've been giving some thought to a Admin API that is based roughly on
> > the same fundamental design concepts as the Atom Publishing API.  It
> > would be great if we could come up with a mechanism that could be
> > implemented across multiple blogging platforms.
> >
> > - James
>
>

Re: Corporate Blogging Features

[Allen Gilliland <Al...@Sun.COM>]

On Wed, 2005-10-05 at 20:15, James M Snell wrote:
> Elias Torres wrote:
> 
> >
> >>i'm not sure i fully understand this one.  can you explain it more.
> >>    
> >>
> >
> >Right now when people visit my external blog from IBM's internal
> >server, I can see in my apache logs the entry anchor from the
> >referrer. This can leak information such as
> >"we_re_buying_chococalate_company_x". Do you know what I mean?
> >
> >  
> >
> If I can weigh in on this, this is absolutely a major issue for us.  
> Ideally the URL's would be opaque in the first place, but using a global 
> redirector is a very good solution.

I see what you guys are talking about, but for some reason I don't see this as being such a big deal.  I suppose it's not too nice if someone posts an entry called "i hate microsoft" along with links to microsoft sites, in that case the referers in the logs on the microsoft site would be something like "myserver.com/roller/page/foo?entry=i_hate_microsoft".

the only thing i see potentially worth concealing in that url is the actual anchor, and you could conceal that by using the entryid rather than anchor, which is something i think we should make possible anyways.

what else would need to be changed?

-- Allen

> 
> >>i think there are actually 2 action items here.  (1) provide a good SSO
> >>structure so that a roller admin could easily define what happens when a
> >>user transfers from another application into roller and (2) provide a
> >>good way for roller to be remotely administrated, possibly via secure
> >>web services.  by remotely administrated i mean ... register users,
> >>create weblogs, reset account info, etc.  we do this stuff at Sun right
> >>now, but we've just hacked a backdoor for roller and really this should
> >>be flushed out into a full feature.
> >>    
> >>
> >
> >ahhh... a nice remote interface would be awesome. so much to do, so little time.
> >
> >  
> >
> I've been giving some thought to a Admin API that is based roughly on 
> the same fundamental design concepts as the Atom Publishing API.  It 
> would be great if we could come up with a mechanism that could be 
> implemented across multiple blogging platforms.
> 
> - James

Re: Corporate Blogging Features

[James M Snell <ja...@gmail.com>]

Elias Torres wrote:

>
>>i'm not sure i fully understand this one.  can you explain it more.
>>    
>>
>
>Right now when people visit my external blog from IBM's internal
>server, I can see in my apache logs the entry anchor from the
>referrer. This can leak information such as
>"we_re_buying_chococalate_company_x". Do you know what I mean?
>
>  
>
If I can weigh in on this, this is absolutely a major issue for us.  
Ideally the URL's would be opaque in the first place, but using a global 
redirector is a very good solution.

>>i think there are actually 2 action items here.  (1) provide a good SSO
>>structure so that a roller admin could easily define what happens when a
>>user transfers from another application into roller and (2) provide a
>>good way for roller to be remotely administrated, possibly via secure
>>web services.  by remotely administrated i mean ... register users,
>>create weblogs, reset account info, etc.  we do this stuff at Sun right
>>now, but we've just hacked a backdoor for roller and really this should
>>be flushed out into a full feature.
>>    
>>
>
>ahhh... a nice remote interface would be awesome. so much to do, so little time.
>
>  
>
I've been giving some thought to a Admin API that is based roughly on 
the same fundamental design concepts as the Atom Publishing API.  It 
would be great if we could come up with a mechanism that could be 
implemented across multiple blogging platforms.

- James

Re: Corporate Blogging Features

[Elias Torres <el...@torrez.us>]

On 10/5/05, Allen Gilliland <Al...@sun.com> wrote:
>
> Elias Torres wrote:
>
> >Hi everyone,
> >
> >I want to introduce yet another subject of things we see definitely
> >being needed in Roller for it to be more suited for internal corporate
> >blogging.
> >
> >- I have a patch ready (very simple) that allows the site
> >administrator through roller.properties specify which URLs users can
> >send trackbacks to. It'd be dump to send a trackback to an external
> >blog because people won't be access that post because it's on the
> >intranet. I've added a small check in the sendTrackback method in
> >WeblogEntryAction so it displays a nice error message when the URL is
> >not allowed. This should not affect anyone else.
> >
> >
> sounds good to me.
>
> >- Along the same lines as trackbacks, I need to check the pings we are
> >currently sending to blo.gs or weblogs.com and make sure they are
> >disabled or a mechanism similar like the ones for trackbacks is
> >developed.
> >
> >
> yep.  i think it would be nice if a lot of this stuff was easily toggled
> on/off via a property like "roller.mode=intranet".

good idea

>
> >- We disabled anonymous comments in the intranet. I will need to add
> >this feature to Roller as well, of course like anything else, it
> >should be optional. Wordpress implements this, so I don't think should
> >raise any objections from the team.
> >
> >
> that sounds like a good one too.  i think this one is reasonably big
> enough that we should see a design proposal for it though.  the main
> issue being how to properly set things up to do the authentication for
> comments.

I agree. I'll try to get one started, if I can figure out my login for
the wiki. :-)

>
> >- We'll write a PagePlugin that rewrites URLs in entries to go through
> >some global redirector (which we might add to Roller as well) so
> >anchors in entry URLs are not leaked to the web. Again, if anyone
> >wants to use Roller on the intranet, I think this is important.
> >
> >
> i'm not sure i fully understand this one.  can you explain it more.

Right now when people visit my external blog from IBM's internal
server, I can see in my apache logs the entry anchor from the
referrer. This can leak information such as
"we_re_buying_chococalate_company_x". Do you know what I mean?

>
> >- AutoRegistration. In Blog Central I made it so that for any user
> >that's authenticated by LDAP server if the UserManager did not find
> >the user, I would just create a blog for them. Instead I might follow
> >the Sun model to have a separate registration page where the password
> >is not required because we have our own auth methods.
> >
> >
> i think there are actually 2 action items here.  (1) provide a good SSO
> structure so that a roller admin could easily define what happens when a
> user transfers from another application into roller and (2) provide a
> good way for roller to be remotely administrated, possibly via secure
> web services.  by remotely administrated i mean ... register users,
> create weblogs, reset account info, etc.  we do this stuff at Sun right
> now, but we've just hacked a backdoor for roller and really this should
> be flushed out into a full feature.

ahhh... a nice remote interface would be awesome. so much to do, so little time.

>
> >I can't think of any others right now of the top of my head, but as
> >they come I'll send them.
> >
> >
> they all sound pretty good to me.
>
> -- Allen
>
> >Regards,
> >
> >Elias
> >
> >
>

Re: Corporate Blogging Features

[Allen Gilliland <Al...@Sun.COM>]

Elias Torres wrote:

>Hi everyone,
>
>I want to introduce yet another subject of things we see definitely
>being needed in Roller for it to be more suited for internal corporate
>blogging.
>
>- I have a patch ready (very simple) that allows the site
>administrator through roller.properties specify which URLs users can
>send trackbacks to. It'd be dump to send a trackback to an external
>blog because people won't be access that post because it's on the
>intranet. I've added a small check in the sendTrackback method in
>WeblogEntryAction so it displays a nice error message when the URL is
>not allowed. This should not affect anyone else.
>  
>
sounds good to me.

>- Along the same lines as trackbacks, I need to check the pings we are
>currently sending to blo.gs or weblogs.com and make sure they are
>disabled or a mechanism similar like the ones for trackbacks is
>developed.
>  
>
yep.  i think it would be nice if a lot of this stuff was easily toggled 
on/off via a property like "roller.mode=intranet". 

>- We disabled anonymous comments in the intranet. I will need to add
>this feature to Roller as well, of course like anything else, it
>should be optional. Wordpress implements this, so I don't think should
>raise any objections from the team.
>  
>
that sounds like a good one too.  i think this one is reasonably big 
enough that we should see a design proposal for it though.  the main 
issue being how to properly set things up to do the authentication for 
comments.

>- We'll write a PagePlugin that rewrites URLs in entries to go through
>some global redirector (which we might add to Roller as well) so
>anchors in entry URLs are not leaked to the web. Again, if anyone
>wants to use Roller on the intranet, I think this is important.
>  
>
i'm not sure i fully understand this one.  can you explain it more.

>- AutoRegistration. In Blog Central I made it so that for any user
>that's authenticated by LDAP server if the UserManager did not find
>the user, I would just create a blog for them. Instead I might follow
>the Sun model to have a separate registration page where the password
>is not required because we have our own auth methods.
>  
>
i think there are actually 2 action items here.  (1) provide a good SSO 
structure so that a roller admin could easily define what happens when a 
user transfers from another application into roller and (2) provide a 
good way for roller to be remotely administrated, possibly via secure 
web services.  by remotely administrated i mean ... register users, 
create weblogs, reset account info, etc.  we do this stuff at Sun right 
now, but we've just hacked a backdoor for roller and really this should 
be flushed out into a full feature.

>I can't think of any others right now of the top of my head, but as
>they come I'll send them.
>  
>
they all sound pretty good to me.

-- Allen

>Regards,
>
>Elias
>  
>

Re: Corporate Blogging Features

[Michael Appleby <mi...@yale.edu>]

Elias Torres wrote:

>- We disabled anonymous comments in the intranet. I will need to add
>this feature to Roller as well, of course like anything else, it
>should be optional. Wordpress implements this, so I don't think should
>raise any objections from the team.
>  
>
We have added the option to restrict comments to logged-in users.   In 
our implementation it's a per-post option, but forcing it "on" via a 
config property would be simple.   The logged-in user's username is 
stored with the comment.

-Michael

Re: Corporate Blogging Features

[Anil Gangolli <an...@busybuddha.org>]

>>
>> - Along the same lines as trackbacks, I need to check the pings we are
>> currently sending to blo.gs or weblogs.com and make sure they are
>> disabled or a mechanism similar like the ones for trackbacks is
>> developed.
>>  
>>
> In the current code base you can restrict the set of ping target sites 
> by disabling Custom Ping Targets.  The administrator still gets to 
> determine the set of Common Ping Targets.
>
> This is documented in the 1.2 User Guide.
> --a.

I meant to say the Admin Guide.  By the way, this is somewhat hard to 
find on our wiki, and there's a bogus section 9 in the table of contents 
in the User Guide that remains.  The link is below.  Check out the 
material in Section 3.5 on Disabling Custom Ping Targets.

http://www.rollerweblogger.org/wiki/Wiki.jsp?page=AdminstrationGuide_120

Re: Corporate Blogging Features

[Anil Gangolli <an...@busybuddha.org>]

Elias Torres wrote:

>Hi everyone,
>
>I want to introduce yet another subject of things we see definitely
>being needed in Roller for it to be more suited for internal corporate
>blogging.
>
>- I have a patch ready (very simple) that allows the site
>administrator through roller.properties specify which URLs users can
>send trackbacks to. It'd be dump to send a trackback to an external
>blog because people won't be access that post because it's on the
>intranet. I've added a small check in the sendTrackback method in
>WeblogEntryAction so it displays a nice error message when the URL is
>not allowed. This should not affect anyone else.
>
>- Along the same lines as trackbacks, I need to check the pings we are
>currently sending to blo.gs or weblogs.com and make sure they are
>disabled or a mechanism similar like the ones for trackbacks is
>developed.
>  
>
In the current code base you can restrict the set of ping target sites 
by disabling Custom Ping Targets.  The administrator still gets to 
determine the set of Common Ping Targets.

This is documented in the 1.2 User Guide.
--a.

>- We disabled anonymous comments in the intranet. I will need to add
>this feature to Roller as well, of course like anything else, it
>should be optional. Wordpress implements this, so I don't think should
>raise any objections from the team.
>
>- We'll write a PagePlugin that rewrites URLs in entries to go through
>some global redirector (which we might add to Roller as well) so
>anchors in entry URLs are not leaked to the web. Again, if anyone
>wants to use Roller on the intranet, I think this is important.
>
>- AutoRegistration. In Blog Central I made it so that for any user
>that's authenticated by LDAP server if the UserManager did not find
>the user, I would just create a blog for them. Instead I might follow
>the Sun model to have a separate registration page where the password
>is not required because we have our own auth methods.
>
>I can't think of any others right now of the top of my head, but as
>they come I'll send them.
>
>Regards,
>
>Elias
>
>
>  
>