Posted to commits@allura.apache.org by ke...@apache.org on 2020/06/08 15:27:23 UTC

[allura] branch kt/8362 updated (6bc072a -> 5d623f6)

This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a change to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git.


 discard 6bc072a  fixup! [#8362] Add secure attr to session cookie
 discard ccf3da3  [#8362] Add secure attr to session cookie
     add 59863ea  Add more functionality to the add_user_to_group.py script
     add 5df2588  email_change_notif email added/removed mail notifications
     add 522e634  email_change_notif email on primary changed, password recover, email verified
     add 992db64  email_change_notif prevent new email notifications on site-admin
     add 03e2aac  [#8361] templates tests pass
     add 84a477c  [#8361] only strings for dispatch paths
     add 34e0aa0  [#8361] test_admin fixes; MaxBytesValidator should not convert
     add c0fa061  [#8361] use our own UnicodeString validator to work around problem, make sure everywhere uses it
     add c440188  [#8361] work around formencode problems with Files/bytes
     add 829ce8b  [#8361] e.message doesn't exist in py3
     add 6308ce0  [#8361] don't utf8 encode urls in tests
     add e659af3  [#8361] referer fixes (comes in as bytes, we want to use it as a string)
     add 8c45db8  [#8361] more header encoding fixes
     add 3bad27b  [#8361] work on test; will need Easywidgets version bump
     add 66462e7  [#8361] Bump Easywidgets version
     add 9755507  [#8361] updated requirements.txt
     new 5fd1df1  [#8362] Add secure attr to session cookie
     new 25737e2  fixup! [#8362] Add secure attr to session cookie
     new 5d623f6  fixup! fixup! [#8362] Add secure attr to session cookie

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (6bc072a)
            \
             N -- N -- N   refs/heads/kt/8362 (5d623f6)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 Allura/allura/app.py                               |   6 +-
 Allura/allura/controllers/attachments.py           |   4 +-
 Allura/allura/controllers/auth.py                  |  51 ++++++++--
 Allura/allura/controllers/discuss.py               |  22 ++---
 Allura/allura/controllers/project.py               |   8 +-
 Allura/allura/controllers/repository.py            |   4 +-
 Allura/allura/controllers/rest.py                  |   6 +-
 Allura/allura/controllers/site_admin.py            |  20 ++--
 Allura/allura/ext/admin/admin_main.py              |   5 +-
 Allura/allura/ext/admin/widgets.py                 |  13 +--
 Allura/allura/ext/user_profile/user_main.py        |   9 +-
 Allura/allura/lib/plugin.py                        |   2 +-
 Allura/allura/lib/repository.py                    |   8 +-
 Allura/allura/lib/utils.py                         |   2 +-
 Allura/allura/lib/validators.py                    |  32 +++++-
 Allura/allura/lib/widgets/auth_widgets.py          |   2 +-
 Allura/allura/lib/widgets/discuss.py               |   9 +-
 Allura/allura/lib/widgets/form_fields.py           |  15 +--
 Allura/allura/lib/widgets/forms.py                 |  68 +++++++------
 Allura/allura/lib/widgets/user_profile.py          |   7 +-
 Allura/allura/public/nf/js/allura-base.js          |   3 +-
 Allura/allura/public/nf/js/maximize-content.js     |   2 +-
 Allura/allura/public/nf/js/memorable.js            |   2 +-
 .../mail/{password_changed.md => email_added.md}   |   4 +-
 .../mail/{password_changed.md => email_removed.md} |   4 +-
 ...assword_changed.md => primary_email_changed.md} |   4 +-
 Allura/allura/tests/decorators.py                  |  14 ++-
 Allura/allura/tests/functional/test_admin.py       |  31 +++---
 Allura/allura/tests/functional/test_auth.py        |  42 ++++++--
 Allura/allura/tests/functional/test_discuss.py     |  20 ++--
 Allura/allura/tests/functional/test_root.py        |   7 +-
 .../tests/templates/jinja_master/test_lib.py       |   5 +-
 Allura/allura/tests/test_plugin.py                 |  15 ++-
 Allura/allura/tests/unit/patches.py                |   7 +-
 Allura/allura/webhooks.py                          |   7 +-
 AlluraTest/alluratest/controller.py                |  12 ---
 ForgeBlog/forgeblog/main.py                        |  15 +--
 ForgeBlog/forgeblog/tests/functional/test_rest.py  |   6 +-
 ForgeBlog/forgeblog/widgets.py                     |   3 +-
 ForgeChat/forgechat/main.py                        |   6 +-
 .../forgediscussion/controllers/root.py            |   9 +-
 ForgeDiscussion/forgediscussion/forum_main.py      |   2 +-
 ForgeDiscussion/forgediscussion/widgets/admin.py   |   6 +-
 ForgeImporters/forgeimporters/base.py              |   4 +-
 ForgeImporters/forgeimporters/github/code.py       |   4 +-
 ForgeImporters/forgeimporters/github/tracker.py    |   4 +-
 ForgeImporters/forgeimporters/github/wiki.py       |   7 +-
 ForgeSVN/forgesvn/model/svn.py                     |   2 +-
 ForgeSVN/forgesvn/svn_main.py                      |   4 +-
 ForgeShortUrl/forgeshorturl/main.py                |  13 ++-
 .../forgetracker/tests/functional/test_root.py     |  16 +--
 ForgeTracker/forgetracker/tracker_main.py          |  31 +++---
 ForgeTracker/forgetracker/widgets/admin.py         |   5 +-
 ForgeTracker/forgetracker/widgets/bin_form.py      |   9 +-
 ForgeTracker/forgetracker/widgets/ticket_form.py   |   2 +-
 ForgeWiki/forgewiki/wiki_main.py                   |  15 +--
 requirements.in                                    |   6 +-
 requirements.txt                                   | 108 ++++++++++-----------
 scripts/add_user_to_group.py                       |  72 +++++++++++---
 59 files changed, 506 insertions(+), 315 deletions(-)
 copy Allura/allura/templates/mail/{password_changed.md => email_added.md} (87%)
 copy Allura/allura/templates/mail/{password_changed.md => email_removed.md} (87%)
 copy Allura/allura/templates/mail/{password_changed.md => primary_email_changed.md} (87%)


[allura] 02/03: fixup! [#8362] Add secure attr to session cookie

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 25737e23a26adb4a26c04b3062fb81e54c885f11
Author: Kenton Taylor <kt...@slashdotmedia.com>
AuthorDate: Tue Jun 2 15:05:41 2020 +0000

    fixup! [#8362] Add secure attr to session cookie
---
 Allura/allura/lib/custom_middleware.py | 3 ++-
 Allura/allura/lib/decorators.py        | 2 +-
 Allura/allura/lib/plugin.py            | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 521ad05..649b978 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -214,9 +214,10 @@ class CSRFMiddleware(object):
 
         def session_start_response(status, headers, exc_info=None):
             if dict(headers).get('Content-Type', '').startswith('text/html'):
+                use_secure = 'secure; ' if environ['beaker.session'].secure else ''
                 headers.append(
                     (str('Set-cookie'),
-                     str('%s=%s; secure; Path=/' % (self._cookie_name, cookie))))
+                     str('%s=%s; %sPath=/' % (self._cookie_name, cookie, use_secure))))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, session_start_response)
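Review bot: the new `use_secure` line does an unguarded `environ['beaker.session']` lookup inside the `start_response` callback, so any response that reaches this middleware without a Beaker session in the environ (Beaker's SessionMiddleware missing or ordered inside this one for that request) now fails with a KeyError while headers are being emitted, instead of merely losing the cookie. Prefer `session = environ.get('beaker.session')` followed by `use_secure = 'secure; ' if session is not None and session.secure else ''`, or document that Beaker must wrap `CSRFMiddleware`. The same `['beaker.session'].secure` expression is pasted again in `decorators.py` and `plugin.py` in this series; one small helper (say `cookie_secure(environ)`, a suggested name) would keep the policy in one place and give the lookup a single fallback.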
diff --git a/Allura/allura/lib/decorators.py b/Allura/allura/lib/decorators.py
index a4b9bd2..7eaeb22 100644
--- a/Allura/allura/lib/decorators.py
+++ b/Allura/allura/lib/decorators.py
@@ -219,7 +219,7 @@ def memorable_forget():
         :param raised: any error (redirect or exception) raised by the controller action
         """
         if _ok_to_forget(response, controller_result, raised):
-            response.set_cookie('memorable_forget', request.path)
+            response.set_cookie('memorable_forget', request.path, secure=request.environ['beaker.session'].secure)
 
     @decorator
     def _inner(func, *args, **kwargs):
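Review bot: the rewritten `set_cookie` call runs well past 100 columns; wrap the keyword argument onto its own line. The decision is also now tied to Beaker's session configuration rather than to the scheme of the request, which is consistent with `custom_middleware.py` but means a deployment that terminates TLS at a proxy and leaves the session cookie setting at its default will emit this cookie without Secure; a comment naming the config key that drives it would save the next reader a search.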
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index a79750c..86bb0b5 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -1554,6 +1554,7 @@ class ThemeProvider(object):
         response.set_cookie(
             'site-notification',
             set_cookie,
+            secure=request.environ['beaker.session'].secure,
             max_age=timedelta(days=365))
         return note
 
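Review bot: `secure` here comes from the Beaker session setting, but the same `site-notification` cookie is rewritten client-side in `allura-base.js` (later in this series) with `secure` derived from the page protocol instead. When the two rules disagree, for example HTTPS terminated at a proxy with the session cookie setting left at its default, the cookie alternates between Secure and non-Secure depending on which side wrote it last, and a browser will refuse an insecure rewrite of a Secure cookie. Decide which rule is authoritative and use it on both sides, or state in a comment why the two are allowed to differ. `httponly` is correctly absent, since the JS reads and updates this cookie.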


[allura] 03/03: fixup! fixup! [#8362] Add secure attr to session cookie

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 5d623f60e31570edd51bf716af1d6ad571aa4c53
Author: Kenton Taylor <kt...@slashdotmedia.com>
AuthorDate: Thu Jun 4 18:41:10 2020 +0000

    fixup! fixup! [#8362] Add secure attr to session cookie
---
 Allura/allura/lib/plugin.py                    |  2 +-
 Allura/allura/public/nf/js/allura-base.js      |  3 ++-
 Allura/allura/public/nf/js/maximize-content.js |  2 +-
 Allura/allura/public/nf/js/memorable.js        |  2 +-
 Allura/allura/tests/test_plugin.py             | 15 +++++++++++----
 5 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 86bb0b5..bcf6527 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -261,7 +261,7 @@ class AuthenticationProvider(object):
         self.session.invalidate()
         self.session.save()
         response.delete_cookie('allura-loggedin')
-        response.set_cookie('memorable_forget', '/')
+        response.set_cookie('memorable_forget', '/', secure=request.environ['beaker.session'].secure)
 
     def validate_password(self, user, password):
         '''Check that provided password matches actual user password
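Review bot: this line is over 100 columns; split the call across lines. It is also the fourth copy of `request.environ['beaker.session'].secure` in the series, which argues for the helper suggested on the middleware hunk. The cookie is written with webob's default `path='/'`, matching the `path: '/'` that `memorable.js` uses to remove it; a short comment that the two must stay in step would prevent a future path mismatch from leaving a stale cookie behind.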
diff --git a/Allura/allura/public/nf/js/allura-base.js b/Allura/allura/public/nf/js/allura-base.js
index 6a4fd10..a4031d6 100644
--- a/Allura/allura/public/nf/js/allura-base.js
+++ b/Allura/allura/public/nf/js/allura-base.js
@@ -218,7 +218,8 @@ $(function(){
         cookie = cookie.replace(new RegExp(note_id + '-([0-9]+)-False'), note_id + '-$1-True');
         $.cookie('site-notification', cookie, {
             expires: 365,
-            path: '/'
+            path: '/',
+            secure: top.location.protocol==='https:' ? true : false
         });
         e.preventDefault();
         return false;
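Review bot: `top.location.protocol==='https:' ? true : false` is a redundant ternary around an expression that is already a boolean, and `top.location` throws a SecurityError when the page is embedded in a cross-origin frame. Use `secure: window.location.protocol === 'https:'` (with spaces around the operator, as in the rest of the file): the cookie belongs to this document's origin, not to the top frame's, so the current document's protocol is the right thing to test.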
diff --git a/Allura/allura/public/nf/js/maximize-content.js b/Allura/allura/public/nf/js/maximize-content.js
index 7202125..c714057 100644
--- a/Allura/allura/public/nf/js/maximize-content.js
+++ b/Allura/allura/public/nf/js/maximize-content.js
@@ -25,7 +25,7 @@ $(document).ready(function () {
     $('#maximize-content, #restore-content').click(function (e) {
         $('body').toggleClass('content-maximized');
         var is_visible = $(".content-maximized").is(":visible") ? 'true' : 'false';
-        $.cookie('maximizeView', is_visible);
+        $.cookie('maximizeView', is_visible, {secure: true});
 
         e.preventDefault();
         return false;
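Review bot: `{secure: true}` is hardcoded here while `allura-base.js` in the same commit derives the flag from the page protocol. On a plain-HTTP deployment, which the Beaker-driven server-side logic in this series explicitly supports, a Set-Cookie carrying Secure issued from an http: origin is discarded by current browsers, so the maximize state silently stops persisting. Apply the same `location.protocol === 'https:'` test. Note also that no `path` is given, so the browser scopes this cookie to the current directory; that is pre-existing, but worth fixing while touching the line if the setting is meant to be site-wide.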
diff --git a/Allura/allura/public/nf/js/memorable.js b/Allura/allura/public/nf/js/memorable.js
index e756cea..7143f35 100644
--- a/Allura/allura/public/nf/js/memorable.js
+++ b/Allura/allura/public/nf/js/memorable.js
@@ -264,7 +264,7 @@ Memorable.forget = function(key_prefix){
                 localStorage.removeItem(localStorage.key(i));
             }
         }
-        $.removeCookie('memorable_forget', { path: '/' });
+        $.removeCookie('memorable_forget', { path: '/', secure: true });
     }
 };
 
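Review bot: `$.removeCookie` with `secure: true` is a deletion expressed as a Set-Cookie with a past expiry and the Secure attribute; from an http: origin browsers drop it, so on a non-HTTPS deployment, where the server side in this series sets `memorable_forget` without Secure, the cookie is never cleared by this code. Mirror the server rule with `secure: location.protocol === 'https:'`, or better, have the server clear the cookie since it already owns the attribute decision.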
diff --git a/Allura/allura/tests/test_plugin.py b/Allura/allura/tests/test_plugin.py
index e615b74..04cd893 100644
--- a/Allura/allura/tests/test_plugin.py
+++ b/Allura/allura/tests/test_plugin.py
@@ -338,9 +338,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': 'deadbeef-1-false'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-2-False', max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
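Review bot: every updated case sets `request.environ['beaker.session'].secure = False` and asserts `secure=False`, so an implementation that passes `secure=False` unconditionally (the pre-patch behaviour, in effect) would still pass all four. Add at least one case with `.secure = True` that asserts `secure=True` so the test actually shows the flag propagating from the session to the cookie.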
@@ -370,9 +372,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': '0ddba11-1000-true'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
@@ -387,9 +391,10 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {}
+        request.environ['beaker.session'].secure = False
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c', MagicMock())
     @patch('allura.model.notification.SiteNotification')
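Review bot: this case omits the blank line the other three insert after the `.secure = False` assignment; keep the four consistent. Better still, the same assignment is now pasted into four tests; move it into the class's setup or into whatever helper builds the mocked request, so the secure flag is configured once and individual tests only override it when they need the True branch.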
@@ -404,9 +409,11 @@ class TestThemeProvider_notifications(object):
         note.page_tool_type = None
         SiteNotification.actives.return_value = [note]
         request.cookies = {'site-notification': 'deadbeef-1000-true-bad'}
+        request.environ['beaker.session'].secure = False
+
         assert_is(ThemeProvider().get_site_notification(), note)
         response.set_cookie.assert_called_once_with(
-            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365))
+            'site-notification', 'deadbeef-1-False', max_age=dt.timedelta(days=365), secure=False)
 
     @patch('allura.lib.plugin.c')
     @patch('allura.model.notification.SiteNotification')


[allura] 01/03: [#8362] Add secure attr to session cookie

Posted by ke...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

kentontaylor pushed a commit to branch kt/8362
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 5fd1df12ba16a5db5386b6c63b7ad187c0b5178b
Author: Kenton Taylor <kt...@slashdotmedia.com>
AuthorDate: Fri May 29 14:54:13 2020 +0000

    [#8362] Add secure attr to session cookie
---
 Allura/allura/lib/custom_middleware.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 1b21f92..521ad05 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -216,7 +216,7 @@ class CSRFMiddleware(object):
             if dict(headers).get('Content-Type', '').startswith('text/html'):
                 headers.append(
                     (str('Set-cookie'),
-                     str('%s=%s; Path=/' % (self._cookie_name, cookie))))
+                     str('%s=%s; secure; Path=/' % (self._cookie_name, cookie))))
             return start_response(status, headers, exc_info)
 
         return self._app(environ, session_start_response)
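Review bot: adding `secure;` unconditionally breaks every instance served over plain HTTP, development and test setups included: browsers will not return a Secure cookie on an http: request, so the CSRF cookie set here never comes back and every form post fails the CSRF check. The flag has to follow the deployment's session cookie setting, which is exactly what the first fixup! in this series does with `use_secure = 'secure; ' if environ['beaker.session'].secure else ''`; squash the fixups before merging so this intermediate state never lands on the shared branch.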