Commit Graph

70 Commits (d17225bd2f9192492c47638b33a73675ad4bb491)

Author SHA1 Message Date
Simon McVittie d283e4ca1a useragent: Automatically choose whether to use LWPx::ParanoidAgent
The simple implementation of this, which I'd prefer to use, would be:
if we can import LWPx::ParanoidAgent, use it; otherwise, use
LWP::UserAgent.

However, aggregate has historically worked with proxies, and
LWPx::ParanoidAgent quite reasonably refuses to work with proxies
(because it can't know whether those proxies are going to do the same
filtering that LWPx::ParanoidAgent would).

Signed-off-by: Simon McVittie <smcv@debian.org>
2019-02-26 22:21:27 +00:00
Simon McVittie 2afb0dd663 Do not directly enable emailauth by default, only indirectly via openid
This avoids nasty surprises on upgrade if a site is using httpauth,
or passwordauth with an account_creation_password, and relying on
only a select group of users being able to edit the site. We can revisit
this for ikiwiki 4.
2015-05-27 08:52:01 +01:00
Joey Hess 95e1e51caa emailauth link sent and verified; user login works
Still some work to do since the user name is an email address and should
not be leaked.
2015-05-13 22:27:03 -04:00
Joey Hess 5b459737a5 Converted openid-selector into a more generic loginselector helper plugin. 2015-05-13 18:50:29 -04:00
Joey Hess f8add0adb3 rename openid selector files to login-selector 2015-05-13 17:58:59 -04:00
Joey Hess 7765941011 further generalization of openid selector
Now template variables can be set to control which login methods are shown
2015-05-13 17:51:29 -04:00
Joey Hess ab4d9a5467 generalized the openid selector to a login selector
This includes some CSS changes to names of elements.

Also, added Email login button (doesn't work yet of course),
and brought back the small openid login buttons. Demoted yahoo and verizon
to small buttons. This makes the big buttons be the main login types, and
the small buttons be provider-specific helpers.
2015-05-13 16:50:44 -04:00
Joey Hess ec72b4c95b When openid and passwordauth are the only enabled auth plugins, make the openid selector display "Password" instead of "Other", so users are more likely to click on it when they don't have an openid. 2015-05-13 12:18:22 -04:00
Joey Hess ea8c7a7e02 openid: Stop suppressing the email field on the Preferences page.
This is needed for notifyemail, and not all openid providers report an
email address, or necessarily the one the user wants to get email.
2014-11-06 15:00:09 -04:00
Amitai Schlair 09e7c1ad99 IkiWiki::Plugin::openid: as a precaution, do not call non-coderefs
We're running under "use strict" here, so if CGI->param's array-context
misbehaviour passes an extra non-ref parameter, it shouldn't be executed
anyway... but it's as well to be safe.

[commit message added by smcv]
2014-10-16 22:24:48 +01:00
Simon McVittie f4ec7b06d9 Make sure we do not pass multiple CGI parameters in function calls
When CGI->param is called in list context, such as in function
parameters, it expands to all the potentially multiple values
of the parameter: for instance, if we parse query string a=b&a=c&d=e
and call func($cgi->param('a')), that's equivalent to func('b', 'c').
Most of the functions we're calling do not expect that.

I do not believe this is an exploitable security vulnerability in
ikiwiki, but it was exploitable in Bugzilla.
2014-10-16 22:24:47 +01:00
Tuomas Jormola dc53ca18f2 Bug#737121: ikiwiki: [PATCH] Implement configuration option to set the user agent string for outbound HTTP requests
Package: ikiwiki
Version: 3.20140125
Severity: wishlist

By default, LWP::UserAgent used by IkiWiki to perform outbound HTTP
requests sends the string "libwww-perl/<version number>" as User-Agent
header in HTTP requests. Some blogging platforms have blacklisted the
user agent and won't serve any content for clients using this user agent
string. With IkiWiki configuration option "useragent" it's now possible
to define a custom string that is used for the value of the User-Agent
header.
2014-02-01 16:53:33 -04:00
Amitai Schlair 462d8f8015 Honor proxy env vars and reliably honor cookiejar. 2013-07-27 08:12:01 -04:00
Joey Hess c849a9f409 openid: Automatically upgrade openid_realm to https when accessed via https. 2013-06-29 13:31:47 -04:00
Joey Hess c29413ba2a openid: Display openid in Preferences page as a comment, so it can be selected in all browsers. 2012-12-04 13:59:19 -04:00
Joey Hess a695b5b2f8 updated jquery and made it its own underlay 2011-06-15 19:15:06 -04:00
Joey Hess b2754fa272 openid: also use Net::INET6Glue if available 2011-05-09 18:15:35 -04:00
Joey Hess d991ccf134 use cgitemplate, remove misctemplate 2011-01-05 17:15:38 -04:00
Joey Hess 326c4d6af2 use CGI->url to get current absolute cgi url for openid login process 2010-12-25 15:08:22 -04:00
Joey Hess 93d7368a32 revert cgiurl change that broke openid login 2010-12-25 14:23:55 -04:00
Simon McVittie 296e5cb2fd Use local paths for the CGI URL 2010-11-23 00:12:17 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess dbb63cb7fd openid: Fix handling of utf-8 nicknames. 2010-07-11 13:38:37 -04:00
Joey Hess 7fdf1f1d00 move nickname sanitization out
Probably best to store it unsanitized and sanitize as needed on use.
And it already was for comments, leaving only the need to sanitize the
nickname when git committing, to ensure the email address is legal.
2010-07-04 16:44:38 -04:00
Joey Hess acde957512 further sanitize nickname characters 2010-07-04 16:12:50 -04:00
Joey Hess 9a32451986 finalizing openid nickname support
Renamed usershort => nickname.

Note that this means existing user login sessions will not have the nickname
recorded, and so it won't be used for those.
2010-06-23 20:16:01 -04:00
Joey Hess b38b9327a8 take username from email address as fallback 2010-06-23 19:36:23 -04:00
Joey Hess d5181a1977 realm is an url pattern 2010-06-11 14:14:20 -04:00
Joey Hess 475b4199e1 openid: Add openid_realm and openid_cgiurl configuration options, useful in a few edge case setups. 2010-06-11 13:53:56 -04:00
Joey Hess c3e9215e1f moved non-openid signin form into same page as openid selector; show/hide as buttons are pressed 2010-05-08 15:57:39 -04:00
Joey Hess b8dcaf91d0 scale display form to match openid size 2010-05-07 21:48:50 -04:00
Joey Hess 8f6cfbfade Removed the openidsignup option. 2010-05-07 21:33:27 -04:00
Joey Hess 1e75389a85 bugfix
Always load IkiWiki::CGI so its cgi_signin is present, so we replace it.
2010-05-07 21:28:59 -04:00
Joey Hess dc0d48459c bugfix 2010-05-07 21:27:02 -04:00
Joey Hess c1e365abdc remove loginlabel, not used 2010-05-07 21:20:21 -04:00
Joey Hess f8c2a67b3c pretty openid login
* openid: Incorporated a fancy openid-selector signin form.
  (http://code.google.com/p/openid-selector/)
* openid: Use "openid_identifier" as the form field, as required
  by OpenID Authentication v2.0 spec.
2010-05-07 20:14:25 -04:00
Joey Hess 378c647768 patch hidden field setting code
Fixes http://code.google.com/p/openid-selector/issues/detail?id=11#c3
2010-05-07 19:10:50 -04:00
Joey Hess a76206d480 fix back-compat with old Net::OpenID
Debian stable's Net::OpenID does not support getting extension fields.
2010-03-24 15:32:35 -04:00
Joey Hess a01e0679f4 openid: Use Openid Simple Registration or OpenID Attribute Exchange to get the user's email address and username.
The info is stored in the session database, not the user database.
There should be no reason to need it when a user is not logged in.

Also, hide the email field in the preferences page for openid users.

Note that the email and username are not yet actually used for anything.
The email will be useful for gravatar, while the username might be used
for a more pretty display of the openid.
2010-03-13 19:08:15 -05:00
Joey Hess a63929f6cc Group related plugins into sections in the setup file, and drop unused rcs plugins from the setup file. 2010-02-11 22:24:15 -05:00
Joey Hess 046095552a httpauth: When cgiauthurl is configured, httpauth can now be used alongside other authentication methods (like openid or anonok). Rather than always redirect to the cgiauthurl for authentication, there is now a button on the login form to use it. 2010-02-11 17:26:09 -05:00
Joey Hess b547170a96 Improve display of openid in preferences page.
Now that openiduser is in IkiWiki core, it's ok to have passwordauth check
for it, and avoid displaying useless password fields when showing
preferences for an openid.

Also improved the styling of the display of the openid in the preferences
page.
2010-02-04 15:07:10 -05:00
Simon McVittie e12b7f5e54 Move OpenID pretty-printing from openid plugin to core
On various sites I have two IkiWiki instances running from the same
repository: one accessible via http and only accepting openid logins,
and one accessible via authenticated https and only accepting httpauth.
The https version should still pretty-print OpenIDs seen in git history,
even though it does not itself accept OpenID logins.
2009-07-10 18:41:16 +01:00
Simon McVittie ea4686a565 Update IkiWiki::openiduser to work with Net::OpenID 2.x
openiduser previously used a constructor that no longer works in 2.x.
However, all we actually want is the (undocumented) DisplayOfURL function
that is invoked by the display method, so try to use that.
(cherry picked from commit c3dd0ff5c7c10743107f203a5b456fdcd1b171df)
2009-07-07 13:38:04 -04:00
Joey Hess 678d467a40 finalise version 3.00 of the plugin api 2008-12-23 16:34:19 -05:00
Simon McVittie 801dc76bf0 openid: in &openiduser, allow subdirectory-style providers to end with '/'
This improves the display of OpenIDs like 'http://id.mayfirst.org/jamie/'
(taking an example from the IkiWiki commit log).
2008-12-21 16:36:22 +00:00
Simon McVittie e0cd19f30b openid: in &openiduser, let domain-style providers have arbitrarily many subdomains
This leads to better display for OpenIDs like smcv.pseudorandom.co.uk
and thm.id.fedoraproject.org (to take a couple of examples from the
IkiWiki commit history).
2008-12-21 16:36:10 +00:00
Joey Hess bb93fccf06 Coding style change: Remove explicit vim folding markers. 2008-12-17 15:22:16 -05:00
Joey Hess a32c0ecd51 include perl error in warning about openid
it may be some other module missing, this way you can tell by reading the
log
2008-09-23 12:59:43 -04:00
Joey Hess 39195de96e add plugin safe/rebuild info (part 2 of 3)
(brain.. melting..)
2008-08-03 17:20:21 -04:00