This avoids nasty surprises on upgrade if a site is using httpauth,
or passwordauth with an account_creation_password, and relying on
only a select group of users being able to edit the site. We can revisit
this for ikiwiki 4.
default_plugins => {
type => "internal",
default => [qw{mdwn link inline meta htmlscrubber passwordauth
default_plugins => {
type => "internal",
default => [qw{mdwn link inline meta htmlscrubber passwordauth
- openid emailauth signinedit lockedit conditional
+ openid signinedit lockedit conditional
recentchanges parentlinks editpage
templatebody}],
description => "plugins to enable by default",
recentchanges parentlinks editpage
templatebody}],
description => "plugins to enable by default",
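Review bot: openid stays in this default list, so once the openid plugin loads emailauth, emailauth is still active on every site that has not put openid in disable_plugins. The protection described in the commit message therefore only covers sites that already disable openid. Say that explicitly in the commit message or NEWS, so that an httpauth or account_creation_password site that never disabled openid knows it must add emailauth to disable_plugins as well.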
hook(type => "auth", id => "openid", call => \&auth);
hook(type => "formbuilder_setup", id => "openid",
call => \&formbuilder_setup, last => 1);
hook(type => "auth", id => "openid", call => \&auth);
hook(type => "formbuilder_setup", id => "openid",
call => \&formbuilder_setup, last => 1);
+ IkiWiki::loadplugin("emailauth");
IkiWiki::loadplugin("loginselector");
IkiWiki::Plugin::loginselector::register_login_plugin(
"openid",
IkiWiki::loadplugin("loginselector");
IkiWiki::Plugin::loginselector::register_login_plugin(
"openid",
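Review bot: the added IkiWiki::loadplugin("emailauth") call is unconditional, and nothing visible in this hunk shows that it is skipped when emailauth is listed in disable_plugins, which is the opt-out the NEWS entry promises. Confirm that loadplugin honours disable_plugins for a plugin pulled in this way, and add a test with openid enabled and emailauth disabled, so that an administrator's opt-out cannot silently stop working. A short comment above the call saying why openid pulls in emailauth would also help the next reader.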
+ikiwiki (3.20150330) UNRELEASED; urgency=medium
+
+ The new "emailauth" plugin allows users to authenticate using an email
+ address, without otherwise creating an account.
+
+ The openid plugin now enables emailauth by default. Please include
+ emailauth in the disable_plugins setting if this is not desired.
+ Conversely, if emailauth is required on a wiki that does not enable
+ openid, you can list it in the enable_plugins setting.
+
+ -- Simon McVittie <smcv@debian.org> Wed, 27 May 2015 08:30:43 +0100
+
ikiwiki (3.20150107) experimental; urgency=medium
By default, this version of IkiWiki tells mobile browsers that its
ikiwiki (3.20150107) experimental; urgency=medium
By default, this version of IkiWiki tells mobile browsers that its
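Review bot: the last sentence of the new entry names an enable_plugins setting. Check that against the setup option that pairs with disable_plugins, which I would expect to be add_plugins. An administrator following the text literally could otherwise set a key that has no effect and assume emailauth is on when it is not.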
ikiwiki (3.20150330) UNRELEASED; urgency=medium
ikiwiki (3.20150330) UNRELEASED; urgency=medium
* New emailauth plugin lets users log in, without any registration,
by simply clicking on a link in an email.
* Re-remove google from openid selector; their openid provider is
* New emailauth plugin lets users log in, without any registration,
by simply clicking on a link in an email.
* Re-remove google from openid selector; their openid provider is
* Make cgiurl output deterministic, not hash order. Closes: #785738
Thanks, Daniel Kahn Gillmor
* Make cgiurl output deterministic, not hash order. Closes: #785738
Thanks, Daniel Kahn Gillmor
+ [ Simon McVittie ]
+ * Do not enable emailauth by default, to avoid surprises on httpauth-only
+ sites. Enable it by default in openid instead, since it is essentially
+ a replacement for OpenIDs.
+
-- Joey Hess <id@joeyh.name> Tue, 28 Apr 2015 12:24:08 -0400
ikiwiki (3.20150329) experimental; urgency=high
-- Joey Hess <id@joeyh.name> Tue, 28 Apr 2015 12:24:08 -0400
ikiwiki (3.20150329) experimental; urgency=high
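Review bot: the added "[ Simon McVittie ]" section follows bullets that carry no name header, so a reader has to infer from the trailer that they are Joey Hess's. Adding "[ Joey Hess ]" above the first bullet of this entry keeps attribution unambiguous. The new bullet could also point to the NEWS entry for the opt-out, since it changes which authentication methods are active.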
the login, a one-time-use link is emailed to the user, and they can simply
open that link in their browser.
the login, a one-time-use link is emailed to the user, and they can simply
open that link in their browser.
-It is enabled by default, but can be turned off if you want to only use
-some other form of authentication, such as [[passwordauth]] or [[openid]].
+It is (indirectly) enabled by default, but can be turned off if you want to
+only use some other form of authentication, such as [[passwordauth]] or
+[[openid]].
Users who have logged in using emailauth will have their email address used as
their username. In places where the username is displayed, like the
Users who have logged in using emailauth will have their email address used as
their username. In places where the username is displayed, like the
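Review bot: "(indirectly)" in the rewritten sentence does not say what enables the plugin. Name the mechanism: emailauth is loaded by [[openid]], which is enabled by default, so a wiki that disables openid gets emailauth only if it lists it explicitly, and emailauth can be turned off on its own through disable_plugins. Without that, an administrator reading only this page cannot tell which setting controls it.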
>>>
>>> Another way to do it would be to hash the email address,
>>> so the commit appears to come from
>>>
>>> Another way to do it would be to hash the email address,
>>> so the commit appears to come from
->>> `smcv <smcv@dc84925053b18a910f4b95fb7ce1bf802eb7d80e>` instead of
+>>> `smcv <smcv@02f3eecb59311fc89970578832b63d57a071579e>` instead of
>>> from `smcv <smcv@debian.org>` - if the hash is of `mailto:whatever`
>>> (like my example one) then it's compatible with
>>> [FOAF](http://xmlns.com/foaf/spec/#term_mbox_sha1sum).
>>> from `smcv <smcv@debian.org>` - if the hash is of `mailto:whatever`
>>> (like my example one) then it's compatible with
>>> [FOAF](http://xmlns.com/foaf/spec/#term_mbox_sha1sum).
to random third parties. The principle of least astonishment would suggest
that we should do the same here.
to random third parties. The principle of least astonishment would suggest
that we should do the same here.
+> This part is now addressed by cloaking email addresses:
+> `smcv@debian.org` → `smcv@02f3eecb59311fc89970578832b63d57a071579e`
+> (that's the sha1sum of `mailto:smcv@debian.org`, as used in FOAF).
+> --[[smcv]]
+
(The expectation of privacy for direct git commits is rather different:
I think we can expect direct git committers to know that they
should either set a plausible non-email-address in their git identity,
(The expectation of privacy for direct git commits is rather different:
I think we can expect direct git committers to know that they
should either set a plausible non-email-address in their git identity,
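Review bot: the added reply says the exposure is "now addressed" by cloaking, but the cloak is an unsalted sha1sum of mailto: plus the address, so anyone who already holds a candidate address can hash it and confirm a match against the commit author. Word this as protection against harvesting addresses from the history rather than as hiding who committed, so that users with a stronger privacy expectation are not misled.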