value => $session->param("name"),
size => 50, force => 1,
fieldset => "login");
+ $form->field(name => "email", type => "hidden");
}
}
}
}
+ # Ask for client to provide a name and email, if possible.
+ # Try sreg and ax
+ $claimed_identity->set_extension_args(
+ 'http://openid.net/extensions/sreg/1.1',
+ {
+ optional => 'email,fullname,nickname',
+ },
+ );
+ $claimed_identity->set_extension_args(
+ 'http://openid.net/srv/ax/1.0',
+ {
+ mode => 'fetch_request',
+ 'required' => 'email,fullname,nickname,firstname',
+ 'type.email' => "http://schema.openid.net/contact/email",
+ 'type.fullname' => "http://axschema.org/namePerson",
+ 'type.nickname' => "http://axschema.org/namePerson/friendly",
+ 'type.firstname' => "http://axschema.org/namePerson/first",
+ },
+ );
+
my $check_url = $claimed_identity->check_url(
return_to => IkiWiki::cgiurl(do => "postsignin"),
trust_root => $config{cgiurl},
}
elsif (my $vident = $csr->verified_identity) {
$session->param(name => $vident->url);
+
+ my @extensions=grep { defined } (
+ $vident->signed_extension_fields('http://openid.net/extensions/sreg/1.1'),
+ $vident->signed_extension_fields('http://openid.net/srv/ax/1.0'),
+ );
+ foreach my $ext (@extensions) {
+ foreach my $field (qw{value.email email}) {
+ if (exists $ext->{$field} &&
+ defined $ext->{$field} &&
+ length $ext->{$field}) {
+ $session->param(email => $ext->{$field});
+ last;
+ }
+ }
+ foreach my $field (qw{value.nickname nickname value.fullname fullname value.firstname}) {
+ if (exists $ext->{$field} &&
+ defined $ext->{$field} &&
+ length $ext->{$field}) {
+ $session->param(username => $ext->{$field});
+ last;
+ }
+ }
+ }
}
else {
error("OpenID failure: ".$csr->err);
safe => 0,
rebuild => 0,
},
+ websetup_unsafe => {
+ type => "string",
+ example => [],
+ description => "list of additional setup field keys to treat as unsafe",
+ safe => 0,
+ rebuild => 0,
+ },
websetup_show_unsafe => {
type => "boolean",
example => 1,
}
}
+sub issafe ($) {
+ my $key=shift;
+
+ return ! grep { $_ eq $key } @{$config{websetup_unsafe}};
+}
+
sub showfields ($$$@) {
my $form=shift;
my $plugin=shift;
# XXX hashes not handled yet
next if ref $config{$key} && ref $config{$key} eq 'HASH' || ref $info{example} eq 'HASH';
# maybe skip unsafe settings
- next if ! $info{safe} && ! ($config{websetup_show_unsafe} && $config{websetup_advanced});
+ next if ! ($config{websetup_show_unsafe} && $config{websetup_advanced}) &&
+ (! $info{safe} || ! issafe($key));
# maybe skip advanced settings
next if $info{advanced} && ! $config{websetup_advanced};
# these are handled specially, so don't show
if (ref $value eq 'ARRAY' || ref $info{example} eq 'ARRAY') {
$value=[(ref $value eq 'ARRAY' ? map { Encode::encode_utf8($_) } @{$value} : "")];
- push @$value, "", "" if $info{safe}; # blank items for expansion
+ push @$value, "", "" if $info{safe} && issafe($key); # blank items for expansion
}
else {
$value=Encode::encode_utf8($value);
}
}
- if (! $info{safe}) {
+ if (! $info{safe} || ! issafe($key)) {
$form->field(name => $name, disabled => 1);
}
else {
@value=0;
}
- if (! $info{safe}) {
+ if (! $info{safe} || ! issafe($key)) {
error("unsafe field $key"); # should never happen
}
+ikiwiki (3.20100313) UNRELEASED; urgency=low
+
+ * websetup: Add websetup_unsafe to allow marking other settings
+ as unsafe.
+ * openid: Use Openid Simple Registration or OpenID Attribute Exchange
+ to get the user's email address and username.
+
+ -- Joey Hess <joeyh@debian.org> Sat, 13 Mar 2010 14:48:10 -0500
+
ikiwiki (3.20100312) unstable; urgency=HIGH
* Fix utf8 issues in calls to md5_hex.
enough to be manipulated over the web; these are still shown, by default,
but cannot be modified. To hide them, set `websetup_show_unsafe` to false
in the setup file. A few settings have too complex a data type to be
-configured via the web.
+configured via the web. To mark additional settings as unsafe, you can
+list them in `websetup_unsafe`.
Plugins that should not be enabled/disabled via the web interface can be
listed in `websetup_force_plugins` in the setup file.
A slightly more complex next step would be to request sreg from the provider and, if provided, automatically set the identity's username and email address from the provided persona. If username login to accounts with blank passwords is disabled, then you have the best of both worlds. Passwordless signin, human-friendly attribution, automatic setting of preferences.
+> Given that openids are a global user identifier, that can look as pretty
+> as the user cares to make it look via delegation, I am not a fan of
+> having a site-local identifier that layered on top of that. Perhaps
+> partly because every site that I have seen that does that has openid
+> implemented as a badly-done wart on the side of their regular login
+> system.
+>
+> Openid Simple Registration is now used to populate the userdb with the
+> email address for openid users.
+>
+> I am considering displaying the userid or fullname, if available,
+> instead of the munged openid url in recentchanges. It would be nice
+> for those nasty [[google_openids|forum/google_openid_broken?]]. But,
+> I first have to find a way to encode the name in the VCS commit log,
+> while still keeping the openid of the committer in there too.
+> Perhaps something like this (for git): --[[Joey]]
+>
+> Author: Joey Hess <http://joey.kitenet.net/@web>
+
Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat.
[[!tag wishlist]]
[[!tag wishlist]]
It would be nice if ikiwiki, particularly [[plugins/comments]]
-supported user avatar icons. I was considering adding a directive for this,
-as designed below.
+supported user avatar icons.
-However, there is no *good* service for mapping openids to avatars --
-openavatar has many issues, including not supporting delegated openids, and
-after trying it, I don't trust it to push users toward.
-Perhaps instead ikiwiki could get the email address from the openid
-provider, though I think the perl openid modules don't support the openid
-2.x feature that allows that.
-
-At the moment, working on this doesn't feel like a good use of my time.
---[[Joey]]
-
-Hmm.. unless is just always used a single provider (gravatar) and hashed
-the openid. Then wavatars could be used to get a unique avatar per openid
-at least. --[[Joey]]
-
-----
-
-The directive displays a small avatar image for a user. Pass it the
-email address, openid, or wiki username of the user.
+Idea is to add a directive that displays a small avatar image for a user.
+Pass it the email address, openid, or wiki username of the user.
\[[!avatar user@example.com]]
\[[!avatar http://joey.kitenet.net/]]
\[[!avatar user]]
+These directives can then be hand-inserted onto pages, or more likely,
+included in eg, a comment post via a template. Possibly included in a
+recentchanges page item via that template too?
+
The avatars are provided by various sites. For email addresses, it uses a
[gravatar](http://gravatar.com/). For openid,
-[openavatar](http://www.openvatar.com/) is used. For a wiki username, the
+[openavatar](http://www.openvatar.com/) could used, but I am not very happy
+with it; probably better to just get the email via SREG (as is done now for
+openid), and use that. For a wiki username, the
user's email address is looked up and the gravatar for that user is
displayed. (Of course, the user has to have filled in their email address
on their Preferences page for that to work.)