From: Joey Hess Date: Sun, 14 Mar 2010 00:08:24 +0000 (-0500) Subject: Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info X-Git-Tag: 3.20100403~174 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/e96aa16ab959e62c4ce826c599e48a959ebc3e64?hp=4da6e94305c2c7f4adab057b362d9e58a7494439 Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info --- diff --git a/IkiWiki/Plugin/openid.pm b/IkiWiki/Plugin/openid.pm index bb99446b4..9355cd85a 100644 --- a/IkiWiki/Plugin/openid.pm +++ b/IkiWiki/Plugin/openid.pm @@ -90,6 +90,7 @@ sub formbuilder_setup (@) { value => $session->param("name"), size => 50, force => 1, fieldset => "login"); + $form->field(name => "email", type => "hidden"); } } @@ -113,6 +114,26 @@ sub validate ($$$;$) { } } + # Ask for client to provide a name and email, if possible. + # Try sreg and ax + $claimed_identity->set_extension_args( + 'http://openid.net/extensions/sreg/1.1', + { + optional => 'email,fullname,nickname', + }, + ); + $claimed_identity->set_extension_args( + 'http://openid.net/srv/ax/1.0', + { + mode => 'fetch_request', + 'required' => 'email,fullname,nickname,firstname', + 'type.email' => "http://schema.openid.net/contact/email", + 'type.fullname' => "http://axschema.org/namePerson", + 'type.nickname' => "http://axschema.org/namePerson/friendly", + 'type.firstname' => "http://axschema.org/namePerson/first", + }, + ); + my $check_url = $claimed_identity->check_url( return_to => IkiWiki::cgiurl(do => "postsignin"), trust_root => $config{cgiurl}, @@ -139,6 +160,29 @@ sub auth ($$) { } elsif (my $vident = $csr->verified_identity) { $session->param(name => $vident->url); + + my @extensions=grep { defined } ( + $vident->signed_extension_fields('http://openid.net/extensions/sreg/1.1'), + $vident->signed_extension_fields('http://openid.net/srv/ax/1.0'), + ); + foreach my $ext (@extensions) { + foreach my $field (qw{value.email email}) { + if (exists $ext->{$field} && + defined $ext->{$field} && + length $ext->{$field}) { + $session->param(email => $ext->{$field}); + last; + } + } + foreach my $field (qw{value.nickname nickname value.fullname fullname value.firstname}) { + if (exists $ext->{$field} && + defined $ext->{$field} && + length $ext->{$field}) { + $session->param(username => $ext->{$field}); + last; + } + } + } } else { error("OpenID failure: ".$csr->err); diff --git a/IkiWiki/Plugin/websetup.pm b/IkiWiki/Plugin/websetup.pm index 5c19c9b63..d444c0a3d 100644 --- a/IkiWiki/Plugin/websetup.pm +++ b/IkiWiki/Plugin/websetup.pm @@ -27,6 +27,13 @@ sub getsetup () { safe => 0, rebuild => 0, }, + websetup_unsafe => { + type => "string", + example => [], + description => "list of additional setup field keys to treat as unsafe", + safe => 0, + rebuild => 0, + }, websetup_show_unsafe => { type => "boolean", example => 1, @@ -57,6 +64,12 @@ sub formatexample ($$) { } } +sub issafe ($) { + my $key=shift; + + return ! grep { $_ eq $key } @{$config{websetup_unsafe}}; +} + sub showfields ($$$@) { my $form=shift; my $plugin=shift; @@ -78,7 +91,8 @@ sub showfields ($$$@) { # XXX hashes not handled yet next if ref $config{$key} && ref $config{$key} eq 'HASH' || ref $info{example} eq 'HASH'; # maybe skip unsafe settings - next if ! $info{safe} && ! ($config{websetup_show_unsafe} && $config{websetup_advanced}); + next if ! ($config{websetup_show_unsafe} && $config{websetup_advanced}) && + (! $info{safe} || ! issafe($key)); # maybe skip advanced settings next if $info{advanced} && ! $config{websetup_advanced}; # these are handled specially, so don't show @@ -156,7 +170,7 @@ sub showfields ($$$@) { if (ref $value eq 'ARRAY' || ref $info{example} eq 'ARRAY') { $value=[(ref $value eq 'ARRAY' ? map { Encode::encode_utf8($_) } @{$value} : "")]; - push @$value, "", "" if $info{safe}; # blank items for expansion + push @$value, "", "" if $info{safe} && issafe($key); # blank items for expansion } else { $value=Encode::encode_utf8($value); @@ -210,7 +224,7 @@ sub showfields ($$$@) { } } - if (! $info{safe}) { + if (! $info{safe} || ! issafe($key)) { $form->field(name => $name, disabled => 1); } else { @@ -346,7 +360,7 @@ sub showform ($$) { @value=0; } - if (! $info{safe}) { + if (! $info{safe} || ! issafe($key)) { error("unsafe field $key"); # should never happen } diff --git a/debian/changelog b/debian/changelog index 7fdbbcb63..854d83130 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ikiwiki (3.20100313) UNRELEASED; urgency=low + + * websetup: Add websetup_unsafe to allow marking other settings + as unsafe. + * openid: Use Openid Simple Registration or OpenID Attribute Exchange + to get the user's email address and username. + + -- Joey Hess Sat, 13 Mar 2010 14:48:10 -0500 + ikiwiki (3.20100312) unstable; urgency=HIGH * Fix utf8 issues in calls to md5_hex. diff --git a/doc/plugins/websetup.mdwn b/doc/plugins/websetup.mdwn index f1756ba8f..b4d23ba9c 100644 --- a/doc/plugins/websetup.mdwn +++ b/doc/plugins/websetup.mdwn @@ -16,7 +16,8 @@ enabled and disabled using it too. Some settings are not considered safe enough to be manipulated over the web; these are still shown, by default, but cannot be modified. To hide them, set `websetup_show_unsafe` to false in the setup file. A few settings have too complex a data type to be -configured via the web. +configured via the web. To mark additional settings as unsafe, you can +list them in `websetup_unsafe`. Plugins that should not be enabled/disabled via the web interface can be listed in `websetup_force_plugins` in the setup file. diff --git a/doc/todo/Separate_OpenIDs_and_usernames.mdwn b/doc/todo/Separate_OpenIDs_and_usernames.mdwn index 2cd52e8c4..ae427d540 100644 --- a/doc/todo/Separate_OpenIDs_and_usernames.mdwn +++ b/doc/todo/Separate_OpenIDs_and_usernames.mdwn @@ -6,6 +6,25 @@ I see this being implemented in one of two possible ways. The easiest seems like A slightly more complex next step would be to request sreg from the provider and, if provided, automatically set the identity's username and email address from the provided persona. If username login to accounts with blank passwords is disabled, then you have the best of both worlds. Passwordless signin, human-friendly attribution, automatic setting of preferences. +> Given that openids are a global user identifier, that can look as pretty +> as the user cares to make it look via delegation, I am not a fan of +> having a site-local identifier that layered on top of that. Perhaps +> partly because every site that I have seen that does that has openid +> implemented as a badly-done wart on the side of their regular login +> system. +> +> Openid Simple Registration is now used to populate the userdb with the +> email address for openid users. +> +> I am considering displaying the userid or fullname, if available, +> instead of the munged openid url in recentchanges. It would be nice +> for those nasty [[google_openids|forum/google_openid_broken?]]. But, +> I first have to find a way to encode the name in the VCS commit log, +> while still keeping the openid of the committer in there too. +> Perhaps something like this (for git): --[[Joey]] +> +> Author: Joey Hess + Unfortunately I don't speak Perl, so hopefully someone thinks these suggestions are good enough to code up. I've hacked on openid code in Ruby before, so hopefully these changes aren't all that difficult to implement. Even if you don't get any data via sreg, you're no worse off than where you are now, so I don't think there'd need to be much in the way of error/sanity-checking of returned data. If it's null or not available then no big deal, typing in a username is no sweat. [[!tag wishlist]] diff --git a/doc/todo/avatar.mdwn b/doc/todo/avatar.mdwn index b8aa2327f..4409e7b14 100644 --- a/doc/todo/avatar.mdwn +++ b/doc/todo/avatar.mdwn @@ -1,35 +1,24 @@ [[!tag wishlist]] It would be nice if ikiwiki, particularly [[plugins/comments]] -supported user avatar icons. I was considering adding a directive for this, -as designed below. +supported user avatar icons. -However, there is no *good* service for mapping openids to avatars -- -openavatar has many issues, including not supporting delegated openids, and -after trying it, I don't trust it to push users toward. -Perhaps instead ikiwiki could get the email address from the openid -provider, though I think the perl openid modules don't support the openid -2.x feature that allows that. - -At the moment, working on this doesn't feel like a good use of my time. ---[[Joey]] - -Hmm.. unless is just always used a single provider (gravatar) and hashed -the openid. Then wavatars could be used to get a unique avatar per openid -at least. --[[Joey]] - ----- - -The directive displays a small avatar image for a user. Pass it the -email address, openid, or wiki username of the user. +Idea is to add a directive that displays a small avatar image for a user. +Pass it the email address, openid, or wiki username of the user. \[[!avatar user@example.com]] \[[!avatar http://joey.kitenet.net/]] \[[!avatar user]] +These directives can then be hand-inserted onto pages, or more likely, +included in eg, a comment post via a template. Possibly included in a +recentchanges page item via that template too? + The avatars are provided by various sites. For email addresses, it uses a [gravatar](http://gravatar.com/). For openid, -[openavatar](http://www.openvatar.com/) is used. For a wiki username, the +[openavatar](http://www.openvatar.com/) could used, but I am not very happy +with it; probably better to just get the email via SREG (as is done now for +openid), and use that. For a wiki username, the user's email address is looked up and the gravatar for that user is displayed. (Of course, the user has to have filled in their email address on their Preferences page for that to work.)