Activity for Apache Allura™

  • Dave Brondsema created merge request #418 on Git

    make scripts/add_user_to_group.py work without a --replaces-users value

  • Dillon Walls created ticket #8564

    [Feature Request] Easier Merge Request Creation

  • Guillermo Cruz committed [451809] on Git

    bump urllib3 2.2.1 -> 2.2.2

  • Dave Brondsema committed [75e520] on Git

    CHANGES updated for ASF release 1.17.1

  • Kenton Taylor committed [d73c6e] on Git

    improve url checks

  • Dave Brondsema committed [4e3da1] on Website Repo

    fix jenkins link; remove IRC link

  • Dave Brondsema committed [77ceca] on Website Repo

    publish 1.17.0 with security notice

  • Dillon Walls committed [d49f88] on Git

    [#8556] remove TruthyCallable, has_access() now returns a normal bool

  • Dillon Walls modified ticket #8556

    deprecate and remove has_access(..)() syntax

  • Dillon Walls posted a comment on ticket #8556

    Looks good. Merged

  • Dave Brondsema committed [2b8b70] on Git

    remove #allura irc mentions

  • Dave Brondsema committed [bd805e] on Git

    [#8556] remove TruthyCallable, has_access() now returns a normal bool

  • Dave Brondsema posted a comment on ticket #8556

    Somehow db/8556-breaking-removal didn't have any changes in it. I re-created the changes at db/8556-breaking-removal-2 and have run all the tests. It's ready to be merged.

  • Dave Brondsema committed [5c012d] on Git

    delete unused jinja file with invalid syntax

  • Dave Brondsema committed [8d25b6] on Git

    replace tabs with spaces in jinja html files

  • Dave Brondsema committed [2fb08c] on Git

    add jinja linter to pre-commit

  • Dave Brondsema committed [4efffe] on Git

    publicize security fix in CHANGES file

  • Dave Brondsema modified a wiki page

    Home

  • Dave Brondsema committed [3a7219] on Git

    CHANGES updated for ASF release 1.17.0

  • Dave Brondsema committed [1337e8] on Git

    remove deprecated version line from docker-compose.yml

  • Dave Brondsema committed [67f9d7] on Git

    Update copyright year

  • Kenton Taylor committed [3c8b53] on Git

    use urlopen in blog external rss feed processing

  • Kenton Taylor committed [1f21d4] on Git

    rename class

  • Kenton Taylor committed [156ec6] on Git

    prevent dns rebinding

  • Kenton Taylor committed [ec117d] on Git

    update tests
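
    The four commits above ("use urlopen in blog external rss feed processing" through "update tests") record that the external feed fetch was hardened against DNS rebinding, but the feed does not show how. What follows is an added example of one standard way to do that, written for this page; it is not Allura's code and makes no claim about how Allura's change is implemented. The deny list, the function names and the demo DNS table are assumptions for illustration.

```python
"""DNS-rebinding-resistant server-side fetch (added example, not Allura code).

Resolve the hostname once, refuse any non-public answer, then connect to that
exact address while keeping TLS SNI / certificate checking and the Host
header on the original hostname.  Because http.client is handed an
already-connected socket, it never performs a second lookup that a rebinding
attacker could answer with 127.0.0.1 or a metadata address.
"""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit

# Ranges a server-side fetcher must never reach (constructed list; extend it
# for your deployment).  Note the CGNAT and link-local ranges: a bare
# "is it RFC 1918?" check lets 100.64.0.0/10 and 169.254.169.254 through.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_public_ip(ip: str) -> bool:
    """True only if ip is outside every denied range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return not any(addr in net for net in DENY_NETS)


def resolve_public(hostname: str, port: int, resolver=socket.getaddrinfo) -> str:
    """Resolve once and return a single address to pin.

    Every answer must be public: an attacker-controlled zone can return one
    public and one internal address and hope the client picks the wrong one.
    """
    try:
        infos = resolver(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {hostname}: {exc}") from None
    ips = [info[4][0] for info in infos]
    if not ips:
        raise ValueError(f"no addresses for {hostname}")
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"{hostname} resolves to non-public address(es) {bad}")
    return ips[0]


def open_pinned(scheme: str, hostname: str, ip: str, port: int, timeout: float = 10.0):
    """Connect to the vetted ip; SNI, certificate checks and Host use hostname."""
    sock = socket.create_connection((ip, port), timeout=timeout)
    if scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)
        conn = http.client.HTTPSConnection(hostname, port, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(hostname, port, timeout=timeout)
    conn.sock = sock   # pre-connected, so http.client never resolves hostname itself
    return conn


def fetch(url: str, resolver=socket.getaddrinfo, connect=open_pinned, max_redirects: int = 3):
    """GET url and return (status, body).  Redirects are followed by hand so
    that every hop is resolved and vetted the same way as the first."""
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"refusing URL {url!r}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ip = resolve_public(parts.hostname, port, resolver)
        conn = connect(parts.scheme, parts.hostname, ip, port)
        try:
            path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
            conn.request("GET", path, headers={"User-Agent": "pinned-fetch-example/0"})
            resp = conn.getresponse()
            if resp.status in (301, 302, 303, 307, 308):
                location = resp.getheader("Location")
                if not location:
                    raise ValueError("redirect without Location header")
                url = urljoin(url, location)   # re-checked on the next iteration
                continue
            return resp.status, resp.read()
        finally:
            conn.close()
    raise ValueError(f"more than {max_redirects} redirects")


if __name__ == "__main__":
    # Constructed DNS table standing in for the real resolver; no network needed.
    TABLE = {"feed.example.com": ["203.0.113.10"],
             "rebind.example.com": ["203.0.113.10", "127.0.0.1"]}

    def demo_resolver(host, port, **_):
        return [(None, None, None, "", (ip, port)) for ip in TABLE[host]]

    for host in TABLE:
        try:
            print(host, "pinned to", resolve_public(host, 80, demo_resolver))
        except ValueError as exc:
            print("blocked:", exc)
```

    The point of the technique is that the address check and the TCP connect use one and the same DNS answer: the name is resolved once, every returned address is vetted, and http.client is handed an already-connected socket so it never resolves the name a second time. TLS still verifies the certificate against the hostname, not the IP. Redirects are handled by hand so each hop goes through the same check, and 169.254.169.254 and 100.64.0.0/10 are on the deny list because a plain RFC 1918 test misses both.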

  • Dave Brondsema modified ticket #7272

    Support for OAuth 2.0 - NEEDS INDEX

  • Dave Brondsema posted a comment on ticket #7272

    Done with several merge requests from Carlos Cruz and myself.

  • Guillermo Cruz updated merge request #417

    final (hopefully) improvements to oauth2

  • Dave Brondsema created merge request #417 on Git

    final (hopefully) improvements to oauth2

  • Dave Brondsema modified ticket #8562

    Java Runtime Error with XWPFDocument.getParagraphs() poi-ooxml-5.2.5.jar

  • Dave Brondsema posted a comment on ticket #8562

    This is the Apache Allura project, not the Apache POI project. See https://poi.apache.org/

  • Vamsi created ticket #8562

    Java Runtime Error with XWPFDocument.getParagraphs() poi-ooxml-5.2.5.jar

  • Dave Brondsema updated merge request #416

    Generate custom bearer tokens and other fixes

  • Dave Brondsema posted a comment on merge request #416

    Uh oh, our indexes are having an issue with multiple bearer tokens now. If I try to generate a 2nd bearer token for myself I get an error: E11000 duplicate key error collection: pyforge.oauth2_access_token index: refresh_token_1 dup key: { refresh_token: null }. Would it be ok to ignore null refresh_tokens? Probably? If so, then we could move that index to be like this I believe: custom_indexes = [ dict(fields=('refresh_token',), sparse=True, unique=True), ]

  • Carlos Cruz posted a comment on merge request #416

    Reverted generate_bearer_token to generate a different token every time it's clicked. Removed the client validation log message. Added unique index on client_id to OAuth2ClientApp.

  • Dave Brondsema posted a comment on merge request #416

    Nice work on all the negative tests! generate_bearer_token: I think it could be okay to allow multiple tokens. I've done that before to have different ones for different things. And it could be surprising when you click "Generate Bearer Token" and it replaces your old one, making it not work any more. Don't need log.info(f'Validating client id: {client_id}'). OAuth2ClientApp: can we add a unique index on client_id?

  • Carlos Cruz modified a comment on merge request #416

    Deleted oauth2_authorize_ok.html which is no longer needed. Added a message at the top of the OAuth apps page saying that you need to create a client app and generate a bearer token for direct API usage. Created unique indices for access_token, refresh_token, and authorization_token. Moved the OAuth2 authorization pages to the auth controller as a better option to redirect to the login page when accessing while logged out. Replaced all instances of /rest/oauth2/authorize to the new /auth/oauth2/authorize...

  • Carlos Cruz posted a comment on merge request #416

    Deleted oauth2_authorize_ok.html which is no longer needed. Added a message at the top of the OAuth apps page saying that you need to create a client app and generate a bearer token for direct API usage. Created unique indices for access_token, refresh_token, and authorization_token. Moved the OAuth2 authorization pages to the auth controller as a better option to redirect to the login page when accessing while logged out. Replaced all instances of /rest/oauth2/authorize to the new /auth/oauth2/authorize...

  • Dave Brondsema posted a comment on merge request #416

    Can delete oauth2_authorize_ok.html too. It's a bit annoying to have to make a client app, just to generate a bearer token. But that was good enough for oauth1 and would require probably a fair bit of changes to have a token without an app. Maybe we should just have a sentence on the OAuth page explaining for direct API usage, create a client app and then generate a bearer token. For indexes, this change (below) would make all 4 fields together be unique. It'd probably be better to have multiple unique...

  • Carlos Cruz created merge request #416 on Git

    Generate custom bearer tokens and other fixes

  • Dillon Walls updated merge request #415

    oauth2 - combine preferences pages

  • Carlos Cruz posted a comment on merge request #415

    All changes look good to merge.

  • Dave Brondsema posted a comment on merge request #415

    I rebased against master and made one more fixup: remove UniqueOAuthApplicationName usage within oauth2; make redirect URI required, since oauthlib seems to require it. In the rare case of something like wiki-copy.py which isn't a web app, they'll have to put something in, even if they don't use it.

  • Dave Brondsema updated merge request #414

    Update docs and wiki-copy example for OAuth2 support

  • Dave Brondsema posted a comment on merge request #414

    There already is a confirm_redirect_uri and it has the same code :D. In the API docs, you included client_credentials which does match what we have in validate_grant_type, but I'm wondering if we need it at all. Maybe in the next merge request we can decide if that is what we use for personal bearer tokens? Or if we don't need it, we should remove it entirely.

  • Carlos Cruz posted a comment on merge request #414

    Removed the revoke_token method since we already have our internal mechanism to revoke tokens. save_bearer_token uses user_id because it's a public endpoint that doesn't require authentication, so we attempt to fetch the user id depending on the grant_type instead of from the current context. Added the correct OAuth2 settings for the raml file. Updated /auth/oauth2/ to /auth/oauth in wiki-copy.py. For the redirect issues, we agreed that upon registering a new client the user must add at least one redirect...

  • Dave Brondsema posted a comment on merge request #415

    Good catch, I had this correct earlier but it didn't get merged properly so I had to redo it on this branch and missed that bit. Fixup pushed now. Hmm, that is interesting. UniqueOAuthApplicationName checks globally so you couldn't have 2 clients named "test". Do we want this? The only reason I can think of is to prevent confusion if there are multiple people with "Zapier" clients, you might wonder which one is the "real" one? But you only see the authorization page for the client apps that you engage...

  • Carlos Cruz posted a comment on merge request #415

    Got an AttributeError: access_token error when authenticating an API endpoint request using an access token; I think that's because of using request instead of req in rest.py:510. For some reason my UI froze when clicking the Register new application for OAuth2. I ended up clicking the button many times and when the UI was responsive again, it created multiple clients with the same name. Looks like UniqueOAuthApplicationName only validates against OAuth1 collections, so maybe should create an OAuth2...

  • Dave Brondsema posted a comment on merge request #414

    revoke_token should handle deleting a refresh token too. Not sure if we necessarily need it or not, but seems like the right thing to do according to https://oauthlib.readthedocs.io/en/latest/oauth2/validator.html?highlight=validate_refresh_token#oauthlib.oauth2.RequestValidator.revoke_token That says there's a token_type_hint to indicate which type of token it is. I noticed in save_bearer_token you changed a c.user._id to a user_id determined by the request params. That seems good. Can you double...
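
    The two comments above disagree on whether a revoke_token implementation is needed at all; the point raised here is that, per the oauthlib docs, revocation arrives with a token_type_hint and should cover refresh tokens as well. The following is an added example of the RFC 7009 behaviour that hint implies, written for this page. It is not Allura's code and not oauthlib's RequestValidator; the in-memory TokenStore, hashing tokens at rest, and the cascade from a revoked refresh token to its access token are assumptions for illustration.

```python
"""OAuth2 token revocation in the style of RFC 7009, honouring token_type_hint.

Added example, not Allura's oauthlib RequestValidator and not its data model.
Assumptions: an in-memory store; tokens are kept as SHA-256 digests so a leaked
database does not hand out usable bearer tokens; revoking a refresh token also
invalidates the access token issued from the same grant.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Grant:
    client_id: str
    user_id: str
    access_digest: str
    refresh_digest: str


class TokenStore:
    def __init__(self) -> None:
        self._by_access: dict = {}    # access-token digest  -> Grant
        self._by_refresh: dict = {}   # refresh-token digest -> Grant

    def issue(self, client_id: str, user_id: str) -> tuple:
        """Create a fresh access/refresh pair; only the digests are stored."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        grant = Grant(client_id, user_id, _digest(access), _digest(refresh))
        self._by_access[grant.access_digest] = grant
        self._by_refresh[grant.refresh_digest] = grant
        return access, refresh

    def validate_access(self, token: str) -> Optional[Grant]:
        return self._by_access.get(_digest(token))

    def revoke(self, token: str, client_id: str, token_type_hint: Optional[str] = None) -> bool:
        """Revoke token as presented by client_id.

        The hint only orders the lookup: if it is wrong, the other table is
        searched too (RFC 7009 section 2.1).  Returns whether anything was
        removed; see handle_revocation for why the endpoint still answers 200
        when nothing was.
        """
        digest = _digest(token)
        tables = [("access_token", self._by_access), ("refresh_token", self._by_refresh)]
        if token_type_hint == "refresh_token":
            tables.reverse()
        for kind, table in tables:
            grant = table.get(digest)
            if grant is None:
                continue
            if grant.client_id != client_id:
                return False          # another client's token: treat as unknown
            self._by_access.pop(grant.access_digest, None)
            if kind == "refresh_token":
                # The whole grant dies with its refresh token.
                self._by_refresh.pop(grant.refresh_digest, None)
            return True
        return False


def handle_revocation(store: TokenStore, params: dict, client_id: str) -> tuple:
    """Revocation endpoint logic (RFC 7009 section 2): returns (status, body)."""
    token = params.get("token")
    if not token:
        return 400, {"error": "invalid_request"}
    hint = params.get("token_type_hint")
    if hint not in (None, "access_token", "refresh_token"):
        return 400, {"error": "unsupported_token_type"}
    store.revoke(token, client_id, hint)
    return 200, {}   # unknown or foreign tokens still get 200: no existence oracle
```

    Two choices worth noting: the endpoint returns 200 for unknown tokens, so a caller cannot use revocation to probe which token strings exist, and a token that belongs to a different client is treated as unknown rather than revoked or reported.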

  • Dave Brondsema created merge request #415 on Git

    oauth2 - combine preferences pages

  • Dave Brondsema committed [85ab89] on Git

    [#8558] make sure all user prefs changes get indexed by solr

  • Guillermo Cruz committed [85a8e2] on Git

    code cleanup using autopep8

  • Guillermo Cruz committed [8cb617] on Git

    [#8558] make sure all user prefs changes get indexed by solr

  • Dave Brondsema modified ticket #8558

    user email changes not getting into solr

  • Carlos Cruz created merge request #414 on Git

    Update docs and wiki-copy example for OAuth2 support

  • Dave Brondsema updated merge request #412

    Implement security features for OAuth2 support

  • Carlos Cruz posted a comment on merge request #412

    Fixes: Reverted the use of owner and owner_id back to user and user_id in order to be consistent with the user objects set in the authentication pipeline. Removed the use of ast.literal_eval and replaced it in favor of json.dumps to serialize the credentials object and json.loads to reconstruct it. Fixed the issue with access tokens' expiration date. Fixed failing tests. Removed try / except clauses from the authorization and token endpoints. The OAuth2AccessToken has no attribute remove error was fixed...

  • Dillon Walls modified ticket #8560

    Support Google Analytics 4 (GA4)

  • Dillon Walls created ticket #8560

    Support Google Analytics 4 (GA4)

  • Dave Brondsema posted a comment on merge request #412

    I also got this error when re-authorizing an app a 2nd time: 15:55:11,232 ERROR [allura.controllers.rest] type object 'OAuth2AccessToken' has no attribute 'remove' Traceback (most recent call last): File "/src/allura/Allura/allura/controllers/rest.py", line 575, in token headers, body, status = self.server.create_token_response(uri=request.url, http_method=request.method, body=json_body, headers=request.headers) ...

  • Dave Brondsema posted a comment on merge request #412

    Instead of ast.literal_eval, what about json.loads? I think that'd be a bit more typical and safer (literal_eval is more safe than regular eval, but I just checked the docs and it does have some warnings about ways it might not be safe). Several TestOAuth2 tests fail with allura/controllers/rest.py:547: in do_authorize credentials = ast.literal_eval(request.params['credentials']) ../../env3-allura/lib/python3.11/site-packages/webob/multidict.py:344: in __getitem__ raise KeyError(key) E KeyError: 'credentials'...
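
    The comment above gives the reason for moving from ast.literal_eval to json.loads (the credentials blob is generated server-side but comes back from the browser, so it is untrusted input, and the literal_eval documentation itself warns that it is not safe on untrusted input) and shows the KeyError raised when the parameter is missing. The following is an added example, written for this page rather than taken from Allura, of what that replacement looks like with a shape check and a clean error for the missing-parameter case. The key names in ALLOWED_KEYS, the size cap and the BadCredentials exception are assumptions for illustration.

```python
"""Reconstructing a credentials blob that round-trips through the client.

Added example, not Allura's code.  The authorization flow serialises a
'credentials' value server-side, hands it to the browser inside the consent
form and reads it back on POST, so whatever comes back is untrusted input.
ast.literal_eval is the wrong parser for that: it accepts Python-only literals
(sets, tuples, bytes, complex numbers) and its documentation warns that
sufficiently complex or nested input can exhaust the interpreter stack.
json.loads plus a strict schema check is the replacement shown here.
"""
import ast
import json

ALLOWED_KEYS = {"client_id", "redirect_uri", "scopes", "state"}   # assumed schema
MAX_LEN = 4096                                                     # assumed cap


class BadCredentials(ValueError):
    """Missing, oversized, malformed or out-of-schema credentials value."""


def serialize_credentials(creds: dict) -> str:
    """Server side: canonical JSON (sorted keys, no whitespace)."""
    return json.dumps(creds, sort_keys=True, separators=(",", ":"))


def parse_credentials(params: dict) -> dict:
    """POST handler side: json.loads plus a shape check.

    A missing parameter becomes a BadCredentials the controller can turn
    into a 400, instead of the bare KeyError seen in the failing tests.
    """
    raw = params.get("credentials")
    if raw is None:
        raise BadCredentials("missing credentials parameter")
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        raise BadCredentials("credentials must be a string of at most %d bytes" % MAX_LEN)
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise BadCredentials(f"credentials is not valid JSON: {exc.msg}") from None
    if not isinstance(creds, dict):
        raise BadCredentials("credentials must be a JSON object")
    unknown = set(creds) - ALLOWED_KEYS
    if unknown:
        raise BadCredentials(f"unexpected keys: {sorted(unknown)}")
    for key in ("client_id", "redirect_uri", "state"):
        if key in creds and not isinstance(creds[key], str):
            raise BadCredentials(f"{key} must be a string")
    scopes = creds.get("scopes", [])
    if not isinstance(scopes, list) or not all(isinstance(s, str) for s in scopes):
        raise BadCredentials("scopes must be a list of strings")
    return creds


def literal_eval_accepts(raw: str) -> bool:
    """Does ast.literal_eval parse raw?  Only used to show what it lets through."""
    try:
        ast.literal_eval(raw)
        return True
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return False


def json_accepts(raw: str) -> bool:
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False
```

    The shape check matters as much as the parser swap: json.loads will happily return a list, a bare string or an object with extra keys, and a handler that then does creds["client_id"] is back to raising KeyError or, worse, trusting a key it never meant to accept.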

  • Dave Brondsema updated merge request #413

    Ignore .vscode settings folder

  • Carlos Cruz created merge request #413 on Git

    Ignore .vscode settings folder

  • Carlos Cruz created merge request #412 on Git

    Implement security features for OAuth2 support

  • Kenton Taylor modified ticket #8559

    tickets API: better type handling

  • Kenton Taylor posted a comment on ticket #8559

    Merged.

  • Dave Brondsema modified ticket #8559

    tickets API: better type handling

  • Dave Brondsema posted a comment on ticket #8559

    allura:db/8559. It actually mostly worked, only a few code changes needed. Tests and docs improved.

  • Dave Brondsema created ticket #8559

    tickets API: better type handling

  • Dave Brondsema updated merge request #410

    Add authorization view for OAuth2 support

  • Dave Brondsema updated merge request #411

    Add tests to OAuth2 features

  • Dave Brondsema modified a comment on merge request #411

    Need to restore the csp.form_actions_enforce code that is commented out. Either now or in a following merge request, can make it skip only for the oauth redirects. allura/tests/functional/test_root.py has failures because of this. allura/tests/functional/test_auth.py and allura/tests/functional/test_rest.py test failures. Interestingly, they pass if I have auth.oauth2.enabled = false in development.ini (but then some oauth2 tests fail of course). If those get addressed, then I can merge this as an incremental...

  • Dave Brondsema modified a comment on merge request #411

    Need to restore the csp.form_actions_enforce code that is commented out. Either now or in a following merge request, can make it skip only for the oauth redirects. allura/tests/functional/test_root.py has failures because of this. allura/tests/functional/test_auth.py and allura/tests/functional/test_rest.py test failures. Interestingly, they pass if I have auth.oauth2.enabled = false in development.ini (but then some oauth2 tests fail of course). If those get addressed, then I can merge this as an incremental...

  • Dave Brondsema posted a comment on merge request #411

    Need to restore the csp.form_actions_enforce code that is commented out. Either now or in a following merge request, can make it skip only for the oauth redirects. allura/tests/functional/test_root.py has failures because of this. allura/tests/functional/test_auth.py and allura/tests/functional/test_rest.py test failures. Interestingly, they pass if I have auth.oauth2.enabled = false in development.ini (but then some oauth2 tests fail of course). If those get addressed, then I can merge this as an incremental...

  • Guillermo Cruz committed [062892] on Git

    code updates to AkismetWithoutStartupVerify

  • Dave Brondsema created ticket #8558

    user email changes not getting into solr

  • Guillermo Cruz committed [e83afa] on Git

    pin docutils to v0.20.1 to keep compatibility with older versions of Python

  • Guillermo Cruz modified ticket #8557

    Upgrade python packages

  • Guillermo Cruz posted a comment on ticket #8557

    Ticket has been merged.

  • Dave Brondsema modified a comment on merge request #411

    First pass of feedback, also including earlier merge request(s). More to come probably, but I wanted to give you what I have so far: the commits should use Allura ticket numbers. I found a ticket for oauth2 support here: https://forge-allura.apache.org/p/allura/tickets/7272/ so can you rebase the branch and edit the commit messages to be [#7272]? test_revoke_tokens fails comparing model classes to oauth1 ones: those that have a user_id field, you can add a user = RelationProperty('User') line similar...

  • Guillermo Cruz committed [21b6e8] on Git

    [#8557] updated _strip_tags_re with regexp since it was removed from markupsafe package

  • Guillermo Cruz committed [b9f668] on Git

    [#8557] Upgrade pre-commit 3.6.0 -> 3.7.0, and its deps: cfgv,identify,nodeenv,setuptools,PyYAML,virtualenv,distlib,filelock,platformdirs

  • Guillermo Cruz committed [4052bd] on Git

    [#8557] Upgrade gunicorn 21.2.0 -> 22.0.0, and its deps: packaging

  • Guillermo Cruz committed [b94e1b] on Git

    [#8557] Upgrade pytest-sugar 0.9.7 -> 1.0.0, and its deps: packaging,pytest,iniconfig,packaging,pluggy,termcolor

  • Guillermo Cruz committed [7c6285] on Git

    [#8557] Upgrade pytest 7.4.4 -> 8.1.1, and its deps: iniconfig,packaging,pluggy

  • Guillermo Cruz committed [076b9c] on Git

    [#8557] Upgrade testfixtures 7.2.2 -> 8.1.0

  • Guillermo Cruz committed [87663f] on Git

    [#8557] Upgrade ruff 0.3.2 -> 0.3.7
