don't check some limits, for user's own profile project creations
Disable OAuth2 authorize button and change its text value on click
fixup! update ming calls from find_and_modify to find_one_and_update
fixup! replace uses of Collection.count() with Collection.estimated_document_count()
drop pymongo/ming method
When we get everything updated, we can remove the ming & pymongo lines in pytest.ini that make it ignore deprecation warnings.
support newer pwd hashes, remove deprecated 'crypt'
support per-page csp_frame_domains modifier
running with threads is good, for our prod example
Allura/allura/lib/custom_middleware.py: remove the 'group' method wrapping
Instead of .estimated_document_count(), what do you think about .count({})? It seems like estimated_document_count should be reliable in nearly all cases, but I don't like the name; it makes it seem unreliable. And it's long.
find_and_modify had new=True, but find_one_and_update doesn't have that kwarg; it has an upsert kwarg instead.
Looking pretty good, just reviewing the code. Haven't actually tried running it.
bump requests 2.32.1 -> 2.32.3
bump cryptography 42.0.5 -> 42.0.8
replace uses of Collection.count() with Collection.estimated_document_count()
I have completed this prep on branch dw/8565 However, these updates were made in concert with pre-release Ming changes. We shouldn't merge this branch until a new version of Ming has been published that includes its own API migration prep.
add additional logging of concurrency values in run_tests
pymongo - use drop instead of remove in some places
use pymongo's create_index rather than ensure_index
remove ming/pymongo map_reduce and inline_map_reduce. no longer provided by mongo
replace deprecated ming/mongo collection_names() with list_collection_names()
replace deprecated ming/mongo database_names() with list_database_names()
update ming calls from find_and_modify to find_one_and_update
Prepare for Upgrade to Pymongo 4
fix typo
announce 1.17.1
publicize security fix in changelog
deprecate and remove has_access(..)() syntax
make scripts/add_user_to_group.py work without a --replaces-users value
[Feature Request] Easier Merge Request Creation
bump urllib3 2.2.1 -> 2.2.2
CHANGES updated for ASF release 1.17.1
improve url checks
fix jenkins link; remove IRC link
publish 1.17.0 with security notice
[#8556] remove TruthyCallable, has_access() now returns a normal bool
Looks good. Merged
remove #allura irc mentions
Somehow db/8556-breaking-removal didn't have any changes in it. I re-created the changes at db/8556-breaking-removal-2 and have run all the tests. It's ready to be merged.
delete unused jinja file with invalid syntax
replace tabs with spaces in jinja html files
add jinja linter to pre-commit
publicize security fix in CHANGES file
CHANGES updated for ASF release 1.17.0
remove deprecated version line from docker-compose.yml
Update copyright year
use urlopen in blog external rss feed processing
rename class
prevent dns rebinding
update tests
Support for OAuth 2.0 - NEEDS INDEX
done with several merge requests from Carlos Cruz and myself
final (hopefully) improvements to oauth2
Java Runtime Error with XWPFDocument.getParagraphs() poi-ooxml-5.2.5.jar
This is the Apache Allura project, not the Apache POI project. See https://poi.apache.org/
Generate custom bearer tokens and other fixes
Uh oh, our indexes are having an issue with multiple bearer tokens now. If I try to generate a 2nd bearer token for myself I get an error:
E11000 duplicate key error collection: pyforge.oauth2_access_token index: refresh_token_1 dup key: { refresh_token: null }
Would it be ok to ignore null refresh_tokens? Probably? If so, then we could move that index to be like this I believe:
custom_indexes = [
    dict(fields=('refresh_token',), sparse=True, unique=True),
]
Reverted generate_bearer_token to generate a different token every time it's clicked
Removed the client validation log message
Added unique index on client_id to OAuth2ClientApp
Nice work on all the negative tests!
generate_bearer_token: I think it could be okay to allow multiple tokens. I've done that before to have different ones for different things. And it could be surprising when you click "Generate Bearer Token" and it replaces your old one, making it not work any more.
Don't need log.info(f'Validating client id: {client_id}')
OAuth2ClientApp: can we add a unique index on client_id?
Deleted oauth2_authorize_ok.html which is no longer needed
Added a message at the top of the OAuth apps page saying that you need to create a client app and generate a bearer token for direct API usage
Created unique indices for access_token, refresh_token, and authorization_token
Moved the OAuth2 authorization pages to the auth controller as a better option to redirect to the login page when accessing while logged out
Replaced all instances of /rest/oauth2/authorize with the new /auth/oauth2/authorize...
Can delete oauth2_authorize_ok.html too.
It's a bit annoying to have to make a client app just to generate a bearer token. But that was good enough for oauth1 and would probably require a fair bit of changes to have a token without an app. Maybe we should just have a sentence on the OAuth page explaining that for direct API usage, you create a client app and then generate a bearer token.
For indexes, this change (below) would make all 4 fields together be unique. It'd probably be better to have multiple unique...
oauth2 - combine preferences pages
All changes look good to merge.
I rebased against master and made one more fixup:
remove UniqueOAuthApplicationName usage within oauth2
make redirect URI required, since oauthlib seems to require it. In the rare case of something like wiki-copy.py which isn't a web app, they'll have to put something in, even if they don't use it.
Update docs and wiki-copy example for OAuth2 support
There already is a confirm_redirect_uri and it has the same code :D
In the api docs, you included client_credentials, which does match what we have in validate_grant_type, but I'm wondering if we need it at all. Maybe in the next merge request we can decide if that is what we use for personal bearer tokens? Or if we don't need it, we should remove it entirely.
Removed the revoke_token method since we already have our internal mechanism to revoke tokens
save_bearer_token uses user_id because it's a public endpoint that doesn't require authentication, so we attempt to fetch the user id depending on the grant_type rather than from the current context
Added the correct OAuth2 settings for the raml file
Updated /auth/oauth2/ to /auth/oauth in wiki-copy.py
For the redirect issues, we agreed that upon registering a new client the user must add at least one redirect...
Good catch, I had this correct earlier but it didn't get merged properly so I had to redo it on this branch and missed that bit. Fixup pushed now.
Hmm, that is interesting. UniqueOAuthApplicationName checks globally so you couldn't have 2 clients named "test". Do we want this? The only reason I can think of is to prevent confusion if there are multiple people with "Zapier" clients; you might wonder which one is the "real" one? But you only see the authorization page for the client apps that you engage...
Got an AttributeError: access_token error when authenticating an API endpoint request using an access token. I think that's because of using request instead of req in rest.py:510
For some reason my UI froze when clicking the Register new application for OAuth2. I ended up clicking the button many times and when the UI was responsive again, it had created multiple clients with the same name. Looks like UniqueOAuthApplicationName only validates against OAuth1 collections, so maybe should create an OAuth2...
revoke_token should handle deleting a refresh token too. Not sure if we necessarily need it or not, but it seems like the right thing to do according to https://oauthlib.readthedocs.io/en/latest/oauth2/validator.html?highlight=validate_refresh_token#oauthlib.oauth2.RequestValidator.revoke_token That says there's a token_type_hint to indicate which type of token it is.
I noticed in save_bearer_token you changed a c.user._id to a user_id determined by the request params. That seems good. Can you double...
[#8558] make sure all user prefs changes get indexed by solr
code cleanup using autopep8
user email changes not getting into solr
Implement security features for OAuth2 support