Ticket search results

API for disabled users should 404

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

Just like /u/USER/ 404s for disabled users, /rest/u/USER should too.

Better existing email addr handling

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

When adding an email address to an account, we check to see if someone else has already claimed that address, and show error "Email address already claimed". This can be a form of email address enumeration (finding out if someone else's email is in the system). We should avoid that, and have the result on the page be the same whether the email is already claimed or not. The email that we send out to the address can be different (since only the real owner will get it). The email can say something like "You tried to add EMAIL to your SITE_NAME account, but it is already claimed by your USERNAME account. You should use that account instead, or remove that address from that account. If this was not you who attempted this, you can safely ignore this email". We should also check to see if a claimed address belongs to a disabled user or not.

Handle + in email address url params

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

On /auth/preferences if an unverified email address has a "+" in it and you click the verify link, it doesn't work. I think the "+" is being handled in the URL (e.g converting it to a space?) Example: /auth/send_verification_link?a=dbrondsema+test@sample.com

Redirect to password expiration page after login

Alexander Luberg — Thu, 20 Aug 2015 22:07:00 -0000

Redirect to the expired password page(pwd_expired) after logging-in if user's password is expired. User should not be authenticated to work with other pages until the password will be updated.

Make collection of birthdate configurable

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

Add an option to the .ini file to control whether or not birth date is a field on /auth/user_info/

ini option to limit pwd reset to primary email address

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

We should have a .ini config option to limit password resets to the primary email address of a user, rather than all verified email addresses. The "success" message 'A password reset email has been sent, if the given email address is on record in our system.' will have to be changed if the option is enabled. If so, message should be 'A password reset email has been sent, if the given email address is on record as a primary email address.'

"Error 500" when saving SVN permissions #8522

Anonymous — Thu, 20 Aug 2015 22:07:00 -0000

*Originally created by:* jwb1980 Support Ticket#: https://sourceforge.net/p/forge/site-support/8522/ Project: https://sourceforge.net/p/flightgear/admin/fgaddon/update description: Hi, I try to set "permissions" for my SVN repo ( https://sourceforge.net/p/flightgear/fgaddon/ ) I'm able to access the setting page ( https://sourceforge.net/p/flightgear/admin/fgaddon/permissions ) and select groups, but when I press "Save" button I fallback on https://sourceforge.net/p/flightgear/admin/fgaddon/update where there is "Error 500 We're sorry but we weren't able to process this request." Thus my settings are not saved. This happened yesterday, before I was able to save permissions settings without problem but since yesterday I have this "Error 500" each time I press "Save" button. I hope you will be able to help me to fix it because I really need to change the permissions on my SVN repo. Regards, Clément Research: Had IM conversation with Dave asked that I escalate this ticket to Engineering for code changes

Use sendsimplemail instead of sendmail in some cases

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

Followup from [#7526], these files should use `sendsimplemail` instead of `sendmail`: * Allura/allura/tasks/export_tasks.py * Allura/allura/controllers/auth.py We should also add some docstrings to the sendmail and sendsimplemail functions so that folks know how to use them.

Milestone admin page can be very slow

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

https://sourceforge.net/p/allura/tickets/milestones in particular is getting really slow. I suspect its due to queries for the "Progress" column for every milestone. Perhaps those can be run in a single mongo query somehow, or parallelize with threads. Or just skipped for closed milestones.

Password recovery should not confirm email addr existance

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

The forgotten password recovery form says "Unable to recover password for this email" if you enter an email that is not in our database. This can be used to determine if an email address is in the system or not. Instead, we should always have a generic success message like "A password reset email has been sent, if the given email address is on record in our system."

Email address associations need better user associations NEEDS MONGO MIGRATION

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

A user can claim any address and even if they don't verify it, that still blocks someone else from trying to claim it. This can be fixed in auth.py like: ~~~~ ::diff - if M.EmailAddress.query.get(_id=new_addr['addr']): + if M.EmailAddress.query.get(_id=new_addr['addr'], confirmed=True): ~~~~ However this leads to another problem, if multiple users have the same email address claimed (but not verified). One user sees a "verify" link, but the other sees "Unknown addr obj foo@bar.com", on the preferences page. There probably are more issues when it gets to verification, too.

Fix mail headers in email verification email

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

In `send_verification_link` we should set headers better: * The To: header is missing * From: should be `g.noreply` (omit Reply-To header, or set the same) * Subject: should include the site name

Test extracting Allura tickets for Apache move

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

Re: Do an export of tickets from SF Allura and write a script to go through the JSON and: * filter out all deleted & private tickets (except #6054) * change "QA" field to "Reviewer" * change "size" field to a labels like "sf-1", "sf-2", etc * change milestone: * to "backlog" if open/in-progress/validation/review/blocked * to "released" if closed/wontfix/invalild Or even better would to look at the git tags for releases 1.0.0, 1.0.1, and 1.1.0 and find the tickets that go into those, and assign milestones appropriately. Can default a ton of tickets to 1.0.0 and then smaller set for 1.0.1 and 1.1.0 Then import locally as a test run and see how it works.

Add project creation date to API

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

From [forge:feature-requests:#281] The project API should include the project creation date. (The ?doap version already does)

Project API errors on unicode screenshot name

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

This screenshot filename: https://sourceforge.net/p/echaracter/screenshot/Pantalla%20Inicial-v3-ConSelecci%C3%B3n.jpg causes this error on /rest/p/echaracter/ ~~~~ File '/var/local/allura/Allura/allura/controllers/rest.py', line 298 in index return c.project.__json__() File '/var/local/allura/Allura/allura/model/project.py', line 1103 in __json__ for ss in self.get_screenshots() File '/usr/lib64/python2.7/urllib.py', line 1268 in quote return ''.join(map(quoter, s)) KeyError: u'\\xf3' ~~~~

'url' missing on MovedTicket models

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

When running `allura.command.show_models.ReindexCommand` the following error occurs when encountering a `forgetracker.model.ticket.MovedTicket` artifact. ~~~~ Traceback (most recent call last): File "/var/local/allura/Allura/allura/model/monq_model.py", line 267, in __call__ self.result = func(*self.args, **self.kwargs) File "/var/local/allura/Allura/allura/command/base.py", line 49, in run_command return command.run(arg_list) File "/var/local/env-allura/lib/python2.7/site-packages/PasteScript-1.7.4.2-py2.7.egg/paste/script/command.py", line 238, in run result = self.command() File "/var/local/allura/Allura/allura/command/show_models.py", line 138, in command self._chunked_add_artifacts(ref_ids) File "/var/local/allura/Allura/allura/command/show_models.py", line 164, in _chunked_add_artifacts **self.add_artifact_kwargs) File "/var/local/allura/Allura/allura/tasks/index_tasks.py", line 76, in add_artifacts s = artifact.solarize() File "/var/local/allura/Allura/allura/lib/search.py", line 89, in solarize doc = self.index() File "/var/local/allura/Allura/allura/model/artifact.py", line 312, in index url_s=self.url(), File "/var/local/allura/Allura/allura/model/artifact.py", line 324, in url raise NotImplementedError, 'url' # pragma no cover NotImplementedError: url ~~~~

Clean up incomplete sentence in activity feed

Dave Brondsema — Thu, 20 Aug 2015 22:07:00 -0000

Activity rss feed has `Administrator ab created a wiki page on `. We should remove the trailing "on", e.g. compared to the activity web page listing "Administrator ab created a wiki page"

Cannot delete wiki entries [ss7480]

Chris Tsai — Thu, 20 Aug 2015 22:07:00 -0000

[forge:site-support:#] >Yesterday I tried to rename a page and got a timeout. When I went back and tried again it said that a page already existed with that name. >So I tried to manually delete the old page and it gave me an error. https://sourceforge.net/p/opennop/wiki/Update%20Appliance%20to%2013.1%20%28not%20ready%29/ >Its still not working today when I try to delete the wiki page. 405 Method Not Allowed >The method GET is not allowed for this resource. Confirmed, I tried renaming the page to see if that would allow me to rename as well, but it didn't help.

Trove Category Admin Browse

Chris Tsai — Thu, 20 Aug 2015 22:07:00 -0000

It's hard to figure out what's already in the Trove system (at "/categories/") without significant prior knowledge of its organization. A search function would make it much easier.

Replace "git branch --set-upstream" with "git branch --set-upstream-to" [ss2584]

Chris Tsai — Thu, 20 Aug 2015 22:07:00 -0000

[forge:site-support:#2584] >The example command currently is "git branch --set-upstream master origin/master", however the --set-upstream option is deprecated: ~~~~ $git branch --set-upstream master origin/master The --set-upstream flag is deprecated and will be removed. Consider using --track or --set-upstream-to Branch master set up to track remote branch master from origin. $ ~~~~ Referring to the "empty git repo" instructions.