#foswiki 2012-02-02,Thu


Who What When
pharveyREST requests needing auth in Drupal respond with 403 because, "... 401 Unauthorized must be combined with HTTP authentication, which is not what Drupal is using, so this is not an option" - http://drupal.stackexchange.com/questions/18348/why-does-drupal-use-403-forbidden [00:07]
SvenDowideitpharvey, yeah, on the other hand, other people.... :)
pharvey, did you re-read the task of doom?
in which you already did a pile of lit survey
SvenDowideit wants this to be a dev faq thing, and if we can improve the seo on it, maybe we can become a place people go for info (wisdom would be too much to ask :))
SvenDowideit has to break his computer again
[00:20]
gac410With template auth, the "fail" actually returns 302 redirect to bin/login. bin/login doesn't have a fail - it returns 200 with a valid template to solicit response. [00:22]
pharvey1) I think sniffing for XHR means something is wrong, 2) I'm worried we're mixing our application & HTTP layers in a way we're not supposed to. [00:22]
gac410The old issue was login would send the template with a 403 and no WWW-Auth header. That's totally wrong.
The question is ... when auth is required, is the 302 redirect always correct? or if the js that issued a mechanized request capable of handling a 403 with some WWW-Auth mechanism that the browser doesn't know.
[00:22]
SvenDowideitmmm, talk about network reboot for me :/
SvenDowideit dreams a bit then decides to forget request-types
in reality, like cdot, how much do we care about standard or consistent
expedience will continue to find ways to bite us, but what the heck?
[00:26]
harlanpersonally, I find consistency to be even better than standards. [00:32]
gac410well the standards are usually there for a very good reason. It's one thing to implement options of them, it's another to violate. We will have breakage on browsers, etc. and other unexpected results.
Especially any rfc marked *Standards Track*. Those are the really important ones. Others - like Hypertext Coffee Pot Protocol - can probably be ignored.
[00:33]
pharveyIf we have to sniff for XHR, I fear we're doing the wrong thing. But maybe I'm just weird. [00:36]
SvenDowideitharlan sad - we're a bunch of old codgers :) [00:36]
gac410Well I wouldn't go as far as say sniffing for it. It's being supplied as a header saying what the client wants.
We don
er. We don't want a redirect to some other place, we want to handle an authentication directly.
[00:36]
harlanAnd having said that, I'll point out that if a Standard is useful/prevalent, it's good to follow it. And there are plenty of cases where folks don't quite hit the mark (as implementing the standard or in coding to use an implementation) [00:37]
gac410Unfortunately standards by committee is a bit of an "art" in the commercial space ... to sneak in your intellectual property. some have lots of options, different implementations chosen by different vendors. Some of the IEEE 802.11 standards are like that. And just try for SIP interoperability
WiFi came about partly because there were so many options, you couldn't really implement an interoperable 802.11 net.
[00:40]
pharveyI read an interview with a guy who wrote some of SS7 protocol spec. He lamented that the players involved with SS7 didn't want to make it "too easy" to implement SS7... [00:42]
gac410yeah ss7 lots of old telcos trying to protect their signalling [00:42]
pharveybut that kind of shenanigans shouldn't be prevalent in HTTP-land... surely? :)
SvenDowideit, which "task of doom" are you referring to - I seem to recall doing research, but I can only find the task where I found google & yahoo seemed to be returning 200s.
[00:43]
gac410Don't know about http. It was sure prevalent in some of the routing protocols. and frame relay early days it was a beast to get some of that to interoperate. I used to participate in multi-vendor interoperation test and bake-off's [00:44]
pharveymmm bake-off [00:46]
harlanmmm [00:54]
SvenDowideitpharvey look for status 400 on f.o
its in the logs from last night, and the night before
[01:07]
SvenDowideit is somewhat tired of trying to advocate the standard when I'd much rather the convenience of other things :/ [01:15]
pharveySo, is the choice that we violate the spec and use an application-layer WWW-Authenticate method where an HTTP-layer one is expected, or use boring old X-Foo headers
Crawford's concern seems to be that an X-Header doesn't propagate up through a dumb stack of JS code wrapping the actual XHR
is that correct?
[01:23]
gac410The only thing I'm fuzzy on is MUST the WWW-Authenticate always be HTTP layer external to the application.
Is the OAuth implementation using WWW_Authenticate handled by the browser, or an oauth application plugin or ???
[01:27]
pharveyOAuth works entirely in the HTTP headers. That's unlike TemplateLogin, which requires processing of response body HTML, and special knowledge of how our JS works.
sorry, I mean that; OAuth doesn't use the response body part for anything.
[01:35]
gac410Okay ... so arguing how many angels dance on a pin. HTTP says that the WWW-Authenticate header is handled by the "User Agent" ... and defines that as usually the browser, or robots, spiders, etc. etc. With Ajax, is the JS code essentially the "user agent" for this exchanges?
Template login happens AFTER the 302 redirect to bin/login. The question is instead of 302 redirect is it okay to pass a 401 WWW-Authenticate header to the "User Agent"
At the time of the 302 (and crawford's 401) there is no template or body to scrape for login.
[01:37]
pharveyI'm confused why a rest handler would want to redirect to bin/login/templateauth anyway.
anyway/in the first place.
But there must be an obvious reason, or I've just got low sugar.
[01:41]
gac410Today's new CommentPlugin - if you bin/rest/CommentPlugin/comment on a topic, and need login, it redirects and works just fine.
And if rest is unprotected, and the "Allow Guests to comment" then the comment goes through without redirect.
[01:42]
pharveyhttp://trunk.foswiki.org/bin/rest/CommentPlugin/comment/Development/ImprovedRESTSupport says "GET denied" [01:43]
gac410If AllowGuestToComment is disabled, it redirects to restauth which needs the login.
sorry... if you POST bin/rest/CommentPlugin/Comment ...
[01:43]
pharveyThen that's not a rest handler which I'm supposed to visit in my web browser
Or you mean... I see.
[01:44]
gac410Right. You click on COMMENT button. and it does the post, which redirects if necessary.
so if browser forms use rest, you redirect, if ajax uses rest, you don't. That's crawford's dilemma.
[01:44]
pharveyThen surely the proper solution is to use an HTTP Accept Content-Type which is non-HTML.
For the ajax request.
[01:46]
gac410Ah. Maybe that's a better option than CDot's proposed X-Requested-By XML... [01:47]
pharveypharvey wonders what response CommentPlugin/comment gives when you ARE authenticated [01:47]
gac410200. [01:47]
pharveywith what in the body? [01:47]
SvenDowideitfinally. [01:48]
gac410Oh... no I have to go look - it might be a 302 back to the page with the comment button. [01:48]
SvenDowideitsomeone else realises that requested content-type matters
in my ideal world, a non-authed request for an auth required resource should get 401 _always_ (no redirect to login)
and for tmpl auth you'd set WWW-Auth to html, telling the browser to render that
[01:48]
pharveyassuming we have an auth mechanism that lives in the HTTP layer :P [01:50]
SvenDowideit(if.... requested content-type was html...
no
[01:50]
gac410pharvey - it returns 200 unless an option is specified to return to a different topic, in which case it redirects.
And it returns 404 if not authorized and in ajax.
[01:50]
SvenDowideitwhat about if you're authed, but don't have permission to modify? [01:51]
pharveyI'm not worried about the status code. I'm wondering about the response body accompanying the 200 [01:51]
gac410$response->header( -status => 200 ); $response->body("$web.$topic"); [01:52]
SvenDowideitwhat a fascinating thing to reply to content-type xml
or html
or json
SvenDowideit ponders RestPlugin
[01:52]
gac410Most of the time I believe it sets a "return" option resulting in a 302. [01:53]
SvenDowideitwhich is really simplistic [01:53]
gac410okay. bin/rest if urlparam endPoint is specified, it does a redirect to that url. otherwise it just returns whatever the handler set in the body [01:59]
pharveypharvey ponders replacing TemplateLogin with Foswiki as an OAuth server :P [02:00]
SvenDowideitpharvey doable, but oauth sux [02:03]
pharveyis there a betterauth? [02:03]
SvenDowideitbrowserid is the next attempt
and i like it for its logical simplicity
[02:03]
pharveythat sounds browser-centric [02:03]
gac410The %COMMENT macro validates the redirectto parameter and sets a valid destination as endPoint in the POST to rest. [02:03]
SvenDowideitlike oauth, its maddeningly redirecty [02:04]
gac410So to change the subject. back to my bcrypt ruminating. If I implemented bcrypt in js using one of the popular libraries Would that be an acceptable use of 401 WWW-Authentication with js bcrypt as the mechanism? [02:05]
pharveygac410, I'm not sure if "everything happens in the headers" == "It's an HTTP-layer thing" is correct, but that's my current (possibly mistaken) understanding [02:09]
..... (idle for 20mn)
gac410X-Requested-With - is a commonly used header. defined in Wikipedia: mainly used to identify Ajax requests. Most JavaScript frameworks send this header with value of XMLHttpRequest
so cdot is not proposing anything out of the norm there in headers.
[02:29]
pharveyI still think that's an arse-about solution though.
Accept headers should control the response.
I'm working with half a dozen HTTP REST APIs at $work. None of them contain this kind of madness, but then, they don't have any auth features either.
They *do* make extensive use of Accept to control the response, though.
[02:32]
SvenDowideitwhat worries me about X-Requested-With
is that the first thing one does when you debug oddity, is run curl -I
which would inexplicably give a different result
i do however think using Accept - as in content-type would help more than X-Request..
[02:47]
gac410as long as we clearly document that curl --header blah. it's just another part of the specification. [02:48]
SvenDowideitas a full html req is (should..) different from a html fragment
people typically don't read the doc
[02:48]
pharveyI've updated my comment to reflect my main concern that XHR shouldn't be a special case (i.e. let's use an Accept type instead). [02:49]
SvenDowideitworse, only a tiny portion come here to be told the doc
pharvey, sweet
SvenDowideit is having a bad, bad day :/
[02:49]
gac410the X-requested-with seems to be common in ajax-land [02:50]
SvenDowideitseems that i've wasted 2 hours on getting a cheap trivial video card not running well [02:50]
pharveyI still have doubts that TemplateLogin should be an WWW-Authenticate method, but I care less about that issue. [02:50]
SvenDowideity, and ajax-land constantly thinks its the only user [02:50]
pharveyit is common, and it is meaningless [02:50]
gac410But Template login is not. template login starts with bin/login [02:50]
SvenDowideiti'd love tmpl-auth to be a valid 401 response :)
tmpl login starts with a redirect to /bin/login
[02:50]
pharveySvenDowideit, that would be mixing application & HTTP protocol layers, isn't that bad? [02:51]
SvenDowideitits naf
i don't think its bad really
[02:51]
pharveyOr am I splitting hairs. Or making angels dance on the head of a pin, as gac410 said. [02:51]
SvenDowideiti think its a real problem that http has not dealt with the reality of auth [02:52]
gac410302 redirects a failed request to the template login. we are saying failed resource should just fail 401 gives a possibility of an auth method. 403 does not. [02:52]
SvenDowideit401 != failed resource [02:52]
pharveyThe *only* justification for pretending that Foswiki's TemplateLogin belongs in the HTTP layer when it really doesn't, is the convenience that a 401 can propagate an error up the stack of JS crap that wraps an actual XHR call. [02:52]
SvenDowideit401 is - can't tell you anything unless you auth
pharvey, if i had retentive hat on, i'd agree
[02:52]
gac410sven, right. 401 says you need to auth. And sends a Mechanism. In cdot [02:53]
pharveypharvey wonders if it would be very hard at all to move TemplateLogin's magic out of HTML+JS and into the headers [02:53]
SvenDowideitbut, having pragmatic hat on, under which i recognise 1) the importance and utility of consistency and 2) the importance and relevance of htmlform based auth [02:53]
gac410cdot's example, it can't handle it, so it ALERT's
I think what CDot's proposal offers is that JS *could* implement a mechanism and respond to the WWW-AUthenticate with a valid response.
[02:53]
SvenDowideitimo the browser could too [02:54]
gac410Right. [02:54]
SvenDowideitin that its probably possible for a browser plugin to hack it [02:55]
pharveyIf you're mixing the auth with the response body (e.g. extracting nonce out of the HTML) then that's clearly an application-level thing. [02:55]
SvenDowideitSvenDowideit wonders if anyone here has ie5
pharvey, yes, we grok the purity issue
and i'm pretty certain that _if_ it doesn't break old browsers hard, then purity is a crock of stupidity
[02:55]
pharveyIt is if it can be easily fixed. [02:56]
SvenDowideit_we_ should all be pissy at w3c for not having addressed the issue in the >15 years we've known about it [02:57]
gac410I don't think we are, (mixing response and body) in that nobody has implemented anything. If I deal with bcrypt auth using javascript that becomes an implementation issue more header interaction. [02:57]
SvenDowideitjs is not going to solve anything
as there are other clients of the endpoints that also should get a useful info
for eg, curl http:..../bin/view/Secrt/Topic
[02:57]
gac410no, what I meant was ... if WWW-Authenticate mech is to-be-designed ... it adds addl. headers to the response, and js does the response using headers as well. [02:58]
SvenDowideitshould to my mind get a 401, not a 302 [02:58]
pharveygac410 isn't making JS a solution. He's making an impl. that avoids relying on parsing/using/understanding any of the response body.
i.e. other non-JS code could also implement the bcrypt auth, and not have to dig into the response body.
And more importantly, wouldn't need to grok HTML to do so
[02:58]
SvenDowideityou're ignoring the simpler scenario i'm talking about [02:59]
gac410assuming this ever gets beyond the what if stage. [02:59]
SvenDowideitin that 401 + WWW-Auth: custom tells the consumer what is required [03:00]
gac410exactly [03:00]
SvenDowideitwhereas 302 + /bin/login is useless [03:00]
pharveyI don't think we're disagreeing on that point [03:00]
SvenDowideitand thats a html+non-X-Requested case
what i'm simply trying to get to, is that there's a consistent browser, ajax, whatever reply that makes sense
[03:00]
gac410*today* though - until template auth is redesigned as a WWW-auth mechanism, rest from ajax needs to not redirect. [03:01]
SvenDowideitand if ie5 or whatever dumbness render the html body for a 401+WWW-Auth:custom
then we're happy as pigs in mud
[03:01]
pharveyand that, I think, is easily solved with an appropriate Accept header [03:01]
SvenDowideitand can stop bikeshedding
gac410> *today* though - until template auth is redesigned as a WWW-auth mechanism,
i think is bikeshedding
s/think/hope/
[03:01]
gac410not knowing what bikeshedding really is ... gac410 agrees. [03:02]
SvenDowideitAccept should not be relevant either
gac410, google it
[03:02]
pharveyAccept isn't relevant to what? [03:03]
SvenDowideitcurl http:..../bin/view/Secrt/Topic
in that we're asking for html
[03:03]
gac410curl http .../bin/fiew/Secrt/Topic --header Accept-whatever [03:04]
SvenDowideitthats what i want to avoid
there's sod all point in adding that complexity unless its __actually needed__
and i'm positing that if a browser renders the body on 401 with WWW-Auth:don'tgrok
SvenDowideit thought cdot was going to test that tho
when i finally have a computer again...
[03:04]
gac410CDot did test a bunch, so far his ajax error: handler worked fine. Of course will IE5 or IE4 or curl have an ajax implementation worth using? [03:06]
SvenDowideitwe don't want this to be specific to ajax is what i keep trying to communicate
unless we totally and utterly have no choice (due to browser simplicity_)
[03:06]
pharveyWell, as long as we dive into with eyes open.
I'm extremely wary because between Confluence, X-Wiki & Drupal I haven't seen any of them doing this
[03:07]
SvenDowideitevery rest auth thing i've read says
use basic auth over ssl, or use the amazon eg of oauth
which basically seems to me to come down to
'don't request with ajax until after you've authed'
ie - everyone's passing the buck
[03:08]
gac410So maybe if rest called from (that which resembles ajax) maybe we just respond 403. prohibited.
Can't ajax trap that just as well as a 401?
[03:11]
pharveythat's what Drupal does. [03:12]
SvenDowideit403 isn't really sane for ajax either
as the ajax should not then re-try
[03:12]
pharveyThey seem to have decided it was the lesser of 87 evils. [03:13]
gac410So the only advantage I can see of a 401, is that it gives the client side the possibility of implementing some future auth mechanism.
ajax won't retry. CDot's example just sends an ALERT - to login before trying whatever it was you just did.
[03:13]
SvenDowideit'future' being something that actually does exist
cdot doesn't happen to want to retry
but my ajax client will
as it'll alert using a html popup containing.... user&pwd form
[03:13]
gac410how will your ajax client auth? drive bin/login in the background?
never mind ;)
[03:14]
SvenDowideitmore significantly
WWW::Mechanise can do the same too
[03:15]
gac410so it needs to then post to bin/login, get a cookie and then try the original request again. [03:15]
SvenDowideitget the html in a 401 and drive [03:15]
pharveyX-Wiki seems to favour WSSE [03:15]
SvenDowideitthe preferences are almost entirely driven by what the auth flavour of that month was [03:15]
pharveywell, it's an OASIS thing, which alfresco also seems to support [03:17]
SvenDowideitgac410,
The original issue way back when, if I recall correctly, was that the bin/login script returned the 40x error along with the request to login., and did not include a WWW-Authenticate request.
is not right
the original issue was that it was returning 400
[03:18]
gac410oh. :( yeah you are right. [03:19]
SvenDowideitwhich was totally broken, as many clients did the right thing and just broke off talking
WWW:Mech for eg has a die if (400)
[03:19]
pharveyanyone heard of SPNEGO ? [03:20]
gac410yeah. but in any event, as a standalone transaction, bin/logon -> webform -> post user/password - there are no failures involved. 200 is the right response lets not reopen that one :-D [03:20]
SvenDowideitif that were the case gac410
then what do you get for apache auth?
personally, while the spec lawyer hat says mixing abstraction levels is bad
the pragmatist tells me that having different auth mechs need different detection mechs is worse
[03:20]
gac410apache auth gets a 401, but is bin/login needed? it's usually requested on the *auth script [03:22]
SvenDowideit/bin/logon exists and is used
the *auth scripts are a hack that keeps getting removed
as its wrong and dumb
the *auth scripts basically simplify the http conf
[03:22]
gac410if I view a topic that has ACL restriction, doesn't it redirect to viewauth which in turn triggers the apache auth [03:23]
SvenDowideitas /bin/login can detect what the url req was before apache re-directed it
same as the viewfile one does
yes, and thats a bug
[03:23]
gac410It's a very consistent bug then. [03:24]
SvenDowideitif we were better coders, we'd re-write that
y, its how it was implemented originally
[03:24]
gac410and is being replicated. I think restauth was recently added. [03:24]
SvenDowideityup [03:24]
gac410bin/login needs 2 redirects view -> bin/login -> view ... (and double-encodes formfields breaking things :( ) [03:25]
SvenDowideitsimplistic and working ~~ expedient
it doesn't _need_
[03:25]
gac410as implemented... [03:26]
pharveySvenDowideit, are you done editing [03:26]
SvenDowideitthe second can (and i thought was) an internal redirect
rather than a browser to more
gac410, are you sure its not one of those 'code says redirect', 'which then gets optimised
pharvey, na, canceled instead
too much typing, not enough condensing
[03:26]
gac410hm. I'd have to trace it again. If it doesn't redirect, then the browser url will be wrong, correct? get stuck on login [03:27]
pharveySvenDowideit, did you know there was IETF discussion circa 2009 to standardize "Cookie-Based HTTP Auth"? Fascinating
pharvey sets fire to standards processes
[03:27]
SvenDowideitpharvey, yes, i did
and there was an informal discussion around 2000 too
[03:27]
pharveyhttp://tools.ietf.org/html/draft-broyer-http-cookie-auth-00 [03:28]
Babarpharvey: did anybody commit on the Release01x01 branch since I made my changes? [03:28]
pharveyBabar, yes [03:29]
Babarand? [03:29]
pharveychecking.. [03:30]
Babarhttps://github.com/foswiki/UnitTestContrib/tree/Release01x01 doesn't look good ;( [03:30]
pharveyfunny, github makes each and every open window/tab in iceweasel hang for 60 seconds [03:31]
Babar! [rejected] Release01x01 -> Release01x01 (non-fast-forward) [03:31]
pharveygac410 made a commit on Release01x01 core but it's not there in github :/
rejected?
[03:32]
Babaryeah... need to figure out why [03:32]
dj_segfaultHi, guys. So here's my crazy scheme of the day. I need to do as close as I can get to a discussion forum, where somebody can suggest an idea, and others can comment. I had this idea of using EditTable and CommentPlugin, and I set up a table with a format of "|textarea,5x30,|text,50,$percntCOMMENT{}$percnt|". In other words, a textarea for the suggestion in the first column, and a CommentMacro in the second column. [03:33]
SvenDowideitdj_segfault, use comment plugin
SvenDowideit did a proof of concept a while back - given that today is sucking majorly, i'll see if i can find it
[03:34]
gac410probably want to use COMMENT macro with custom forms then - and not let it create the html. [03:34]
dj_segfaultI am. If you look above, the second column is a %COMMENT{}% [03:34]
SvenDowideitnot using a table tho :) [03:35]
gac410Well. %COMMENT{} will create the input field. You'll need it with the noform option. [03:35]
SvenDowideiti made a threaded comment based forum
mmmm, i have no idea where that code is :/
[03:35]
gac410CommentPlugin has a threaded mode already - maybe you integrated it? [03:35]
dj_segfaultgac410: Ah that explains why it edits the table.
Threaded mode? OK lemme go back and look at the page.
[03:36]
gac410The trunk CommentPlugin is much improved - released to Extensions/Testing. It uses rest handler and can be configured to allow guests to comment. [03:36]
Babarpharvey: I could git push -f, but it might cause issues for you...
still, better than a never moving branch :)
[03:37]
pharveyBabar, it's ok - I'll suffer it [03:37]
Babarcore should be pushed [03:40]
pharveyta [03:43]
Babarok, forcing a huge update to see if it works
or maybe I should get some sleep?
04:44 looks like a nice time to be sleeping, doesn't it?
[03:43]
SvenDowideithttp://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16
friggen heck - a nice long 2012 rfc that in the end, helps nothing
[03:44]
Babarseems I still have some bugs :( [03:51]
SvenDowideithttp://tools.ietf.org/html/draft-oiwa-http-auth-problem-statement-00
seems to document reality a little
[03:52]
dj_segfaultI tried threadmode, but it doesn't seem to do anything different than putting comments first to last. I figured "threadmode" would let you comment on a comment. Maybe that was an unrealistic expectation. Or did I do something wrong? [03:53]
SvenDowideitno, some work is needed to make it all look like a real forum [03:53]
gac410the draft-ietf-httpbis seems to indicate that WWW-Authenticate is *not* extensible. New schemes "SHALL" be registered with the ietf. [03:53]
SvenDowideitbut i've failed to find it
gac410, y, which is as dumb as a dumb thing
[03:53]
gac410dj_segfault: I didn't go any further than noticing that there was a thread mode defined. I guess it's incomplete :-( [03:54]
SvenDowideitthey're very very busy burying their heads in sand and avoiding 20 years of use [03:54]
dj_segfaultgac410: DOH. OK, I'll bail on this idea and try something else. [03:54]
SvenDowideitharumpf
http://tools.ietf.org/html/draft-ietf-httpbis-authscheme-registrations-02
Negotiate is classed as 'bad' cos we refuse to negotiate with reality
[03:55]
dj_segfaultThanks. [03:56]
gac410If you want to do what you defined, you could put a target, and use a noform based %COMMENT% to spread the form across table columns.
the plugin is very flexible. But would need some work. The new version is also usable with ajax
[03:56]
SvenDowideitSvenDowideit contemplated putting in an rfc: stop sticking your head up your butt :) [03:58]
gac410blah. I can understand why Negotiate is rejected. It's a microsoft thingy ... "SPNEGO-based Kerberos and NTLM HTTP in Windows" [03:58]
dj_segfaultSvenDowideit: Maybe they should get together with the IPv6 committee and have one big "We don't learn from history" party [03:59]
SvenDowideitSvenDowideit is now totally depressed [03:59]
gac410several friends of mine used to attend ietf meetings. Just like sausage - don't really want to see how things are being made. [04:00]
SvenDowideityup, know someone that worked on c++ standards too [04:01]
gac410Here you go -- Extensible Authentication Protocol over HTTP http://www.arkko.com/publications/draft-torvinen-http-eap-01.txt
probably rejected as it needs state between exchanges - essentially ppp authentication.
[04:07]
SvenDowideity - do you know where to find info about why things were not continued?
http://tools.ietf.org/id/draft-broyer-http-cookie-auth-00.txt
seems to me to be the most pragmatic rfc i've found
and the discussion just peters out
[04:09]
gac410no - maybe ietf meeting minutes somewhere. If they can't get consensus, it probably just fades away. [04:10]
SvenDowideity, or similarly, if the proposer gives up quietly, it just fades too [04:11]
pharveyBabar: go to sleep :P [04:11]
Babarfound a weird error/bug
restarted, we'll see if it gets better :)
Babar goes to bed
[04:11]
gac410SvenDowideit: Probably tidbits of information in http://www.ietf.org/mail-archive/web/http-auth/current/threads.html#00022 the mailing lists. [04:15]
SvenDowideityeah, i've been reading lots of the more recent mails and links
and it all sounds like 'html auth is broken, so we won't try to fix it'
[04:16]
pharveyhah, http://www.w3.org/html/wg/tracker/issues/13 - exactly our concerns.
STATE: CLOSED
lol
[04:16]
SvenDowideitok, this probly is the killer for my idea
2) Browsers do not display the text/html response body of a HTTP 401 response, instead, they just pop up a modal authentication dialog (until "cancel" is pressed).
pharvey, tell me when i can edit please
[04:18]
pharveySvenDowideit: just added the ISSUE-13 link, done now. [04:21]
gac410well based on the drafts, I'd say WWW-Authenticate is not intended (or won't be) extensible. So using that header - we are charting new territory. Not a good thing - :-( [04:22]
pharveyhttp://www.w3.org/html/wg/tracker/actions/86 seems to contain all relevant things pertaining to the broyer cookie auth proposal
well, from the w3 side
and all those links are borken
[04:22]
gac410yeah. "service is down" [04:23]
SvenDowideitnot that new - they're talking about another header too
'Authenticate'
or X-Authenticate for now
but they really do seem more interested in not deciding anything
[04:24]
gac410,
can you tell me if the suggestion i added is just plain busted?
http://foswiki.org/Development/ImprovedRESTSupport
[04:36]
gac410gac410 looking [04:36]
SvenDowideiti'm using you as the 'standards should be followed because the authors have thought it through more than we can' person :/
i tried to do that while you slept, but its hard, cos really, i want what cdot wants, plus consistency
the thing that led me to 200+X-Error was that cdot didn't mention that he was poking thirdparty code in which adding a $.ajaxSetup.error() is possible
but adding $.ajaxSetup.success() handler is dodgy as all heck
(those 2 are global event handlers that get called 'in parallel' to the event handlers that are set up by the actual call to the ajax req
[04:37]
pharveySvenDowideit, so, Drupal's use of 403 is chickening out somewhat, but not entirely without justification... [04:39]
SvenDowideitdrupal's chopped off their face to spite their nose
and then the js author has to ignore the meaning of 403, and re-request
[04:40]
pharveybut given that "the assumption is you're already auth'd, before doing any rest" ... :) [04:40]
SvenDowideitwhich is just as bad a response as ietf's lack of leadership [04:40]
gac410I'm really surprised that the draft essentially casts WWW-Authenticate as not extensible. Which is a real bummer. [04:41]
pharveywhat a depressing day [04:41]
SvenDowideitfor which i'm spamming a few people again
gac410, i dont' think that draft has a hope in hell
as it pretends it can make something that has been happening for the age of the internet invalid
[04:41]
pharveyI think whoever wrote that, must not be talking about reality [04:41]
SvenDowideitthey're not [04:42]
gac410yeah - I'm still leaning toward extending the 401 / WWW-Authenticate. I was just reading through all the possible status codes - and there is nothing else that comes close. [04:42]
SvenDowideitmost of this stuff is head in sand
gac410, so we have group-think :)
[04:42]
gac410The fly in ointment is the 3rd party stuff. If it was all local, then defined a json structure that has its own error code, etc. should be fine. [04:43]
SvenDowideitala jsonrpc :) [04:44]
gac410yes. [04:44]
pharveyI'm concerned about putting something into WWW-Authenticate that is fundamentally not an HTTP scheme. So, is Broyer's Cache-Auth anywhere near implementable? And to hell with its official status. [04:44]
SvenDowideitpharvey,
http://www.xml.com/pub/a/2003/12/17/dive.html is implemented
so, its fundamentally not a problem
the only kicker is that
2) Browsers do not display the text/html response body of a HTTP 401 response, instead, they just pop up a modal authentication dialog (until "cancel" is pressed).
statement
i had hoped that wasn't the case
but... meh
[04:45]
pharveyIs that really true?
WSSE usage in Alfresco and X-Wiki gives it some credibility.
Although, I wonder if Alfresco's using it because that whole thing is SOAP-tastic.
[04:45]
SvenDowideitNegotiate for ntlm and gssapi does too [04:47]
gac4102) is true if the browser understands the WWW-Auth mechanism. I think CDot proved that if the mechanism is not Basic or Digest, the browser ignores it and ajax can handle it. [04:47]
SvenDowideitin that ietf only reluctantly mentions it as a WWW-Authentic value
when ajax is used, browser support is irrelevant
[04:47]
gac410The stuff I found on WSSE suggests it's complex and very slow. 100s of requests/sec in tests vs. 1000's. [04:47]
SvenDowideitis the browser does naught
i bring up WSSE only for ONE reason
[04:48]
pharveyI'm not worried about having IETF's blessing for whatever we put into WWW-Authenticate. I'm more worried that the thing we put in there is actually even relevant to HTTP auth at all. [04:48]
SvenDowideitthey are able to use the WWW-Auth header without stuffup [04:48]
gac410okay - yes. They did extend WWW-Auth.
As does OAuth from what I could tell.
[04:48]
SvenDowideity [04:48]
gac410So IETF won't bless extensions ... but as long as the client and server implementations agree, who cares. [04:49]
SvenDowideitand all i want is to have the you need auth server response tell the receiver enough info to doit
and the www-auth: cookie draft has a 'goto this url' value that would do that
[04:49]
gac410so... are we converging on WWW-auth
and 401
[04:50]
SvenDowideitbut sadly only for non-Accept:html req's
due to browser dumbness
another day wasted on ietf uselessness
[04:50]
gac410right. If client wants html, then auth needs to redirect to the login template. [04:51]
SvenDowideity (facepalm) [04:52]
gac410one more dumb ajax question. If web server is set to require Basic or Digest auth. will browser handle that for ajax or does ajax have to do it.
ie what happens to CDot's code if the web server is reconfigured.
[04:53]
SvenDowideiti'm 60% sure the browser pops up its auth mess [04:54]
gac410That would be good I think - [04:54]
SvenDowideitit'd do that even if the user was authed
making a bit of a mess too
so i'm not sure
[04:55]
pharveygac410: jQuery's $.ajax() allows you to supply username & password, FWIW [04:56]
gac410Basic only or digest as well pharvey? [04:56]
pharveyI guess that's up to the web browser (so I assume both)
but I must have it wrong... otherwise why do people complain about "ugly" prompt boxes
[04:57]
SvenDowideitno, you're right
that trick is used to logoff basic auth too
[04:57]
pharveyexcept in chrome, which sucks
(... or did they fix that)
[04:58]
SvenDowideitchrome? wossat :) [04:58]
pharveychrome retains the credentials of the last _successful_ authentication
or at least, it used to.
[04:58]
SvenDowideitok, ietf people flamed a bit [04:59]
pharveywhere? Can I join in? :P [04:59]
SvenDowideitprobly
we'll see if anyone of them replies
[05:01]
gac410Lots of people have troubles with EditChapter. [05:04]
SvenDowideitSvenDowideit needs pharvey to finish <P>
so that i can fix EditInlinePlugin
[05:04]
pharveySvenDowideit, didn't you hear? It's even more doomed than SafeWikiPlugin [05:04]
gac410last I heard, pharvey reported it's hopeless [05:05]
SvenDowideitas its a simpler impl of the same functionality [05:05]
pharveyor maybe I'm just easily depressed this week [05:05]
SvenDowideitoh ffs, pharvey you smell :P [05:05]
pharveyI know right :P [05:05]
SvenDowideityou should see how i feel
i've wasted almost 10 days of my life on openstack
which is a pile of inconsiderate 'experts only' shit.
[05:05]
pharveyone last www-authenticate thing: http://trac.tools.ietf.org/area/sec/trac/wiki/HttpAuthentication/ProblemSpace [05:06]
SvenDowideitand then am dealing with hardware failures everywhere [05:06]
pharveyso, OMFG they have a wiki [05:06]
SvenDowideity
thats the url that started my email
I've asked that they fix http://trac.tools.ietf.org/area/sec/trac/wiki/HttpAuthentication/ProblemSpace/ExistingMechanisms/HTMLFormBased
where it says 'Plain-text password sent to the server'
as that statement is BS
and the other 3 are their fault entirely
[05:06]
pharveyso openstack is almost as user-friendly as setting up a new cpan site? [05:07]
SvenDowideitie, all Cons go away if they get off their arse and spec up something that works
no
openstack is as userfriendly as foswiki
minus the ACG and install doc
as they tell you about all million options
but fail to give a consistent and working 'try me out' setup
there are more than 5 scripts to make an openstack setup, but none result in a fully functioning system
due to one bug or other
[05:07]
gac410well their test cases look hopeful. For "unknown mechanism" all browsers display the page - considered a Pass - which means it probably won't get in the way of the ajax. [05:08]
pharveySvenDowideit, btw: couldn't think of a nice way to avoid things like <p></div></p> unless we start grokking HTML properly in the renderer, which means real parsing... [05:08]
SvenDowideitpharvey, ffs :)
you're bikeshedding
[05:09]
pharveyI'm not bikeshedding. I'm giving up. [05:09]
SvenDowideitstart with fixing the P's for all content that is simple [05:09]
pharvey... I guess that's the same.
I have, and the unit tests pass
[05:09]
SvenDowideitand then work from there [05:09]
pharveyBut then you run it for real and it's totally b0rked [05:09]
SvenDowideitgood - can we have that code?
for what values of borked?
[05:09]
pharveyby "unit tests pass" I mean the tests that I wrote myself. Not FoswikiSuite. [05:10]
SvenDowideitoh, thats not pass
suite ~~ pass
[05:10]
pharveyIndeed.
The second you start adding <html>, it all catches fire.
[05:10]
SvenDowideitSvenDowideit gives up on today and goes to mow the lawn [05:10]
pharveyPure TML is fine.
.. not that that's worth much.
have fun
[05:11]
gac410I've got a few more months before that task comes back on the radar. [05:11]
....... (idle for 31mn)
***gac410 has left [05:42]
........... (idle for 54mn)
SvenDowideitoh shit.
i just tried to use wysiwyg's blockquote
and it quoted not just the text i highlighted, but the next 2 lines too
pharvey, you astound people too much - you succeed with too many impossibles, so we keep asking for more
[06:36]
pharveySvenDowideit: trunk or release TMCE
SvenDowideit: TMCE doesn't really <blockquote> a selection - it converts the container from whatever it is (<p>, for example) into a <blockquote>
which is possibly naff, if you went to the trouble of making a selection
pharvey compares with moxiecode tmce
yeah, that's consistent with the behaviour at http://www.tinymce.com/tryit/full.php
SvenDowideit, in my experience they ignore this kinda bug unless you make a pull request :P
pharvey angrily bashing numbers into spreadsheets
[06:41]
.... (idle for 16mn)
SvenDowideithey ArthurClemens
i started (and should do more on) a foswiki monthly post for jan 2012
but really wish i didn't have to use wordpress for it
from your email, it feels like we're not using the Blog web only because some content has not been migrated?
I'd rather use it and worry about old stuff if and when anyone has the time
[07:01]
ArthurClemensok, fine with me to start using it
I think the web is protected now
[07:04]
SvenDowideiti don't know nothin about it yet :)
and we need to work out how and where to advertise its existence
I'll start by writing an unpublished thing and see where that leads me
mmm, so if i use the creator and save that topic, its published already?
[07:05]
ArthurClemensyes [07:09]
SvenDowideitSvenDowideit adds an ALLOWVIEWTOPIC to it, and grimaces [07:10]
ArthurClemensso you'd need a "publish" checkbox? [07:10]
SvenDowideitsomething - it'll take me a few days to write this [07:10]
ArthurClemensand a way to find unpublished posts [07:11]
SvenDowideitand unpublished kinda means a restricted ALLOWVIEW [07:11]
ArthurClemensin the end it is just a topic with a data form [07:11]
SvenDowideitrather than obscurity - which google with websearch would break instantly [07:12]
ArthurClemensso you could write something without it being a blog post [07:12]
SvenDowideitwhat i did on home.org.au years ago
is that the topic template had ALLOWTOPICVIEW=$AUTHOR in it
and then I would have to intentionally remove that to 'publish'
[07:12]
ArthurClemensthat is beyond an expert setting [07:14]
SvenDowideitreally?
i wonder what makes you say that
[07:14]
ArthurClemensmy colleagues would not work with that [07:15]
SvenDowideitSvenDowideit did have 'look at prefsplugin' on his task que [07:15]
ArthurClemenswould refuse [07:15]
SvenDowideitits not hard to make that optional - there's no reason to refuse
SvenDowideit has to go, will give up on life, its a bad day for me anyhoo
[07:16]
..... (idle for 21mn)
Babarpharvey: should be all pushed now
we'll see if it stays that way :)
[07:37]
pharveykool [07:38]
BabarI still need to deal with scratch, as for the time being, I create a sub-project with the name of the person
but... later
[07:40]
pharveyscratch isn't so important
github is my scratch :)
[07:40]
Babaryeah
but it's not nice
anyway, have to go to work
l8r
[07:41]
pharveyseeya
pharvey goes home from work
[07:41]
GithubBot[foswiki] foswiki pushed 1 new commit to master: http://git.io/qOv9vw
[foswiki/master] Item11483: force the push upon creation, in case it already existed and would not fast-forward - OlivierRaginel
[07:47]
***GithubBot has left [07:47]
FoswikiBothttp://foswiki.org/Tasks/Item11483 [ Item11483: Module repos aren't pushing Release01x01 branch to github ] [07:47]
foswiki_irc5Hi there! Is it possible to grant access right to a logged in user? i would not like to define a group or something... [08:00]
is there no possibility to tell the system * Set ALLOWWEBVIEW = "logged in user" ? [08:09]
harlanfoswiki_irc5: how about: DENYWEBVIEW = WikiGuest [08:19]
foswiki_irc5that would be an idea! [08:20]
.... (idle for 18mn)
***ChanServ sets mode: +o MichaelDaum [08:38]
.... (idle for 15mn)
CDotpharvey: SvenDowideit: http://tools.ietf.org/html/draft-oiwa-http-auth-extension-00 [08:53]
.... (idle for 18mn)
harlanI'm looking at the HomePagePlugin and I'm still thinking I might want to rename the USERSWEB because I want to restrict VIEW access to the users and groups to logged-in folks; I don't want guests to see any of that stuff.
Am I just tired and I can DENYWEBVIEW to WikiGuest for the Main web, and use the HomePagePlugin to "offer" a different home web for folks who visit the "landing page"?
[09:11]
pharveyhi CDot [09:26]
CDotpharvey: moin [09:27]
pharveypharvey obviously doesn't understand how IETF works. How can a draft be 'standards track'? [09:30]
CDotpharvey: in answer to your question, yes, what you can do when 3rd party JS is in the way is molto importando [09:30]
harlanbecause the document is a WIP towards becoming an IETF standard? [09:30]
CDotsee the wikipedia article on RFC's (yes, I had to read it too) [09:30]
pharveyI see
ah, and it's Intended-status. Not actual status.
[09:31]
CDotCDot thinks the Drupal folks are *wrong* [09:31]
pharveypharvey too [09:32]
CDotCDot is cold and needs his breakfast. Back l8r. [09:33]
....... (idle for 30mn)
CDot finds the winternet very slow today. Just my local connection?
pharvey: since you are editing; the answer to SvenDowideit's =Accepts= idea is that in my (real world) application I don't have access to the $.ajax call in order to add such a header (though arguably I could set up a global jQuery handler; I haven't tried)
[10:03]
pharveyCDot, my internet is slow because of the rain clogging up the tubes. Well, that's what my neighbour told me. [10:06]
CDotno rain here, but it *is* bloody cold. Maybe the fibre optics are frozen. [10:07]
pharveySo, making XHR a special case is the last thing that's really troubling me. [10:08]
CDotCDot thinks XHR *is* a special case, so long as browsers make an arse of handling auth [10:09]
pharveyAs somebody working with 6 different HTTP-REST services provided by 4 different institutions, I'd like to think /bin/rest is useful to clients other than AJAX [10:11]
CDotpffft my ISP reckons it's giving me 37Mb this morning. Sure doesn't feel like it :-( [10:12]
pharveyI'm barely getting 170KiB/sec, what's that... 1.7Mbit? :) [10:12]
CDotCDot isn't fixated on rest, but more on how to handle clients that can't make use of 200+login page [10:12]
pharveythat would be all clients that aren't web browsers [10:13]
CDotthat would include other user agents, such as wget and curl
yes
so, the problem is spotting an interactive request from a web browser
can't use the user agent, obviously
[10:13]
pharveyBut isn't this arse-backwards? I'm used to setting Accept: to control the response, never have I learnt of anything requiring X-Requested-With
but maybe I'm just being precious
[10:14]
CDotcan't use an Accepts header, because that requires access to change the request
wget sends Accepts: text/html, after all
[10:15]
pharveyit does by default [10:15]
CDotright, and "default" is the case we (as service providers) have to think about [10:15]
pharveyservice providers need to worry about wget's default accept header?
Not that I'd call them perfect exemplars of web citizenship, but at least one API I use bombs if you ask for anything other than JSON
Actually, my copy of wget uses Accept: */*
which makes me wonder why it's there at all
Perhaps to satisfy obnoxious service providers
[10:18]
CDotI'm still not sure why you think the Accepts: header should influence the HTTP protocol
Accepts defines the format of the response, not the status codes to be used in that response
"The Accept request-header field can be used to specify certain media types which are acceptable for the response." - rfc2616
[10:21]
pharveySure. But asking for a non-HTML representation, would preclude being redirected to one (i.e. /bin/login) [10:23]
CDotso you favour throwing back a 200 + gobbledegook? [10:23]
gmcso you throw an error... if you can't deliver what the client is asking for [10:24]
CDoton an auth failure?
gmc: zactly
an auth failure is a failure (IMHO) so must be sent with a failure code (again IMHO)
[10:24]
pharveyI'm not arguing about the response status code
I'm arguing about your reason for making XHR a special case
[10:25]
gmci think that is the not so humble opinion of the relevant rfc as well (although it's been a while since i read it) [10:26]
CDot.... just how it gets triggered, sure [10:26]
pharveywhich I thought was to avoid the 302 redirect [10:26]
gmcbut i missed the entire discussion, so i'm probably not making much sense.. [10:26]
MichaelDaumMichaelDaum didnt have the chance to read CDot's proposal yet [10:26]
pharveyI agree 401 is the correct response code, except that it's intended to require an HTTP auth mechanism, which TemplateLogin isn't
And so, pretending for a second that TemplateLogin can be an appropriate HTTP-Layer auth mechanism
I'm just trying to think of a way to not make XHR a special case
[10:26]
gmcwell.. i don't think that's the problem .. you have an auth failure which is NOT a http-auth failure, want to show a html page but can't because the client doesn't accept your format [10:27]
MichaelDaumMichaelDaum is convinced that for our use case - auth-ing a xhr request - specs leave not enuf room for error codes. so the error codes must go somewhere else: either as a custom http header or as part of the response object itself like it is the case in jsonrpc [10:28]
gmcso that's a 406 response then [10:28]
MichaelDaum... no room for error http error codes that is [10:28]
CDotgmc: what makes you think 401 is reserved for Basic/Digest auth? [10:28]
MichaelDaumMichaelDaum does agree with Sven in that respect [10:28]
pharveygmc, 406 is a failure to negotiate an appropriate Content-Type
AFAIK
Eg. you request application/json but server only knows how to provide xml
[10:29]
CDotyeah, 406 is wrong too, because there has been no Content-Type failure.
MichaelDaum: I think you are in a minority of one on that point.
[10:29]
MichaelDaumguys theres no point in sifting thru the http status codes for xhr. [10:30]
CDotCDot still hasn't found anywhere in the RFC's that reserves 401 for Basic/Digest auth [10:30]
MichaelDaumthis is mixing transport codes versus application error codes [10:30]
CDotNO! HTTP is an application layer, *not* transport layer [10:31]
MichaelDaumthere are tons of specific errors that make absolute no sense for http [10:31]
CDotread the RFCs
e.g. OAuth uses 401
[10:31]
MichaelDaumlike input validation [10:31]
CDotand is impl. in JS [10:31]
pharveyOAuth does use 401, but it does so without polluting the response body. *THAT* is the mixing of Hypertext Transfer Protocol and "Application" [10:32]
SvenDowideitone thing I'm doing [10:32]
MichaelDaumauth'ing is just one of the things the client side must handle as part of the total error handling [10:32]
CDotCDot doesn't understand "polluting the response body" in this case [10:32]
MichaelDaumMichaelDaum neither [10:32]
SvenDowideitis harrassing the author of the www-auth: cookie draft and a few other people involved in ietf specing.
and the first reply i've gotten
[10:32]
CDotSvenDowideit: good move [10:33]
SvenDowideitwas 'theres no reason you can't use www-auth: cookie' [10:33]
CDotdo you mean WWW-Authenticate: cookie? Or something else? [10:33]
SvenDowideitit probly isn't a good move, and I'm extremely pissed off with them
yes, WWW-Authenticate: whatever you friken want
[10:33]
CDotsure, just want to be clear [10:34]
SvenDowideityup
its just that Cookie was a draft spec that isn't totally our invention
and has had some consideration before it was forgotten
[10:34]
CDotditto with the forms-based auth spec I posted this am; though I can't see any discussion of it [10:35]
SvenDowideitits a shit that you are basically thinking you can't even get the jquery plugin to use a non-html mime type [10:35]
CDotCDot wonders where IETF people do their talking [10:35]
SvenDowideitin paris soon
all over the world, like real standards people - face to face with no public minutes
cos its not the right place to have every not well formed idea recorded against you
[10:35]
CDotCDot doesn't have a vested interest either way, just wants something that works [10:36]
SvenDowideitmy personal preference is to ignore the naive hope not to mix levels [10:36]
pharveyCDot, it wouldn't be the first time I've convinced myself of something completely wrong, but when somebody says "HTTP Layer" when talking about web services infrastructure, I think "Headers, and keeping out of the response body". TemplateLogin needs strikeone, which means grokking the HTML. [10:36]
MichaelDaumCDot, +1 [10:36]
SvenDowideiti'd like to have something that works now, and works in 5 years time [10:37]
MichaelDaumSvenDowideit, +1 [10:37]
SvenDowideitand the latest draft would declare lots of things invalid [10:37]
CDotpharvey: correction; templatelogin does *not* need the HTML. I can templatelogin from JS only. [10:37]
pharveydon't you need to compute strikeone? [10:38]
SvenDowideitactually, y, tmpl login should work without looking at the html payload [10:38]
pharveyI'm pretty sure last time I tried, it gave the CSRF oops [10:38]
CDotpharvey: yes; but I can send the s1 key in other ways [10:38]
SvenDowideitbut that needs one little tweak that we discussed for doing RestPlugin and WWW::MEcha
CDot pharvey we already have that proposal (unimplemented)
but none of that helps CDot 's horrid plugin case
except
[10:38]
pharveycool, so, as I said, the last thing that bothers me, is depending on X-Requested-With [10:39]
CDotthe only reason s1 uses the HTML is pure laziness on my part [10:39]
SvenDowideitdoes the jquery POS you're using actually request text/html?
and expect html back??
[10:39]
CDotSvenDowideit: it's not totally horrid, cos I *could* preprocess every 200 sent to the client in JS
and read the headers there. JQ supports that.
but processing every 200 seems..... dirty, compared to only looking at 401's
[10:39]
SvenDowideitso - the big q - what is it requesting [10:40]
CDotSvenDowideit: it does a $.ajax with no content type, so text/html [10:40]
SvenDowideiti would like templauth to throw 401 for all non html req's, as you can't get... [10:40]
CDot(the specific example is JEditable) [10:41]
SvenDowideit$.ajax is crap. [10:41]
pharvey$.ajax isn't that crap [10:41]
SvenDowideitthat would be the third bug in it that i've had the misfortune of getting sodded by [10:41]
pharveyit's crap if you don't drive it properly [10:41]
SvenDowideitit deleted PUT until last year ffs [10:41]
CDotmaybe so. tell it to the JQ peeps, they will pat your hand. [10:41]
SvenDowideitits crap
the author is a shortsighted bum
did that - funnily enough, they fixed it
[10:41]
pharveyyeah, mutilating the options you give it, isn't cool [10:42]
SvenDowideitbut the first fix was almost as stupid as the initial bug [10:42]
CDotCDot throws another kangaroo steak over the wire to SvenDowideit to calm him down [10:42]
SvenDowideit:) [10:42]
pharveyit even purged any username/pass credentials you give it, until last year also... or whenever 1.5 was [10:42]
SvenDowideitand that was issue 2 [10:42]
CDoty, JQ is a bit shit. But it's what we use, so..... [10:42]
SvenDowideity, i'm ok with that
but don't tell me $.ajax is 'good' :)
[10:43]
CDotCDot didn't [10:43]
SvenDowideitits what we have, and bugs need to be fought
y - i'm trying to get pharvey to stop with the HTTP auth layer vs app layer :)
[10:43]
pharveyso back to the point. Is there any other way than leaning on X-Requested-With. Or do we give up and do that, and add that to our "REST API for non-browser UAs" [10:43]
CDotah, k [10:43]
SvenDowideitcos that boat has sailed
20 friken years ago
[10:43]
CDotpharvey: there may be a way [10:44]
pharveyhuh? [10:44]
MichaelDaumbah ... this proposal is loong and goes far over my abilities to concentrate on right now [10:44]
SvenDowideitanyone (including HTTPWG) that thinks they can stop a glacier... [10:44]
CDotand that is to look at other things *as well* [10:44]
SvenDowideitMichaelDaum thats the problem for the standards guys too [10:44]
MichaelDaummeh. this is just about how to get an error code thru to the client, isnt it. [10:44]
SvenDowideityes [10:45]
MichaelDaumso pft [10:45]
pharveyAlso how to tell the client how it should auth
(potentially)
[10:45]
SvenDowideitif browsers had fixed the 401 render html body issue
then we would have a trivial answer
but the standards bodies used several other issues to bunt that too
[10:45]
CDotpharvey: describe a case where 401 is appropriate *without* X-Requested-With: ? [10:45]
MichaelDaumproblem with 401: doesnt it end up in an endless redirect loop based on standard behaviors of browsers? [10:45]
CDotMichaelDaum: no [10:45]
SvenDowideitCDot peasy [10:45]
pharveyCDot: curl
LWP
[10:46]
SvenDowideitcurl http://vire [10:46]
CDotdescribe a case [10:46]
SvenDowideitif i request a html page that i need auth to
then curl should tell me the truth
not a 302 to some other random place
[10:46]
CDotI agree; but we use curl today without [10:46]
MichaelDaumCDot, what happens with this auto-renegotiating of basic auth that browsers happen to do when hitting a 401 with xhr? [10:46]
SvenDowideitno, we don't much
MichaelDaum thats a special case
[10:46]
CDotand why not curl -whatevereitis X-Requested-With=XMLHttpRequest http://vire ? [10:47]
SvenDowideitwhere you have 401 and WWW-Auth:basic set
because users won't think of it
[10:47]
MichaelDaumah ok. cool. [10:47]
SvenDowideituntil they've wasted an hour
the status should be clear and obvious
not obfuscated and bizarre
its a 'status' not a mystery novel
[10:47]
CDotSvenDowideit: so you are arguing the default should be 401 *unless* the request can be positively identified as coming from an interactive browser? [10:48]
SvenDowideitSvenDowideit has to go take the girls to bed :) [10:48]
pharveyHere's a real case I'm supposed to be supporting by December last year. Content scraper is scraping our wiki, and follows a link to a protected page. [10:48]
SvenDowideitCDot _YES_
and only because browsers are broken
bbin30
[10:48]
MichaelDaumso do I get this right: when www-auth is not set to basic, then browsers wont auto-negotiate auth? [10:48]
CDotMichaelDaum: correct
Basic/Digest are the only supported by browsers
[10:48]
MichaelDaumMichaelDaum learned something today [10:48]
CDotall else passes thro to client [10:48]
pharveyCDot: FWIW, curl -whatevereitis X-Requested-With=XMLHttpRequest seems like the only way, having discussed this to exhaustion [10:49]
CDotCDot wonders how to identify a request as coming from an interactive browser [10:49]
gmcnice.. evacuation of the building WHEN IT IS FREEZING OUTSIDE [10:50]
CDotpharvey: SvenDowideit has a point, it would be best to 401 *unless* the client says "I can do auth"
gmc: have a cold one on me :-)
CDot is freezing *inside* the building today
[10:50]
gmci think the rfc has a MUST that a 401 response must include http auth headers [10:51]
pharveyit's cold here too, except cold means 14 C :) [10:51]
gmcThe request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). [10:53]
CDotgmc: it has a MUST include WWW-Authenticate:. It does *not* specify WWW-Authenticate beyond that, and the client can handle it "however" [10:54]
pharveyMichaelDaum, btw. I failed to fix Foswiki::Render, my naive approach was doomed... too hard to avoid things like <p></div></p>.. so I will try to make it pluggable, then a more aggressive adventure can be had. [10:54]
FoswikiBothttp://trunk.foswiki.org/System/PerlDoc?module=Foswiki::Render [ (Foswiki login) PerlDoc ] [10:54]
CDotmost browsers handle Basic and Digest in WWW-Authenticate, but all other (e.g. OAuth) are handled in JS (in standard browsers) [10:55]
MichaelDaumMartinCleaver, yep. thats what I meant with my cryptic comment down that proposal. [10:56]
CDotCDot thinks SvenDowideit is right - 401 should be the default - but can't see how to work around browser limitations on that [10:56]
MichaelDaumI once tried something like alter between <p> and </p> every now and then ... which resulted in exactly the html youve described above.
so there are some other elements which should force a currently open <p> to be closed prematurely
[10:56]
pharveyI have renewed energy to tackle Foswiki::DOM. Just ... not this month :/ [10:57]
FoswikiBothttp://trunk.foswiki.org/System/PerlDoc?module=Foswiki::DOM [ (Foswiki login) PerlDoc ] [10:57]
pharveyBUT
The first alternate implementation, should be WyswiygPlugin::TML2HTML :)
Even if it's not useful. Just to prove the pluggableness can work.
[10:58]
MichaelDaumjust recently there was a (german) article on markdown saving the world [11:00]
pharveyI should think so! It shares your initials! [11:01]
MichaelDaumMichaelDaum doesnt have xray view [11:01]
pharveyany specific reason why it's saving the world?
is it cool because github uses it?
[11:01]
SvenDowideitthe rfc simply says, 401 must have a www-authenticate header [11:02]
MichaelDaumMichaelDaum fetching the link ... maybe google translate is able to reveal [11:02]
SvenDowideitthere are _not_ limitations on the value of that header [11:02]
MichaelDaumhttp://t3n.de/news/markdown-simple-markup-sprache-363015/
"simple markup for clean html"
[11:02]
SvenDowideitlol
markdown 'simple'
[11:02]
pharveyoh. [11:03]
MichaelDaumwould be cool to add TOPICINFO{ renderer="markdown"} [11:03]
pharveymarkdown is compelling because it's boring. T/Fos/MediaWiki try to do too much. [11:03]
SvenDowideitMichaelDaum thats the old topic-types proposal :) [11:04]
CDothmmm. My internet is really slow. Should I persist with it, or give up and go out and play instead? What a dilemma! [11:04]
SvenDowideitand we do still need it [11:04]
MichaelDaum$Foswiki{Renderer}{markdow}{Module} = 'Foswiki::Renderer::Markdown'; [11:04]
FoswikiBothttp://trunk.foswiki.org/System/PerlDoc?module=Foswiki::Renderer::Markdown [ (Foswiki login) PerlDoc ] [11:04]
SvenDowideitI want topic_type=jpg
ie, you don't set renderer in the cfg
[11:04]
pharveyCDot: you've basically convinced me I can live with your original proposal, as long as we document X-Requested-With for all non-browser UAs. [11:04]
SvenDowideitits done based on content
ie, mime type
i don't think i can live with X-Requested-With
as debugging it will give each new dev chest pain for no reason
[11:04]
CDotSvenDowideit: how about X-Requested-With: *plus* something else (simpler?) [11:05]
SvenDowideitnope [11:05]
CDotas in either-or
CDot can't work out how to tell if a request came from an interactive browser or not :-(
[11:05]
SvenDowideitcan i re-write your paraphrasing of my proposal above as
401 unless we detect client broken-ness
[11:06]
CDothow do we detect client broken-ness? [11:06]
SvenDowideitwhere broken-ness currently stands at web browsers
that probly will take us another hour or 3 to work out
[11:06]
pharveyMichaelDaum: agree, TOPICINFO{contenttype="text/vnd.daringfireball.markdown" would be cool :) [11:07]
SvenDowideitbut betcha there's a way :) [11:07]
MichaelDaumlunch [11:07]
CDotI agree in principle, but have been trying for the last 30mins to detect client brokenness and so far can't [11:07]
SvenDowideiti'm very pleased with your having written it that blatantly, cos i can use that with the people i'm talking to
i take the position (as i did yesterday) that we are not the wisest, nor the cleverest people in the world
[11:07]
CDotindeed; we are not experts, just punters trying to do shit. [11:08]
pharveyI'd be less unhappy if we had X-Requested-With + something else more friendly. [11:08]
SvenDowideitnot to say that you should not implement X-Requested-With _now_
as it does not preclude adding more cases....
[11:09]
CDotindeed. [11:09]
pharveyindeed. [11:09]
SvenDowideitif we all agree that 401 except where 401 breaks is a good principle [11:09]
pharveyyep. [11:09]
SvenDowideitthen X-Requested-With still meets the principle
(which is the kind of point i'm trying to express to the standards people - garry style: perfect is the enemy of progress)
[11:09]
pharveyFoswiki Standards Interpretations and Arguments Working Group has decided! [11:10]
SvenDowideit<pharvey> Foswiki Standards Interpretations and ARGUMENTS(full half hour please) Working Group has decided!
fixed it for you
FSIA WG
mmm
[11:10]
CDotok, well, SvenDowideit and pharvey please reflect your conclusions in comments in the proposal, so we can track and make sure we cover all concerns [11:13]
pharveyCDot, done. [11:14]
CDotI will refactor the discussion to bring the "whole" proposal back to emphasis later [11:14]
SvenDowideiti'll add my 5c after i've written the first draft of my reply to the ietf people
else i'll lose the anger, and go back to what i should be doing
reading the reply a fourth time give me a little hope
anyone know when basic auth was first written down?
was it in the original spec?
SvenDowideit remembers implementing html form auth in ~~94
but i don't know before then
[11:19]
pharveySvenDowideit: wikipedia says "Basic access authentication was originally defined in 1996 by RFC 1945"
although 1996 might just be the year it was finished
[11:24]
CDoty, probably was around for a couple of years before that. Many of the RFCs were publicly adopted before being "defined" :-) [11:25]
SvenDowideitso the real q is when was it implemented in httpd
SvenDowideit will pass and just mention that i did htmlform auth in 94 - before that so gungho that i don't recall much
[11:27]
.... (idle for 16mn)
MichaelDaumbtw we need xhr code in the request handler anyway as content sent that way is utf8 encoded, not SiteCharset like other requests.
xhr specific code
[11:43]
CDotMichaelDaum: good point; please add that to the proposal, as it must be covered [11:45]
MichaelDaumthere's even a related bug report already 'bout save being called by xhr destroying the encoding [11:46]
SvenDowideiter
we need that for PUT ops
but for a GET?
(its kind of a side issue)
SvenDowideit is reading more of the IETF discussion, and it seems that they have been waiting for security people to get back to them (for 16 years)
[11:46]
MichaelDaumtis a side issue, y. anyway, all url params to a rest call (get or not) are utf8 encoded. no matter what your sitecharset is or the charset of the originating html page. [11:47]
SvenDowideitlook ma, i'm sitting on my hands....... ma, why are my fingers tingly?
CDot, do you have a 401 causing server code nearby you could quickly test for me?
I want to know - if we send 401+WWW-Auth: Cookie and a html payload
does firefox still not render the html
[11:48]
CDotno, sorry. My test example involved sending through JEditable where I can't get to the $.ajax [11:52]
SvenDowideitor is WWW-Auth....: Cookie not treated the same as others
ah, ok
so I should write the 5 lines of code myself :)
[11:52]
CDot:-) [11:52]
SvenDowideitSvenDowideit _is_ slack :)
pretty much my entire network is giving me the shits atm
[11:52]
CDotMichaelDaum: it's a side issue to the 401 question, but very important to the full REST proposal [11:52]
SvenDowideithell y
another reason we should extract the discussion
[11:52]
CDotSvenDowideit: I tried sending a 401+HTML to FF with a non-Basic auth scheme, and it got through
not tried other browsers yet
[11:53]
MichaelDaumah there is the proposal ... adding my 2c ... looking up the related task item... [11:53]
SvenDowideitwhereas if you set to basic / digest it won't? [11:53]
CDotright [11:53]
SvenDowideitsweet.
then we're cooking with gaseoeseses
[11:53]
CDoterm, with FF maybe. /me recalls issues on (yes you guessed it) IE [11:54]
SvenDowideitnot entirely a problem :
:)
[11:54]
pharveyIE has an "is it bigger than 640k" rule controlling whether it likes your ErrorDocument or not :) [11:55]
SvenDowideiti'm looking for ways to build a reasonable suggestion to push for 'docco something that mostly is whats done, with tweaks for adding something that works and will be extendable to something securer in future) [11:55]
MichaelDaumpharvey, 604k this rings a bell.
640k
[11:59]
***kip3f has left [12:02]
SvenDowideitneat.
chrome renders the html for www-auth: basic
after you hit escape
www-auth: cookie it just does what we want.
so... anyone here have an old ie?
SvenDowideit has to think about where his are stashed
[12:02]
CDotCDot revises his prior assertion; it doesn't work with FF either, if you call the right thing. [12:14]
SvenDowideit?
print header(-status=>401, 'WWW-Authenticate' => 'Cookie');
[12:15]
CDotCDot has an IE 5 somewhere, but it's really flakey (I think some of the DLLs got lost) [12:16]
SvenDowideitor what? [12:16]
CDotCDot is using -WWW_Authenticate => 'Smurf' [12:16]
SvenDowideitSvenDowideit would start FF, but has no free memory atm
underscore?
oioioi?
[12:16]
CDot'tis allowed in CGI
no quotes, - instead
[12:17]
pharveyCGI is magical [12:17]
SvenDowideitso is my version wrong? [12:17]
CDotno
both work
CDot gets the response body, but FF doesn't render it
[12:17]
SvenDowideitmmm, cept in my case, i get the html i want [12:18]
pharveymeanwhile, "cookies that may uniquely identify your browser or your Google Account" - is google able to scrape facebook cookies? Hehe [12:18]
CDotpharvey: probably [12:18]
pharveyprobably via flash
pharvey saw a proof-of-concept JS demo that could determine which popular websites you'd recently visited, based on whether fetching their content was cached or not
[12:18]
SvenDowideitok, ie6.0 renders the html
pharvey, y, but its crap
there was a much better one years ago
that used css tricks
cached content is much less reliable
CDot, what FF?
SvenDowideit is impressed that ie6 worked
[12:19]
CDot6.0.2 [12:20]
SvenDowideitwith www-auth: basic, ie6 did the same as chrome
rendered the html payload _if_ the user hit escape on the browser auth dialog
[12:21]
CDothttp://pastebin.com/9wLZLxLq [12:21]
SvenDowideitanyone here with ie7,8,9... [12:21]
CDotis my test code [12:21]
SvenDowideitmines just using the procedural, otherwise the same
i'm alternating between basic and cookie to see that it does something different
now to find a computer i can use ff on :)
mmm, ctrl-h makes windows shutdown?
i didna know that!
[12:22]
CDotstill don't get it rendered if I WWW-Authenticate=>Basic and hit escape :-( [12:24]
SvenDowideiti'm using icedove 3.5
mozilla 5.0
and www-auth:basic renders payload on cancel browser auth dialog
[12:24]
CDotnot for me :-( [12:25]
SvenDowideitand with www-auth:cookie it does what i want [12:25]
CDotCDot wonders if it's a difference in payload/headers [12:25]
SvenDowideitone mo, i'll show you the c&p i'm using :)
http://pastebin.com/qNidK8Bw
[12:26]
CDotheaders couldn't be simpler
CDot tries chrome
[12:26]
SvenDowideitand of course, i called my script... testenv :) [12:27]
CDotdoesn't work on chrome either. /me called his script "smurf", in honour of hwsnbn [12:27]
SvenDowideitsame idea, different impl ;)
though testenv also because i just went to cgi.pm and c&ped the first eg it gave me
[12:27]
CDotd'oh - of course, you are correct; I'm handling an AJAX response, of course it doesn't render [12:28]
SvenDowideitgibberplatz [12:29]
CDotCDot slaps his stupid node [12:29]
SvenDowideitin.sadi.us
in.sidi.us?
[12:29]
CDotiDiot [12:29]
SvenDowideitdon't think there's a tld of .ot [12:30]
CDotCDot confirms SvenDowideit's script on chrome [12:31]
SvenDowideitso, we can actually talk about 401 for_all_ auth req [12:32]
CDotaye.... unless we remember why we didn't go that route before [12:32]
SvenDowideitand try to help get the www-auth: cookie draft into a reality [12:32]
CDotor did we get lost in 400/403 confusion? [12:32]
SvenDowideitwe didn't find that bit of extra info
yes
i was desperate not to have 400
[12:32]
CDotCDot *likes* 401, it makes so much sense [12:33]
SvenDowideitother than that, i assumed you guys were more likely to read the specs
cos i was even more shitforbrains at that time
[12:33]
CDotI'm pretty sure I proposed 401 originally, but was steered off it by others because of the "Basic/Digest only" myth [12:34]
SvenDowideitright now i was just sufficiently pissy about several things, including having to revisit this issue that i gac&ph managed to get me to do some research too
its not entirely a myth
there is a proposal to solidify a formal registry
[12:34]
CDotis there? where? [12:34]
SvenDowideitfound it today, haven't found it again yet
some head in sand committee person i'm hoping
the reply i'm working to reply to makes me think that restricting www-auth has little hope of being accepted (but i'd like to make sure)
[12:34]
pharveyI learnt that vnd.foo.bar are supposed to be all formally registered too. [12:36]
SvenDowideityup, i went there when writing restplugin for you :)
and then said 'sod off you retards'
[12:36]
pharveylolz0r
pharvey had settled on text/x-foswiki (all %MACROs expanded) & application/x-foswiki (%MACROs not expanded), but now the psycho in me thinks text/x-foswiki-tml is more future-proof
[12:36]
SvenDowideitoh ffs :)
i meant to bug you about that
you have a topic in which you discuss this
but you never mention
Motivation: why anyone would want to waste time caring about it
[12:39]
pharveybecause I like content negotiation !!!!
it's like, awesome
[12:40]
SvenDowideit(not that i can't make up one, but, you need to say so)
so why did you not tell us so?
[12:40]
pharveyand I want things like TOPICINFO{contenttype="foo/bar" [12:41]
SvenDowideit(aka, i might know that, but who else would) [12:41]
pharveyand all the cool wikis are doing it
except mediawiki
are they uncool?
[12:41]
SvenDowideityes
SvenDowideit sends pharvey to the legacy web to find the old topic-types proposal
[12:41]
pharveyI'm vaguely aware of it [12:41]
SvenDowideitcos you can find lots of cool things to throw up :) [12:42]
pharveybut you know, reading is so much harder than writing [12:42]
SvenDowideithehe
and communicating is harder than reading
yeah, i knows :)
[12:42]
pharveyFWIW the survey of wiki Media-Types and depressing trail of lack-of-standards is at http://foswiki.org/Development/MIMETypeForWikiSyntax [12:42]
SvenDowideitTOPICINFO{contenttype="foo/bar" is not enough
y, i know
[12:42]
pharveynot enough? [12:43]
SvenDowideitthats why i'm bugging you to add a motivation statement to it
and then give reasons for people to spend brain and attention time on it
[12:43]
pharvey"let's use Media Types for everything, ... except our main markup language?" [12:43]
SvenDowideitwithout being obtuse :p
kettle, meet pot
i want a png to be a valid 'topic'
[12:43]
pharvey$dom->new('garbage', contenttype='foo', except_is_it_this_other_thing='sure') [12:44]
SvenDowideitalong the way we redefine topic -> resource
and then we get all the cool stuff we dreamed of in er, the dark ages
[12:44]
pharveypharvey doesn't see how he's breaking the topic = attachment case [12:44]
SvenDowideityou're not
thats my point
your writing leads there, but forgets to tell the reader that it does, and why they want to go there
SvenDowideit goes back to 401(k?) email
[12:44]
pharveywell, I often lament that my writing is too verbose and ranting, so I try to whittle it down :P
pharvey writes a motivational speech at the top
[12:45]
RaulFRhello :-) [12:48]
nick_Hi [12:48]
pharveyHi RaulFR, nick_ [12:49]
nick_I got a package update yesterday that included EditChapterPlugin.
It didn't seem to change anything. That is, EditChapterPlugin still doesn't work.
[12:49]
SvenDowideitnick_, I'm working on separating all the packages that make up a core release (initially for the rpm's i'm still labouring over)
once thats done, i have to convert the foswiki-core deb to use the same scripts
from that point on, i'll probly track releases faster, as i won't make the foswiki deb manually anymore
[12:52]
nick_Cool [12:53]
SvenDowideitthat said, I can't say when [12:54]
nick_I knew there was a headache for you involved in doing that. [12:54]
SvenDowideiti've lost a week dealing with various failures [12:54]
nick_Beats me. [12:54]
SvenDowideitranging from hardware, openstack, centos nafness, all the way to the last 2 days of working out why the ietf didn't help me :) [12:54]
nick_I've lost about the last week to laziness. [12:54]
SvenDowideitgrin
laziness - i expect i'll get to do that in 30 years time
twins appears to have trained me to expect less sleep and no downtime
they're now at the point where if i don't get up the moment i hear them wake in the morning
they'll have created their own breakfast
with risks of that including shattered glass
[12:54]
RaulFRlol [12:56]
SvenDowideit(tbh, i'm enjoying every moment)
but its very different from double income no kids, casual fun
[12:56]
nick_My boss recently used a good metaphor: "<the system> sleeps like a baby. It wakes up screaming every 30 minutes wanting nothing more than attention." [12:59]
SvenDowideitoh my
that is good to add to pharvey's bosses 'perfect is the enemy of progress'
[12:59]
pharveyadded a motivation bullet points to MIMETypes
pharvey abandons mangling Foswiki::Render some more
[13:05]
FoswikiBothttp://trunk.foswiki.org/System/PerlDoc?module=Foswiki::Render [ (Foswiki login) PerlDoc ] [13:05]
SvenDowideitnite :) [13:06]
RaulFRnite Paul [13:06]
SvenDowideitmmm, shall do same - see you all in a long time :) [13:06]
RaulFRtake rest :-)
SvenDowideit: the good thing is that you are handling this double work at the same time, and can mutualize your efforts
[13:06]
ArthurClemenswouldn't it be nice if a formfield named ALLOWTOPICCHANGE could set the permission [13:08]
RaulFRArthurClemens: why a formfield ? [13:14]
ArthurClemensso that you can easier change the permissions from a data form, it becomes a matter of filling in your name or checking checkboxes [13:25]
RaulFRIf this is for making the user's life easier in setting this type of parameters, even non geeks, I don't think it will meet the goal (my users are afraid of forms, don't use them, or even see them, and less even know how to create one and attach it to a topic).
We would do much better adding a jQuery menu to the "More topic actions", to improve their usability, and include a nice interface there for setting permissions and do other stuff buried there
[13:27]
ArthurClemensunless the form is already attached and editing settings is using form-only [13:27]
CDotArthurClemens: gac410: I updated the =configure= patch to support ENABLE_IF as well. [13:29]
ArthurClemensthis morning Sven wanted to create a new blog post without publishing it. his suggestion was to write ALLOWTOPICVIEW=$AUTHOR in the topic
but having to deal with these kind of settings is one bar too high for my colleagues
[13:29]
MichaelDaumRaulFR, see NatSkin [13:30]
foswiki_irc2hi, everybody [13:30]
ArthurClemensso it would be easier if all settings, also the permissions, could be dealt with on one page
where you don't need to remember or look up permission syntax
CDot: ok, will download it tonight
[13:31]
MichaelDaumthats implemented in NatSkin using SetVariablePlugin [13:31]
RaulFRMichaelDaum: I have to try it one day :-)
ArthurClemens: why only this one and not DENYTOPICVIEW, ALLOW / DENYTOPICRENAME, etc.
[13:31]
MichaelDaumit has got all "more" actions in a menu. and an acl ui. [13:32]
ArthurClemensof course, these others too [13:32]
foswiki_irc2i'm new in foswiki. I'd like to build a simple hierarchical documentation repository. Can suggest me a howto?
no answer?
[13:33]
ArthurClemensfoswiki_irc2: if the data is really simple, just texts, just create topics with distinguishable names
create a hierarchy by setting the parent topic, in "More actions"
display the hierarchy as shown in System.HierarchicalNavigation, or use TreePlugin
[13:36]
foswiki_irc2thanks arthur. [13:37]
RaulFRfoswiki_irc2: also when you create a topic from another topic, it naturally has a hierarchical relationship : typing the WikiName of a topic that does not exist and clicking on it to create it makes the created topic a child of that topic without need to set the parent topic [13:38]
foswiki_irc2yes... but i found a bit difficult to discover the steps needed (plugin (treeplugin) installation, plugin usage, and so) [13:40]
ArthurClemensyou don't _need_ TreePlugin
but it might help you display the hierarchy
you can also create a manual index, or do a search for most recent changes, like on Sandbox.WebHome
[13:42]
foswiki_irc2no, i need an automated tree view of contents
can you suggest me any howto to learn the basic steps to organize content, customize page layout, most useful plugins or extensions.... i've read the standard documentation but it has no "working" examples
i've tried twiki and now downloading foswiki VM appliance... i'll try to learn, but is very time expensive activity....
[13:43]
RaulFRfoswiki_irc2: Foswiki is a very flexible tool, there is not really a standard type of usage of it [13:51]
nick_If you can use twiki there's nothing really new to learn for using foswiki, no? [13:51]
RaulFRthe most useful plugins or extensions are included in the core of Foswiki by the community, if they are not included, this is because it is up to you to decide if you want to use the depending on your usecase. They are classified according to their type there : http://www.foswiki.org/Extensions/WebHome [13:53]
............. (idle for 1h0mn)
tsnfooAnybody using WorkflowPlugin on trunk? The %WORKFLOWTRANSITION% doesn't work. [14:53]
........... (idle for 51mn)
gac410The SafeWikiPlugin issue - it finds the if IE conditional </base> and auto-closes <head> (or dies unclosed <head> at </base> if purity enabled).
And I'm getting totally lost in the parser. For some reason it decides that </base> should trigger closing <head>
[15:44]
Ah. found the problem the HTML parser is confused by <base ... /> if IE </base> Being both self-closing and conditionally closed. [15:57]
ArthurClemens: Do we need to have the <base tag self-closing /> along with conditional </base> tag for IE? From what I can see, for XHTML either the /> shorthand or </base> are valid. Why not just have a traditional </base> close?
the only time </base> is prohibited is in HTML 4.0 but then the self closing would be invalid too wouldn't it?
[16:03]
ArthurClemensbecause of a serious error in IE6 or 7 that made text selection impossible
I think this is described in the template
[16:06]
gac410I know I saw that. http://ruthsarian.wordpress.com/2006/01/31/ie-base-tag-bug/
My question is the other direction. Why not </base> for everyone instead of self-closing always PLUS a conditional </base>
[16:07]
ArthurClemensif you can test the effect on IE [16:09]
gac410unfortunately ... probably not. Though since IE sees the </base> anyway, I suspect the errors would be in other browsers that want /> not </base>
I guess the other solution is to hack the SafeWiki parser to ignore the </base> tag.
[16:10]
which is probably better anyway. I'd rather not muck with our templates. [16:17]
...... (idle for 27mn)
***ChanServ sets mode: +o MichaelDaum [16:44]
.... (idle for 15mn)
pete0rHi, quick question about LdapContrib. In our system, we have some userID's which have the first character capitalized and some that aren't. This is confusing to our users and while I think we should clean them up, management wants me to figure if there's a way to resolve this within Foswiki. Is there any way that I can force all LDAP user ID's to be lowercase? [16:59]
CDotgac410: I added ENABLE_IF to the =configure= patch, if you want to play. [17:12]
gac410Okay - still beating my head on SafeWiki ... very slow going trying to get a functional system with it enabled. [17:12]
MichaelDaumpete0r, hi
there are two kinds user ids actually
one is used for logging in, the other to display the user online
the first one is provided as it comes from your ldap directory
[17:14]
pete0rAh, sorry, so I'm having problems with the Login userID, not the wiki'fied name [17:15]
MichaelDaumthe second one is a WikiWord that points to your user profile page [17:15]
pete0rI was just wondering if there was a way to make the Login ID not case-sensitive, or, force it to all lower-case
despite how we have it stored in our ldap directory
[17:18]
............... (idle for 1h14mn)
gac410Something broke trunk. PasswordChange and PasswordReset are now disabled [18:32]
It's just trunk - release branch password change/reset still work. [18:37]
........ (idle for 36mn)
tsnfooAnybody know why FormPlugin doesn't load on trunk?
I just get this: Foswiki::Plugins::FormPlugin could not be loaded. Errors were: Attempt to reload Foswiki/Plugins/FormPlugin.pm aborted. Compilation failed in require at (eval 6042) line 2.
[19:13]
FoswikiBothttp://trunk.foswiki.org/System/PerlDoc?module=Foswiki::Plugins::FormPlugin [ (Foswiki login) PerlDoc ] [19:13]
gac410do you have JSON installed? Seems to be listed as required in the dependencies
And List::Moreutils
List::MoreUtils
[19:17]
................ (idle for 1h15mn)
tsnfoogac410: yeah. Restarting apache seemed to fix it. Sometimes fcgid seems to hold onto stuff longer than I'd expect. [20:33]
gac410right, with fcgi, you need to either restart apache, or just kill all the fcgi handler tasks, and they start right back up. [20:40]
Babar - do you have a task for your _ stat optimizations -- I've got a few for some of the Configure checkers. [20:54]
........... (idle for 50mn)
fooloveI have forced login setup on foswiki but when i exit my browser I do not want to have to be forced authentication [21:44]
tsnfoofoolove: you mean completely quit your browser? I don't think there's a setting for long-term cookies. [21:49]
foolovei am in the session section [21:50]
tsnfoofoolove: I'd have to check the session timeout docs. [21:50]
fooloveand playing around with settings but no luck [21:50]
tsnfooThe section talks about persistent session, if you click the "expert settings" link
Never tried it.
[21:51]
foolovei see the check box for remember me [21:51]
gac410you beat me ... try ExpireCookiesAfter [21:51]
fooloveok
What would I need to initiate to have the checkbox checked on the template login to remember me on this computer
when i exit the browser it still forces login
ya the key is having the check box remember me and the cookie timer is important too
[21:51]
gac410Read the help on expert param ExpireCookiesAfter: TemplateLogin only. Normally the cookie that remembers a user session is set to expire when the browser exits, but using this value you can make the cookie expire after a set number of seconds instead. If you set it then users will be able to tick a 'Remember me' box when logging in, and their session cookie will be remembered even if the browser exits. [21:58]
fooloveright
i have that working
but i want the checkbox to be checked at the page by default
:)
maybe i need to change a page on the backend for this to work
[21:58]
gac410probably a template change. not sure where.
You'll need to create a skin to override the login.tmpl file.
[21:59]
I was trying to make you an example but I'm not getting it to work. :-(
okay - got it. If you can edit files on your file system, go to the foswiki/templates directory, and create a file. login.foolove.tmpl It will have 2 lines
%TMPL:INCLUDE{"login"}%
%TMPL:DEF{"rememberbox"}%%BR%<input tabindex='3' id="remember" name="remember" type="checkbox" value="1" checked /><label for="remember">&nbsp;%MAKETEXT{"Remember me on this computer"}%</label>%TMPL:END%
Then change your system skin settings to be SKIN=foolove,pattern Or you can test it with bin/login/Main/WebHome?skin=foolove,pattern
[22:10]
..... (idle for 21mn)
fooloveoh :) [22:34]
gac410If you can't or don't want to edit files in templates you can do it in a System topic as well
System.FooloveSkinLoginTemplate with the same two lines I showed above - should work.
[22:34]
fooloveoh ok
i will try it on the system itself
[22:36]
gac410You could just edit the login.tmpl... but then when you upgrade, you'd lose your change. This method includes and overrides the shipped files so an update doesn't overlay anything [22:38]
fooloveoh its fine ill just do it on their end thanks so much
where is the login.tmpl on just browsing pages
[22:38]
gac410You can't get to the templates from the browser.
it's in foswiki_install/templates/login.tmpl
[22:43]
........ (idle for 36mn)
Babargac410: hum... I think I did open one, but I'm not sure
lemme git log it for you
Item11458 it was
[23:19]
gac410okay thanks [23:19]
FoswikiBothttp://foswiki.org/Tasks/Item11458 [ Item11458: TopicUserMapping blocks registration if passwords are not writable - FAIL!! ] [23:19]
Babarso totally unrelated, sorry [23:20]