Some enhancements - Githubissues

dennisreimann / masquerade

masquerade is the predecessor of masq: https://github.com/dennisreimann/masq - please consider using masq from now on, as it is the more modular approach.

MIT License

218 stars 46 forks source link

Some enhancements #27

Closed wingfire closed 12 years ago

wingfire commented 13 years ago

move db prefill from migration into seeds and add schema.rb for command 'rake db:setup'
set 'Standard' role (personas) as default public role when creating an account
use more specific login error messages (unknown user, wrong password)
add csrf_meta_tag to make sites and roles deletable via js
remove safe-login page
enable permission storing for normal openid requests
force trust normal openid requests if domain is listed in trusted domains
add migration for accounts without a standard role

!!! We change the behavior of the config setting trusted_domain. Now this value forces trusting domains for openid requests without user interaction !!!

djmaze commented 13 years ago

Looks good!

Can you state the reason you removed the safe-login page altogether? AFAIK this is a worthwhile security measure, particularly when not used in an intranet. Maybe we should allow disabling that feature through app_config?

dennisreimann commented 13 years ago

Thank you for the changes! They are very much appreciated :)

Nevertheless: Can you please provide tests for the additions? These would be necessary for us to merge your pull request.

Maybe we should allow disabling that feature through app_config?

Yeah, good point!

wingfire commented 13 years ago

Hi,

if you setup a id server you want to have it useable with other services / domains by default
the current content on the safe-login page is somewhere between confusing and technically wrong
if you lock down a domain via the config you should tell the the user on the safe-login page (i.e. this domain is not allowed to use the openid server)
including this in a config a good idea

Sorry we are not able to run and enhanded the tests. They require rvm. This is neither available on our linux server nor on the windows clients. Can rvm be removed form the testing requirements?

dennisreimann commented 13 years ago

We do not depend on infinity_test which uses RVM. You can execute the tests like before by running rake.

djmaze commented 13 years ago

Rather than getting rid of the safe-login page, I'd like to see an option for that. We could add another option "disable safe-login page". What do you think? Btw, I agree the text on that page can be improved.

@wingfire: I like your suggestion - allow usage from specific domains only. That makes sense if you want to lock down usage to a corporate intranet, for example. So you could configure "trusted domains" like before and have new boolean option "only allow trusted domains".

ghost commented 13 years ago

Another suggestion: add to personas field for GPG public keys.

dennisreimann commented 12 years ago

fyi: I merged some of the commits by cherry-picking them.