fedora-infra / fas Goto Github PK

Again, filing this comment as an official bug so it can be tracked:

5e02cf2#commitcomment-9330578

People will be allowed to check their account activities from their profile's page.
Here's what type of info they will have

• Date: request datetime of remote client.
• Event: type of request (e.g, signed-in, request a token api, connected-app, etc).
• Location: country and city where remote client did the request (extracted from remote client IP).
• IP: the remote client IP.

The current "My account" section shows the SSH key on a single line, but this causes the page to stretch a lot to the right. Enabling text-wrapping on the SSH key would be beneficial.

FAS has documented the steps to make a new release in the HACKING file. This needs to be updated to use github and git flow instead of generic git against fedorahosted.org. You can look at the packagedb or python-fedora release steps for ideas:

• https://github.com/fedora-infra/packagedb/blob/develop/README#L375
• https://github.com/fedora-infra/python-fedora/blob/develop/README#L226

Note that fas has a po compilation step built into its setup.py so it may not need to do some of the steps that those projects have.

From the perspective of FAS alone, it is neat that you can choose to change the id used to generate your libravatar.

However, when considering multiple systems interacting together, I'm not sure this is a net gain. If the user changes their libravatar key to be something else (say, [email protected]). Our other systems that expect to lookup their libravatar as '[email protected]' will get the "wrong image" compared to the one they have set in FAS.

I'd be glad to make the code changes to restrict this to only one kind of value (one that matches the way all our other systems do it (badges, bodhi2, trac, pkgdb, fedmenu, etc..)) but I want to check with @laxathom first.

On creating a new account with a security question:

[Tue Dec 23 20:03:19 2014] [error] cherrypy.msg INFO HTTP: Page handler: <bound method User.create of <fas.user.U
ser object at 0x7f5519c32810>>
[Tue Dec 23 20:03:19 2014] [error] Traceback (most recent call last):
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cp
httptools.py", line 121, in _run
[Tue Dec 23 20:03:19 2014] [error] self.main()
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cp
httptools.py", line 264, in main
[Tue Dec 23 20:03:19 2014] [error] body = page_handler(_virtual_path, *_self.params)
[Tue Dec 23 20:03:19 2014] [error] File "", line 3, in create
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 361,
in expose
[Tue Dec 23 20:03:19 2014] [error] _args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "", line 0, in run_with_transaction
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/peak/rules/core.py", line 153, in c
all
[Tue Dec 23 20:03:19 2014] [error] return self.body(_args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/database.py", line 458, in
sa_rwt
[Tue Dec 23 20:03:19 2014] [error] retval = func(_args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 244, in _expose
[Tue Dec 23 20:03:19 2014] [error] @abstract()
[Tue Dec 23 20:03:19 2014] [error] File "", line 0, in _expose
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/peak/rules/core.py", line 153, in c
all
[Tue Dec 23 20:03:19 2014] [error] return self.body(_args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 390, in
[Tue Dec 23 20:03:19 2014] [error] fragment, options, args, kw)))
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 425, in _execute_func
[Tue Dec 23 20:03:19 2014] [error] output = errorhandling.try_call(func, _args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/errorhandling.py", line 77, in try_call
[Tue Dec 23 20:03:19 2014] [error] return func(self, _args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "", line 3, in create
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 207, in validate
[Tue Dec 23 20:03:19 2014] [error] return errorhandling.run_with_errors(errors, func, _args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/turbogears/errorhandling.py", line 118, in run_with_errors
[Tue Dec 23 20:03:19 2014] [error] return func(self, _args, *_kw)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/fas/user.py", line 959, in create
[Tue Dec 23 20:03:19 2014] [error] telephone, postal_address, age_check)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/fas/user.py", line 1014, in create_user
[Tue Dec 23 20:03:19 2014] [error] person.security_answer = encrypt_text(config.get('key_securityquestion'), security_answer)
[Tue Dec 23 20:03:19 2014] [error] File "/usr/lib/python2.6/site-packages/fas/lib/gpg.py", line 28, in encrypt_text
[Tue Dec 23 20:03:19 2014] [error] recipient = ctx.get_key(receiver)
[Tue Dec 23 20:03:19 2014] [error] GpgmeError: (7, 16383, u'End of file')
[Tue Dec 23 20:03:19 2014] [error]

Filing this comment as an official bug for tracking:

d700249#commitcomment-9330564

A requirements.txt would be very helpful. It was really annoying to find the needed dependencies, since they were not clearly listed or provided in a requirements file.

The .fas command in zodbot searches FAS username, full names, emails, and IRC nicks for a string. To do this, upon loading the supybot-fedora plugin, it requests a list of every single user in FAS, and creates a fairly large dictionary containing the search strings. This has multiple problems.

If there was an endpoint where zodbot could search usernames, full names, emails, and IRC nicks, supybot-fedora would be able to drop the large in-memory database and the 6-minute load time.

Currently on all Fedora's and RHEL7, fas is not creating the nss db files it makes the way that glibc expects them. This results in users not getting any groups on login and having to run 'newgrp' all the time.

fas just calls "makedb" with the data, but thats not sufficent, apparently a initgroups header is needed.

Look at /var/db/Makefile for the awk thats called before makedb for groups (or anything else) and add this handling to fas.

Happy to provide more info, etc.

see related trac ticket https://fedorahosted.org/fedora-infrastructure/ticket/4569

If you click by accident on 'Remove me' on a group page, it just proceeds without asking first for confirmation: "Are you sure you want to remove yourself from the group?"

See: https://fedorahosted.org/fas/ticket/172

We can do this by adding the keyword to the regex's list in ValidSSHKey validator.

From:
https://fedorahosted.org/fedora-infrastructure/ticket/1905

If we had a bugzilla account field, we could use that to figure out what someones bugzilla account was. It could/should just default to the same as their email address, but if set differently it could be used for bugzilla permissions syncing and the like. This would mean we would not need to keep some mapping config like we currently do in python-fedora.

FAS 3.0 should be able to create virtual user (only by admin or group admin)

• This virtual user [has to|could] be bind to a real user account. it [will|could] also be created based on real user's data as template.
• Why a "virtual user"? virtual user can be a use for system user which has special access/auth where they should not appear from the public user listing even if they have been tagged as "system's user". This way, we can better track to whom this special user belong to and manage its level of permission. Also, this virtual user will be automatically blocked out if the user it's attached to has been set inactive or deleted.

Groups' management re-design:

• Will inherit standard features from fas2 (with wording updates)
• Group status. Account's admin will be able to:
  • block
  • archive
  • active
  • mute (group can still be managed by group's admin. However, no updated infos will be sent out, no emails, nor sync with fas-client or any 3rd parties, etc).
• Create or set group as private that only members and account's admin can see.
• Can Delete groups (if empty only and/or no child groups): only by account's admin.
• When applying (requesting membership) to a group, offer user to send an (optional) introduction with a modal form.
• License agreement signing is tied to group membership, no more from profile's page. User can join a group without having to sign license agreement if it's not required.
• Membership notifications
  • Send email (via pyramid's event mechanism?) to members if status or infos get changed.
  • Send email when someone left/join a group (email sent to registered mailing list).
• Offer to principal_admin (previously, group's owner) a way to pass along its ownership to other admin's members (account's admin have this power too): use modal form.
• Filter role type from members list (all, sponsor, admin).
• Request group creation form. Once done, group admin and editors will received an email to approve the new group. Requester will receive an email if approved.

Those are my notes that I save here to track related commits

This is from:

https://fedorahosted.org/fedora-infrastructure/ticket/1312

Basically it would be nice when rejecting a user from group membership to optionally have a text field you could enter some text into that would go to the user along with the rejection. Something like "Sorry, you need to do x,y,z before joining" or "please reapply after you do X"

This isn't so much a big deal anymore since we have invite only groups, but it would be nice anyhow.

Thoughts?

Contributors would be able to connect their Fedora account to twitter which will
allow them to share any events from Fedora services (builds, pkgs updates, badges, etc)

FAS 3.0 should offer to admin a way to manage some of fas's settings.

• Just a few from /etc/fas.cfg (e.g, plugins activation, project's name, etc)
• Most of other from group/user/plugins/view's settings.

We should check if domain's email exist and valid before insert/update to database person info.

At least one user in FAS wants to specify two GPG key ids, therefore please allow to specify multiple GPG keys, maybe even allow one to be the primary one.

FAS 3.0 should be able to support group hierarchy.

• Admin would be able to choose between parent or child group.
• Also, be able to choose what type of level permission group can have (only member or admin and member, etc).
• Still able to add a prerequire group.

I love FAS, but perhaps we could implement 2step verification to the login. One could disable or enable it. If it is enabled on an account, then a 2stepcode should be passed as a parameter to FAS upon authentication, and should be asked from the user if the user is accessing the page through a browser.

We could use Google Authenticator (http://stackoverflow.com/questions/8529265/google-authenticator-implementation-in-python, https://code.google.com/p/google-authenticator/)

This is just an idea; if we were to implement it, a lot of work would go into making it work. Ideas appreciated.

We currently fatal/throw/500 when you go to: https://admin.fedoraproject.org/accounts/user/view/codeblock/foo

We should 404 instead.

• Move API endpoint to correct url's and to a dedicated object (avoid to split it out everywhere as atm).
• Add a token feature for some endpoint services (e.g administration, etc)

Full trace follows:

Traceback (most recent call last):
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid_debugtoolbar-2.3-py2.7.egg/pyramid_debugtoolbar/toolbar.py", line 178, in toolbar_tween
    response = _handler(request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid_debugtoolbar-2.3-py2.7.egg/pyramid_debugtoolbar/panels/performance.py", line 57, in resource_timer_handler
    result = handler(request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/tweens.py", line 21, in excview_tween
    response = handler(request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid_tm-0.10-py2.7.egg/pyramid_tm/__init__.py", line 95, in tm_tween
    reraise(*exc_info)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid_tm-0.10-py2.7.egg/pyramid_tm/__init__.py", line 76, in tm_tween
    response = handler(request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/router.py", line 163, in handle_request
    response = view_callable(context, request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/config/views.py", line 329, in attr_view
    return view(context, request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/config/views.py", line 305, in predicate_wrapper
    return view(context, request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/config/views.py", line 355, in rendered_view
    result = view(context, request)
  File "/home/ricky/.virtualenvs/fas-python2.7/lib/python2.7/site-packages/pyramid-1.5.2-py2.7.egg/pyramid/config/views.py", line 501, in _requestonly_view
    response = view(request)
  File "/home/ricky/devel/python/fedora/fas/fas/api/groups.py", line 63, in group_list
    data.set_pages('groups', page, limit)
  File "/home/ricky/devel/python/fedora/fas/fas/api/__init__.py", line 44, in set_pages
    pages = compute_list_pages_from(obj, limit)[0]
  File "/home/ricky/devel/python/fedora/fas/fas/utils/__init__.py", line 53, in compute_list_pages_from
    return (int(ceil(float(count) / float(limit))), int(count))
ValueError: could not convert string to float: groups

IDEA:

Would be nice to allow user to customize their shell or shell's env when they have shell access to server.
Admin would be able to allow what type of shell a group (which allow access to server) can offer and if you can actually customize it for this group you have just been in.

There is no pagination in the user list, the returned data is limited to a certain length.

See:

https://fedorahosted.org/fedora-infrastructure/ticket/4259

Basically we want some way to bless some users (probibly by adding them to a group like 'can_inactivate') that should be allowed to inactivate other users. This is a small subset of what the accounts group can do, we just want to split it out.

Hi,
1/ https://admin.fedoraproject.org/accounts/
2/ select "fr" for locale
3/ login
4/ text is in English because my profile default is "locale=en"

=> I find weird

can we make those fix ?

• if set, continue use the locale set on welcome page
• add explicitly the locale on https://admin.fedoraproject.org/accounts/user/view/jibecfed so user understand the impact of setting

btw, that "locale setting" is interesting, does it have some usages in other context ?

I have just updated my email in my Fedora Account. An email got sent out to the old address with a notification, all seems well.

However, the new email address is not listed in the email that should show the changes? No email address is displayed there at all.

It is good to have the notification of the change sent to the old address, but it surely should include the changed address :-)

I just saw a user do this. All they did was upload a new public ssh key, but fedmsg said that:

fas.user.update -- wacker edited the following fields of wacker's FAS profile:  ssh_key, ircnick, gpg_keyid,
comments, locale                                                                                            

/cc @DAWacker

Create and delete licenses from settings' page.

License can't be deleted if attached to any of registered groups.
Pop up a dialog about it and request some action before be able to delete
selected group.

The requirements for a FAS password are mad, offering no real sense of security. It's better to force long passwords, than forcing into deprecated schemes with special characters, numbers and uppercase letters.

Reference:
https://pbs.twimg.com/media/BhkZoPrCYAEF8ww.png:large
http://xkcd.com/936/

Would be nice for admins to have a way to add comments to an account. In particular when admin locking them.

If we intend to adopt this "everywhere" it would be nice to have a good central link.

I had my koji certificate revoked for some reason and I needed to renew it. All account settings are typically in the account page: https://admin.fedoraproject.org/accounts/user/view/xuser . That includes ssh keys etc.

However, the koji keys, or documentation on how to renew them is not there. I believe that this is an omission, which if added it would simplify by moving all account info to a single page.
https://fedoraproject.org/wiki/Using_the_Koji_build_system

Some users are concerned that when they change account data, fas sends them an email with their name, phone, etc. This email could be intercepted or viewed along the way.

Perhaps we could just do the same thing we do for password changes? ie, have a link where we say someone has changed your account, login here to see the changes? Possibly still with a list of those changes (since we expose them via fedmsg anyhow). Ie:

Someone (hopefully you) has changed: ircnick, privacy on your account, go to https://fasserver/accounts/whatever to see the changes?

Use as backend for People and Groups.

We still are gonna use the db for everything else which mean,
feature should be done without having to change high level code which do
requests to People and Groups' objects.

See:
https://lists.fedoraproject.org/pipermail/infrastructure/2013-March/012651.html
In general it would be nice to note when someone is creating a new account what fields are optional or not needed so they can ignore them if they choose to.

This could be adding (optional) next to those fields, or perhaps putting a * next to the required fields or something.

The GPG key id is only a part of the keys fingerprint (at least for current keys) and only the fingerprint properly identifies an keys. Therefore FAS should require fingerprints of users' GPG keys instead of only key ids to be able to do something meaningful with this information. Alternatively users could be allowed to upload a public GPG key.

Used to have the key set starting with 0x, got some error on visiting the link. I noticed the hint indicates it's not supported. Might be better if either the link wasn't active in that case or the link formatter managed to cope with that.

It should be handled and we should render an error…

First filed downstream here: https://fedorahosted.org/fedora-infrastructure/ticket/3946

It would be cool if we could keep a user profile/bio field in FAS (in markdown or asciidoc) so that we could render it in other places (the badges app, for instance).

From fedora webmaster mail:
"
Hi,
there is a typo in czech translation of page title on fas user detail page:
https://admin.fedoraproject.org/accounts/user/view/jdornak

The title is now: "Prohlážet účet", but should be "Prohlížet účet".

Regards,
QB
"
Relevant file:
https://github.com/fedora-infra/fas/blob/develop/po/cs.po

When displaying an account that you do not own, we hide the security question and answer. It would be nice to display that a security question is present, just not the value of it.

May need to use a sentinel value because I believe we use filter_private to remove the security_question before we return the data to the template.

Very large numbers are allowed when latitude should be between -90 and +90 and longitude between -180 and 180.

Person A uses Language X
Person B uses Language Y

When Person A alters the status of Person B in a group that Person A has control over, the email that gets sent to Person B is in Language X instead of in Language Y.

E.g. I use English but @puiterwijk does not. When @puiterwijk upgraded my status in a group tonight, the email I received was in his language preference, not English:

puiterwijk <[email redacted]> heeft u  opgewaardeerd naar administrator status in de
'sysadmin-jenkins' groep van het Fedora Accounts System Deze verandering treedt
direct in, en heeft binnen een uur invloed op de de e-mail
aliassen.

When you update your location (Latitude and Longitude fields) using "," as a decimal separator, the server returns an error 500 and do not update the profile, if you use "." as the decimal separator it updates the profile OK.

Locales tested: en, es