Hey TG App authors,

I've been working on fixing our CSRF problem and I've gotten a prototype FAS up and running. It requires only a few changes to the code you have in your application, but one of those is in the login template. We have to run forward_url and previous_url through the tg.url() function in order for the CSRF token to be added to the URLs. Additionally, we can have a click-through page to authenticate a user who already has an active, authenticated session and only lacks a tg-visit. This needs to be added to the login template.

I have a working template in fas. In the interest of making this transition as painless as possible, I was thinking of adding it to the python-fedora package as well. The trouble is I don't know if it can be used verbatim in all of our apps. The fas login template, for instance, is written in genshi and has an <xi:include href="master.html"> (meaning that it pulls some of its look and feel from a template named master.html).

So questions that spring to mind:

1) Is everyone using genshi now or do we need several templates for genshi, mako, kid, etc?

2) Is everyone's base template named master.html or willing to change? I know pkgdb is named layout.html but I can easily change this.

3) Does everyone like the idea of having a centralized login template?

4) Does this tie in with the Chrome that mizmo is working on at all (or is that all css)?

5) Can we reference the master template in the individual apps from the login.html in a centralized location? (I imagine it would work but haven't tried yet.)

6) Am I going about this wrong? Should we have an intermediate template in each app that pulls in a fragment from the centralized location? This might be more organized but requires some recoding for each app.

-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
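The message above describes passing forward_url and previous_url through a URL helper so that a CSRF token is attached to them. The sketch below is an added illustration of that general pattern and is not code from the post, FAS or python-fedora; the parameter name `_csrf_token`, the HMAC-SHA256 derivation and all function names are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "_csrf_token"  # assumed parameter name, not taken from the post


def csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session token; HMAC-SHA256 is an assumption of this sketch."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def add_csrf_token(url: str, token: str) -> str:
    """Return url carrying exactly one token, keeping path, query and fragment."""
    parts = urlsplit(url)
    # Drop any token already present so a stale or injected value cannot survive.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    query.append((TOKEN_PARAM, token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def request_is_authentic(url: str, session_id: str, secret: bytes) -> bool:
    """Server-side check: the URL must carry the token bound to this session."""
    supplied = [v for k, v in parse_qsl(urlsplit(url).query) if k == TOKEN_PARAM]
    if len(supplied) != 1:  # missing or duplicated token is rejected outright
        return False
    expected = csrf_token(session_id, secret)
    # Compare as bytes in constant time; non-ASCII input cannot raise here.
    return hmac.compare_digest(supplied[0].encode(), expected.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed sample value
    token = csrf_token("visit-123", secret)   # constructed session identifier
    forward_url = add_csrf_token("/pkgdb/packages?page=2#top", token)
    print(forward_url)
    print(request_is_authentic(forward_url, "visit-123", secret))
```

A URL that was not passed through the helper fails the check, which is why every link the login template emits has to go through it.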