I've just updated python-fedora on the app servers to 0.3.25. This update has quite a few changes to the server helpers.

For people watching for end user issues, if someone reports problems with logging in and out of the turbogears web apps on admin.fedoraproject.org or having their csrf token cause problems, it is possible that the python-fedora update is to blame. Please let me know if you spot something like that and I'll try to troubleshoot. (abadger1999 on irc).

For web application developers there have been a few deprecations and additions.

* The fedora.tg.tg1utils and fedora.tg.tg2utils modules have been deprecated. tg1 and tg2 have their own hierarchy now: fedora.tg.utils (for TG1) and fedora.tg2.utils (for tg2).

* The TG2 auth middleware has been reworked a bit. It should no longer log you out if you don't have a CSRF token. You should be able to regain your logged in status simply by clicking on a link. Links should have the CSRF token embedded in them in these instances.

* Additionally, the TG2 fas auth middleware has had its metadata updated so that it is compatible with the default TG2 auth provider. This should make it possible to write code that is compatible with both out-of-the-box TG2 auth and the faswho auth middleware.

* Provisions for testing web applications with the faswho auth provider have been made and documented. You should now be able to set faswho to use test fas servers for authentication. Details of setting this up are in the updated documentation.
  https://fedorahosted.org/releases/p/y/python-fedora/doc/faswho.html#authenticating-against-fas-with-turbogears2

* One last, untested feature is that the CSRF middleware that faswho uses to protect against CSRF attacks has been made independent of faswho. You should be able to combine it with other repoze.who auth providers (like the TG2 default auth provider) to have CSRF protection in your application. If you are working on an app that should be able to auth against both fas and some other repoze.who auth source, please feel free to test this and report any bugs to me. This is a desirable feature and I want to make it work.
  https://fedorahosted.org/releases/p/y/python-fedora/doc/faswho.html#using-csrf-middleware-with-other-auth-methods

* Last but not least, just as we have genshi templates for TG1 for CSRF enabled login forms and buttons we now have mako templates for TG2 that do the same. With all the other changes in this release, it shouldn't be hard to make a TG2 version of the genshi templates if those are needed.
  https://fedorahosted.org/releases/p/y/python-fedora/doc/faswho.html#templates

-Toshio
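
Added example, not part of the original message and not python-fedora's code: a minimal WSGI middleware showing the behaviour described above, where a request without a valid CSRF token is treated as anonymous but the session cookie is kept, so a link carrying the token restores the logged-in state. The cookie name, parameter name, token scheme (a hash of the session id) and class name are assumptions, and only query-string tokens are checked.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SESSION_COOKIE = "session_id"  # hypothetical cookie name
TOKEN_PARAM = "_csrf_token"    # hypothetical parameter name


def token_for(session_id):
    """Derive the CSRF token from the session id (assumed scheme)."""
    return hashlib.sha256(session_id.encode()).hexdigest()


def embed_token(url, session_id):
    """Add the token to a link so that following it restores the identity."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query[TOKEN_PARAM] = [token_for(session_id)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


class CSRFDemoteMiddleware:
    """Treat a request as anonymous unless it carries the session's token.

    Must sit inside the repoze.who middleware so the identity is already set.
    The session cookie is never touched, so the user is not logged out.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        query = parse_qs(environ.get("QUERY_STRING", ""))
        sent = query.get(TOKEN_PARAM, [""])[0]
        session = cookie[SESSION_COOKIE].value if SESSION_COOKIE in cookie else None
        ok = session is not None and hmac.compare_digest(
            sent.encode(), token_for(session).encode())
        if not ok:
            # Drop the identity for this request only; the session survives.
            environ.pop("repoze.who.identity", None)
            environ.pop("REMOTE_USER", None)
        return self.app(environ, start_response)
```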