[tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 15 16:31:41 UTC 2014
#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
Reporter: Sherief | Owner: Sherief
Type: task | Status: needs_review
Priority: blocker | Milestone:
Component: Tor Support | Version:
Resolution: | Keywords: SponsorO
Actual Points: | Parent ID: #10755
Points: |
-----------------------------+--------------------------
Comment (by Sherief):
Replying to [comment:26 lunar]:
> Is it really needed to have a `pups_project` sub-directory? Probably
related question: shouldn't be the `stats` and `webchat` modules be sub-
modules of the `pups` module?
No. I can just name the repo pups_project and remove the extra folder.
> Is `settings.py` meant to be configured by the local administrator? Then
it should probably not be commited as is. Something like
`settings_sample.py' should be in the repository instead and we should
expect administrators to copy and adjust before running the application.
It's worth being documented in the README.
Added a `settings_sample.py` and will document it later.
> On the topic, could it be documented how to configure Apache to run both
a staging and a production environment from the same codebase? This looks
unfortunately more complicated than it should:
> https://docs.djangoproject.com/en/dev/howto/deployment/wsgi
/#configuring-the-settings-module
> https://stackoverflow.com/a/11515629
> Looks like WSGI daemon mode and multiple “wsgi.py” files are required.
This is on my TODO list but I will have to prioritize functionality for
the time being.
> `wsgi.py` contains some boilerplate at the end that should probably be
removed.
Done.
> `ChangePassForm.change_password()` control flow should be inverted (so
that the “happy path” can be easily seen):
> {{{
> if not new_pass_is_right():
> return False
> do_something_when_pass_is_right()
> return True
> }}}
Done.
> I don't understand the meaning of the `success` variable
`Token.revoke_token()`.
While working I was thinking about a way to report a delete failure and
forgot to continue writing the code in the function.
> The semantics of `Token.revoke_token()` are still weird. I can pass it a
list of token great. If it returns True, then I know that all the list was
revoked, great. But when it returns False? I know that there's one in the
list that was not good. But I don't know which one and with the current
code, the ones after that will not have been modified… Not good. I'm not
sure if Django handles database COMMIT/ROLLBACK properly, but if that's
the case, the best course of action is to have the function raise an
Exception so the previous changes are rolled back.
I understand a database transaction is the best way to go here, thanks for
reminding me. I will put this one on my TODO list and comment later when I
am done.
> Sorry we misunderstood each others for `Token.get_token()`. It should
> read:
> {{{
> def get_token(self, token):
> try:
> return Token.objects.get(token=token)
> except ObjectDoesNotExist:
> return []
> }}}
Nah, I was just stupid :D
> `webchat/urls.py` contains mapping for `/chpass` and `/logged` URLs
which do not belong to the webchat part of Pups. Same with
`webchat/views.py`, so things might require to be moved around some more.
Or everything merged together, that's probably fine given the current
size.
Django offers you to create a project that contains many apps inside, each
app is supposed to do one thing and do it good. For example: a blog can go
up to 12 apps (Comment, Post, View, Admin, Captcha, etc..)
Pups_Project is the main project that contains pups (handles login,
logout, changePassword and user creation and deletion), webchat (contains
token_page and prodromus) and finally stats.
I preferred moving things instead of merging to follow the Django's best
practices.
> In `webchat/views.py`:
>
> `change_password()`, `create_token()`, `revoke_token()`, `chat()` all
have `if …: return …; else` constructs.
Fixed that (I hope so) and I am loving the "happy path" :)
> For `change_password()` is there an error message when the form is not
valid?
It's not obvious but validation is handled well.
> This should really be turned into its own method for readability:
> {{{
> token.get_assistant_tokens(User.objects.get(id =
request.user.id)).filter(expires_at__gt=F('created_at')),
> }}}
I just added the `.filter(expires_at__gt=F('created_at'))` part to
`models.Token.get_assistant_tokens(assistant)`
> In `tokens_page()`, `params` is not used before the `render()` call at
the end. It should be moved closer to that.
Done.
> Why use `HttpResponse` in `chat()` and not a proper template? Also can
it be made that the HTTP error codes are 404 for invalid tokens and 410
for expired ones?
I was just lazy but now I created a proper template for each.
> Unless I'm mistaken `webchat/templates/tokens.html` directly contain the
value of `token.comment`. It should be escaped to be displayed in an HTML
context, otherwise that's a security issue.
I tried to add html tags, sql code but non worked since Django's ORM
checks things before adding data into the db automatically and
render(request, template, context)'s context handles what you mean.
Anyway, there is a models cleaning function I can use models.full_clean()
`https://docs.djangoproject.com/en/1.4/ref/models/instances/#django.db.models.Model.full_clean`
> Please make the code PEP8 compliant unless there's a good reason for it:
> {{{
> $ pep8 pups_project | wc -l
> 91
> }}}
On my TODO list.
Again, Thank you for the review. :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list