AudioGuyWorkNotes
CssWork - parent
This is current problems/tasks/working notes.
To Do
- 1 Gathering docs, understanding code - ongoing
- 2 Walk through all admin access in slash and see where javascript can be dumped, what other fixes needed - put off for a few days while I try to fix htacces problem
- 3 Try minified javascript - in place testing
- 4 Solve htaccess problem for staff wiki - in process
- 5 Solve topic add problem - put off until #2 is in process.
The htaccess problem
Put an htaccess file in the html folder for slash, as I have done hundreds to times before...and it did not work.
Specifically, it did nothing at all.
No error, just...nothing.
Nothing in log that revealed much.
A problem with debugging this is the presence of 'Varnish' a cache ahead of the server. However, in the end I am told this is not, on this particular server, doing anything but passing the requests through.
First problem noted was that in the main apache config, the directive AllowOverride None was in place. this prevents anything in htaccess files from overriding the main config. Changed to AllowOverride All. Still not working. Checked the local apache config in the site/sslashcott.org dir and saw that had another such directive. Changed that one. Still not working. Decided to give up on htaccess completely, and put the directives into the main apache file. Still not working.
Noticed, however, this in the slash apache config file:
# Fourth Apache phase: access control PerlAccessHandler Slash::Apache::Banlist PerlAccessHandler Slash::Apache::User
The slash apache module has taken control of the Apache access control phase.
I am pretty sure this means that ONLY the perl modules now can operate in that phase, as in apache 1.3, there is just a traversal through the different phases, and whoever handles the phase causes apache to go on to the next phase.
Tried to check the docs to confirm this, but apache has removed 1.3 docs from their site.
Finally found an old 1.3 source on a backup, grabbed the docs out of this, and read:
-- Apache breaks down request handling into a series of steps, more or less the same way the Netscape server API does (although this API has a few more stages than NetSite does, as hooks for stuff I thought might be useful in the future). These are:
- URI -> Filename translation
- Auth ID checking [is the user who they say they are?]
- Auth access checking [is the user authorized here?]
- Access checking other than auth
- Determining MIME type of the object requested
- `Fixups' --- there aren't any of these yet, but the phase is intended as a hook for possible extensions like SetEnv, which don't really fit well elsewhere.
- Actually sending a response back to the client.
- Logging the request
These phases are handled by looking at each of a succession of modules, looking to see if each of them has a handler for the phase, and attempting invoking it if so. The handler can typically do one of three things:
- Handle the request, and indicate that it has done so by returning the magic constant OK.
- Decline to handle the request, by returning the magic integer constant DECLINED. In this case, the server behaves in all respects as if the handler simply hadn't been there.
- Signal an error, by returning one of the HTTP error codes. This terminates normal handling of the request, although an ErrorDocument may be invoked to try to mop up, and it will be logged in any case.
Most phases are terminated by the first module that handles them; however, for logging, `fixups', and non-access authentication checking, all handlers always run (barring an error)
--
So in short, if perl decides to handle the 'access' phase, Apache cannot.
I am now 99% certain that I cannot use htaccess or any other access phase functions on the apache server with slash.
However, the slash system itself has all that is required to do this, I just need to find a way to use it.
And an looking now...
Proposed solution:
Slash always checks if a user is logged in early in the page generation process. Find that place, and modify it to redirect all users who are not logged in to a login page (which must be created.)
Tracing through code now...
A redirect to this page might work: http://slashcott.org/my/login
Trying a staff.shtml static version of that page... And that worked fine to log me in.
Now, will it work with no links on the side, or those links disabled?
Looking for a 'hook'
These pages use perl scripts: - on front page- journal.pl messages.pl topic.pl authors.pl search.pl (listed as older stuff) pollbooth.pl (listed as past polls) submit.pl (listed as submit story) http://slashcott.org/~AudioGuy/ This is the link on the users name when logged in. Must be a redirect? also most recent journal entries go to similar urls like http://slashcott.org/~martyb/journal/ http://slashcott.org/index.pl?issue=20140206 - older stuff box, date link http://slashcott.org/arhttp://slashcott.org/search.pl?start=2ticles/00/01/25/1430236.shtml older stuff box, article link http://slashcott.org/search.pl?start=2 older stuff,'older articles' http://slashcott.org/index.pl?issue=20140306 'yesterdays news' -the topic images- http://slashcott.org/search.pl?tid=8 - static shtml file links - Forbidden You don't have permission to access /faq/index.shtml on this server. http://slashcott.org/about.shtml - 'about' on main menu http://slashcott.org/faq.shtml - 'faq' on main menu also: authors.shtml - exists, but link goes to .pl version hof.shtml - when accessed directly, goes to a summary of Most Active Stories etc moderation.shtml - an textual page explaining what moderation is about slashguide.shtml - goes to: http://slashcott.org/faq/ which shows error: "Forbidden You don't have permission to access /faq/index.shtml on this server." staff.shtml - redirects internally to a login function - My page!!!!!! topics.shtml - shows essentially same result as topics.pl list of topics. -Main home logo- http://slashcott.org/ actually goes to index.shtml - the 'my' redirection http://slashcott.org/my/ create account/login
Routines in the chief .pl pages:
# require POST and logged-in user for these ops my $user_ok = $user->{state}{post} && !$user->{is_anon}; # possible value of "op" parameter in form my %ops = ( edit => [ !$user->{is_anon}, \&editArticle ], removemeta => [ !$user->{is_anon}, \&articleMeta ],
# require POST and logged-in user for these ops my $user_ok = $user->{state}{post} && !$user->{is_anon}; display_prefs => [ !$user->{is_anon}, \&display_prefs ], save_prefs => [ $user_ok, \&save_prefs ], list_messages => [ !$user->{is_anon}, \&list_messages ],
No obvious check
no obvious check
no obvious check
no obvious check
my @redirect_ops; push @redirect_ops, "title=" . strip_paramattr($form->{subj}) if $form->{subj}; push @redirect_ops, "url=" . strip_paramattr($form->{url}) if $form->{url}; if ($form->{subj} || $form->{url}) { push @redirect_ops, "new=1"; my %ops = ( blankform => [1, \&blankForm], previewstory => [1, \&previewStory], pending => [!$user->{is_anon}, \&yourPendingSubmissions], submitstory => [1, \&saveSub], list => [$submiss_view, \&submissionEd], viewsub => [$submiss_view, \&previewForm], update => [$user->{is_admin}, \&updateSubmissions], my $op = lc($form->{op} || 'default'); $op = 'default' if !$ops{$op} || !$ops{$op}[ALLOWED];
# require POST and logged-in user for these ops my $user_ok = $user->{state}{post} && !$user->{is_anon}; # possible value of "op" parameter in form my %ops = ( edit => [ !$user->{is_anon}, \&editArticle ], removemeta => [ !$user->{is_anon}, \&articleMeta ], preview => [ $user_ok, \&editArticle ], save => [ $user_ok, \&saveArticle ], # journal.pl waits until it's inside the op's subroutine to print # its header. Headers are bottlenecked through _printHead. my $op = lc($form->{op}) || ''; if (!$op || !exists $ops{$op} || !$ops{$op}[ALLOWED]) { $op = 'default'; }
sub main { my $start_time = Time::HiRes::time; my $constants = getCurrentStatic(); my $user = getCurrentUser(); my $form = getCurrentForm(); my $slashdb = getCurrentDB(); my $reader = getObject('Slash::DB', { db_type => 'reader' }); return if redirect_home_if_necessary(); sub redirect_home_if_necessary { my $user = getCurrentUser(); my $form = getCurrentForm(); my $script = ''; if (!$user->{is_anon} && defined $form->{usebeta}) { if ( $form->{op} && $form->{op} eq 'userlogin' && !$user->{is_anon} || $form->{upasswd} || $form->{unickname} ) { # Any login attempt, successful or not, gets # redirected to the homepage, to avoid keeping # the password or nickname in the query_string of # the URL (this is a security risk via "Referer"). # (If we've determined the user needs to go to # index2.pl, send them there.) Note that # $form->{returnto} is processed by # Slash::Apache::User::handler, which for reasons # of a mysterious bug defers the actual redirect # to be handled by this script. $script = $form->{returnto} || '/'; } if ($script) { redirect($script); return 1; }
conclusion so far
There is not consistent way to handle security level on all he pl pages, they all either don't handle it at all, or handle it in different ways.
What is there consistently is:
- Inclusion of User and Utillity libs
- A main() routine
- there may be differences in how they call header, but all do in some fashion.
- They all call footer()
- redirect is in utility / Anchor.pm (in lib64)
sub redirect { my($url, $code) = @_; $code = 302 if !$code || $code != 301; my $constants = getCurrentStatic(); $url = url2abs($url); my $r = Apache->request; $r->content_type($constants->{content_type_webpage} || 'text/html'); $r->header_out(Location => $url); $r->status($code); $r->send_http_header; slashDisplay('html-redirect', { url => $url, code => $code }); }
Try to get topics.pl to redirect to my staff page
This works, right before the header call:
############## if ($user->{is_anon} ) { redirect("/staff.shtml"); } ############## header(getData('head'), $form->{section}, $data) or return;
Todo
add
makes code easier if(privatesite) {} with button in admin interface
0 - off 1 = private.
List all pages and give list to paul for incorporation.
private_site variable set to 1 - this is the name
####### # if ($user->{is_anon} && $private_site ) {redirect("/staff.shtml"); } # may need to add a local private site and do what is needed to get it first ######
This is how constants in vars are accessed:
my $constants = getCurrentStatic(); if ($constants->{body_bytes}) {}
Ok, so this should work:
Must first make sure my $constants = getCurrentStatic(); earlier, then
###### if ( $user->{is_anon} && $constants->{private_site} ) {redirect("/staff.shtml"); } # should change name of staff.shtml to loginonly.shtml or justlogin.shtml ######
Discuss code style.
Suggest voluminous comments with option to emove easily with a grep -v
Hard left # for comments to be remove, code indented as usual.
########## # # Code added Fri Mar 7 23:22:47 PST 2014 - Mike Demmers # to add a private slash option. # If database table 'vars' variable 'private_site' != 0 then site is private # and all non-logged in users will be redirected to a login page. # This code requires my $constants = getCurrentStatic(); declared earlier to # insure the constant 'private_site' (set in admin interface, variables) # is available locally. ( also $user = getCurrentUser(); ) # This routine must be added to all publicly available .pl scripts # (pages, not inclusions), just prior to the first header() call. # if( $user->{is_anon} && $constants->{private_site} ) { redirect("/staff.shtml"); } # ##########
http://perl.apache.org/docs/1.0/index.html
21:09 stderr Hmm... Can you use an AuthUser on a virtual host that acts like a proxy? NCommander audioguy, oh wait, you're using varnish NCommander You need a fucking hack in slash to make that work NCommander There's a sanity check I stabbed out that causes slash to act stupid when its varnished audioguy That is what I was afraid of. Wondering if there is a simple way to do the same thing in slash code. 21:10 NCommander I think the patch is on the master branch, if not, you need to grep for "X-Forwarded-By" in slashcode -- mechanicjay audioguy: is it borked? 21:45 mechanicjay Varnish is passing everything through audioguy It is getting in the way of me trying to debug a problem audioguy I am trying to use .htaccess files, it is not letting me see the real errors, audioguy Logs shows this: audioguy [Wed Mar 5 05:40:08 2014] [error] :Slash::Utility::Environment:/usr/local/lib64/perl5/Slash/Utility/Environment.pm:683:cannot getSkin for empty skid='' ;; Which was called by:Slash::Apache:/usr/local/lib64/perl5/Slash/Apache.pm:359 21:46 mechanicjay Varnish should not be caching anything for the slashcott domain. I'll double check right now
Minifed javascript for jquery
This has now been placed on slashcott as a test to see if it workable on the main site.
I simply replaced the file in
/usr/local/slash/plugins/Ajax/htdocs/images/jquery/jquery-1.3.2.js
with
/usr/local/slash/plugins/Ajax/htdocs/images/jquery/jquery-1.3.2.min.js
after backing the original up, of course:
[root@slashcode jquery]# pwd /usr/local/slash/plugins/Ajax/htdocs/images/jquery [root@slashcode jquery]# ls jquery-1.3.2.js jquery.autogrow.js jquery.textselection.js ui.sortable.js jquery-1.3.2.min.js jquery.elastic-1.6.js ORIGINALjquery-1.3.2.js ui.tabs.js jquery.autocomplete.css jquery.lazyload.js ui.core.js jquery.autocomplete.js jquery.metadata.js ui.draggable.js
The minified version is about 50% smaller.
57254 Mar 5 14:33 jquery-1.3.2.js 57254 Mar 5 14:30 jquery-1.3.2.min.js 120764 Mar 3 20:21 ORIGINALjquery-1.3.2.js
- [[1]] git - themes