Age | Commit message | Author
These fields aren't editable anyway, but if we don't do the full
validation we will instead crash if for example the same account
creation form is submitted twice (happens surprisingly often). Now we
will instead show a validation error message.
This was already done for the majority on signin, but for new accounts
we should do the same.
It's not always entirely correct, but it's less wrong than 200.
If login isn't completed in 10 minutes, expire the cookie and require a
start-over.
During oauth logins we need to store some temporary data related to the
user's session. Previously we did this in the django session, but thanks
to AI bots trying millions of logins every day (and never completing the
process) we end up with many abandoned sessions in the db. To work
around this, instead store the temporary data in an encrypted cookie
passed to the browser. Since this cookie can be limited in scope to just
the auth part of the site, the slightly larger cookie size doesn't
matter, and we don't need to store any data at all server-side.
Instead of prepopulating a GET request that could generate a session,
create a form with different submit buttons and use that. In the brave
new world of AI bots, nobody cares about robots.txt anymore, so we'd get
hit by a lot of requests specifically for these logins that were then
thrown away because they couldn't log in on the third party site.
This makes for better readability, and is exactly the same
functionality...
Pointed out by Jacob Champion
This creates a community auth version 3 (previous one being 2, and 1 is
long gone) that uses AES_SIV as the encryption method instead of
regular AES_CBC, and validates the digests on all accounts.
As this gets deployed on servers incrementally, the version has to be
specified in the database record for the site. We could have the site
indicate this itself, but doing it this way seems safer as it will then
just break for any app that accidentally reverts the plugin.
Reviewed by Jacob Champion
Per discussion among moderators
Author: Christoph Berg <myon@debian.org>
Create a new governance directory page which centralizes access to the
various existing pages for project governance teams and committees. In
passing, also move some content from the wiki to their own pg.o pages
(committers, sysadmins), and create non-existing pages (contributors
committee).
There are undoubtedly some missed opportunities here for general
improvement as well as other unmentioned governance groups, but this is
a good start.
Moving forwards we'll have three types of sponsors:
- Contributing - those that the sponsor team are responsible for.
- Financial - those who donate to an NPO.
- Servers - those who provide servers/infrastructure.
For the financial sponsors, there are a few rules:
- "NPO" means a recognised NPO, (which includes SPI and PGCA).
- Each NPO may choose whether or not to list any sponsors on this page.
- Each NPO may define the criteria under which sponsors are listed, and
any levels they wish to use.
- Conference/event sponsorship does not count; it must be sponsorship of the
organisation itself.
- Sponsors may be listed once under each NPO they have donated to.
Note that the same sponsor may be listed in any or all of the categories
(contributing, financial, servers).
Patch by myself and Jonathan.
Clearly not properly tested.
Reported by Akshat Jaimini, found by the testing harness
Since this one is not managed inside Django, it doesn't know what to do
with it when deleting, so just make postgres handle it.
We have this info available in the Version field and on the website,
so making it available in a machine-readable way simplifies allowing
people to access this data in a scriptable way.
Author: Corey Huinker <corey.huinker@gmail.com>
Missed that in updating the endpoint.
Only the v2 API is free now. Let's hope the fix is to just switch to
that version, and possibly re-generate tokens (this has worked for other
systems).
Once someone has fixed the signups, we should of course re-enable it,
but "no link" is better than a broken link.
This could cause a crash when the devel version of the docs had a
placeholder entry for a major version that had not yet been released.
Fixes redirect from "naked major version" URLs when major version is
2-digit.
Move to use core_version for more information, making some purges easier
and more predictable as well. Just create a hardcoded list of versions
prior to what we have real version entries for, it's just a couple that
we need to reference old release notes for (pre-6.3), so it simplifies a
lot.
Fixes (again) the release notes purging to use xkeys as set, which was
accidentally and partially undone in ac618d1b.
Generally makes the code easier to read and fixes a few corner cases.
Templates also much simplified, with the list template accidentally
already committed as part of 19682de8.
Reviewed-by: Jonathan Katz
Technically not needed for the system, but confusion is ensured if you
have two different sites with the same name...
There were no direct links to the CommitFest application from
the developers section, even though CommitFest are a key part of
PostgreSQL development. This adds said links, and provides a brief
explanation of what CommitFest are.
Reviewed-by: Magnus Hagander <magnus@hagander.net>
eccfb71c did not correctly invite people who were not in the
allow-listed domains. This uses a "shared join" link that
allows this to occur.
This is considered a temporary fix to ensure new users can still
sign up for the community Slack account. A future commit will
direct people to a better solution.
Reported-by: Stephen Frost <sfrost@snowman.net>
We already allow it on the docs pages themselves, but not on images
served up. Seems it can't get worse, and hopefully this fixes the
reported issues.
Reported by: Peter Geoghegan
Instead of an exception complaining about bad style URLs, just ensure
that the URL for the next parameter is always relative. (The form for
consent can only be triggered via one redirect, and it always has the
parameter relative).
We did the right thing before (as in, did not perform a redirect), but
the error dump was not nice.
Avoids huge resultsets and we should never deal with searches bigger
than this anyway.
Typically this required a user (especially the committer) to
manually do this step, which was easily and often missed. This
limits user error and ensures the release notes are available
to users in a timely manner.
Reviewed-by: Magnus Hagander <magnus@hagander.net>
This adds search fields (name, handle), a filter for contributor
type, and default ordering options to make it easier to navigate
this list in the admin panel.
This adds a permission check in the user admin view logic to allow
someone administrating contributors to use the autocomplete
functionality even if the user does not have permission to modify
the users directly.
This pointed at a previous resource used to moderate sign-in that
has since been removed.
Author: Melih Mutlu <m.melihmutlu@gmail.com>
Author: Jonathan Katz <jonathan.katz@excoventures.com>
When somebody posts a news article, make it possible to delete it before
it's submitted to moderation (or after it's been withdrawn or bounced),
instead of forcing the user to leave it around ForEver (TM).
Do this by adding some generic functionality for confirmation popups,
that can also be used for other things in the future.
This will require some further updates on the loading side of things
before it's fully valid, but for now track and show a link to the git
hash used to build developer docs *if* one is specified.
We only track it for devel (because releases have release numbers) and
we only show it in the cases where we would already show the loading
time.
The == operator is Bash specific, and since the script isn't Bash
specific the = operator should be used instead.
Author: Andreas 'ads' Scherbaum <ads@pgug.de>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Discussion: https://postgr.es/m/671fc8a3-8106-be8d-d6a6-325e19b8358f@pgug.de
This has probably not worked since 0cb56d93, but this patch will
allow for the warning to appear.
This sets the documentation pages to use the "/docs/current/"
prefix to be the canonical docs. This follows SEO guidance to
help improve which doc pages show up higher in search, per:
https://developers.google.com/search/docs/advanced/crawling/consolidate-duplicate-urls
Reviewed-by: Magnus Hagander <magnus@hagander.net>
Reviewed-by: Andres Freund <andres@anarazel.de>
When a user logs into a community auth site, that account is
automatically subscribed to receive updates from the system whenever any
changes are made to the user, such as name/email/ssh keys. However, when
a site imports a user without them directly logging in, that
subscription is not set up, so any changes made are lost until the user
first logs in.
This commit adds an endpoint to the auth system so that a site can
explicitly request updates are sent about a user. This will create a
"fake login" on that site, which will enable the normal system to start
sending data. The access to the endpoint is protected with an HMAC
authentication using the existing community auth key.
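One way to protect such an endpoint with an HMAC keyed by the shared community auth key, shown with both the requesting site's side and the auth system's side; this is an added example rather than pgweb's own implementation, and the header names, JSON body shape, 300-second replay window and key value are all assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-in for the site's community auth key; the replay window is assumed.
COMMUNITY_AUTH_KEY = b"constructed-shared-community-auth-key"
MAX_SKEW_SECONDS = 300


def _mac(timestamp: int, body: bytes) -> str:
    # The timestamp is bound into the MAC so a captured request cannot be replayed later.
    msg = str(timestamp).encode() + b"\n" + body
    return hmac.new(COMMUNITY_AUTH_KEY, msg, hashlib.sha256).hexdigest()


def build_subscribe_request(username: str, now: Optional[int] = None) -> Tuple[dict, bytes]:
    """Site side: ask the auth system to start sending updates about `username`."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"username": username}, sort_keys=True).encode()
    headers = {"X-Timestamp": str(ts), "X-Signature": _mac(ts, body)}  # assumed header names
    return headers, body


def verify_subscribe_request(headers: dict, body: bytes,
                             now: Optional[int] = None) -> Optional[str]:
    """Auth-system side: return the username to 'fake login' when the HMAC checks out, else None."""
    try:
        ts = int(headers["X-Timestamp"])
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return None
    if not isinstance(provided, str) or not provided.isascii():
        return None                       # compare_digest only accepts ASCII str
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return None                       # stale or future-dated: treat as a replay
    if not hmac.compare_digest(provided, _mac(ts, body)):
        return None                       # wrong key or modified body
    try:
        return json.loads(body)["username"]
    except (ValueError, KeyError, TypeError):
        return None
```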
This affects how we redirect news when there's what looks like an "id"
number both before and after. For example, the link:
2016-08-11-security-update-release-1688
would previously detect the id as 2017 and redirect to that article,
which is obviously wrong.
This changes the order so that id-at-the-end is checked first. This
instead gives problems for urls that *end* in a year (or other things
that look like an id).
This is not ideal, but it's better than before because at least now the
links that are being generated *now* are handled the correct way.
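The check order described above, as an added example and not the pgweb code: a trailing id wins, a leading one is only a fallback, and a slug that merely ends in a year is still taken as an id, which is the remaining limitation the message notes.

```python
import re
from typing import Optional

# Current news links put the id last; the older scheme put it first.
ID_AT_END = re.compile(r"-(\d+)$")
ID_AT_START = re.compile(r"^(\d+)-")


def news_id_from_slug(slug: str) -> Optional[int]:
    """Check for a trailing id first, and only then for a leading one."""
    match = ID_AT_END.search(slug) or ID_AT_START.search(slug)
    return int(match.group(1)) if match else None
```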
As of django 3.2.11 in what's considered a security fix (wouldn't be in
our use cases, but could be in others), we can no longer use dictsort
on lower() -- doing so returns an empty list.
So instead we create a new filter called sort_lower, and use that one
from the two places where we use the filter.
This bug caused the list of translations and yearly reports on the CoC
page to become empty. Spotted by Umair Shahid.