These are chat archives for translate/dev

12th Apr 2016
Leandro Regueiro
@unho
Apr 12 2016 12:01
@julen Hi, is there any way to retrieve a property from the User model and expose it in https://github.com/translate/pootle/blob/master/pootle/static/js/shared/models/user.js#L18-L65 ? I mean other than creating a new view that returns the value of the property, and then calling that view from this backbone model to get the actual value.
phlax
@phlax
Apr 12 2016 13:46
so @ta2-1 we were just discussing django/pootle_comments and the CommentForm
i was saying that subclassing from dj_commentform provides some anti-spam protection
although this is less of an issue for non-nobody, and even less so for admin user comments
im still reluctant to circumvent these protections
esp if we are going to (hopefully) hook up notifications that will include the comment etc
and i think its pretty trivial to add
Taras Semenenko
@ta2-1
Apr 12 2016 13:48
so @phlax, we are going to use them because they come out of the box, yes?
phlax
@phlax
Apr 12 2016 13:48
and because they are a good idea
which is why they are in the box
we kind have 2 choices
both are pretty trivial to implement
  • add a timestamp and hash into the comment form
  • remove the security hash field from the comment form
in the case of the first i just mean include the timestamp/hash generated by the form in the ui
Taras Semenenko
@ta2-1
Apr 12 2016 13:51
timestamp from the UI looks like a weird idea
phlax
@phlax
Apr 12 2016 13:51
it has 2 purposes from a sec pov
  • only server can generate form to submit comment
  • generated form expires after a certain amount of time
Taras Semenenko
@ta2-1
Apr 12 2016 13:56
I could be misunderstanding. so do you think that the form can receive a timestamp from the server and then start a counter which adds the number of elapsed seconds to the initial server timestamp?
phlax
@phlax
Apr 12 2016 13:56
hmm
more like this
  • user clicks button to open comment form
  • xhr request to get form creds - ie timestamp and hash
  • user fills comment field etc
  • xhr request includes timestamp/hash
the time limit is very long
(i think)
but its necessary to verify the hash
Taras Semenenko
@ta2-1
Apr 12 2016 13:58
extra request to get credits?
phlax
@phlax
Apr 12 2016 13:59
probably
it could be generated beforehand - but i think that would be a v bad idea
ie creating lots of forms unnecessarily
that was why i was asking really
it would be pretty trivial to add though
but may require an additional action in UnitAPI to keep with current way of doing things
Taras Semenenko
@ta2-1
Apr 12 2016 14:01
why should every form have a separate security creds?
phlax
@phlax
Apr 12 2016 14:02
its more like every target object tbh
the hash is combo of object+timestamp
like i said we could circumvent
but i would be pretty -1 on that
how were you thinking to add the comment form in?
i dont think we want to add lots of DOM nodes on render
so we need to do some js handling anyhow im thinking
we could also generate the hashes with the unit where relevant but i would probs just use an xhr request
Taras Semenenko
@ta2-1
Apr 12 2016 14:05
tbh I don't understand what we get with these hashes from sec pov...
phlax
@phlax
Apr 12 2016 14:05
hmm - let me dig you out relevant bits...
Taras Semenenko
@ta2-1
Apr 12 2016 14:06
what is the case when they prevent us from spam?
phlax
@phlax
Apr 12 2016 14:06
in this case its not such an issue
because its a restricted view
Taras Semenenko
@ta2-1
Apr 12 2016 14:06
I'm going for a 30 min walk. ping you when back.
phlax
@phlax
Apr 12 2016 14:06
but yep - these are spam protections to prevent a form from being used to hammer a site
and as mentioned i think that once we start hooking up events - esp comments that will be forwarded - to email or other notifications
its important
there are more notes in the source code
Taras Semenenko
@ta2-1
Apr 12 2016 14:09
sorry I still can't get why it's important once we start hooking...
phlax
@phlax
Apr 12 2016 14:10
well atm if you spammed some comments or similar it would spam some random unit nowhere
but if there were emails being sent off to project admins, contributors, watchers etc
and you can include your comment (even better with a url or image) then that is a vector for spam
Taras Semenenko
@ta2-1
Apr 12 2016 14:17

what is the case when they prevent us from spam?

its a restricted view

phlax
@phlax
Apr 12 2016 14:20
well in this case there is defo less of an issue
but not-nobody is not a protection when its trivial to get the necessary creds
tbh tho
i tend to work with sec measures rather than against them
where poss
Taras Semenenko
@ta2-1
Apr 12 2016 14:25
@phlax afk for a walk... will think about our stuff outside
phlax
@phlax
Apr 12 2016 14:25
cool
phlax
@phlax
Apr 12 2016 15:23
@ta2-1 added PR with tests for pootle_comments
needs a little love yet