Now that MUGLE is released, we will consider the trunk to be stable.
That means it should only ever improve at this point -- no commit
should make anything worse, even temporarily.
So I think when we gave up on using branches that was helpful for
getting it out faster, but now we need to go back
In terms of providing a rich API while keeping the code as simple for the
students as possible, i like the idea of keeping the existing code the same,
but have them pass the .class object, and then using browser side
reflection.
Yes so we should look into that reflection library. I've got no
For those who haven't seen yet, we now have two of the best student games up
on the MUGLE platform, and they seem to be doing what they're supposed to be
doing.
http://mugle-app.appspot.com
They are both terrific, so you should definitely check them out.
--
Mailing list:
So there are two major problems with our KVP API:
1. Users are not able to serialize their own data types, and are instead
forced to use built-in types like String and Vector.
2. If the user builds their code with a different version of GWT than we
did, and that version has different
Note: I tried to explicitly use java.io.Serializable on the client, but got
errors in both the dev mode and compiler that key classes did not exist
(such as ObjectOutputStream). I suppose it is pretty hard to write this code
for JavaScript (well, to be precise, serialization is easy, but
Scott, you have been looking at deleting data.
I'm wondering how hard it will be to delete UGPs (without worrying about
deleting other kinds of data).
https://bugs.launchpad.net/mugle/+bug/788541
I'm trying to track down a production bug which seems to only happen the
first time for any given
Well I've dug a bit. You were quite right. It does seem to be the UGP
getter. But I'm confused. What do you know about the persistencemanager and
transactions? See the bug:
https://bugs.launchpad.net/mugle/+bug/788592
The error I am getting is this:
can't operate on multiple entity groups in a
I am really confused about this.
https://bugs.launchpad.net/mugle/+bug/788075
Is there some weird bug going on in the bowels of the database layer? I
doubt I could have screwed up on the UI, and that's all the code I changed.
In GameEditBuilder, I added:
Never mind, I figured it out and worked around it (hackily).
https://bugs.launchpad.net/mugle/+bug/788075
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
No but ... never mind. It's no longer critical.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
** Description changed:
Currently, the DevTeamService.getGames has a boolean to ask for public
or private. This is necessary because the dev team edit page contains
the full list. Note that since we have no security on viewing things at
- all (pretty much), there is no point fixing this
Is this actually a problem? I think the fact that the client has access
to the primary key is the wrong thing to focus on. Obviously the client
can write back anything they want -- if there is a security problem,
it's that the server will let clients write to objects (based on primary
key) that
Can someone figure out if this is still an issue? I don't want old bugs
lying around if they are not real concerns.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786016
Title:
Direct Access to
** Changed in: mugle
Status: Triaged = Invalid
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/779015
Title:
Client can write back modified primary key
Status in Melbourne University
As of trunk r435, this is fixed for DevTeam and Game (which were needed
for other bugs).
Remaining services: Achievement, GameFile, GameVersion, KeyValuePair.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
Well, that's it. I've ticked off every single bug that we had milestoned.
MUGLE is now pretty darn usable, and somewhat secure :)
A user should now be able to (once given a dev team), navigate around all of
the necessary UI to view and edit (where authorized) all of the games, teams
and users.
The list of bugs fixed is here:
https://launchpad.net/mugle/+milestone/0.1
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
*** This bug is a security vulnerability ***
Private security bug reported:
It is possible for two users to have the same URLname. Check this and
block it.
** Affects: mugle
Importance: Critical
Assignee: Matt Giuca (mgiuca)
Status: In Progress
** Tags: datastore
Fixed in trunk r451.
** Changed in: mugle
Status: In Progress = Fix Committed
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/788425
Title:
User can change URLname to that of another user
** Changed in: mugle
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/788425
Title:
User can change URLname to that of another user
Status in Melbourne
** Changed in: mugle
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
GameToken is visible to users who don't own the game
Status in
** Changed in: mugle
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786594
Title:
Upload service does not check permissions
Status in Melbourne
OK, it is released.
http://mugle-app.appspot.com/
I have added everyone on this list to the Staff team, so you can upload
games if you wish. Any game you upload will be private by default, so feel
free to do so (but don't check public for now; we just want the student's
games to appear in the
Guys is there something I am missing? I have just discovered that MUGLE
basically treats all game URLs in a common namespace.
https://bugs.launchpad.net/mugle/+bug/787378
What? I thought we always had them namespaced by devteam.
For example I am now looking at PromotedGames, which can't possibly
I believe the association and disassociation is set up correctyl (I checked
about half the classes last night). Note you DO specifically have to call
these add and remove methods on the client side in the UI for security
reasons.
So you can disassociate a user from a devteam or a game from a
But if you do that you need to make sure that the client is incapable of
putting the database into an inconsistent state, which is very tricky. I
would prefer if the server handled all of this.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
** Summary changed:
- Views aren't restricted by permission
+ GameToken is visible to users who don't own the game
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
GameToken is
** Changed in: mugle
Status: Triaged = In Progress
** Changed in: mugle
Assignee: (unassigned) = Matt Giuca (mgiuca)
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title
This is directly caused by #786876 -- address those concerns and this
will be fixed.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
GameToken is visible to users who don't own the
This is directly caused by bug #786876 -- address those concerns and
this will be fixed.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
GameToken is visible to users who don't own
If you look at UserServiceImpl, that is implemented correctly (I assume
this one was implemented first, and the others were copied). All of the
ServiceImpls are using logic that compares the current user's key to the
object's key, which is nonsense (completely different types), EXCEPT for
when
I am trying to get my head around the purpose of checkPermissions. The
canonical version, in UserServiceImpl, seems to do the same thing twice,
and the second check is rather redundant. The cloned versions have been
modified to do the first check properly, but not the others.
Here is pseudocode
complicated for me, so I am just going to focus
on working around bug #786685 for now, and de-milestone this one.
** Changed in: mugle
Milestone: 0.1 = None
** Changed in: mugle
Importance: Critical = High
** Changed in: mugle
Assignee: Matt Giuca (mgiuca) = (unassigned)
--
You received
So bug #786904 is the inverse of this one. Not only do we get private
when we should get public, we also get public when we should get
private, so nobody other than admins will be able to write.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct
Oh OK, thanks.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
And Mugle now works, near-satisfactorily. Unfortunately I had to stay
up until 3:30 to get it, so .. let's hope I can make it to teaching
tomorrow.
If you go here:
http://mugle-app.appspot.com/
You will see Prageeth's nice new theme. I haven't put anybody as an admin or
added to the dev
*** This bug is a security vulnerability ***
Private security bug reported:
I haven't tested this, but it seems that a malicious user can craft a
GameVersion in another person's Game. This is because the
GameVersionData.setGame field is writable if you own the GameVersion.
That means you can
Guys, what happened to this plan? I just found lots of new tabs in 19 files
(and converted them to spaces as of r312).
Scott, I think they were yours (but I didn't check all of them). Please set
your editor and install the Bazaar plugin to reject commits if they include
tabs. (I asked on Friday
I've also noticed that there were some tabs remaining even after Matt
cleaned it and I think Matt missed those ones.
Weird. Were they in java files or other files? I ran a script to convert all
the tabs so I don't know why I would have missed some, unless they were
added in later.
This may be
That doesn't sound very scientific. We should either have a policy on using
it once per transaction, or not at all. And try to get to the bottom of it.
But not tonight :(
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe :
On that note, dont use them in a for loop either;
I'm going through and having to change many of the ServerSideImpl to use
ModelClass.getObject(key.getID()) rather than ModelClass.getObject(pm, key)
so that the server doesnt crash
Hmm. This seems very wrong; I thought the point of the
The edit page itself should be blocked, but there's nothing stopping them
from viewing those
fields (because they need to) if they do edit an object and pass it
back it will refuse to write it
That's true for a few cases, but absolutely not in general. Case in
point: The GameToken should NOT
Yes, I have tested it, and it allows anybody to view the game token.
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786685
Title:
Views aren't restricted by permission
Status in Melbourne
Thanks Scott, for the tip to look in GameFileServiceImpl.checkPermissions.
One thing I don't understand (and possibly a bug), what is this code doing:
ClientView cv = (curUser.getPrimaryKey() == object.getPrimaryKey())
?
ClientView.PRIVATE : ClientView.PUBLIC;
I don't
** Changed in: mugle
Status: Triaged = In Progress
** Changed in: mugle
Assignee: (unassigned) = Matt Giuca (mgiuca)
--
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786594
Title
Most of the fields that you are talking about, I pressume they are
reference lists? The list itself should not be editable, only the values
should be changed. Adding and removing of these values are handled by
the Services and should never be changed by the ModelWrapper conversions.
Nope -- I
OK Prageeth has explained how the public/private permissions work. I
imagine, then, it's just a matter of setting gameToken's getter to
private=OWNER, public=NONE. Not sure what the first one actually should
be.
--
You received this bug notification because you are a member of MUGLE
Developers,
Scrappy notes from the meeting (I will triage)
Devteam view doesn't show existing games
game, user and devtem need links to +edit if applicable
game edit should show error in green
game edit should have an explicit save button
games gallery doesn't show any games.
Promoted games is stubbed
to work if the referer is NOT from a URL we are in control of.
That could resolve it nicely, and wouldn't be hard to implement.
** Affects: mugle
Importance: High
Assignee: Matt Giuca (mgiuca)
Status: Triaged
** Tags: security
--
You received this bug notification because you
Oh OK then. Ignore comment #1. I have filed a separate bug for that
issue (bug #786070).
Note that just making something protected won't prevent an intrepid
client from calling it. That is a client-side solution. Client-side
security is not security. We need ALL the APIs on the server to make
Confirmed on the main App Engine server (throws an exception).
https://bugs.launchpad.net/mugle/+bug/786395
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help :
Guys, I know it is late in the game, but if I am going to be working on this
project over the weekend I am going to go nuts dealing with this.
I don't mind working with tabs (I prefer spaces), but I cannot work with a
code base that has every third line it changes between tabs and spaces. My
OK then. In that case I'll change over the codebase now. Thanks for letting
me do this. I realise it's a bit pedantic, but ... the eyeball thing.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help
You could always use eclipse instead of vim :-p
Well that won't really change the fact that the code is formatted horribly
and every time I view a diff or any code at the command line I will see an
unreadable mess, not to mention indenting or moving the cursor around the
screen will have
Anyways back to topic, there is a good plugin for eclipse that gets rid of
trailing white spaces, etc. Just follow the instructions on that:
http://andrei.gmxhome.de/anyedit/
OK but you don't need it to perform tab-space conversion, do you? The
built-in settings should suffice. I would hope
Yes, I think that's fine.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
I see. So I should be calling GameVersion.getByName instead of creating a
new GameVersionService and calling gameVersionService.getByName. Is that
what you are saying?
I was just following the way the code already works in the UserViewBuilder.
Heh, or at least, the way it *did* work. I see that
OK I have fixed about a hundred issues in trying to get the basic Game UI up
and running. It still isn't working :( But at least GameVersion is somewhat
close to being able to be retrieved from the database.
I have committed everything I have done.
There are (at least) two outstanding issues
I have *still* not found a solution for this:
Now I am having a really hard time adding a devteam to DataTestServiceImpl,
so maybe someone else could do it. What I have so far is:
DevTeamData[] devteams = new DevTeamData[] {
new DevTeamData(test,
OK thanks for doing that.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More help : https://help.launchpad.net/ListHelp
No i havent yet implemented that, as i didnt get time to look up how to
implement it, so im not sure how to go about redirecting it.
You mean there's actually no way to get into GameFileServer? OK I'll have a
look at that. It should be an XML file somewhere.
OK so it looks as though after
Review: Approve
Let's just do it.
--
https://code.launchpad.net/~mugle-dev/mugle/ui/+merge/59455
Your team MUGLE Developers is subscribed to branch lp:~mugle-dev/mugle/dev-api.
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe :
OK that's done. From now on, develop in trunk.
(That isn't to say you can't make more branches; just don't make any more
commits to dev-api or ui.)
--
Mailing list: https://launchpad.net/~mugle-dev
Post to : mugle-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mugle-dev
More
In that case the exceptions should be moved to the client API - the
exceptions I created were as follows:
AchievementNotExists - if the dev tries to look for or change the state of
a user's achievement when an achievement with that name doesn't exist
UserNotExists - if for some reason theres
Hi guys,
I think Scott is responsible for GameViewServiceImpl (platform branch) and
Prageeth for ModelWrapper.
I am trying to debug GameViewServiceImpl.java in the platform branch. It
still isn't compiling for me.
First, what is this toReturn thing? It looks like a temporary array used to
build
Man, that is a fancy pants logo. Very very cool. But yes, as David said, the
bottom is cut off for me and various programs refuse to display it, so I
think the file is corrupted. Try again?
Also what program did you use to make it? Do you have an SVG source for the
logo?
--
Mailing list:
I personally don't see a security issue since only the desired values are
passed back to the client.
Right. If only the desired values are passed back to the client, then there is
no security *vulnerability*.
I say security issue since I would be concerned that if any one
mistake was made in
Unfortunately, the only choice is to either a) rename the class, b)
refer to both User classes by their fully-qualified names
au.edu.unimelb.csse.mugle.server.model.User and
com.google.appengine.api.users.User, or c) do what Prageeth said and
import just one class, and refer to the other by its
Just a follow-up on this. I'm not sure if Prageeth mentioned it elsewhere. I
met with Prageeth on Monday and we talked about my previous email. We
decided that since he was working on a huge changeset, it would be
appropriate to start using branches.
So all of Prageeth's changes on the wrappers
Hi Prageeth,
You added the 'synchronized' keyword to a bunch of static methods
(e.g., in data-wrapper
r57http://bazaar.launchpad.net/%7Emugle-dev/mugle/data-wrapper/revision/57).
I'm just wondering what the purpose of this was.
I haven't ever used this keyword before, so forgive me if I
** Branch linked: lp:~mugle-dev/mugle/data-wrapper
--
You received this bug notification because you are a member of MUGLE
Developers, which is subscribed to MUGLE.
https://bugs.launchpad.net/bugs/730086
Title:
Add Serializable classes of model to be passed by GWT RPC
Status in Melbourne
Public bug reported:
For some reason, we have both of these (I added both). I think one is
for GAE and one is for GWT but we certainly shouldn't have both.
Cleanup.
** Affects: mugle
Importance: Medium
Assignee: Matt Giuca (mgiuca)
Status: Triaged
--
You received this bug
No, I remember deliberately taking it out, because GWT likes to keep
other things there that can't be copied or generated. I have a feeling
that src/WEB-INF/web.xml is not actually being used at all, but I'd have
to think about it.
--
You received this bug notification because you are a member
Attention *all developers:*
(Note, if you check your bzr log and find that you have not yet updated to
r44, then you do not need to pay attention to this; you can just bzr up as
normal.)
OK I have pushed the fixed version of the branch to Launchpad. This is not
something one normally should do
74 matches
Mail list logo
