On 13 Sep 2010, at 16:33, Felix Meschberger wrote:

> Hi,
> 
> Am 12.09.2010 23:34, schrieb Ian Boston:
>> 
>> On 12 Sep 2010, at 00:25, Felix Meschberger wrote:
>> 
>>> There is one situation where an admin session is always retrieved: The
>>> CreateUser servlet. This is probably a bug and should only use an admin
>>> session for self-registration.
>> 
>> 
>> +1,
>> I think we have modified our CreateUser servlet to do this, and added a hook
>> to allow control over self registration; we use that hook to look for things
>> like reCaptcha tokens. Is that something that should be in Sling?
> 
> Sounds like a good idea -- and, yes, very open to accept such a
> contribution ;-)

Here is a patch [1] that brings across the optimisations that we have done to
the CreateUser servlet: removing duplicate user lookups (especially where the
user doesn't exist, which added quite a bit to the operation) and caching
the administrative ID.

It also adds a RequestTrustValidator and an interface that answers the question
"what level of trust can we associate with this request?". I don't think that
the location of the interfaces is correct. We have put the interface next to
the TokenStore bundle, but the inter-bundle binding might not be appropriate.

We have a reCaptcha implementation of this interface.

Finally, it adds OSGi events to user creation so other things can hook in. At
the moment it's an async event, but perhaps it should be sync.

WDYT? Too much, not enough?
I haven't looked through what we have done in groups at the moment.

Ian

[1] http://codereview.appspot.com/2226042



> 
> BTW: I have created a hook for self-registration in the launchpad
> content -- the signup.html page currently just displaying the usual
> "not-implemented-yet" banner. We might want to integrate that with the
> self-registration CreateUser servlet.
> 
> Regards
> Felix
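A sketch of the trust-gated self-registration path Ian describes above, as an added example that is not part of this thread or the linked patch: the RequestTrustValidator shape, the TrustLevel ordering, the captcha-token parameter name and the CaptchaValidator stand-in are all assumptions, and a plain parameter map stands in for the servlet request.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
/** Hypothetical sketch, not the linked patch: the hook's shape and names are assumed. */
public final class SelfRegistrationGate {
    /** Trust a validator can vouch for, ordered from least to most. */
    public enum TrustLevel { NONE, ANONYMOUS_VERIFIED, AUTHENTICATED }
    /** Answers "what level of trust can we associate with this request?" */
    public interface RequestTrustValidator {
        TrustLevel trustLevel(Map<String, String> requestParams);
    }
    /** Constructed stand-in for a captcha check; a real one would call the captcha service. */
    public record CaptchaValidator(Set<String> acceptedTokens) implements RequestTrustValidator {
        @Override public TrustLevel trustLevel(Map<String, String> p) {
            String token = p.get("captcha-token"); // assumed parameter name
            // Fail closed: a missing or unrecognised token earns no trust at all.
            return token != null && acceptedTokens.contains(token)
                    ? TrustLevel.ANONYMOUS_VERIFIED : TrustLevel.NONE;
        }
    }

    private final List<RequestTrustValidator> validators;
    private final TrustLevel required;
    public SelfRegistrationGate(List<RequestTrustValidator> validators, TrustLevel required) {
        this.validators = validators;
        this.required = required;
    }

    /** Highest trust any bound validator vouches for; NONE when none is bound, so the gate stays shut. */
    public TrustLevel trustOf(Map<String, String> params) {
        TrustLevel best = TrustLevel.NONE;
        for (RequestTrustValidator v : validators) {
            TrustLevel t = v.trustLevel(params);
            if (t.compareTo(best) > 0) best = t;
        }
        return best;
    }
    /** The servlet obtains an admin session for self-registration only when this returns true. */
    public boolean mayUseAdminSession(Map<String, String> params) {
        return trustOf(params).compareTo(required) >= 0;
    }

    public static void main(String[] args) {
        SelfRegistrationGate gate = new SelfRegistrationGate(
                List.of(new CaptchaValidator(Set.of("tok-123"))), TrustLevel.ANONYMOUS_VERIFIED);
        System.out.println(gate.mayUseAdminSession(Map.of("captcha-token", "tok-123")));
        System.out.println(gate.mayUseAdminSession(Map.of("captcha-token", "forged")));
    }
}
```

Because trustOf starts from NONE, a deployment with no validator bound refuses the admin-session path instead of silently allowing it.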
