Re: [Trac] Re: Nessus able to create user in Trac
Hello Dave,

thanks for taking care to contribute your thoughts and share development results with us.

On 05.11.2014 17:33, Dave Love wrote:
> RjOllos writes:
>
>> For reference, solutions have been provided in:
>> http://trac.edgewall.org/ticket/11803
>> http://trac-hacks.org/ticket/12047
>
> For what it's worth, I've just had spam accounts created, despite the
> AcctManager BotTrapCheck. I wanted something like TracQuestionRegister,
> but that no longer works.

For reference here you referred to QuestionRegisterPlugin [1], correct? For what it's worth the expected incompatibility of this hack with current accountmanager versions has been reported [2] early, including an offer to assist on new API adoption. Seems like the hack is currently unmaintained.

> I hacked up this change to the current
> AccountManager to ask a project-specific question ("What's the command
> to ...") which should be more robust. I'll try to contribute it if
> trac-hacks will talk to me sometime.

Your patch submission enables inclusion of the functionality of QuestionRegisterPlugin into accountmanager, that has been blocked by the incompatible licenses before. I assume that you agree to put your patch under accountmanager's BSD license [3], but I'd still prefer if you acknowledged that here yourself. Once I've got your feedback I'm prepared to obsolete the separate hack for the upcoming acct_mgr-0.5 and later.

> [The form you get from bottrap seems a bit odd to me. The box is
> labelled "Parole:" -- which is correct, but not a word I'd ever have
> used for that -- rather than the "hint" which appears below, but I
> didn't try to change it. Also, it was unclear what the register_check
> list could comprise and exactly how to customize things without the
> admin GUI.]

Regarding configuration you must have missed the relevant wiki documentation [4]. As a non-native speaker I'm not in the position to argue about wording, but surely I took advice before making that choice.

Make sure to check what SpamFilterPlugin [5] could do for you.

Steffen Hoffmann

[1] http://trac-hacks.org/wiki/QuestionRegisterPlugin
[2] http://trac-hacks.org/ticket/10270
[3] http://trac-hacks.org/wiki/License/MandatorySignOff
[4] http://trac-hacks.org/wiki/AccountManagerPlugin/RegistrationInspector#ModularRegistrationChecks
[5] http://trac.edgewall.org/wiki/SpamFilter

--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trac-users+unsubscr...@googlegroups.com.
To post to this group, send email to trac-users@googlegroups.com.
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.
Re: [Trac] Re: Nessus able to create user in Trac
RjOllos writes:

> For reference, solutions have been provided in:
> http://trac.edgewall.org/ticket/11803
> http://trac-hacks.org/ticket/12047

For what it's worth, I've just had spam accounts created, despite the AcctManager BotTrapCheck. I wanted something like TracQuestionRegister, but that no longer works. I hacked up this change to the current AccountManager to ask a project-specific question ("What's the command to ...") which should be more robust. I'll try to contribute it if trac-hacks will talk to me sometime.

[The form you get from bottrap seems a bit odd to me. The box is labelled "Parole:" -- which is correct, but not a word I'd ever have used for that -- rather than the "hint" which appears below, but I didn't try to change it. Also, it was unclear what the register_check list could comprise and exactly how to customize things without the admin GUI.]

--- acct_mgr/register.py 2014/11/05 15:16:40 1.1 +++ acct_mgr/register.py 2014/11/05 15:50:54 @@ -172,6 +172,8 @@ reg_basic_token = Option('account-manager', 'register_basic_token', '', doc="A string required as input to pass verification.") +reg_basic_question = Option('account-manager', 'register_basic_question', '', +doc="A question to ask instead of the standard prompt, to which register_basic_token is the answer.") def render_registration_fields(self, req, data): """Add a hidden text input field to the registration form, and 
@@ -182,11 +184,14 @@ # everything again. old_value = req.args.get('basic_token', '') -# TRANSLATOR: Hint for visible bot trap registration input field. -hint = tag.p(Markup(_( -"""Please type [%(token)s] as verification token, -exactly replicating everything within the braces.""", -token=tag.b(self.reg_basic_token))), class_='hint') +if self.reg_basic_question: +hint = tag.p(_("Please answer above: ") + self.reg_basic_question, class_='hint') +else: +# TRANSLATOR: Hint for visible bot trap registration input field. +hint = tag.p(Markup(_( +"""Please type [%(token)s] as verification token, +exactly replicating everything within the braces.""", +token=tag.b(self.reg_basic_token))), class_='hint') insert = tag( tag.label(_("Parole:"), tag.input(type='text', name='basic_token', size=20,
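Review bot: In the first hunk (@@ -172,6 +172,8 @@), the doc string for `register_basic_question` names `register_basic_token` as the answer, but both options default to `''` and nothing visible here says what happens when a question is set while the token is left empty. Please state in the doc string that `register_basic_token` must be set whenever a question is configured. Since the token is no longer shown to the user in that mode, also update the doc of `register_basic_token` ("A string required as input to pass verification.") to mention that it then acts as a secret answer, and note how the answer is matched, because the comparison is not touched by this patch and a typed answer varies in case and spacing more than a copied token does.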
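Review bot: In the second hunk (@@ -182,11 +184,14 @@), the new `if self.reg_basic_question:` branch builds the hint by concatenating `_("Please answer above: ")` with the question, and the `# TRANSLATOR:` comment has moved into the `else:` branch, so the new string reaches translators without context and with a fixed word order. I would use the same substitution style as the existing hint, for example `_("Please answer above: %(question)s", question=self.reg_basic_question)`, and add a TRANSLATOR comment of its own. Passing the question as plain text rather than through `Markup(...)` is the right choice and should stay, since it keeps the configured string escaped in the form. The field label is still `_("Parole:")` in both modes, so "answer above" only makes sense as long as the hint stays below the input.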