Merge pull request #499 from jelmer/admin-bool

Don't open the admin page with a default password by default. Fixes #491

CHANGES.rst

@@ -4,6 +4,9 @@ Changelog for Isso
 0.11.2 (unreleased)
 -------------------
 
+- Don't enable admin interface with default password by default.
+  (Jelmer Vernooij, #491)
+
 0.11.1 (2018-11-03)
 -------------------
 

MANIFEST.in

@@ -11,6 +11,7 @@ include isso/js/count.dev.js
 include isso/defaults.ini
 
 include isso/templates/admin.html
+include isso/templates/disabled.html
 include isso/templates/login.html
 include isso/css/admin.css
 include isso/css/isso.css

docs/docs/configuration/server.rst

@@ -355,6 +355,24 @@ base
 limit
     number of most recent comments to return for a thread
 
+Admin
+-----
+
+Isso has an optional web administration interface that can be used to moderate
+comments. The interface is available under ``/admin`` on your isso URL.
+
+.. code-block:: ini
+
+   [admin]
+   enabled = true
+   password = secret
+
+enabled
+   whether to enable the admin interface
+
+password
+   the plain text pasword to use for logging into the administration interface
+
 Appendum
 --------
 

isso/templates/disabled.html

@@ -0,0 +1,28 @@
+<html>
+<head>
+  <title>Isso admin</title>
+  <link type="text/css" href="{{isso_host_script}}/css/isso.css" rel="stylesheet">
+  <link type="text/css" href="{{isso_host_script}}/css/admin.css" rel="stylesheet">
+</head>
+<body>
+  <div class="wrapper">
+    <div class="header">
+      <header>
+        <img class="logo" src="{{isso_host_script}}/img/isso.svg" alt="Wynaut by @veekun"/>
+        <div class="title">
+          <a href="./">
+            <h1>Isso</h1>
+            <h2>Administration</h2>
+          </a>
+        </div>
+      </header>
+    </div>
+    <main>
+      <div id="disabled">
+        Administration is disabled on this instance of isso. Set enabled=true
+        in the admin section of your isso configuration to enable it.
+      </div>
+    </main>
+  </div>
+</body>
+</html>

isso/views/comments.py

@@ -1067,8 +1067,10 @@ class API(object):
         )
 
     def login(self, env, req):
+        if not self.isso.conf.getboolean("admin", "enabled"):
+            return render_template('disabled.html')
         data = req.form
-        password = self.isso.conf.get("general", "admin_password")
+        password = self.isso.conf.get("admin", "password")
         if data['password'] and data['password'] == password:
             response = redirect(re.sub(
                 r'/login$',
@@ -1087,6 +1089,8 @@ class API(object):
 
     def admin(self, env, req):
         isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
+        if not self.isso.conf.getboolean("admin", "enabled"):
+            return render_template('disabled.html')
         try:
             data = self.isso.unsign(req.cookies.get('admin-session', ''),
                                     max_age=60 * 60 * 24)

share/isso-dev.conf

@@ -11,7 +11,10 @@ max-age = 15m
 notify = stdout
 reply-notifications = false
 log-file = /var/log/isso.log
-admin_password = strong_default_password_for_isso_admin
+
+[admin]
+enabled = true
+password = strong_default_password_for_isso_admin
 
 [moderation]
 enabled = false

share/isso.conf

@@ -59,9 +59,11 @@ gravatar = false
 # default url for gravatar. {} is where the hash will be placed
 gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon
 
-# Admin access password
-admin_password = please_choose_a_strong_password
+[admin]
+enabled = false
 
+# Admin access password
+password = please_choose_a_strong_password
 
 [moderation]
 # enable comment moderation queue. This option only affects new comments.