diff --git a/CHANGES.rst b/CHANGES.rst
index d151faa..77ca306 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@ Changelog for Isso
 0.11.2 (unreleased)
 -------------------
+- Don't enable admin interface with default password by default.
+ (Jelmer Vernooij, #491)
+
 0.11.1 (2018-11-03)
 -------------------
diff --git a/MANIFEST.in b/MANIFEST.in
index 4c63d8e..facb5ce 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -11,6 +11,7 @@ include isso/js/count.dev.js
 include isso/defaults.ini
 include isso/templates/admin.html
+include isso/templates/disabled.html
 include isso/templates/login.html
 include isso/css/admin.css
 include isso/css/isso.css
diff --git a/docs/docs/configuration/server.rst b/docs/docs/configuration/server.rst
index d86e62a..6aac326 100644
--- a/docs/docs/configuration/server.rst
+++ b/docs/docs/configuration/server.rst
@@ -355,6 +355,24 @@ base
 limit number of most recent comments to return for a thread
+Admin
+-----
+
+Isso has an optional web administration interface that can be used to moderate
+comments. The interface is available under ``/admin`` on your isso URL.
+
+.. code-block:: ini
+
+ [admin]
+ enabled = true
+ password = secret
+
+enabled
+ whether to enable the admin interface
+
+password
+ the plain text pasword to use for logging into the administration interface
+
 Appendum
 --------
diff --git a/isso/templates/disabled.html b/isso/templates/disabled.html
new file mode 100644
index 0000000..b009a01
--- /dev/null
+++ b/isso/templates/disabled.html
@@ -0,0 +1,28 @@
+ + + Isso admin + + + + +
+
+
+ + +
+
+
+
+ Administration is disabled on this instance of isso. Set enabled=true + in the admin section of your isso configuration to enable it. +
+
+
+
diff --git a/isso/views/comments.py b/isso/views/comments.py
index 269dd6b..aaf4568 100644
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@@ -1067,8 +1067,10 @@ class API(object):
 )
 def login(self, env, req):
+ if not self.isso.conf.getboolean("admin", "enabled"):
+ return render_template('disabled.html')
 data = req.form
- password = self.isso.conf.get("general", "admin_password")
+ password = self.isso.conf.get("admin", "password")
 if data['password'] and data['password'] == password:
 response = redirect(re.sub(
 r'/login$',
@@ -1087,6 +1089,8 @@ class API(object):
 def admin(self, env, req):
 isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
+ if not self.isso.conf.getboolean("admin", "enabled"):
+ return render_template('disabled.html')
 try:
 data = self.isso.unsign(req.cookies.get('admin-session', ''),
 max_age=60 * 60 * 24)
diff --git a/share/isso-dev.conf b/share/isso-dev.conf
index 18400ee..d417a19 100644
--- a/share/isso-dev.conf
+++ b/share/isso-dev.conf
@@ -11,7 +11,10 @@ max-age = 15m
 notify = stdout
 reply-notifications = false
 log-file = /var/log/isso.log
-admin_password = strong_default_password_for_isso_admin
+
+[admin]
+enabled = true
+password = strong_default_password_for_isso_admin
 [moderation]
 enabled = false
diff --git a/share/isso.conf b/share/isso.conf
index 9828ca4..05660a8 100644
--- a/share/isso.conf
+++ b/share/isso.conf
@@ -59,9 +59,11 @@ gravatar = false
 # default url for gravatar. {} is where the hash will be placed
 gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon
-# Admin access password
-admin_password = please_choose_a_strong_password
+[admin]
+enabled = false
+# Admin access password
+password = please_choose_a_strong_password
 [moderation]
 # enable comment moderation queue. This option only affects new comments.
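Review bot: The new `self.isso.conf.getboolean("admin", "enabled")` guard at the top of `login` will raise `configparser.NoSectionError` on any existing deployment whose config still lacks an `[admin]` section, because nothing in this diff adds that section to `isso/defaults.ini` and the old `[general] admin_password` key is no longer consulted; unless defaults are supplied elsewhere, either pass `fallback=False` (if `self.isso.conf` is a stock configparser) or state in the changelog entry that the new section is mandatory. The identical guard added to `admin()` in the next hunk has the same issue. On the unchanged line just below, `data['password'] == password` compares the submitted secret with plain `==`; `hmac.compare_digest(data['password'], password)` gives a constant-time comparison and is a one-line change plus an `import hmac`. The body of `login` continues past the end of the hunk.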
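Review bot: `share/isso-dev.conf` now enables the admin interface (`enabled = true`) together with the well-known `password = strong_default_password_for_isso_admin`, so anyone who starts from the dev config gets a reachable admin login with a published secret, which is the situation the changelog entry says this commit is meant to avoid. If the dev profile must keep the interface on, a comment beside the password line such as `# development only: replace this password before exposing the instance` would make the trade-off visible to whoever copies the file. `share/isso.conf` in the last hunk keeps `enabled = false`, which is the safer shipped default.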