Merge pull request #499 from jelmer/admin-bool

Don't open the admin page with a default password by default. Fixes #491
This commit is contained in:
Jelmer Vernooij 2018-11-23 03:21:12 +00:00 committed by GitHub
commit 966d403ebb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 63 additions and 4 deletions

View File

@ -4,6 +4,9 @@ Changelog for Isso
0.11.2 (unreleased) 0.11.2 (unreleased)
------------------- -------------------
- Don't enable admin interface with default password by default.
(Jelmer Vernooij, #491)
0.11.1 (2018-11-03) 0.11.1 (2018-11-03)
------------------- -------------------

View File

@ -11,6 +11,7 @@ include isso/js/count.dev.js
include isso/defaults.ini include isso/defaults.ini
include isso/templates/admin.html include isso/templates/admin.html
include isso/templates/disabled.html
include isso/templates/login.html include isso/templates/login.html
include isso/css/admin.css include isso/css/admin.css
include isso/css/isso.css include isso/css/isso.css

View File

@ -355,6 +355,24 @@ base
limit limit
number of most recent comments to return for a thread number of most recent comments to return for a thread
Admin
-----
Isso has an optional web administration interface that can be used to moderate
comments. The interface is available under ``/admin`` on your isso URL.
.. code-block:: ini
[admin]
enabled = true
password = secret
enabled
whether to enable the admin interface
password
the plain text pasword to use for logging into the administration interface
Appendum Appendum
-------- --------

View File

@ -0,0 +1,28 @@
<html>
<head>
<title>Isso admin</title>
<link type="text/css" href="{{isso_host_script}}/css/isso.css" rel="stylesheet">
<link type="text/css" href="{{isso_host_script}}/css/admin.css" rel="stylesheet">
</head>
<body>
<div class="wrapper">
<div class="header">
<header>
<img class="logo" src="{{isso_host_script}}/img/isso.svg" alt="Wynaut by @veekun"/>
<div class="title">
<a href="./">
<h1>Isso</h1>
<h2>Administration</h2>
</a>
</div>
</header>
</div>
<main>
<div id="disabled">
Administration is disabled on this instance of isso. Set enabled=true
in the admin section of your isso configuration to enable it.
</div>
</main>
</div>
</body>
</html>

View File

@ -1067,8 +1067,10 @@ class API(object):
) )
def login(self, env, req): def login(self, env, req):
if not self.isso.conf.getboolean("admin", "enabled"):
return render_template('disabled.html')
data = req.form data = req.form
password = self.isso.conf.get("general", "admin_password") password = self.isso.conf.get("admin", "password")
if data['password'] and data['password'] == password: if data['password'] and data['password'] == password:
response = redirect(re.sub( response = redirect(re.sub(
r'/login$', r'/login$',
@ -1087,6 +1089,8 @@ class API(object):
def admin(self, env, req): def admin(self, env, req):
isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
if not self.isso.conf.getboolean("admin", "enabled"):
return render_template('disabled.html')
try: try:
data = self.isso.unsign(req.cookies.get('admin-session', ''), data = self.isso.unsign(req.cookies.get('admin-session', ''),
max_age=60 * 60 * 24) max_age=60 * 60 * 24)

View File

@ -11,7 +11,10 @@ max-age = 15m
notify = stdout notify = stdout
reply-notifications = false reply-notifications = false
log-file = /var/log/isso.log log-file = /var/log/isso.log
admin_password = strong_default_password_for_isso_admin
[admin]
enabled = true
password = strong_default_password_for_isso_admin
[moderation] [moderation]
enabled = false enabled = false

View File

@ -59,9 +59,11 @@ gravatar = false
# default url for gravatar. {} is where the hash will be placed # default url for gravatar. {} is where the hash will be placed
gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon
# Admin access password [admin]
admin_password = please_choose_a_strong_password enabled = false
# Admin access password
password = please_choose_a_strong_password
[moderation] [moderation]
# enable comment moderation queue. This option only affects new comments. # enable comment moderation queue. This option only affects new comments.