View · Index

Weblog

Showing 11 - 20 of 691 Postings (summary)

OpenACS 5.10.0 Change Summary

Created by Gustaf Neumann, last modified by Gustaf Neumann 07 Oct 2023, at 05:43 PM

  • Functional improvements
    • Features:
      • Added additional page_contract filter: oneof(red|green|blue)
      • template::add_event_listener and template::add_confirm_handler now can target elements by CSS selector
      • Added text/markdown to the accepted text formats or rich-text widget
      • Support for range types in .xql files:

        PostgreSQL supports range types since 9.5. When using range types, square braces have to be used in SQL statements. Since OpenACS uses always Tcl substitution in .xql files, and OpenACS does NOT allow backslash substitution in these files, square brackets could not be escaped and therefore not be used in .xql files so far. This change allows now a developer to deactivate the substitution by passing e.g. -subst none to the db_* command using the .xql file. Valid values for -subst are all, none, vars, and commands, default is all which is exactly the behavior of previous releases. Therefore, this change is fully backward compatible.

      • Improved API browser: Visualization for code dependencies (which procs calls what, from where is a proc being called) and test-coverage
      • Warn site administrators about expiring certificates
      • Additional input types (and widgets) for ad_form:
        • checkbox_text
        • color
        • email
        • tel
        • url
        • number
        • file (multiple)
        • h5date and h5time: date and time fields using native HTML5 visualization and input normalization
      • Registry for .js and .css libraries: allow besides classical URLs symbolic names for loading external resources (e.g. jquery), this makes it easier to upgrade libraries in multiple packages (without running into problems with duplicate versions) and supports switching between CDN and local pathsURN. The existing implementation is based on URNs and extends the existing template-head API to support registration for URNs. A URN provides an abstraction and a single place for e.g. updating references to external resources when switching between a CDN and a locally stored resource, or when a resource should be updated. Instead of adding e.g. a CDN URL via template::head::add_script, one can add an URN and control its content from a single place. Use common namespaces for OpenACS such as urn:ad:css:* and urn:ad:js:*.
        • Register URNs:

          Example provider (e.g. in some theme):
             template::register_urn \ 
                 -urn urn:ad:js:jquery \ 
                 -resource /resources/xowiki/jquery/jquery.min.js
          
        • The registered URN can be used like classical URL after registration.

          Example consumer:

             template::head::add_javascript -src urn:ad:js:jquery
        • Declare composite files: Provide an interface to define that a .js file or a .css file contains multiple other .js/.css files in order to reduce the number of requests.
             template::head::includes -container urn:js::style.js -parts {urn:ad:js:jquery ...}
      • Improved support for streaming HTML: The new API function template::collect_body_scripts can be used to get the content of template::script or CSP calls (template::add_body_script, template::add_event_listener, template::add_body_handler, template::add_script) when streaming HTML (incremental HTML) is used. Before, these call could bot be used for streaming HTML.

    • Reforms:
      • Dynamic blueprint reloading:
        • When reloading apm packages, watched files, etc. the NaviServer blueprint is now updated correctly. This solves the long-standing problem that changes for scheduled procedures required a restart of the server. Furthermore, the old-style reloading was based on a ever-growing list of reload operations each time a new reload was requested, causing slow-downs in long running server instances, especially, when new threads are started.
        • Now changes are applied to all NaviServer threads, including threads for schedules procedures, ns_jobs and the like. Note that the current job has to be finished before the changes can be applied.
        • For the transition, it is possible to switch between the classical reloading style and blueprint reloading by changing a variable in acs-tcl/tcl/apm-procs.tcl
      • Login:
        • Get rid of bugging "login page expired" messages. The 17 years old construct was replaced by newer means to avoid caching of form values from the login form. Admins of existing sites should set the kernel parameter LoginPageExpirationTime to 0
      • Forums:
        • Removed hard-coded dependency with registered_users group when checking forum permissions
        • Don't rely so heavily on acs_permissions to model forum configuration, as this can have unexpected consequences in convoluted multi-group/multi-subsite scenarios. Prefer simpler table attributes instead
        • New style of attachments to the forums, allowing multiple attachments to a single message directly from the message post page, using the multiple file input widget. Retain compatibility with old style attachments, using the new 'AttachmentStyle' package instance parameter. Currently, this supports two values: 'simple' (new behavior) and 'complex' previous behavior.
      • Chat:
        • Revamping of the GUI
        • Responsiveness
        • Full screen mode
        • Skins support (minimal, classic and bubbles, included): Skins are located in the new /packages/xowiki/www/resources/chat-skins/ directory. New skins can be created by just adding the css and js files in the skins directory, and naming them accordingly (chat-$SKIN_NAME.{js|css}).
        • Avatars (can be enabled per room)
        • Number of active users in chat
        • Tab notifications of new messages
        • Web Notifications:
          • https://www.w3.org/TR/notifications/
          • https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API/Using_the_Notifications_API
      • acs-lang:
        • admin pages:
          • Added the option to unregister (delete permanently the message key from all locales) a message key that has been already marked as deleted. Useful for cleaning up old message keys.
          • Added the option to undelete, using the new ::message::undelete proc.
          • Made number and category (untranslated/deleted/...) of messages coherent in all pages.
          • Added the columns 'total' and 'deleted' to the index page.
        • object_id reference: it is now possible to associate a message key to an object_id in a way that e.g. when the object is deleted, so is the message key. This addresses cases such as the message keys generated by group creation or by the new XoWiki localized fields
      • Notifications:
        • Improved scalability for notifications: One of the most expensive operations in large site is the cleanup for notification_requests in situations, where the user has lost permissions on an object, on which the user wanted to receive notifications. This check was performed previously in notification::sweep::cleanup_notifications via a permission check over all notification requests, which can be very costly on large sites. This change moves this cleanup into the actual notification sending, where the permissions have to be sent anyhow.
        • When sending a notification on behalf of a person, if the system is not configured to process replies to notification, do not set the reply-to address to anything different than the sender
        • Notifications: proper cleanup of acs_objects resulting from the deletion of dynamic notification requests
      • User/Person/Party API: rework and rationalize caching of all party, person and user API, create separate caches for each of these types, make the API and return dicts. acs_user::get will not fail anymore with non-existing user.
      • User Portrait: created API to retrieve and create, store and delete the user's portrait. Also address leftover child relationships from the past and delete them properly.
  • Non-functional Changes
    • Improved automated regression test infrastructure and test coverage
      • All packages in the oacs-5-10 branch pass regression test
      • Web testing was separated from non-maintained tcltest and was built on the standard OpenACS infrastructure
      • Include web testing per default in standard regression testing
      • Introduced new test authentication authority, allowing to run many user administration tests outside the context of a "real authority": in cases where the real authority depends on external services to proof identity, (e.g. Kerberos), those tests would just fail.
      • Introduce the display of warnings in the UI
      • Added test coverage information in the automated testing pages, using the new proc-coverage API and providing test coverage information for packages and system wide.
      • Increased overall coverage of public API
      • New tests checking various data-model properties and smells
         
    • Improved scalability:
      • Provided lock-free implementation of ad_page_contract_filters and ad_page_contract_filter_rules. This change improves parallel processing of requests and is primarily interesting for sites with a few mio page views per days. These locks were among the most frequent nsv locks

      • Reduced locks on util_memoize_cache my more invariants values into per-thread caching (acs_lookup_magic_object, ad_acs_version, .... ) and by avoiding specialized calls, which can be realized by already optimized ones (apm_package_installed_p_not_cached ref-timezones was most frequently used util_memoize_cache entry). These changes are necessary to avoid full still-stand on the unfortunate long-time locks on util_memoize_cache stemming from permission and user management with wild-card flush operations, which require to iterate over all cache entries (which might be on a busy server several hundred thousands)

      • Added new interface for cache partitioning to reduce lock latencies on high load websites

      • Added new interface for lock-free per-thread and per-request caching to avoid scattered ad-hoc implementations

      • Better reuse of DB handles (reduced expiring/reopen/etc.), faster access to handles

    • Improved startup time:
      • When the package acs-automated-testing is disabled, startup time is reduced by avoiding loading of support functions and tests; the size of the blueprint is reduced
      • xowf: loading of at-jobs is significantly improved.
         
    • Security improvements:
      • Strengthened page contracts
      • CSP support for application packages
      • CSP fine tuning
         
    • Better exception handling based on Tcl 8.6 exception handlers (try and throw, also available in Tcl 8.5)
      • Provided a new ad_try implementation based on Tcl's try replaces now the old ad_try, with_catch and with_finally, which are marked as deprecated
      • The new ad_try is in essence Tcl's try but with predefined handling of ad_script_abort and should be also used instead of catch, when the OpenACS API is used (which might use script aborts)
      • All core packages use the new ad_try instead of the deprecated versions.
         
    • Connection close reform:
      • NaviServer/AOLserver continue after connection closing commands to execute a script. This is in many situations not desired, especially, when for the page as well a .adp file exists, which will try to deliver this on the already closed connection. This can lead to errors in the error.log file, which are sometimes hard to analyze
      • Due to this cleanup, developers should use in most such cases cases ad_script_abort
      • Connection closing commands are e.g. ad_returnredirect, ad_redirect_for_registration, cr_write_content, ad_page_contract_handle_datasource_error, ad_return_string_as_file, ad_return_complaint, ad_return_error, ad_return_forbidden, ad_return_warning, ad_return_exception_page, ns_returnredirect, ns_return, ns_returnerror
      • The new version has made on most occasions explicit, when the script should abort.
         
    • API changes (new and extended API calls):
      • New API call category::get to obtain category description for a category_id and locale
      • New utility ad_pad emulating both lpad and rpad typically available in DBMSs
      • New proc lc_content_size_pretty, prettify data size given in bytes. It supports three different standards (SI base-10, IEC base-2 and the old JEDEC base-2), default is SI base-10.
      • New flag -export for ad_form: this flag uses export_vars under the hood and supports all of this API's features (e.g. :multiple, :sign, :array). This addresses a long standing TODO
      • util::pdfinfo: simple poppler-utils wrapper to extract pdf information
      • util::http: leverage new ns_http features such as request file spooling. Native implementation will now be used only on NaviServer >= 4.99.15.
      • Database API:
        • db_foreach: queries executed inside of a db_foreach will not be issued using a different handle and will therefore be safe to use in a transaction
        • db_list_of_lists: new -with_headers flag, which will make the first element of the returned list to be the column names as defined in the query
      • Groups API:
        • Logics to delete a group type have now been included in the API
        • Allow to filter group members by member_state in the API
           
    • Deprecated commands:
      • Many deprecated API calls were included in the code (and sometimes still in use) sometimes more than 10 years after these calls have been deprecated. In case a site modification still uses deprecated code, the user is warned about this. The OpenACS 5.10 code base does not depend on deprecated code.
      • Move deprecated code into separate files
      • Made loading of deprecated code optional (can be controlled via parameter "WithDeprecatedCode" in section "ns_section ns/server/${server}/acs" of the config file. By default, deprecated procs are still loaded
      • When deprecated code is not loaded, the blueprint of the interpreter is smaller. The following number of lines of code can be omitted when loading without the deprecated procs:
        • acs-tcl: 3178
        • acs-templating: 450
        • xotcl-core http-client-procs: 830
        • acs-content-repository: 1717 (including .xql files)
           
    • Bugfix and Code Maintenance:
      • Made sure all party emails are stored as lowercase through the API
      • Fixed long standing regression in template::list: we were looping through the list "elements", rather than the "display_elements". This prevents specifying different sets of columns to be returned depending on the -formats and -selected_format options in template::list::create.
      • acs-content-repository: New HEIC and HEIF mimetypes
      • acs-mail-lite: handle to_addr specified as "DisplayName <email>" without errors
      • Fixed invalidating of all existing user logins, (aka) "Logout from everywhere" feature, useful e.g. to make sure no device still holds a valid login when we change our password on a device
      • Don't lose the return URL when one tries to join a subsite before being logged in
      • Added doc(base_href) and doc(base_target) for setting <base> element via blank-baster (see issue #3435)
      • Groups:
        • When a new group is created, flush all the group::get_id caches with the same name so that the new group can be fetched correctly in case it replaces a previously deleted one
        • Cleanup message keys coming from groups in acs-translations when a group is deleted
      • acs-lang:
        • lang::util::convert_to_i18n: do not always register a en_US translation, which would be always overridden. Instead, let lang::message::register make sure that a en_US message exists and create one only as a fallback.
        • lc_time_fmt: leverage Tcl clock to address shortcomings such as handling of dates in Julian/Gregorian calendar and impossible dates such as 1999-02-29, implement missing formats, support previously undocumented formats explicitly
      • search: make sure objects in the search indexer queue still exist by the time they are swept by the indexer (e.g. items deleted before the indexer could sweep them)
      • attribute::delete: fix proc so it leverages stored procedure capability of dropping the database table as well
      • util::http: fix UTF-8 encoding issues for some cornercases
      • Localization: Complete Italian and Spanish localization for the whole .LRN set of packages (including themes). Message keys for new and previously localized packages have also been updated
         
    • General cleanup/maintenance
      • Improved handling of server implementation-specific code: server-specific code can be optionally loaded via specifying the server family in the filename. Provided *-procs-aolserver.tcl and *-procs-naviserver.tcl similar to *.postgresql.xql and *.oracle.xql where appropriate
      • Modernization of Tcl idioms.
      • Compliance of files, proc names, ... to the naming conventions.
      • White space cleanup, indentation changes.
      • Improvement of public API documentation
      • Adjustment of proc protection levels (public, private)
      • Adjustment of log severity
      • Cleanup of obsolete files
      • Replacement of handcrafted forms by ad_form
      • Typo fixing
      • Editor hints
      • Replacement of deprecated calls
      • Addition of missing contracts
      • ...
         
    • SQL cleanup:
      • Cleanup of obsolete nonportable SQL constructs in a way Oracle and PostgreSQL code base divergency is reduced:
        • "nvl" -> "coalesce"
        • "sysdate" / "now()" -> standard "current_date" or "current_timestamp"
        • Use standard-compliant "dual" table where appropriate (required by Oracle, supported by PostgreSQL)
        • Use non-dialectal cast idioms when appropriate
        • Adopt CTE idioms in Oracle codebase as well (e.g. connect -> with recursive)
        • ... (reference Oracle version will be 11gr2 as is oldest version officially supported by Oracle (See here and here)
      • Reduced superfluous .xql queries
        • acs-subsite: delete 21 files with un-referenced .xql queries
        • acs-tcl: delete 4 files
        • news: 3 files
        • file-storage: 1 file
        • dotlrn: 9 files
           
    • New Packages:
      • cookie-consent: alerting users about the use of cookies on a website
      • boomerang: performance of your website from your end user’s point of view
      • xooauth: OAuth implementation, including LTI (Learning Tools Interoperability)
      • dotlrn-bootstrap3-theme: Bootstrap 3 theme for DotLRN
      • xowf-monaco-plugin: Integration of Monaco editor with for code exercise types in xowf
      • proctoring-support: utilities and user interfaces to implement proctoring of the user session, mainly intended in the context of distance education and online exams. The main proctoring feature relies only on web technologies and does not require any plugin or additional software. Optional support for the Safe Exam Browser has also been introduced. The package is currently at the core of WU Online Exam infrastructure and is integrated in the inclass exam implementation for xowf.
         
  • Require Tcl 8.6, XOTcl 2.1, PostgreSQL 9.6 (PostgreSQL 9.5 EOL: February 2021), tdom 0.9

Install OpenACS with NaviServer from Scratch

Created by Gustaf Neumann, last modified by Brian Fenton 18 Aug 2023, at 03:00 PM

This page describes how to install OpenACS with NaviServer on Unix-like systems (e.g. Linux, macOS, Solaris, OmniOS) by compiling all but PostgreSQL from scratch, guided by script that collects the components from various sources, compiles it, etc.

The installation is done in two steps:

  • install-ns.sh: Install NaviServer and its components for a PostgreSQL installation from scratch by obtaining the relevant sources and compiling it. The script assumes PostgreSQL to be already installed (or obtainable via package managers), and installs all other components by obtaining it from the source repositories and compiling it from scratch (e.g. Tcl, tcllib, tDOM, libthread, nsf/XOTcl 2).
     
  • install-oacs.sh: Install OpenACS from CVS/git. This script configures a (pre-installed) PostgreSQL installation for
    OpenACS, adds hstore, installs OpenACS core, basic OpenACS packages, xowiki, xowf and optionally dotlrn from CVS/git and generates a config file and startup files (for Ubuntu and Fedora Core). The script assumes a pre-existing NaviServer installation, installed e.g. via install-ns.sh

 These install scripts are frequently updated when new components are released or problems are detected (commit log).

If you open the links above, use save-as in the browser to save the files. Alternatively, download the files as .zip file or clone the repository via GitHub.

   cd /usr/local/src
   git clone https://github.com/gustafn/install-ns
   cd install-ns

The scripts work under a typical Linux installation (e.g. Ubuntu, Fedora Core) as well as on Mac OS X or on OmniOS,  OpenBSD 6.1, 6.3, 6.6, 6.8, 6.9, FreeBSD 12.2, 13.0, Ubuntu 12.04, 13.04, 14.04, 16.04, 18.04, 20.04, Raspbian GNU/Linux 9.4 (stretch), Fedora Core 18, 20, 32, 35, CentOS 7, Roxy Linux 8.4, ArchLinux.. The scripts are tested (over the years) with PostgreSQL 9.1 to 14.5.

On a fresh Ubuntu installation, you should be able to download the two scripts from this page and install OpenACS with NaviServer in the following steps:

   sudo bash

   bash install-ns.sh
   bash install-ns.sh build

   bash install-oacs.sh
   bash install-oacs.sh build

When running "install-ns.sh", you will see an output like the following (shortened here).

SETTINGS   build_dir              (Build directory)                 /usr/local/src
           ns_install_dir         (Installation directory)          /usr/local/ns
           version_ns             (Version of NaviServer)           4.99.24
           git_branch_ns          (Branch for git checkout of ns)   main
           version_modules        (Version of NaviServer Modules)   4.99.24
           version_tcllib         (Version of Tcllib)               1.20
           version_thread         (Version Tcl thread library)      
           version_xotcl          (Version of NSF/NX/XOTcl)         2.4.0
           version_tcl            (Version of Tcl)                  8.6.12
           version_tdom           (Version of tDOM)                 0.9.1
           ns_user                (NaviServer user)                 nsadmin
           ns_group               (NaviServer group)                nsadmin
                                  (Make command)                    make
                                  (Type command)                    type -a
           ns_modules             (NaviServer Modules)              nsdbpg
           with_mongo             (Add MongoDB client and server)   0
           with_postgres          (Install PostgreSQL DB server)    1
           with_postgres_driver   (Add PostgreSQL driver support)   1
           with_system_malloc     (Tcl compiled with system malloc) 0
           with_ns_doc            (NaviServer documentation)        1

The values in the first column can be used to tailor the system for your needs by setting same-named shell variables. One can use e.g.

   version_tdom=0.9.3 bash install-ns.sh 

to configure the compilation to use tDOM in version 0.9.3 instead of 0.9.1. As a more detailed example, if you want to use the newest version of NaviServer, and you want to use a different build directory and get also some extra modules compiled from their git versions, use e.g. the following command:

   version_ns=GIT \
      build_dir=/usr/local/src-test \
      ns_modules="nsdbpg nsdbi nsdbipg nsudp nssmtpd nsloopctl" \
      bash install-ns.sh 

For standard setups, the default settings should be OK.

After running both scripts in the default configuration, you will see e.g.

   Congratulations, you have installed OpenACS with NaviServer on your machine.
   You might start the server manually with
       sudo /usr/local/ns/bin/nsd -t /usr/local/ns/config-oacs-5-10-0.tcl -u nsadmin -g nsadmin

One can start the server manually with the mentioned command.

Using systemd

On Fedora/CentOS or on Ubuntu installations starting with 15.04, systemd is used. The generated startup file for RedHat/Fedora is in /lib/systemd/system/oacs-5-10-0.service. The startup commands for systemd are

    sudo systemctl status oacs-5-10-0
    sudo systemctl start oacs-5-10-0
    sudo systemctl stop oacs-5-10-0

Remember, when a new systemd service is installed, systemd requires the following command to re-scan its service files:

    sudo systemctl daemon-reload

To start OpenACS automatically on every new start of the machine, issue the following command:

    sudo systemctl enable oacs-5-10-0

Using upstart

Alternatively, some older Ubuntu versions (up to 15.04) use upstart. For upstart, the the generated startup file is in /etc/init/oacs-5-9-1.conf. The service can be started/managed with the following commands

    sudo initctl status oacs-5-10-0
    sudo initctl start oacs-5-10-0
    sudo initctl stop oacs-5-10-0

Configuration

When the service is running, one can use OpenACS by browsing to http://localhost:8000/ (when the browser and server is running on the same host). The relevant files are stored under the following locations:

Configuration file /usr/local/ns/config-oacs-5-10-0.tcl
access.log /var/www/oacs-5-10-0/log/
error.log /var/www/oacs-5-10-0/log/
Source tree /var/www/openacs-5-10-0/packages/

 

Security Guidelines

Created by Gustaf Neumann, last modified by Gustaf Neumann 24 Jul 2023, at 05:19 PM

The maintained OpenACS packages are regularly tested with state-of-the-art web vulnerability scanners. The packages are developed using the following the guidelines.
 

Protecting against SQL injection (SQI):

 

  • Use colon-prefixed bind variables in SQL statements when possible (for local variables)
    # use bindvars with local variables
    set x 0
    db_0or1row . {select * from acs_objects where object_id = :x}
    
    or pass bind variables explicitly, using the -bind option
    # use bind variables by passing a dictionary (attribute value list)
    set bindvars {object_id 0 security_inherit_p t}
    db_0or1row . {
       select * from acs_objects 
       where object_id = :object_id
       and security_inherit_p = :security_inherit_p
    } -bind $bindvars
    
  • In case, bind-variables are not possible, use ns_dbquotevalue or ns_dbquotelist (see NaviServer documentation)
     set x 0
     db_0or1row . [subst {select * from acs_objects where object_id = [ns_dbquotevalue $x]}] 
    
    Manual page
  • In general, avoid using double-quoted SQL statements whenever possible to avoid unescaped substitutions.
     

Protecting against cross side scripting (XSS):

 

  • Validate all input values using page contracts with value checkers, and validate all form variables in the form specification.
  • Make sure that Content Security Policies (CSP) are activated in the package parameters. When you have to relax the CSP roles, use "security::csp::require" as local as possible (e.g. on the page level) and not on the site level.

Using OpenACS with External Identity Providers

Created by Gustaf Neumann, last modified by Gustaf Neumann 24 Jul 2023, at 02:45 PM

With the forthcoming version, OpenACS 5.10.1 (and the current head version in the oacs-5-10 branch) OpenACS provides support for external identity providers, which can be used in parallel to the existing OpenACS authorities. It is possible, that users can

  • login alternatively via the configured authority and/or via external identity providers, or
  • exclusively over external identity providers

The alternative login requires that the same email address is used for a user in OpenACS and on the identity provider.

Handling of unregistered users

When using alternative logins, the returned user information might match pre-existing OpenACS users, or user information, which is unknown to the system. In such a situation, three scenarios might be possible:

  1. reject the unknown user
  2. create a new OpenACS user based on the information returned from the identity provider.

The default behavior of the implementation is to reject the user. When the optional flag "-create_not_registered_users" is activated for an external provider, such users will be created. When creating users (e.g. in dotlrn), it is also possible to add these automatically to certain dotlrn groups (specified in "create_with_dotlrn_role"). Further behavior might be specified by extending the predefined behavior (see example below).

 

Supported external identity providers for alternative logins

Currently, the following (OAuth 2 based) identity providers are supported

  • Microsoft Identity Platform (based on ID-Tokens) based on Azure and Active Directory
  • GitHub

OpenACS allows defining one or more identity handlers by defining either different login-handler objects for the same identity provider (e.g. for use on different subsites) to by defining login-handler objects for different identity providers (maybe also for the same subsite).

To enable the external identity providers, the package xooauth has to be installed and one or more external identity providers must be configured on the side of the provider service (to allow its usage for the OpenACS instance) and on the OpenACS instance. So, make sure xooauth is installed and mounted on /oauth (the mount path is relevant for the Redirect URI below).

Microsoft Identity Platform

 

  • Configuration on the provider side:
    • Register application via the Azure Portal
    • Set the Redirect URI type to Web and value pointing to the redirect page (e.g. YOURLOCATION/oauth/www/azure-login-handler)
    • In this process you will obtain the "tenant_id", "client_id" and a "client_secret"
    • Microsoft supports its ID token interface in version v1.0 and v2.0. When v2.0 is configured on the OpenACS side (see below), make sure to define in the "Token configuration" the optional claims "upn", "family_name", and "given_name" (latter two only, when allowing automatic account creation).
    • Details: Add sign-in with Microsoft to a web appMicrosoft identity platform ID tokens
       
  • Configuration on OpenACS
    •   Create a login-handler object (e.g. in xooauth/tcl/oauth-init.tcl)
       
      ms::Authorize create ms::azure
          -tenant "..." \
          -client_id "..."
      		
      Potential further parameters:

              -responder_url "..."  (default "/oauth/azure-login-handler")
              -debug
              -create_not_registered_users
              -create_with_dotlrn_role "..."
              -after_successful_login_url "..."
              -login_failure_url "..."
       
    • The interface is based on the same infrastructure as the Microsoft Graph interface of OpenACS.
    • For the full list of parameters, see the online documentation of the ms::Authorize class.


Using GitHub as Identity Provider

 

  • Configuration on the provider side:
    • Register application on GitHub: login on GitHub (with e.g. your ID), goto "Settings", "Developer Settings", "OAuth Apps", "Register a new application"
    • Set the Redirect URI: When registering the application, fill in the value of "Authorization callback URL" to YOURLOCATION/oauth/www/github-login-handler
    •  Details: Authorizing OAuth Apps
       
  • Configuration on OpenACS
    • Create a login-handler object (e.g. in xooauth/tcl/oauth-init.tcl)
       
      xo::oauth::GitHub create ::xo::oauth::github \
          -client_id "..." \
          -client_secret "..."
      
      Potential further parameters:

             -responder_url "..."   (default "/oauth/github-login-handler")
             -debug
             -create_not_registered_users
             -create_with_dotlrn_role "..."
             -after_successful_login_url "..."
             -login_failure_url "..."
    • For the full list of parameters, see the online documentation of the GitHub class.

The parameters "-debug", "-create_not_registered_users" and "-create_with_dotlrn_role ..." are common parameters and control the behavior.

  • When the switch "-debug" is specified, the interface page (e.g. /oauth/github-login-handler) can be used for testing and to see the provided parameters ("claims") returned from the identity provider. In the testing mode, the user is not logged-in. Furthermore, on the public login pages of the OpenACS instance, the external entity is not offered.
     
  • When the switch "-create_not_registered_users" is specified, the users authorized via the external identity provider not existing as users in OpenACS (based on the email address) are automatically created as new OpenACS users (automated account creation). By default, this switch is turned off. 
     
  • The parameter "-create_with_dotlrn_role ..." is useful for DotLRN instances. When it is defined, new users will be created as DotLRN users with the specified role (e.g. "student").

The configuration parameter can be provided when the login-handler objects are created, or these can be provided via the OpenACS configuration file. The parameters are looked up from the configuration file on a path based on the name of the login-handler object. So, with the following login-handler objects are defined

     ::ms::Authorize create ::ms::azure
     ::xo::oauth::GitHub create ::xo::oauth::github

the parameters for these objects can be specified during
creation (.... -client:id "..." ...) or in the
configuration file in the following sections:

      ns/server/[ns_info server]/acs/oauth/ms/azure {
         ns_param tenant "..."
         ns_param client_id "..."
         ...
      }
      ns/server/[ns_info server]/acs/oauth/github {
         ...
      }

the parameters for these objects can be specified during creation (.... -client_id "..." ...) or in the configuration file in the following sections:

       ns/server/[ns_info server]/acs/oauth/ms {
          ...
       }

Testing

For testing, it is recommended to define the login-handler objects with the optional "-debug" flag (see above). Add the login-handler object with the following command in xooauth/tcl/oauth-init.tcl file

      xo::oauth::GitHub create ::xo::oauth::github \
          -debug

This assumes that the GitHub as Identity Provider was defined on GitHub, and at least the parameters "client_id" and "client_secret" are defined in the OpenACS configuration file.

Then restart the server and navigate to YOURLOCATION/oauth/github-login-handler and you will see the option to login via GitHub. By clicking on the link, you will be redirected to GitHub for registering, and then you will be redirected to the interface page showing the claims provided by GitHub, and whether the user_id exists, etc.

When the login-handler objects are created without the "-debug" flag, the login options for all the created login-handler objects are listed on the register/login page of OpenACS (it is possible to omit these via a package parameter set on a subsite).

Example configuration with a custom login handler

Example for xooauth/tcl/oauth-init.tcl:

#
# Potential place for creating login-handler objects for external
# identity providers.
#
# xo::oauth::GitHub create ::xo::oauth::github \
#    -client_id "..." \
#    -client_secret "..."
#
# ms::Authorize create ms::azure \
#    -tenant "..." \
#    -client_id "..."
#

#
# This is a custom login handler, 
# - configured to create unregistered users,
# - using the "tenant" and "client_id" from the configuration file, and
# - adding some site-specific actions after a successful registration
#
ms::Authorize create ms::LoginHandler -create_not_registered_users
ms::LoginHandler object method register_new_user {
    {-first_names}
    {-last_name}
    {-email}
} -returns integer {

    # perform first the "register_new_user" action as usual
    set user_id [next]

    # on successful registrations (no exception during "next") the user_id is returned.
    # Do whatever you want with this user_id, adding it to groups, etc.
    ns_log notice "ms::LoginHandler: new registration of user $email returned user_id $user_id"

    return $user_id
}

 

xooauth

Created by Gustaf Neumann, last modified by Gustaf Neumann 24 Jul 2023, at 02:09 PM

Package Specification Summary for Package: xooauth

Summary: XOTcl based OAuth implementation and OAuth based REST interfaces for OpenACS
Description: This package aims to provide a comprehensive OAuth implementation for OpenACS, i.e. OAuth core, OAuth client, OAuth server. Probably, just the core part is ready for production use, the other functions are currently deactivated. This package was developed originally by Knowledge Markets https://km.at/
Maturity: New Submission or Maturity Unknown
This package depends on: acs-tcl xotcl-core xowf
Packages that depend on xooauth: None
Package parameters: None

Bug Tracker Summary for Package: xooauth

There is no package with the name "xooauth" known to bug-tracker.

Code Metrics Summary for Package: xooauth

# Tcl Procs 2
# Tcl Lines 4017
# Tcl Blank Lines 401
# Tcl Comment Lines 1169
# Automated Tests 0
# Stored Procedures PG: 0 ORA: 0
# SQL Lines PG: 0 (blank 1 comments 0) ORA: 0 (blank 1 comments 0)
# ADP pages 3
# ADP lines 84
# Include pages (xooauth/lib/) 2
# Documentation pages 0
# Documentation lines 0
Browse Source API-browser
Github Repository: https://github.com/openacs/xooauth/tree/oacs-5-10

This package was developed to provide a comprehensive OAuth implementation for OpenACS based on the XOTcl infrastructure. The package contains OAuth core, OAuth client, OAuth server. Currently, just the core part is ready for production use, the other functions are currently deactivated.

The package can be used to

The xooauth component was originally developed by Knowledge Markets.

Coding Standards - Index

Created by Rocael Hernández Rizzardini, last modified by Gustaf Neumann 24 Jul 2023, at 10:45 AM

A coding style is always important to maintain quality of the code and in this case, the OpenACS project. Here you'll find a set of links that will guide through our most common standards.

The definitive guide on coding standards can be found at OpenACS Style Guide.

Many stuff has been gathered from many post or guides other openacs community members have done, such as:

    Privacy Policy

    Created by Monika Andergassen, last modified by Monika Andergassen 10 Jun 2023, at 02:34 PM

    Effective Date: June 10, 2023

    This Privacy Policy describes how OpenACS.org collects, uses, and shares your personal data when you use our website, forums, wiki, and other services.

    1. Data We Collect
      1. Data You Provide to Us
        When you use our Services, you may provide us with data about yourself, such as your name, email address, and any other data you choose to provide. This can occur, for example, when you register for an account, post on our forums, or contribute to our wiki.
      2. Data We Collect Automatically
        We may automatically collect certain data about you when you use our Services, such as your IP address, device information, browser type, and data about your interactions with our Services.
      3. Cookies and Similar Technologies
        We use cookies to collect data about your use of our Services and to remember your login state and preferences. You can control the use of cookies at the individual browser level.
         
    2. How We Use Your Data
      We use the data we collect to provide, maintain, and improve our Services, to communicate with you, to monitor and analyze usage and trends, and to personalize and improve your experience with our Services.
       
    3. How We Share Your Data
      We do not sell your personal data. We may share your data with third-party service providers who perform services on our behalf, such as hosting providers and analytics providers. We may also share your data to comply with the law, to protect the rights and safety of our users and third parties, or as part of a business transaction like a merger or sale of assets.
       
    4. Your Choices
      You may update, correct, or delete your account data at any time by logging into your account. You may also contact us to request access to, correct, or delete any personal data that you have provided to us.
       
    5. Security
      We take reasonable measures to protect your personal data from loss, theft, misuse, unauthorized access, disclosure, alteration, and destruction. However, the internet is not 100% secure, and we cannot guarantee the security of your data.
       
    6. Children's Privacy
      Our Services are not intended for individuals under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to delete such data.
       
    7. Changes to This Privacy Policy
      We may update this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, we may provide you with additional notice.
       
    8. Contact Us
      If you have any questions about this Privacy Policy, please contact us at oct@openacs.org.

    rl_json

    Created by Michael Aram, last modified by Vlad V 01 May 2023, at 01:02 PM

    Caveat: Page under construction

    rl_json

    Example Installation for NaviServer under Ubuntu (for rl_json version until 11.5)

    cd /var/tmp
    git clone https://github.com/RubyLane/rl_json.git
    cd rl_json
    autoconf
    ./configure --prefix=/usr/local/ns && make && sudo make install

     

    After rl_json version 11.5 (see issue):

    git clone --recurse-submodules --depth 1 --branch 0.12.2 https://github.com/RubyLane/rl_json.git rl_json-0.12.2
    cd rl_json-0.12.2
    autoconf
    ./configure
    ./make
    ./make install

     

    E-Mail: Outgoing E-Mail

    Created by Malte Sussdorff, last modified by Gustaf Neumann 06 Feb 2023, at 04:48 PM

    Current documentation for ACS Mail Lite, the standard API for inbound and outbound email is at https://openacs.org/doc/acs-mail-lite/.

    Recommendation

    The current recommendation for sending outgoing mail is via the NaviServer module nssmtpd, since this handles well large outgoing mails and works as well with >1000 file descriptors open. In OpenACS 5.10, set the package parameter "EmailDeliveryMode" in the acs-mail-lite package to "nssmtpd".

    Older Discussion

    Outgoing E-Mail at the moment in acs-mail-lite is split in a multitude of procedures, some doubling the efforts of the other. To clean this up, I propose the following (in general):

    • Replace acs-mail-lite::send with acs-mail-lite::complex_send, making it a wrapper for complex_send or the other way round (rename complex_send to send and so on).
    • Only support sending of e-mails via SMTP. Use smtp::sendmessage from TCLLIB for it (as does complex_send).
    • Daveb suggested splitting up complex_send to make it easier to test parts of it. Here are some ideas:
      • Sub procedure to generate "to/cc/bcc/_lists" which are used in the respective TO/CC/BCC header. This will also clean up the sending of individual emails.
      • Have only one call to smtp::sendmessage and one hook for the complex_send callback.
      • Sub-procedure to append file tokens. Not sure if this is useful as we need to do upvar for the tokens and could not do automated tests on them anyway. So I'd not do it.
    • Have only one sweeper (the complex_sweeper) with support for multiple mail sending servers (so you can have multiple mail senders in the cluster instead of only one).
    • Split of incoming email handing into a separate file
    • Delete acs-mail-lite-procs.tcl :-). Just kidding, but deprecate most of the procedures.

    Sadly, it is not a straightforward approach, as there is a catch. Using smtp::sendmessage forces us to figure out a new way for setting the bounce-email address header, as the old approach will not work any more (using the SMTP command "FROM" set to the bounce address). Another option is to use the non-standard "Errors-To" Header instead.

    Double Click Handling

    Created by Gustaf Neumann, last modified by Gustaf Neumann 02 Nov 2022, at 06:06 PM

    Many users tend to click twice on links/and forms, causing therefore multiple identical requests, that can kill the performance of a server, especially when these are expensive requests. On one site, we saw users firing up to several hundred identical requests, probably via a “rapid fire” function available for some mice, coming from the gaming world.

    There are essentially two generic ways to handle double clicks in OpenACS:

    1. Server-side double click handling: The xotcl-request-monitor has since a long time the feature to block (optionally) multiple identical requests from the same client. The user will receive for subsequent identical requests the message “Repeated Operation, please resubmit”, which as some “educative” value. It has several heuristics built in to allow certain double requests (e.g., for embedded resources).
       
    2. Client-side double click handling: Via HTML markup, one can disable the same requests for a certain time on the client side (i.e., in the browser). For this time, double-clicks are blocked (the button/link is disabled), such that the true double-click, or “rapid fire” functions are mitigated. The request is only one time executed. Potential problems are potential confusion, when a user wants to open the same page in rapid sequence in multiple tabs, windows. Furthermore, repeated requests from bots are not mitigated. This is a new feature which will part of the OpenACS 5.10.1 release.

    The client-side double click handling is activated by a content developer for a link prone to this concern by adding the CSS class “prevent-double-click” to the HTML anchor or button. The double click prevention deactivates a button or an anchor element after clicking for a short time (per default for 2s) and ignores in this time window further clicks. The default time window can be specified via the package parameter DefaultPreventDoubleClickTimeoutMs of acs-templating. The time window can be specified for every occurrence via the data element “oacs-timeout”. When a double click occurs, the duplicate click is determined at the client side (in the browser) such that the first request will continue to run and will render its result when finished. Without double click prevention (or with the double click-prevention on the server side), the results of the first request are lost for the client, although these are still computed at the server side.

    Usage Example:

        <p>text with a <a class="prevent-double-click" href="/slow.tcl?t=10s">link</a>
        <p>
        <form action="/slow.tcl">
        <input class="btn prevent-double-click" data-oacs-timeout="4000" type="submit" value="Submit">
        ...
        </form>

    Next Page
    previous March 2024
    Sun Mon Tue Wed Thu Fri Sat
    25 26 27 28 29 1 2
    3 4 5 6 7 8 9
    10 11 12 13 14 15 16
    17 18 19 20 21 22 23
    24 25 26 27 28 29 30
    31 1 2 3 4 5 6

    Popular tags

    17 , 5.10 , 5.10.0 , 5.9.0 , 5.9.1 , ad_form , ADP , ajax , aolserver , asynchronous , bgdelivery , bootstrap , bugtracker , CentOS , COMET , compatibility , CSP , CSRF , cvs , debian , docker , docker-compose , emacs , engineering-standards , exec , fedora , FreeBSD , guidelines , host-node-map , hstore
    No registered users in community xowiki
    in last 30 minutes
    Contributors

    OpenACS.org