# schleuder-web issues

Feed: https://0xacab.org/schleuder/schleuder-web/-/issues (updated 2023-11-14T08:54:01Z)

## Issue #128: Show key summary after import

https://0xacab.org/schleuder/schleuder-web/-/issues/128
Updated: 2023-11-14T08:54:01Z. Author: paz. Milestone: 5.0.0. Assignee: paz.

After key(s) have been uploaded, the flash message should show the key summary (which includes a possible expiration) about each imported key.
Those details will be provided by the API daemon after schleuder!425 has been merged.

## Issue #127: Upgrade to rails 7

https://0xacab.org/schleuder/schleuder-web/-/issues/127
Updated: 2022-09-13T14:51:17Z. Author: Nina. Milestone: 5.0.0. Assignee: Nina.

## Issue #126: Run test suite with Ruby 3.1

https://0xacab.org/schleuder/schleuder-web/-/issues/126
Updated: 2022-09-13T14:51:30Z. Author: paz. Milestone: 5.0.0. Assignee: paz.

## Issue #125: Drop support for Ruby 2.5+2.6

https://0xacab.org/schleuder/schleuder-web/-/issues/125
Updated: 2022-09-11T18:24:00Z. Author: paz. Milestone: 5.0.0. Assignee: paz.

Should be noted in the README, too.

## Issue #123: Is schleuder-web compatible with schleuder 4.x.x?

https://0xacab.org/schleuder/schleuder-web/-/issues/123
Updated: 2021-12-08T15:43:14Z. Author: Andreas Schleifer.

The README of this repository explicitly talks about schleuder 3.
Is this just out of date in the README or is this really only working with schleuder 3?

## Issue #122: web interface unusable due to multiple 'undefined method' errors

https://0xacab.org/schleuder/schleuder-web/-/issues/122
Updated: 2021-06-09T14:32:39Z. Author: Roberto Soto.

Hello, I have finally managed to install _schleuder_ and configured it to work through the _cli_.
However _schleuder-web_ is unusable past the first screen as many actions break because of internal server errors.
Looking at the logs, they turn out to be **undefined methods** in code.
I'm copying here some logs for example:
- GET /subscriptions/1
```
[2021-06-08T16:41:38.305505 #18] FATAL -- : [ee1288a5-2471-41f2-af2c-713b91db926a]
[ee1288a5-2471-41f2-af2c-713b91db926a] ActionView::Template::Error (undefined method `summary' for #<Key:0x000056388ab8dfd0>):
[ee1288a5-2471-41f2-af2c-713b91db926a] 1: - if key.trust_issues.blank?
[ee1288a5-2471-41f2-af2c-713b91db926a] 2: = link_to key.summary, list_key_path(@list, key), class: key_css_classes(key)
[ee1288a5-2471-41f2-af2c-713b91db926a] 3: - else
[ee1288a5-2471-41f2-af2c-713b91db926a] 4: = link_to list_key_path(@list, key), title: key_trust_title(key), class: key_css_classes(key) do
[ee1288a5-2471-41f2-af2c-713b91db926a] 5: = key.summary
[ee1288a5-2471-41f2-af2c-713b91db926a]
[ee1288a5-2471-41f2-af2c-713b91db926a] app/views/keys/_key_oneline.html.haml:2
[ee1288a5-2471-41f2-af2c-713b91db926a] app/views/subscriptions/show.html.haml:63
```
- GET /lists/1/edit
```
[70a55337-0724-4be1-9722-f629aed9cfa4] ActionView::Template::Error (undefined method `munge_from' for #<List:0x000056388a672668>):
[70a55337-0724-4be1-9722-f629aed9cfa4] 16: %fieldset
[70a55337-0724-4be1-9722-f629aed9cfa4] 17: %legend Message control
[70a55337-0724-4be1-9722-f629aed9cfa4] 18: = checkbox f, :keep_msgid, "Pass incoming Message-IDs to outgoing messages? This enables threading in Mail-clients and helps to identify messages."
[70a55337-0724-4be1-9722-f629aed9cfa4] 19: = checkbox f, :munge_from, "Include the original sender's email address into the From header of outgoing messages? If this is enabled recipients can see who sent the email before decrypting the content. Some people like that, but be aware that this puts information into the open which otherwise might have been hidden (depending on the encryption of the messages)."
[70a55337-0724-4be1-9722-f629aed9cfa4] 20: = checkbox f, :set_reply_to_to_sender, "Set a Reply-To header to outgoing messages, which contains the originally incoming Reply-To value, or the incoming From value? If this is enabled replies will by default be sent to this email address instead of to the list. PLEASE BEWARE: this might result in ACCIDENTALLY REVEALED EMAIL ADDRESSES of subscribers even to non-subscribers!"
[70a55337-0724-4be1-9722-f629aed9cfa4] 21: = f.input :max_message_size_kb, hint: "Emails bigger than this will be rejected (measured in kilo-bytes.)"
[70a55337-0724-4be1-9722-f629aed9cfa4] 22: = f.input :headers_to_meta, hint: "One header-name per line. Case-insensitive.", as: :text
```

## Issue #120: Redirect to originally requested url after login does not work

https://0xacab.org/schleuder/schleuder-web/-/issues/120
Updated: 2021-02-03T16:31:28Z. Author: o-.

When I navigate to a particular resource on a schleuder-web interface with no pre-existing session, then I am not properly redirected to that url after login.
### Steps to reproduce
1. open an incognito window
2. visit some-schleuder-web/lists/some_list
3. login
4. it wrongly redirects to / instead of /lists/some_list
5. logout
6. visit some-schleuder-web/lists/some_list again
7. login
8. it correctly redirects to /lists/some_list
### Potential Fix
I am pretty sure the error is at https://0xacab.org/schleuder/schleuder-web/-/blob/master/app/controllers/application_controller.rb#L87 as I get the following error in the logs: `Error: no implicit conversion of nil into String`.
I would suggest a fix along these lines:
```
def authenticate
- expiry = Time.parse(session[:login_expires_at])
- if current_account && expiry > Time.now
+ expiry = Time.parse("#{session[:login_expires_at]}") rescue nil
+ if current_account && expiry && expiry > Time.now
update_session_expiry
```
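Review bot: the trailing `rescue nil` on the `+ expiry = Time.parse("#{session[:login_expires_at]}") rescue nil` line rescues every StandardError, not only the `TypeError` behind the reported "no implicit conversion of nil into String" (interpolating nil just turns it into an `ArgumentError` from `Time.parse("")`), so any unexpected session value would be silently treated as a logged-out state instead of surfacing in the logs. Checking for the missing value explicitly before parsing keeps the guard narrow, e.g. `expiry = session[:login_expires_at] && Time.parse(session[:login_expires_at])`, with the `+ if current_account && expiry && expiry > Time.now` line kept as proposed.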
However, what seems to be an additional issue is that the message at https://0xacab.org/schleuder/schleuder-web/-/blob/master/app/controllers/application_controller.rb#L110 is never displayed in the login form. The login form always says "please log in with your schleuder account" and does not display the error.

## Issue #116: svg assets missing (due to Rails upgrade?), makes webinterface nearly unusable

https://0xacab.org/schleuder/schleuder-web/-/issues/116
Updated: 2020-05-18T11:34:00Z. Author: georg.

svg assets as shipped in `app/assets/images` worked before I did an upgrade of an installation. I guess something changed due to the Rails upgrade.
```
I, [2020-05-17T22:57:53.749141 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Started GET "/lists/9/subscriptions" for 123.123.123.123 at 2020-05-17 22:57:53 +0200
I, [2020-05-17T22:57:53.750010 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Processing by ListsController#subscriptions as HTML
I, [2020-05-17T22:57:53.750059 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Parameters: {"id"=>"9"}
D, [2020-05-17T22:57:53.751167 #20001] DEBUG -- : [a71e3587-2758-4935-8024-0c6caaaed120] Account Load (0.1ms) SELECT "accounts".* FROM "accounts" WHERE "accounts"."id" = ? LIMIT ? [["id", 20], ["LIMIT", 1]]
D, [2020-05-17T22:57:53.755659 #20001] DEBUG -- : [a71e3587-2758-4935-8024-0c6caaaed120] Ignoring check for hostname (verify_certificate_identity()).
D, [2020-05-17T22:57:53.756609 #20001] DEBUG -- : [a71e3587-2758-4935-8024-0c6caaaed120] Ignoring check for hostname (verify_certificate_identity()).
D, [2020-05-17T22:57:53.767092 #20001] DEBUG -- : [a71e3587-2758-4935-8024-0c6caaaed120] Ignoring check for hostname (verify_certificate_identity()).
D, [2020-05-17T22:57:53.768041 #20001] DEBUG -- : [a71e3587-2758-4935-8024-0c6caaaed120] Ignoring check for hostname (verify_certificate_identity()).
I, [2020-05-17T22:57:53.775266 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Rendering lists/subscriptions.html.haml within layouts/application
I, [2020-05-17T22:57:53.782979 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Rendered lists/_subscription_row.html.haml (3.8ms)
I, [2020-05-17T22:57:53.783651 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Rendered lists/subscriptions.html.haml within layouts/application (8.2ms)
I, [2020-05-17T22:57:53.783984 #20001] INFO -- : [a71e3587-2758-4935-8024-0c6caaaed120] Completed 500 Internal Server Error in 34ms (ActiveRecord: 0.1ms)
F, [2020-05-17T22:57:53.785098 #20001] FATAL -- : [a71e3587-2758-4935-8024-0c6caaaed120]
F, [2020-05-17T22:57:53.785152 #20001] FATAL -- : [a71e3587-2758-4935-8024-0c6caaaed120] ActionView::Template::Error (The asset "person.svg" is not present in the asset pipeline.):
F, [2020-05-17T22:57:53.785355 #20001] FATAL -- : [a71e3587-2758-4935-8024-0c6caaaed120] 1: .card
[a71e3587-2758-4935-8024-0c6caaaed120] 2: .card_icon= image_tag 'person.svg', width: '30px'
[a71e3587-2758-4935-8024-0c6caaaed120] 3: .card_text
[a71e3587-2758-4935-8024-0c6caaaed120] 4: = render "subscriptions/subscription", subscription: subscription
[a71e3587-2758-4935-8024-0c6caaaed120] 5: .card_info
F, [2020-05-17T22:57:53.785391 #20001] FATAL -- : [a71e3587-2758-4935-8024-0c6caaaed120]
F, [2020-05-17T22:57:53.785415 #20001] FATAL -- : [a71e3587-2758-4935-8024-0c6caaaed120] app/views/lists/_subscription_row.html.haml:2:in `_app_views_lists__subscription_row_html_haml__331968684713084359_47138938680860'
[a71e3587-2758-4935-8024-0c6caaaed120] app/views/lists/subscriptions.html.haml:14:in `block in _app_views_lists_subscriptions_html_haml___2395196878497040950_47138938529860'
[a71e3587-2758-4935-8024-0c6caaaed120] app/views/lists/subscriptions.html.haml:13:in `each'
[a71e3587-2758-4935-8024-0c6caaaed120] app/views/lists/subscriptions.html.haml:13:in `_app_views_lists_subscriptions_html_haml___2395196878497040950_47138938529860'
```

## Issue #115: Logs IP addresses via Rails (production) log file

https://0xacab.org/schleuder/schleuder-web/-/issues/115
Updated: 2020-05-19T23:29:25Z. Author: georg.

## Issue #113: Initial release

https://0xacab.org/schleuder/schleuder-web/-/issues/113
Updated: 2020-05-17T11:28:07Z. Author: georg.

I would like to release `1.0.0` after we've released Schleuder %"3.5.0": the software is out there and used by people, and we should handle this project similar to the others, IMHO.
As an easy start, personally, I would be fine with a signed git tag.
Relates: #101

## Issue #112: Support `deliver_selfsent`

https://0xacab.org/schleuder/schleuder-web/-/issues/112
Updated: 2020-03-22T21:51:30Z. Author: paz. Milestone: 3.5.0. Assignee: paz.

schleuder#365 introduced a new list-option, which should be supported by schleuder-web.

## Issue #111: Don't allow to upload expired keys

https://0xacab.org/schleuder/schleuder-web/-/issues/111
Updated: 2020-07-01T12:13:58Z. Author: casper.

You shouldn't be allowed to upload an unusable key. Or at least, there should be an informative warning flash message as proposed in #12.

## Issue #110: Move x-attach-listkey documentation to subscribers doc

https://0xacab.org/schleuder/schleuder-web/-/issues/110
Updated: 2019-02-02T15:01:30Z. Author: ng.

The documentation for that list keyword should be moved.

## Issue #107: FEATURE: More finegrained user rights - domains

https://0xacab.org/schleuder/schleuder-web/-/issues/107
Updated: 2019-03-31T12:22:05Z. Author: malte.

It would be nice to have the possibility to give users the right to become "superuser", but only for a defined set of mail-domains. Maybe invent a new role for that.

## Issue #104: sprockets: Path Traversal vulnerability (CVE-2018-3760)

https://0xacab.org/schleuder/schleuder-web/-/issues/104
Updated: 2018-07-19T12:52:38Z. Author: georg.

# schleuder-web was / is not vulnerable.
Ruby security announcement
------
There is an information leak vulnerability in Sprockets. This vulnerability
has been assigned the CVE identifier CVE-2018-3760.
Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.
Not affected: NONE
Fixed Versions: 4.0.0.beta8, 3.7.2, 2.12.5
Impact
------
Specially crafted requests can be used to access files that exist on
the filesystem outside an application's root directory, when the Sprockets server is
used in production.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
--------
The 4.0.0.beta8, 3.7.2 and 2.12.5 releases are available at the normal locations.
Workarounds
-----------
In Rails applications, to work around this issue, set `config.assets.compile = false` and
`config.public_file_server.enabled = true` in an initializer and precompile the assets.
This workaround will not be possible in all hosting environments and upgrading is advised.
Source: [ruby-security-ann@](https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k)

## Issue #103: Let users reset their password

https://0xacab.org/schleuder/schleuder-web/-/issues/103
Updated: 2020-07-29T02:22:26Z. Author: Muri Nicanor.

Often users forget their passwords; there should be some way for them to set a new password, maybe with a token sent to the email address.

## Issue #102: Validate email address for account request

https://0xacab.org/schleuder/schleuder-web/-/issues/102
Updated: 2021-03-18T12:19:41Z. Author: ng. Assignee: paz.

When signing up for a new account we do not validate for a valid email address at the moment before sending out the AccountRequest.
We should validate that the email in the AccountRequest is a valid address.

## Issue #96: Upgrade to rails 5

https://0xacab.org/schleuder/schleuder-web/-/issues/96
Updated: 2018-04-14T15:29:18Z. Author: georg.

Hi all,
I've spoken to the Debian Ruby people regarding the future of rails in Debian. It might need some time, still, but there is clear intent to upgrade rails to 5.x. Therefore, we're good to go on this front.
While researching this topic, I've stumbled over the following two links which might be worth to have a look at (even if our code base isn't that huge):
- https://shopifyengineering.myshopify.com/blogs/engineering/upgrading-shopify-to-rails-5-0
- https://github.com/domcleal/as_deprecation_tracker
Cheers,
Georg

## Issue #95: Upgrade loofah to >= 2.2.1 to prevent potential XSS vulnerability caused by libxml2 (CVE-2018-8048)

https://0xacab.org/schleuder/schleuder-web/-/issues/95
Updated: 2018-03-26T10:13:06Z. Author: georg.

upstream loofah released a new version to mitigate this [recently](https://github.com/flavorjones/loofah/issues/144). Currently, we don't depend directly on loofah, it gets pulled in via rails-html-sanitizer and i18n. Not sure what's the way forward here (e.g. depending directly on it, or pushing the upstreams of r-h-s and i18n), but, FWIW, I've just sent a mail to rails-html-sanitizer upstream, as this new version is breaking two tests, asking for input.

## Issue #93: Fix rendering error message if list.key is not available

https://0xacab.org/schleuder/schleuder-web/-/issues/93
Updated: 2020-01-19T15:00:58Z. Author: paz.

`app/views/application/_list_menu.html.haml` checks for
`@list.key.blank?` to show a "this list has a problem" error message,
but apparently (#91) the model raises an error 500 in this case.
We should change this so the error message is actually sent to the browser.