api secret: allow admin to delete for one or all users by monkeyiq · Pull Request #720 · filesender/filesender · GitHub

api secret: allow admin to delete for one or all users #720


Merged
merged 1 commit into from
Jan 23, 2020


monkeyiq
Contributor

This allows a user to be found and the admin to revoke their api secret. They can still make it again if they like, but if there is an aup in place they must accept that to remake the api secret. This button can also be handy to disable a key if a site notices what it regards as abuse of the rest api key. In this case it would be assumed to be unintended abuse, such as a compromised key. This is because the key is revoked but the user can remake a key and continue.

There is also a super "delete all api keys" which was added to allow the introduction of an aup which would require everybody to accept the api secret aup in order to start using the rest clients again.

This also leaves off the ESCAPE clause for pgsql, relates to #583. I think perhaps we should be doing the escaping client side rather than asking the database to do things. It seems that the same sort of thing as this ESCAPE can be enabled in pgsql using E'my\tstring' but trying to combine the escape 'E' prefix with parameters to prepared statements was becoming a digression in and of itself. In this case we could expand the tab in the php code and pass the final string to the database in the parameter. Perhaps this was needed in the past when ascii was the default encoding but we could expand citations to unicode characters to the real codepoint these days. For example, the \uxxxx codes from https://www.postgresql.org/docs/current/sql-syntax-lexical.html#id-1.5.3.5.9.5.2
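
The client-side expansion discussed in the description above, as an added example that is not part of the pull request or of FileSender's code: a bound parameter is never parsed as a string literal, so `E'...'` escape processing does not apply to it and the escapes have to be expanded before binding. `decode_escapes()` is a hypothetical helper, and an in-memory SQLite database stands in for PostgreSQL so the snippet runs offline.

```php
<?php
// Added example, not FileSender code. decode_escapes() is a hypothetical helper.

/**
 * Expand the common backslash escapes of PostgreSQL E'...' strings
 * (\b \f \n \r \t \\ and \uXXXX) into real characters on the client.
 * As in E'...' strings, any other escaped character is taken literally.
 * Octal, \x and \UXXXXXXXX forms are out of scope for this sketch.
 */
function decode_escapes(string $s): string
{
    $simple = ['b' => "\x08", 'f' => "\f", 'n' => "\n",
               'r' => "\r", 't' => "\t", '\\' => '\\'];
    return preg_replace_callback(
        '/\\\\(u[0-9A-Fa-f]{4}|.)/su',
        function (array $m) use ($simple): string {
            $e = $m[1];
            if ($e[0] === 'u' && strlen($e) === 5) {
                $cp = hexdec(substr($e, 1));
                // A lone surrogate is not a valid code point: refuse it.
                if ($cp >= 0xD800 && $cp <= 0xDFFF) {
                    throw new InvalidArgumentException("surrogate escape: \\$e");
                }
                return mb_chr($cp, 'UTF-8');
            }
            return $simple[$e] ?? $e;
        },
        $s
    );
}

// SQLite in memory is an assumption made for the demo; the prepare/execute
// calls are the same with a pgsql DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT)');

// Constructed sample: single quotes keep the backslashes literal in PHP.
$raw = 'name\tvalue \u00e9';

// The decoded string travels as data in the parameter, never as SQL text.
$stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => decode_escapes($raw)]);

$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();
var_dump($stored === "name\tvalue \u{e9}");
```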

@monkeyiq monkeyiq merged commit 32f5645 into filesender:development Jan 23, 2020
monkeyiq added a commit that referenced this pull request Feb 4, 2020
* db: update auditlogs query for pg and mariadb compat (#704)

* fixes for ie11 (#705)

* Crypto: This allows keyversion 1 to work in Edge and IE11 on Windows 10 (#708)

* this allows pbkdf2 to work in edge

* gah ie11

* this works with edge and ie

* cleanup

* move terasender back to normal js

* only do this for keyversion 1

* only do this for keyversion 1

* docs: gpg section for reporting sensitive issues (#710)

* ie11: fix for generated passwords (#711)

* filesender.py rest client: refresh (#717)

* filesender.py ability to delete and create apisecret, uap (#718)

* filesender.py ability to delete and create apisecret, uap

* docs, no autogen with aup

* make that interaction explicit

* pgsql migration update

* filesender.py accept aup in client (#719)

* api secret: allow admin to delete for one or all users (#720)

* Add missing parameter to DBView::cast_as_number; provide default viewcolname for DBView::cast_as_number (#721)

* flash: remove older references to Flash (#722)

* transfer log, set file path to name if not set (#723)

* transfer audit: allow full path for files with it (#724)

* clientlogs: buttons to send and clear them (#725)

* admin-users-page-clientlogs-table-border-fix (#726)

* transfer-logs better for file log (#727)

* my transfers page cleaner table presentation (#728)

* translation updated oldterms.txt (#729)

* rest api aup add the terms template page (#730)

* console log: ui.log() to also add items to clientlog (#731)

* rest api aup add the terms template page

* clientlogs: add ui.log to client logs

* clientlogs: increase log size to 100 by default. Rename stash_len to be consistent with config.php name (#732)

* rest api aup add the terms template page

* clientlogs: increase log size to 100 by default. Rename stash_len to be consistent with config.php name

* 2020/jan/my transfers div (#734)

* rest api aup add the terms template page

* clientlogs: move from console.log to clientlogs.log

* dangling div tag

* Revert "2020/jan/my transfers div (#734)" (#735)

This reverts commit c7b7db2.

* Update StorageFilesystemChunked class

Update StorageFilesystemChunked class to also retry fwrite 100 times, just like fopen

* Update StorageFilesystemChunked.class.php

typeO fs to fh

* remove dangling div from my transfers page (#736)

* rest api aup add the terms template page

* clientlogs: move from console.log to clientlogs.log

* remove that one div end tag only

* i18n: auto import from poedtor on 2020-02-02-1580589029 (#738)

* Items for release 2.14 (#712) (#739)

* db: update auditlogs query for pg and mariadb compat (#704)

* fixes for ie11 (#705)

* Crypto: This allows keyversion 1 to work in Edge and IE11 on Windows 10 (#708)

* this allows pbkdf2 to work in edge

* gah ie11

* this works with edge and ie

* cleanup

* move terasender back to normal js

* only do this for keyversion 1

* only do this for keyversion 1

* docs: gpg section for reporting sensitive issues (#710)

* ie11: fix for generated passwords (#711)

* Items for release 2.14 (#712) (#740)

* db: update auditlogs query for pg and mariadb compat (#704)

* fixes for ie11 (#705)

* Crypto: This allows keyversion 1 to work in Edge and IE11 on Windows 10 (#708)

* this allows pbkdf2 to work in edge

* gah ie11

* this works with edge and ie

* cleanup

* move terasender back to normal js

* only do this for keyversion 1

* only do this for keyversion 1

* docs: gpg section for reporting sensitive issues (#710)

* ie11: fix for generated passwords (#711)

* Items for release 2.14 (#712) (#741)

* db: update auditlogs query for pg and mariadb compat (#704)

* fixes for ie11 (#705)

* Crypto: This allows keyversion 1 to work in Edge and IE11 on Windows 10 (#708)

* this allows pbkdf2 to work in edge

* gah ie11

* this works with edge and ie

* cleanup

* move terasender back to normal js

* only do this for keyversion 1

* only do this for keyversion 1

* docs: gpg section for reporting sensitive issues (#710)

* ie11: fix for generated passwords (#711)

* Items for release 2.14 (#712) (#742)

* db: update auditlogs query for pg and mariadb compat (#704)

* fixes for ie11 (#705)

* Crypto: This allows keyversion 1 to work in Edge and IE11 on Windows 10 (#708)

* this allows pbkdf2 to work in edge

* gah ie11

* this works with edge and ie

* cleanup

* move terasender back to normal js

* only do this for keyversion 1

* only do this for keyversion 1

* docs: gpg section for reporting sensitive issues (#710)

* ie11: fix for generated passwords (#711)

Co-authored-by: hammondr <hammondr@users.noreply.github.com>
Co-authored-by: Michael D'Silva <michael.dsilva@aarnet.edu.au>