Posted 9 months ago by Michael Daum
For pages that are linked to by pages that have been through one or more move/renames, when you go to rename or delete the page (the target of the links), you'll sometimes see the old - no longer existing - topic names in the list of links to update.
For example, here I had:
Created Sandbox.RenameTest10
Created Sandbox.RenameTest11 which contained a link to Sandbox.RenameTest10.
Renamed Sandbox.RenameTest11 to Sandbox.RenameTest12
Gone to delete Sandbox.Test10
The result was a list of pages to update that included the no longer existing RenameTest11.
And here's another example:
I've reproduced this both on my 1.1.9 site and Michael's demo site.
If you go through with the delete or rename it doesn't seem to cause too much of a problem for the end user except that it's a bit confusing.
This issue may be related to Item12843. Again I'm not sure this Contrib is to blame so feel free to re-categorize.
-- Main.LeilaPearson - 03 Apr 2014
At least on the demo site, backlinks are extracted from Solr. If you are fast enough to delete a page before Solr picks up the update, it will still display it on the rename/move page. The time frame within which that bug happens depends on your setup of the reindexing process: using iwatch this is about 5-10 seconds, using a cronjob for delta indexing it depends on your settings there, e.g. 15 minutes.
A workaround would be to add an extra check for the topics to exist when using Solr for backlinks to mitigate the display of broken links as in the above screenshot.
-- Main.MichaelDaum - 02 Jun 2018
Posted 9 months ago by Michael Daum
Foswiki-2.2.x doesn't need a username anymore when changing a password, as the username is already given by the user being logged in.
Only the admin can change the password or email of somebody else.
Posted 9 months ago by Michael Daum
When using the password reset function on https://foswiki.org I'm receiving an email with an autogenerated password.
There are a few issues with that:
1. The password consists of upper- and lowercase characters, numbers and special characters, which is good, but it is only 8 characters long, which makes it quite weak. Consider generating a 20+ character password at least.
2. The password is sent to the user in clear-text via mail, which also isn't very secure.
3. Users are not forced to change their passwords afterwards and can keep the auto-generated ones forever.
Issue 1 could be addressed fairly easily by generating longer passwords. In the settings I have found {MinPasswordLength} which could be set to a higher value for example. Allowing users to have passwords with only 7 characters is a bad idea anyway nowadays.
For the other issues, they could be addressed in one sweep, but the effort would be quite a bit more substantial. Instead of generating a password and mailing it to the user, a randomly generated one-time token should be generated. It should be stored on the server alongside the username and the current timestamp.
A new config option {PasswordTokenExpiry} should be added with a default value of 600 seconds (=10 minutes). The password reset mail should contain a link which contains that token.
If a user clicks on that link, a page should be opened which contains a password reset form, which doesn't require the current password. A hidden form-field containing the token should be part of the HTML form. To increase security, users could be required to input their username. That way, if someone steals one of those links without any context, they can not just reset the password without knowing the username.
Once the form is submitted, the back-end first removes all stored tokens which are older than {PasswordTokenExpiry} seconds and then verifies whether an entry with the submitted token and username exists. If it does, it removes the token from the list (so it can only be used once) and changes the password.
On success, a message is displayed directing the user to login again. On failure an error message is shown.
Posted 9 months ago by Michael Daum
ResetPassword or UserRegistration sends a one-time access token to the user forcing them to change their password afterwards.
However when this is an email account hosted by outlook.com, those emails are preprocessed, i.e. all links are tested and rewritten to some https://..safelinks.protection.outlook.com?url=origurl.
While doing so the one-time access token is invalidated so that the user cannot use it anymore to proceed on changing the password / confirming the account.
-- Main.MichaelDaum - 23 Nov 2021
Any suggestion on how to address this? The obvious way is not to use Outlook. But that is not really a solution.
Do we need a different scheme?
Should we obfuscate the url?
-- Main.BramVanOosterhout - 19 Dec 2021
I think that instead of using a one-time access token we need to come up with another approach here.
-- Main.MichaelDaum - 19 Dec 2021
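The token-based reset flow proposed in the earlier password-reset report, written out as an added example. This is Python, not Foswiki's own Perl code and not code from any of the posters above; PASSWORD_TOKEN_EXPIRY and MIN_PASSWORD_LENGTH stand in for the proposed {PasswordTokenExpiry} and the existing {MinPasswordLength} settings (the values are assumptions), the reset URL path is invented, and the token store is an in-memory dict rather than whatever Foswiki would persist. It also covers the point raised in the safelinks thread just above: here the GET of the link only checks that the token is still alive, and the token is spent only by the form submission that carries the matching username.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical counterparts of the proposed {PasswordTokenExpiry} (seconds)
# and the existing {MinPasswordLength} settings; the values are assumptions.
PASSWORD_TOKEN_EXPIRY = 600
MIN_PASSWORD_LENGTH = 12


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 as a stand-in for whatever password hash the site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetTokenStore:
    """Server-side record of outstanding reset tokens.

    Only a SHA-256 digest of each token is stored, so a leaked store does not
    yield usable reset links. Real code would persist this; an in-memory dict
    keeps the example self-contained.
    """

    def __init__(self, expiry: int = PASSWORD_TOKEN_EXPIRY) -> None:
        self.expiry = expiry
        self._tokens: Dict[str, Tuple[str, float]] = {}      # digest -> (user, issued_at)
        self._passwords: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _purge_expired(self, now: float) -> None:
        # Drop everything older than the expiry before any lookup.
        expired = [d for d, (_, issued) in self._tokens.items() if now - issued > self.expiry]
        for d in expired:
            del self._tokens[d]

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a token for `username`; the raw token goes into the mail only."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (username, now)
        return token

    @staticmethod
    def reset_link(base_url: str, token: str) -> str:
        # Invented path; Foswiki's real script name and parameters may differ.
        return f"{base_url}/bin/resetpasswd?token={token}"

    def form_is_available(self, token: str, now: Optional[float] = None) -> bool:
        """GET handler: may the reset form be shown? Never consumes the token,
        so a mail scanner that merely fetches the link does not spend it."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        return self._digest(token) in self._tokens

    def submit(self, token: str, username: str, new_password: str,
               now: Optional[float] = None) -> bool:
        """POST handler: token and username must match; the token is single-use."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False                             # token kept, user may retry
        digest = self._digest(token)
        entry = self._tokens.get(digest)
        if entry is None or not secrets.compare_digest(entry[0].encode(), username.encode()):
            return False
        del self._tokens[digest]                     # spend it before changing anything
        salt = secrets.token_bytes(16)
        self._passwords[username] = (salt, _hash_password(new_password, salt))
        return True

    def verify_password(self, username: str, password: str) -> bool:
        if username not in self._passwords:
            return False
        salt, stored = self._passwords[username]
        return secrets.compare_digest(stored, _hash_password(password, salt))
```

Purging runs before every lookup rather than on a timer, so an expired token can never be accepted even if the housekeeping job is late; the username check uses a constant-time comparison so a mismatch leaks nothing about the stored entry.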
Posted 9 months ago by Michael Daum
The remote domain to fetch regexes from is not available anymore: http://arch.thinkmo.de/cgi-bin/spam-merge
As a result the AntiWikiSpamPlugin_regexs file is filled with an http error message.
Note that some of its features, i.e. blocking email domains during registration, are part of the Foswiki core already.
We have seen massive spamming recently on foswiki.org, which this plugin unfortunately doesn't offer protection against anymore.
-- Main.MichaelDaum - 07 Jul 2024
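An added example of the check a fetcher should make before overwriting the regex file, so that a dead endpoint cannot replace the blocklist with an error page. This is Python written for this page, not the plugin's own Perl code; the one-regex-per-line format with '#' comments is an assumption about the remote list, the sample list and the error page are constructed, and the function names are invented.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a healthy merge file: one regex per line, '#' comments.
# The format is assumed; it is not copied from the real remote list.
GOOD_BODY = r"""# constructed sample, not the real spam-merge list
cheap-pills\.example
\bcasino-bonus\.example\b
"""

# Constructed HTTP error page of the kind that lands in the regex file when the
# response body is written out without being checked.
ERROR_BODY = """<!DOCTYPE html>
<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>
"""

_HTML_START = re.compile(r"^\s*<(!doctype|html|head|body)\b", re.IGNORECASE)


def validate_fetched_list(status: int, body: str) -> Optional[List[str]]:
    """Return the regex lines if the response is usable, else None.

    Rejects non-200 responses, bodies that look like HTML (a 200 from a parked
    domain or captive portal), empty lists, and lines that do not compile as
    regexes. Every line of an HTML error page compiles fine as a regex, which
    is why the status and HTML checks come first.
    """
    if status != 200:
        return None
    if _HTML_START.match(body):
        return None
    lines = [ln.strip() for ln in body.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines:
        return None
    for ln in lines:
        try:
            re.compile(ln)
        except re.error:
            return None
    return lines


def update_regex_list(current: List[str], status: int, body: str) -> Tuple[List[str], bool]:
    """Replace `current` only with a validated fetch; report whether it changed.
    On any rejection the previously known-good list is kept."""
    fetched = validate_fetched_list(status, body)
    if fetched is None:
        return current, False
    return fetched, True


def compile_patterns(lines: List[str]) -> List["re.Pattern"]:
    return [re.compile(ln, re.IGNORECASE) for ln in lines]


def is_spam(text: str, patterns: List["re.Pattern"]) -> bool:
    """True if any blocklist regex matches the submitted text."""
    return any(p.search(text) for p in patterns)
```

The validation is deliberately strict in one direction: a rejected fetch keeps the old list, so the worst case is stale protection rather than none, which is the failure mode the report describes.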
Posted 10 months ago by Alex Chavkin
In the newest NatSkin, when one scrolls down the page and then stops scrolling, the top bar starts flickering (hiding, showing, hiding, showing...) rapidly. The CSS class natBodyStickyTopBar keeps getting set and unset.
This is with the Matter theme if that … matters.
Posted 10 months ago by Michael Daum
The following text is appearing at the top right in the newest NatSkin (7.20) after update, where the logged-in account name would normally appear, next to the bookmark icon.
Error: (3) can't find %GENIMAGE{ text="Name" in Main
(replace Name with the full name of the logged in user in my case)
Based on the macro name, is there perhaps an undeclared dependency on this plugin: ImageGeneratorPlugin ?
I have attached a screenshot for reference
Posted 10 months ago by Michael Daum
There still is room for improvements.