Univention Bugzilla – Bug 42267
Integrate self service into 4.2 web structure + improve usability
Last modified: 2017-04-04 18:28:37 CEST
The self service will be integrated into the main menu of the UCS 4.2 portal and UMC. For this, we will also improve some usability aspects as suggested by Alex Kramer. Screenshots can be found at: https://mail.univention.de/appsuite/#!&app=io.ox/files&folder=1206&id=1206/1396
Created attachment 7983: Alex Kramer's changes
*** Bug 40614 has been marked as a duplicate of this bug. ***
*** Bug 40615 has been marked as a duplicate of this bug. ***
r76337: merges the fork Alexander Kramer did as a final project. The service now runs as a UMC module instead of a standalone web service (done via Bug #42132).
r76338: adds old frontend JS file tree for testing during transition to univention-web.
r76339: core functionality was reestablished, unfinished port to univention-web.
Revision 76495: Most of the CSS was removed. The design was changed to reflect the changes proposed for 4.2. Duplicate JS modules also found in univention-web were removed. UCS 4.2: Package: univention-self-service Version: 2.0.2-3A~4.2.0.201702071439
Looks good so far. I spotted the following points that need some tuning:

(a) JavaScript traceback, it seems that lib.js is not working as it should:
* Uninstall univention-self-service-passwordreset-umc to provoke an error.
* Choose "Protect account access"
* After entering username + password, there will be a traceback in ProtectAccountAccess.js, line 179 ("lib.showMessage()"), it seems that the node handling is not correct here.
* All form fields stay gray.

This can also be provoked with require('selfservice/lib').showMessage('test') on the JS console.

(b) When I enter my email address only once on "Protect Account Access", there is no hint that I have to enter it twice when I press on "Save"

(c) When pressing "Save" (with email address entered two times), I get errors on the JavaScript console (similar to (a)).

(d) As the WSGI code has been removed, the Self Service cannot be installed anymore on a DC slave, see Bug 43565.

(e) The input fields should have a slight grey background.

(f) German translations are missing.

(g) I cannot submit the values by pressing the "enter" key.
(In reply to Alexander Kläser from comment #6)
> [...]
> (c) When pressing "Save" (with email address entered two times), I get
> errors on the JavaScript console (similar to (a)).

In fact when changing the password successfully, there is no information that everything went fine + the form fields are not cleared.
(h) When I request a token to reset the password, the form fields + button are disabled and nothing else happens (no message etc.) → probably similar to (a) ?
(In reply to Alexander Kläser from comment #6)
> Looks good so far. I spotted the following points that need some tuning:
>
> (a) JavaScript traceback, it seems that lib.js is not working as it should:
> * Uninstall univention-self-service-passwordreset-umc to provoke an error.
> * Choose "Protect account access"
> * After entering username + password, there will be a traceback in
> ProtectAccountAccess.js, line 179 ("lib.showMessage()"), it seems that the
> node handling is not correct here.
> * All form fields stay gray.
>
> This can also be provoked with
> require('selfservice/lib').showMessage('test') on the JS console.
>
> (b) When I enter my email address only once on "Protect Account Access",
> there is no hint that I have to enter it twice when I press on "Save"
>
> (c) When pressing "Save" (with email address entered two times), I get
> errors on the JavaScript console (similar to (a)).
>
> (d) As the WSGI code has been removed, the Self Service cannot be installed
> anymore on a DC slave, see Bug 43565.
>
> (e) The input fields should have a slight grey background.

Will be done via Bug 43528.

> (f) German translations are missing.

Will be done via Bug 43594.

> (g) I cannot submit the values by pressing the "enter" key.
At one point, I have been redirected to: /univention/self-service/#newpassword?username=test This is incorrect, the format should be: /univention/self-service/?username=test#newpassword
(In reply to Alexander Kläser from comment #10)
> At one point, I have been redirected to:
>
> /univention/self-service/#newpassword?username=test
>
> This is incorrect, the format should be:
>
> /univention/self-service/?username=test#newpassword

I changed the behavior to
/univention/self-service/#page=newpassword&username=test
Which seems the most common way of doing this:
https://dojotoolkit.org/reference-guide/1.10/dojo/hash.html#examples
https://en.wikipedia.org/wiki/Fragment_identifier#Examples

Package: univention-self-service
Version: 2.0.4-10A~4.2.0.201702231623

TODO: Menu entries
(In reply to Jürn Brodersen from comment #11)
> [...]
> TODO:
> Menu entries

As discussed, I migrated the menu entries. They react dynamically on the login state.

univention-self-service (2.0.5-1):
r77073 | Bug #42267: move menu entries into JavaScript hook module
I fixed the translation of previously untranslated parts. The web interface is now installed to /usr/share/univention-self-service/www as opposed to /var/www/univention/self-service in order to comply with the behaviour of other packages. NOTE: As there has been a file /var/www/univention/self-service/entries.json in some previous package version, make sure to delete this file prior to updating. Otherwise the symbolic link /var/www/univention/self-service → /usr/share/univention-self-service/www will not be created. With a fresh installation everything should be fine. univention-self-service (2.0.5-4): r77353 | Bug #42267: Fix l10n integration
Reopen:

The latest package version was not built, which was done now:
univention-self-service 2.0.5-4A~4.2.0.201703061414

There is a new link on the portal page, which was previously not there: "Passwort settings", is this intended?

When clicking on that link or choosing any of the self-service links from the side menu, an error appears:

Webfrontend-Fehler: Die angegebene Anfrage ist nicht bekannt.
The path '/self-service/index.html' was not found.
(In reply to Erik Damrose from comment #14)
> Reopen:
>
> The latest package version was not built, which was done now:
> univention-self-service 2.0.5-4A~4.2.0.201703061414
>
> There is a new link on the portal page, which was previously not there:
> "Passwort settings", is this intended?
>
> When clicking on that link or choosing any of the self-service links from
> the side menu, an error appears:
>
> Webfrontend-Fehler: Die angegebene Anfrage ist nicht bekannt.
> The path '/self-service/index.html' was not found.

Yep, exactly what I have written above ;) ... the behaviour is fine as this affects only an interim version:

(In reply to Alexander Kläser from comment #13)
> [...]
> NOTE: As there has been a file /var/www/univention/self-service/entries.json
> in some previous package version, make sure to delete this file prior to
> updating. Otherwise the symbolic link /var/www/univention/self-service →
> /usr/share/univention-self-service/www will not be created. With a fresh
> installation everything should be fine.
Please re-add the option for a redirect URL. The function _getUrlForRedirect() already exists, but it is not used. I would suggest to support url=... via the query string as well as url=... via the hash part of the URL. This should work for resetting the password as well as protecting the account. We then need to add the url option to the menu entries in order to be redirected correctly after resetting the password or adding the contact data. Please also add the url option to the email address.
FYI, I adjusted some styling issues. univention-self-service (2.0.9-3): r77574 | Bug #43528: Adjust styling of elements + fix typo
(In reply to Alexander Kläser from comment #16)
> Please re-add the option for a redirect URL. The function
> _getUrlForRedirect() already exists, but it is not used. I would suggest to
> support url=... via the query string as well as url=... via the hash part of
> the URL. This should work for resetting the password as well as protecting
> the account.

If url is not given, please redirect to "/univention".

> We then need to add the url option to the menu entries in order to be
> redirected correctly after resetting the password or adding the contact
> data.

I think if the "/univention" is used here, this would be fine.

> Please also add the url option to the email address.

Forget this point.
(In reply to Alexander Kläser from comment #18)
> (In reply to Alexander Kläser from comment #16)
> > Please re-add the option for a redirect URL. The function
> > _getUrlForRedirect() already exists, but it is not used. I would suggest to
> > support url=... via the query string as well as url=... via the hash part of
> > the URL. This should work for resetting the password as well as protecting
> > the account.
>
> If url is not given, please redirect to "/univention".
>
> > We then need to add the url option to the menu entries in order to be
> > redirected correctly after resetting the password or adding the contact
> > data.
>
> I think if the "/univention" is used here, this would be fine.
>
> > Please also add the url option to the email address.
>
> Forget this point.

r77596: Redirect after password reset and account protection

Package: univention-self-service
Version: 2.0.9-4A~4.2.0.201703101642
Branch: ucs_4.2-0
(In reply to Alexander Kläser from comment #18)
> (In reply to Alexander Kläser from comment #16)
> > Please re-add the option for a redirect URL. The function
> > _getUrlForRedirect() already exists, but it is not used. I would suggest to
> > support url=... via the query string as well as url=... via the hash part of
> > the URL. This should work for resetting the password as well as protecting
> > the account.
>
> If url is not given, please redirect to "/univention".

No, please redirect to /univention/ !
(In reply to Florian Best from comment #20)
> (In reply to Alexander Kläser from comment #18)
> > (In reply to Alexander Kläser from comment #16)
> > > Please re-add the option for a redirect URL. The function
> > > _getUrlForRedirect() already exists, but it is not used. I would suggest to
> > > support url=... via the query string as well as url=... via the hash part of
> > > the URL. This should work for resetting the password as well as protecting
> > > the account.
> >
> > If url is not given, please redirect to "/univention".
> No, please redirect to /univention/ !

Changed
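The redirect behaviour requested in the comments above (url=... read from the query string or from the hash part, fallback to /univention/), written out as an added example that is not part of the thread and is not the project's _getUrlForRedirect(). The function names, the host ucs.example and the same-origin restriction on the target are assumptions of this example.

```javascript
// Added example, not code from univention-self-service.
// Fallback target requested in the thread when no url is given.
const DEFAULT_TARGET = '/univention/';

// Read the `url` option from the query string first, then from the hash part.
// The hash is expected in the key=value&key=value form the thread settled on,
// e.g. #page=newpassword&username=test
function readUrlParam(pageUrl) {
  const parsed = new URL(pageUrl);
  const fromQuery = parsed.searchParams.get('url');
  if (fromQuery !== null) {
    return fromQuery;
  }
  const hashParams = new URLSearchParams(parsed.hash.replace(/^#/, ''));
  return hashParams.get('url');
}

// Resolve where to send the browser after the password reset or after the
// contact data was saved.
// Assumption of this example: only targets on the page's own origin are
// followed; anything else falls back to DEFAULT_TARGET.
function resolveRedirect(pageUrl) {
  const origin = new URL(pageUrl).origin;
  const candidate = readUrlParam(pageUrl);
  if (!candidate) {
    return DEFAULT_TARGET;            // missing or empty url option
  }
  let target;
  try {
    // Relative values are resolved against the origin root.
    target = new URL(candidate, origin);
  } catch (err) {
    return DEFAULT_TARGET;            // not parseable as a URL
  }
  // Absolute URLs, scheme-relative URLs (//host/...) and non-http schemes
  // all end up with a different origin after parsing.
  if (target.origin !== origin) {
    return DEFAULT_TARGET;
  }
  // Hand back a path-only value so the caller never navigates off-site.
  return target.pathname + target.search + target.hash;
}

// Constructed sample inputs (hypothetical host).
const BASE = 'https://ucs.example/univention/self-service/';
const SAMPLES = [
  BASE + '#page=newpassword&username=test',
  BASE + '?url=%2Funivention%2Fmanagement%2F#page=newpassword',
  BASE + '#page=newpassword&url=/univention/portal/',
  BASE + '?url=https%3A%2F%2Fother.example%2F#page=newpassword',
];
for (const sample of SAMPLES) {
  console.log(sample, '->', resolveRedirect(sample));
}
```
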
Reopen
Sorry for last comment
Reopen: There is no input validation when sending the form. When entering different phone numbers or email addresses, there are JS warnings about that, but I can click 'save' (or press enter) and the wizard will close, redirect me to /univention/, and the values will be set at the user object.

I also think that the UMC always has the 'save' button on the lower right, not the cancel button.
(In reply to Erik Damrose from comment #23)
> Sorry for last comment
> Reopen: There is no input validation when sending the form. When entering
> different phone numbers or email addresses, there are JS warnings about that,
> but I can click 'save' (or press enter) and the wizard will close, redirect
> me to /univention/, and the values will be set at the user object.
>
> I also think that the UMC always has the 'save' button on the lower right,
> not the cancel button.

Both fixed:
r77738: switch save/cancel button; fix input validation

Package: univention-self-service
Version: 2.0.10-2A~4.2.0.201703151523
Branch: ucs_4.2-0
Created attachment 8595: Screenshot

The label for "E-Mail" is missing and the label for "E-Mail (wiederholen)" is at the wrong place.
The input fields aren't reset after e.g. requesting a token.
(In reply to Florian Best from comment #26)
> The input fields aren't reset after e.g. requesting a token.

I don't know which fields you mean? After entering your request token you should be redirected. Did that not work? The back and cancel buttons clean reset the fields for me.
(In reply to Florian Best from comment #25)
> Created attachment 8595 [details]
> Screenshot
>
> The label for "E-Mail" is missing and the label for "E-Mail (wiederholen)"
> is at the wrong place.

I think the idea was that the label is for both fields. But afaik we are not using a design like that anywhere else. I changed it.

r78028: separate labels for first input and retype input

Package: univention-self-service
Version: 2.0.10-5A~4.2.0.201703211148
Branch: ucs_4.2-0
(In reply to Jürn Brodersen from comment #27)
> (In reply to Florian Best from comment #26)
> > The input fields aren't reset after e.g. requesting a token.
>
> I don't know which fields you mean? After entering your request token you
> should be redirected. Did that not work? The back and cancel buttons clean
> reset the fields for me.

There was no redirection because the request failed. Then I switched to "forgot password" and switched back.
(In reply to Florian Best from comment #29)
> (In reply to Jürn Brodersen from comment #27)
> > (In reply to Florian Best from comment #26)
> > > The input fields aren't reset after e.g. requesting a token.
> >
> > I don't know which fields you mean? After entering your request token you
> > should be redirected. Did that not work? The back and cancel buttons clean
> > reset the fields for me.
>
> There was no redirection because the request failed. Then I switched to
> "forgot password" and switched back.

I don't see a quick way to fix that. Moved to bug 44021.
I installed the App on a UCS@school edu-slave and had to follow the link in the app center to find the password-reset module.

When I enter any username I get a window that says "Verboten".

In /var/log/univention/management-console-web-server.log:

24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand (10.205.1.238:59296) response status code: 403
24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand (10.205.1.238:59296) response message: Verboten
24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand (10.205.1.238:59296) response result: None

You can see it in 10.200.3.121
(In reply to Daniel Tröder from comment #31)
> I installed the App on a UCS@school edu-slave and had to follow the link in
> the app center to find the password-reset module.
>
> When I enter any username I get a window that says "Verboten".
>
> In /var/log/univention/management-console-web-server.log:
>
> 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response status code: 403
> 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response message: Verboten
> 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> (10.205.1.238:59296) response result: None
>
> You can see it in 10.200.3.121

You need to install univention-self-service-passwordreset-umc on your DC Master.
(In reply to Florian Best from comment #32)
> (In reply to Daniel Tröder from comment #31)
> > I installed the App on a UCS@school edu-slave and had to follow the link in
> > the app center to find the password-reset module.
> >
> > When I enter any username I get a window that says "Verboten".
> >
> > In /var/log/univention/management-console-web-server.log:
> >
> > 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> > (10.205.1.238:59296) response status code: 403
> > 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> > (10.205.1.238:59296) response message: Verboten
> > 24.03.17 13:07:28.392 MAIN ( PROCESS ) : CPCommand
> > (10.205.1.238:59296) response result: None
> >
> > You can see it in 10.200.3.121
>
> You need to install univention-self-service-passwordreset-umc on your DC
> Master.

Fixed in https://forge.univention.org/bugzilla/show_bug.cgi?id=43899#c11
When I want to set my contact information I have to enter my username. That seems unnecessary, as I am already logged in. That the provide-contact-page is outside the UMC is not obvious (or interesting) to the user and there is no navigation to it except from inside the UMC (side bar). Please at least pre-fill the username. If possible provide a session key, so that not even a password is needed.
When UCRV umc/self-service/passwordreset/sms/password_file is not set, a TypeError is not caught:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv
    self.handle(msg)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv
    self.handle(msg)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 286, in handle
    self.__handler.init()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 226, in init
    self.send_plugins = get_sending_plugins(MODULE.process)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/sending/__init__.py", line 33, in get_plugins
    plugins[plugin_class.send_method()] = plugin_class(log)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/sending/send_sms.py", line 72, in __init__
    with open(self.password_file) as pw_file:
TypeError: Die Initialisierung des Moduls ist fehlgeschlagen: Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 178, in _recv
    self.handle(msg)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/modserver.py", line 286, in handle
    self.__handler.init()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/__init__.py", line 226, in init
    self.send_plugins = get_sending_plugins(MODULE.process)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/sending/__init__.py", line 33, in get_plugins
    plugins[plugin_class.send_method()] = plugin_class(log)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/passwordreset/sending/send_sms.py", line 72, in __init__
    with open(self.password_file) as pw_file:
TypeError: coercing to Unicode: need string or buffer, NoneType found
Created attachment 8657: handle no password file

Either allow "no password file" as in attached patch, or catch and raise on TypeError.
(In reply to Daniel Tröder from comment #34)
> there is no navigation to it except from inside
> the UMC (side bar).

Not true: just found it in the hamburger menu.
Whitelist-checks are not correct: When a whitelist is set, but a user that is in not on any blacklist or whitelist, he should be rejected, but is not. Fix: Index: umc/python/passwordreset/__init__.py =================================================================== --- umc/python/passwordreset/__init__.py (Revision 78343) +++ umc/python/passwordreset/__init__.py (Arbeitskopie) @@ -519,7 +519,7 @@ # not on either black or white list -> not allowed if whitelist exists, else OK MODULE.info("is_blacklisted({}): neither black nor white listed".format(username)) - return not (wh_users or wh_groups) + return bool(wh_users or wh_groups)
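Review bot: The unchanged comment above the return in the @@ -519 hunk is worded in terms of "allowed/OK", while the log line shows the function is is_blacklisted() and the new return yields True for a rejected user, so the comment and the return value have opposite polarity and the sign is easy to get wrong again. Suggest rewording the comment in terms of the return value, for example "not on either list -> blacklisted (True) if a whitelist exists, else False", and including the decision in the MODULE.info message instead of only "neither black nor white listed". A regression test for the reported case (whitelist set, user on no list, expected result: rejected) alongside the no-whitelist case would pin the behaviour down.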
(In reply to Daniel Tröder from comment #34)
> If possible provide a session key, so that not even a password is needed.

If no password is asked an attacker could just enter his own mail address and reset the user password (if the user was already logged in)
r78373: fix whitelist check; prefill username; allow unset sms secret
(In reply to Jürn Brodersen from comment #39)
> (In reply to Daniel Tröder from comment #34)
> > If possible provide a session key, so that not even a password is needed.
>
> If no password is asked an attacker could just enter his own mail address
> and reset the user password (if the user was already logged in)

Where would the attacker get the session key from?
(In reply to Daniel Tröder from comment #41)
> (In reply to Jürn Brodersen from comment #39)
> > (In reply to Daniel Tröder from comment #34)
> > > If possible provide a session key, so that not even a password is needed.
> >
> > If no password is asked an attacker could just enter his own mail address
> > and reset the user password (if the user was already logged in)
> Where would the attacker get the session key from?

If a user forgets to log out or is away from his keyboard in a public environment (schools etc.). Also everybody does it ;) See for example passwd on linux.
(In reply to Jürn Brodersen from comment #40)
> r78373: fix whitelist check; prefill username; allow unset sms secret

OK: r78373: fix whitelist check; prefill username; allow unset sms secret

(In reply to Jürn Brodersen from comment #42)
> (In reply to Daniel Tröder from comment #41)
> > (In reply to Jürn Brodersen from comment #39)
> > > (In reply to Daniel Tröder from comment #34)
> > > > If possible provide a session key, so that not even a password is needed.
> > >
> > > If no password is asked an attacker could just enter his own mail address
> > > and reset the user password (if the user was already logged in)
> > Where would the attacker get the session key from?
>
> If a user forgets to log out or is away from his keyboard in a public
> environment (schools etc.).

True - you're right - it's better this way.
I've added a changelog entry: r78452.
UCS 4.2 has been released: https://docs.software-univention.de/release-notes-4.2-0-en.html https://docs.software-univention.de/release-notes-4.2-0-de.html If this error occurs again, please use "Clone This Bug".