@camfindlay This is great!
As @wardi said on the mailing list it would be great to get as many of these as possible in CKAN core. See my comments below:
Stronger password reset tokens
This could be ported straight to core (here)
Brute force protection
Can you describe how this works?
Cookie-based CSRF protection for requests
This has been on our list forever and would be awesome to get integrated in core. Do you think that your implementation is generic enough for this? Do you mind give an overview of the implementation?
Removed ability to change usernames after signup
I just merged this to master and will be part of 2.7.x (ckan/ckan#3531)
Server-side session storage
IIRC this was already available, it's just a matter of configuring the relevant beaker.* config options right? (and perhaps document it better, with a dedicated section in the docs)
Session invalidation on logout
That sounds really sensible and something that could be ported upstream. I could not find where or how you do it though.
Stronger password validators (NZISM compatible)
See ckan/ckan#3601. We definitely want to increase the default requirement but allow extensions to override to fit custom requirements. Obviously the main problem is that there is not an easy way to override the user schema as there is no suitable interface, so you either have to monkey-patch like in your case or override the whole user_update to pass a custom schema. We need to provide an IUserForm that allows the same customization as eg IDatasetForm.
When users try to reset a password for an email address, CKAN will no longer disclose whether or not that email address exists in the DB.
I think this is something that different maintainers may have different views on, so I'm not too worried about getting it into core but also not against it.
It would be great to know your views on this and better yet if some PR come out of it!
cc @ckan/Core
@camfindlay This is great!
As @wardi said on the mailing list it would be great to get as many of these as possible in CKAN core. See my comments below:
This could be ported straight to core (here)
Can you describe how this works?
This has been on our list forever and would be awesome to get integrated in core. Do you think that your implementation is generic enough for this? Do you mind give an overview of the implementation?
I just merged this to master and will be part of 2.7.x (ckan/ckan#3531)
IIRC this was already available, it's just a matter of configuring the relevant
beaker.*config options right? (and perhaps document it better, with a dedicated section in the docs)That sounds really sensible and something that could be ported upstream. I could not find where or how you do it though.
See ckan/ckan#3601. We definitely want to increase the default requirement but allow extensions to override to fit custom requirements. Obviously the main problem is that there is not an easy way to override the user schema as there is no suitable interface, so you either have to monkey-patch like in your case or override the whole
user_updateto pass a custom schema. We need to provide anIUserFormthat allows the same customization as egIDatasetForm.I think this is something that different maintainers may have different views on, so I'm not too worried about getting it into core but also not against it.
It would be great to know your views on this and better yet if some PR come out of it!
cc @ckan/Core