- ugettext functions will be removed in Django 4.0. Each use emits a warning
when running with Django 3.2. Since we have warnings enabled in developer mode,
we see quite a few messages because of this.
- ugettext is already a simple alias of gettext. So, no regressions are
expected.
Tests:
- Accessing an affected app in UI with Django 3.2 and Django 2.2 works fine.
- Using Django 3.2 there are no warnings related to removal of ugettext
functions.
- Ran regular unit tests.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2074
sunil's changes:
- Ensure that secret is not asked for a second time after creating admin user
and logging in (this happens due to discarding of old session and creating new
one).
- Ensure that this logic is not applied to users using FreedomBox images who are
not required to input the first wizard secret.
- Change the name of the session variable for readability.
Tests performed:
- Without the patch, start first boot wizard on the first browser on a
FreedomBox image (or run the file `base64 < /dev/urandom | head -c 16 | sed -e
's+$+\n+' > /var/lib/plinth/firstboot-wizard-secret`). Finish the welcome step
with first wizard secret. Then open a second browser or from another computer
visit the web interface. The first wizard secret is not asked and user can
create an admin account.
- Repeat with fresh image again with the patch. To mimic fresh image, one may
run `sudo rm -f /var/lib/plinth/plinth.sqlite3` and `echo "password" | sudo
/freedombox/actions/users remove-user tester`. This time when a different
browser other than the one that provided the first wizard secret tries to access
the account creation page, a redirection will occur to welcome page. Providing
the first wizard secret takes the user to account creation page.
- Accessing network first wizard page or internal pages on second browser also
takes one back to the welcome page.
- Accessing help pages from second browser requires login.
- Accessing account login page from second browser is allowed. After creating
the account from first browser, second browser can log in and continue the
wizard.
- Clearing cookies in the middle of the wizard takes the user back to welcome
page.
- Clear cookies in the middle of the wizard. Visit the wizard, go to first boot
welcome page. Provide secret and the wizard will continue where it was left
off.
- Clear cookies in the middle of the wizard. Visit the wizard, go to first boot
welcome page. Access login page, log in as admin. Then first wizard secret is
not asked. First wizard can be continued.
- On a fresh image, simply complete the first wizard. No change to earlier flow
is noticed. First wizard secret is only asked once at the beginning.
- On a fresh image, remove the file /var/lib/plinth/firstboot-wizard-secret.
First wizard can be completed without the secret.
[sunil: improvements to original patch by Kirill Schmidt]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
No longer showing network connections in firstboot. Removed dead code.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- A freshly installed FreedomBox can be hijacked by a third party and an admin
account can be created which can be used to inject malware or simply take over
the instance. Password protecting the firstboot step is a good way to avoid
this. A secret will be displayed to the user as soon as the Plinth package
is installed, which they have to enter during firstboot welcome step. Also,
writing this to a file in plinth's home in case the user loses it.
- This protection is not applicable for images built by freedom-maker and for
Amazon Machine Images.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
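The per-session gate that the two commit messages above describe (a secret required at the welcome step, remembered for the browser session that supplied it), sketched as an added example that is not FreedomBox's own code. The session is modelled as a plain dict, and the URL paths, function names and session key are hypothetical.

```python
import hmac
import secrets

# Hypothetical names throughout; a session is modelled as a plain dict.
SESSION_KEY = "firstboot_secret_provided"
WELCOME, LOGIN = "/firstboot/welcome/", "/accounts/login/"
OPEN_PATHS = {WELCOME, LOGIN}  # reachable before the secret is given


def generate_secret():
    """Random 16-character secret to show the person installing the package."""
    return secrets.token_urlsafe(12)


def submit_secret(session, supplied, stored):
    """Welcome step: constant-time compare, then mark only this session."""
    ok = hmac.compare_digest(supplied.encode(), stored.encode())
    if ok:
        session[SESSION_KEY] = True
    return ok


def gate(path, session, stored, firstboot_done=False, is_admin=False):
    """Return a redirect target, or None when the request may proceed."""
    if firstboot_done or stored is None:  # wizard finished, or no secret file
        return None
    if is_admin or session.get(SESSION_KEY):  # logged in, or secret already given
        return None
    if path in OPEN_PATHS:
        return None
    return WELCOME  # any other browser is sent back to the welcome step


def rotate_session_after_login(old_session):
    """Login discards the old session; carry the flag so the secret is not re-asked."""
    new_session = {}
    if old_session.get(SESSION_KEY):
        new_session[SESSION_KEY] = True
    return new_session
```

Keeping the flag in the session rather than in global state is what prevents a second browser from skipping the welcome step once the first browser has entered the secret.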
- Fix major regression so that steps can be submitted multiple times in
case of errors.
- Don't serve the welcome page (and other pages) only once. Show it
until an action is taken. This does not apply to the final step.
- Eliminate all coupling of one first boot step on another.
- Move first boot helper methods to __init__.py instead of middleware as
it is more generic than middleware.
- Implement caching the first boot state to avoid an SQL query on every
page load. The down side is that if first boot state is modified in
the backend DB outside Plinth, Plinth will need to be restarted to
catch the modified value.
- Mark some methods as private.
- Refactor middleware code for slightly more simplicity.
- Don't show sidebar in pagekite first boot step. Set width like other
pages.
- As discussed in the first boot redesign proposal.
- Images are taken from Tango icon set, GNOME icons or created.
- Responsive, works for very small widths also.
- First cut, special cases of network connectivity are not handled.
- Setting a new hostname is not one of the most burning issues to be taken
care of during the setup process.
- Also, most likely the user will access the FreedomBox machine using
mDNS hostname such as freedombox.local. Changing the hostname mid
setup might have consequences that need to be thought about properly.
The package license (AGPL3+) implicitly indicates the license of each
file. However, it is desirable to have license headers in each file.
This is the case for many prominent projects like GNU project, Mozilla
etc.