Hi Caleb,
On Sat, Jan 23, 2010 at 4:08 AM, Caleb James DeLisle <calebdelisle(a)lavabit.com> wrote:
I would like to make the new registration page an application because it
will make it much easier for the wiki administrator to add fields because
the code has to have the right to save information which is passed to it.
It is also very big, about 300 lines of code and 300 lines of configuration
and comments. Something this size doesn't seem suited for the templates
directory.
Finally it is highly extendable. It contains a large configuration which
defines all of its fields because it is meant to be edited and have more
fields added.
I think placing it in the templates section would put it where wiki
administrators would not have such easy access to it.
Available here are the current velocity template and the (slightly older)
syntax2.0 code snippet
http://jira.xwiki.org/jira/browse/XWIKI-4778
By the way, a quick thought: I think the current validation code doesn't
check whether the username entered by the user exists already before trying
to register. It would be nice to check for that too.
I plan to leave the original registerinline.vm in place if I make this an
application, although I will need to modify it to stop using RegisterAction
and disable RegisterAction to prevent RegisterAction being a hole for
unverified registrations.
A full list of checks currently implemented:
1. All fields must contain something.
   Checked on client and server side.
   A red * is put next to the mandatory fields.
2. firstName and lastName can't contain ' " < > \
   Checked on client and server side.
3. Username can't be the name of an existing document.
   (this was already checked by createUser but the velocity
   can provide more friendly error messages)
4. Passwords must match
   Checked on client and server side.
5. Email must match regex (adapted from LiveValidation)
   Checked on client and server side.
Notably missing is a regex check of the username but it is checked by createUser
using an expression specified in the configuration and I didn't want to interfere
with this functionality.
Additional behavior:
If a user gets something wrong (and LiveValidation doesn't stop them)
they get the form again but all of the fields are filled in so they only have
to correct their mistake.
Because this opens a reflective XSS hole, if there are any parameters other than
xredirect, then it checks to make sure the method is POST and the referer is
the same page, otherwise it redirects to itself with the only parameter being
xredirect (if it already existed).
Also posted this to the jira issue
Guillaume
Caleb
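An added illustration, not part of the thread and not XWiki code: a Python model of the server-side checks 1 to 4 and of the request gate described in the message above (parameters other than xredirect are accepted only on a POST whose referer is the same page). The function names, the field names other than firstName and lastName, and the page URL used when calling it are assumptions; the e-mail regex is left out because the message does not give it.

```python
from urllib.parse import urlencode, urlsplit

# Field names other than firstName/lastName are assumed for this sketch.
REQUIRED = ("firstName", "lastName", "username", "password", "password2", "email")
FORBIDDEN_NAME_CHARS = set("'\"<>\\")  # check 2 in the list


def same_page(referer, page_url):
    """True only if the Referer names the same scheme, host and path."""
    if not referer:
        return False
    r, p = urlsplit(referer), urlsplit(page_url)
    return (r.scheme, r.netloc, r.path) == (p.scheme, p.netloc, p.path)


def gate_request(method, page_url, params, referer):
    """Return ("process", params) or ("redirect", url) per the rule above."""
    if all(k == "xredirect" for k in params):
        return ("process", params)  # nothing user-supplied to echo back
    if method.upper() == "POST" and same_page(referer, page_url):
        return ("process", params)
    # Otherwise discard everything except xredirect and reload the page.
    keep = {k: v for k, v in params.items() if k == "xredirect"}
    return ("redirect", page_url + ("?" + urlencode(keep) if keep else ""))


def validate(fields, existing_docs):
    """Server-side checks 1 to 4; the e-mail regex (check 5) is not modelled."""
    errors = []
    for name in REQUIRED:
        if not fields.get(name, "").strip():
            errors.append(name + ": required")
    for name in ("firstName", "lastName"):
        if FORBIDDEN_NAME_CHARS & set(fields.get(name, "")):
            errors.append(name + ": forbidden character")
    if fields.get("username") in existing_docs:
        errors.append("username: document already exists")
    if fields.get("password") != fields.get("password2"):
        errors.append("password: mismatch")
    return errors
```

The gate only narrows when submitted values are echoed back; the echoed values still need HTML-escaping when the form is re-rendered.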