Difference between revisions of "Future Plans"

From GeeklogWiki
Jump to: navigation, search
(OAuth)
(minor updates and additions)
Line 3: Line 3:
 
== Clean up Remote Authentication ==
 
== Clean up Remote Authentication ==
  
With the addition of OpenID and LDAP support in Geeklog 1.5.0, remote users will become more common and existing problems will become more apparent. For example:
+
With the addition of [[OpenID]] and [[LDAP Remote Authentication|LDAP]] support in Geeklog 1.5.0, remote users will become more common and existing problems will become more apparent. For example:
  
 
* Duplicate email addresses
 
* Duplicate email addresses
Line 9: Line 9:
 
* Ability to make remote users "local" users (and vice versa)
 
* Ability to make remote users "local" users (and vice versa)
 
* Need to clean up and unify / merge the login forms (side block and users.php)
 
* Need to clean up and unify / merge the login forms (side block and users.php)
* Add a "service" column in the Admin's user list when remote auth is enabled to easily identify remote users and the service they're using
 
 
* Ability to re-sync data with remote auth service, e.g. change of email address
 
* Ability to re-sync data with remote auth service, e.g. change of email address
 
* Clean up user preferences ("My Account") for remote users: Hide options that are not available (e.g. password change)
 
* Clean up user preferences ("My Account") for remote users: Hide options that are not available (e.g. password change)
* Also: Support for OpenID 2.0 would be nice (Geeklog 1.5.0 supports OpenID 1.1)
+
* Also: [[SoC full openid support|Support for OpenID 2.0]] would be nice (Geeklog 1.5.0 supports OpenID 1.1)
  
  
Line 21: Line 20:
 
* Re-ordering / re-grouping of options
 
* Re-ordering / re-grouping of options
 
* Ability to allow config access for certain user groups (currently requires Root access for everything)
 
* Ability to allow config access for certain user groups (currently requires Root access for everything)
 +
* Searching for a setting
  
  
Line 65: Line 65:
 
** 403 Access denied (obvious; already used in some places)
 
** 403 Access denied (obvious; already used in some places)
 
** 409 Conflict (e.g. when something already exists)
 
** 409 Conflict (e.g. when something already exists)
** 500 Internal Server Errror (sounds like we should send that whenever we display "Unfortunately an error occured ...")
+
** 500 Internal Server Errror (already used for "Unfortunately an error occured ..." - where else?)
 
* Make use of <tt>Last-Modified:</tt> header (where is this actually possible?)
 
* Make use of <tt>Last-Modified:</tt> header (where is this actually possible?)
* Output compression
 
  
 
=== Microformats ===
 
=== Microformats ===
  
 
Somewhat related: Look into using (more) [http://microformats.org/ Microformats]
 
Somewhat related: Look into using (more) [http://microformats.org/ Microformats]
 +
  
 
[[Category:Development]]
 
[[Category:Development]]

Revision as of 12:59, 15 May 2009

Things to consider for future releases

Clean up Remote Authentication

With the addition of OpenID and LDAP support in Geeklog 1.5.0, remote users will become more common and existing problems will become more apparent. For example:

  • Duplicate email addresses
  • Missing email addresses
  • Ability to make remote users "local" users (and vice versa)
  • Need to clean up and unify / merge the login forms (side block and users.php)
  • Ability to re-sync data with remote auth service, e.g. change of email address
  • Clean up user preferences ("My Account") for remote users: Hide options that are not available (e.g. password change)
  • Also: Support for OpenID 2.0 would be nice (Geeklog 1.5.0 supports OpenID 1.1)


Configuration

The configuration GUI, introduced in Geeklog 1.5.0, will probably require adjustments once it's in widespread use, e.g.

  • Re-ordering / re-grouping of options
  • Ability to allow config access for certain user groups (currently requires Root access for everything)
  • Searching for a setting


Security

Passwords

It's about time we replace the md5 password hashes with something more modern and robust.

  • Maybe use phpass
  • To solve: What do we do with existing accounts?

WSSE

Somewhat related: If we wanted to support WSSE for the Webservices, we would either need to store the user's password in a way that's secure but reversible (so that we can get the unencrypted password for use in WSSE authentication) or think of a way to create a token / temp. password that the user can use in WSSE authentication.

HTTP Digest Authentication

Alternatively (instead of WSSE), if we wanted to support HTTP Digest Authentication, we would only have to keep track of the (user:realm:password) hash, probably as a separate field in the gl_users table, that needs to be updated whenever one of the three elements changes.

OAuth

Would OAuth help?

HTML filter

Since kses is no longer maintained, we need a replacement.

Requirements:

  •  ??? (tbd)

Candidates:


Make better use of HTTP

Sounds odd, but there's a lot of room in Geeklog to make better use of specific features of HTTP, especially HTTP status codes and additional HTTP headers.

  • HTTP status code 201: The proper response after creating something would be a 201 status code, accompanied by a Location: header pointing to the newly created resource.
  • HTTP status code 303: When something has more than one URI, we should point the client to the preferred URI, using a 303 and a Location: header.
    Example: when URL rewriting is enabled and the request was for the "non-rewritten" URL.
  • HTTP status codes 4xx and 5xx: In case of an error, we usually only display a human-readable error message, but send a 200 status code. There's a whole range of HTTP status codes that would make more sense to use, for example:
    • 400 Bad Request (invalid / incomplete data)
    • 403 Access denied (obvious; already used in some places)
    • 409 Conflict (e.g. when something already exists)
    • 500 Internal Server Errror (already used for "Unfortunately an error occured ..." - where else?)
  • Make use of Last-Modified: header (where is this actually possible?)

Microformats

Somewhat related: Look into using (more) Microformats