expo/expoweb
1
0
Fork 0
mirror of https://expo.survex.com/repositories/expoweb/.git/ synced 2025-12-08 14:54:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

footnote - online edit of handbook/troggle/trogregistr.html

Browse Source
This commit is contained in:
Philip Sargent
2025-02-16 17:48:24 +00:00
committed by Expo on server
parent 3c7e86cd32
commit 2e8ad46ad4
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
handbook/troggle/trogregistr.html
View File

@@ -5,12 +5,13 @@
<title>Handbook Troggle Development</title>
<link rel="stylesheet" type="text/css" href="/css/main2.css" />
</head>
<body><style>body { background: #fff url(/images/style/bg-system.png) repeat-x 0 0 }</style>
<body>
<style>body { background: #fff url(/images/style/bg-system.png) repeat-x 0 0 }</style>
<h2 id="tophead">CUCC Expedition Handbook: Troggle</h2>
<h1>Troggle Login and user registration</h1>
<h1>Troggle Login and Django-registration</h1>
<h2>Done as of April 2021</h2>
<p>We did option #1. No problem.
<p>We did option #1. No problem. But see 2025 <a href="#footnote">footnote</a>.
<h2>Position as of June 2020 </h2>
<p>Troggle has two "users", each with a password. They are managed by entirely separate systems:
<ol>
@@ -50,12 +51,20 @@ Django gives us fine-grained access control settings for admin users so we can e
<p>We write out own code to manage the "expo" user's capabilities and login GET/POST form (which would still have to use Django's form POST mechanisms because of session handling, CRSF security, cookies etc. etc.).
<p>It might appear that proposal #2 would be on the road to eventually leaving Django, but because of the security issues it wouldn't really. This would all need to be rewritten again when we leave Django. So I think Proposal #1 will require less wasted work.
<hr />
<h3 id = footnote>Footnote 2025</h3>
<p>As troggle expands its capabilities we have been discovering that we could really use an individual user identification system.
<ul>
<li>So that we can individually attribute git commits to people, as opposed to only have "expo" on the records of who edited what.
<li>Having a single anonymous superuser "expoadmin" with superuser capabilities is something of a security hole. Some online actions, such as the recent "logbook entry deletion" capability really require some better handling.
</ul>
<p>So in January 2025 we introduced our own simple user registration system which stores the data as encrypted entries in JSON files, since we have a "file first & re-import" storage architecture whereas all other Django systems use a "database first" system.
<p>This new registration system integrates with the experimental "expo signup" system whereby people we don't (yet) know can sign up to request to come on expo, and be easily distinguished from attendees from previous expos.
<hr />
Return to: <a href="trogdesign.html">Troggle design and future implementations</a><br />
Return to: <a href="trogintro.html">Troggle intro</a><br />
Troggle index:
<a href="trogindex.html">Index of all troggle documents</a><br />
<hr />
</body>
<hr /></body>
</html>