Commit 6aa8a6a0 authored by IKEDA Soji's avatar IKEDA Soji

[feature] WWSympa: New "auth" action to confirm actions.

- request_auth.tt2 will show web link instead of mailto link by default.
- potentially risky one-time ticket will no longer be used to authorize subscription and unsubscription.
parent 70e8323e
[%# request_auth.tt2 ~%]
To: [% to %]
[% IF user_interfaces.size() == 1 and user_interfaces.0 == 'mail' -%]
Subject: [% FILTER qencode %]AUTH [%keyauth%] [%cmd%][%END%]
[%- ELSIF type == 'signoff' -%]
Subject: [% FILTER qencode %][%|loc(conf.title,list.name)%]%1 / unsubscribing from %2[%END%][%END%]
[%- ELSIF type == 'subscribe' -%]
Subject: [% FILTER qencode %][%|loc(conf.title,list.name)%]%1 / subscribing to %2[%END%][%END%]
[%- ELSE -%]
Subject: [% FILTER qencode %]AUTH [%keyauth%] [%cmd%][%END%]
[%- END %]
[% IF type == 'signoff' -%]
[% IF type == 'signoff' -%]
[%|loc(list.name)-%]You asked for your e-mail address to be removed from list '%1'.[%- END -%]
[%- ELSIF type == 'subscribe' -%]
[%- ELSIF type == 'subscribe' -%]
[%|loc(list.name)-%]You asked for your e-mail address to be added to list '%1'.[%- END -%]
[%- ELSIF type == 'add' -%]
[%- ELSIF type == 'add' -%]
[%|loc(list.name)-%]You requested a user subscription in list %1.[%- END -%]
[%- ELSIF type == 'del' -%]
[%- ELSIF type == 'del' -%]
[%|loc(list.name)-%]You requested a user removal from list %1.[%- END -%]
[%- ELSIF type == 'remind' -%]
[%- ELSIF type == 'remind' -%]
[%|loc(list.name)-%]You requested a subscription reminder to be sent to each subscriber of list %1[%- END -%]
[%- ELSIF type == 'global_remind' -%]
[%- ELSIF type == 'global_remind' -%]
[%|loc-%]You requested a subscription reminder to be sent to each subscriber of list '*'[%- END -%]
[%- END -%]
[% sympa = BLOCK %][% conf.email %]@[% conf.host %][%END%]
[%- ELSE -%]
[%|loc(type)%]You requested an action '%1'.[% END -%]
[%- END -%]
[% IF user_interfaces.size() == 1 and user_interfaces.0 == 'mail' -%]
[% sympa = BLOCK %][% conf.email %]@[% conf.host %][%END -%]
[%|loc(sympa,"AUTH ${keyauth} ${cmd}") %]If you want this action to be taken, please
- reply to this mail
......@@ -30,8 +43,10 @@ OR
%2
OR
- hit the following mailto[% END %]
[% | mailtourl({subject => "AUTH ${keyauth} ${cmd}"}) ~%]
[% conf.email %]@[% conf.host %]
[%~ END %]
[% sympa | mailtourl({subject => "AUTH ${keyauth} ${cmd}"}) %]
[%- ELSE -%]
[%|loc%]If you want this action to be taken, please hit the following link:[%END%]
[% 'auth' | url_abs([keyauth,type],{email=>to}) ~%]
[%- END %]
[%|loc-%]If you do not want this action to be taken, you can safely ignore this message.[% END %]
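Review bot: The new ELSE branch builds the confirmation link with `'auth' | url_abs([keyauth,type],{email=>to})`, which puts the authorization key and the recipient address into the URL itself. Both will therefore be recorded wherever URLs are recorded: web-server access logs, browser history, and any mail gateway that scans or rewrites links. That is only safe while the `auth` page never acts on the bare request and always waits for the explicit Confirm submit; whether the confirmation is restricted to POST is not visible on this page. A template comment next to the link would keep that invariant in view, for example `[%# keyauth in this URL is a credential: the 'auth' action must not spend it without an explicit confirmation ~%]`.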
......@@ -25,6 +25,25 @@
<p><strong>
[%|loc%]Do you really want to delete Selected Archives?[%END%]
</strong></p>
[%~ ELSIF confirm_action == 'auth' ~%]
<h2><i class="fa fa-check-square"></i>
[% IF heldaction == 'add' ~%]
[%|loc%]Add subscribers[%END%]
[%~ ELSIF heldaction == 'del' ~%]
[%|loc%]Delete selected email addresses[%END%]
[%~ ELSIF heldaction == 'remind' || heldaction == 'global_remind' ~%]
[%|loc%]Remind all subscribers[%END%]
[%~ ELSIF heldaction == 'signoff' ~%]
[%|loc%]Unsubscribe[%END%]
[%~ ELSIF heldaction == 'subscribe' ~%]
[%|loc%]Subscribe[%END%]
[%~ ELSE ~%]
[%|loc%]Validation[%END%]
[%~ END %]
</h2>
<p><strong>
[%|loc%]Do you really want this action to be taken?[%END%]
</strong></p>
[%~ ELSIF confirm_action == 'close_list' ~%]
<h2><i class="fa fa-check-circle"></i>
[%|loc%]Remove List[%END%]
......@@ -159,6 +178,10 @@
<input type="checkbox" id="zip" name="zip" value="1" checked="checked" />
<label for="zip">[%|loc%]Download deleted archives[%END%]</label>
</div>
[%~ ELSIF confirm_action == 'auth' ~%]
<input type="hidden" name="id" value="[% id %]" />
<input type="hidden" name="heldaction" value="[% heldaction %]" />
<input type="hidden" name="email" value="[% email %]" />
[%~ ELSIF confirm_action == 'del' ~%]
[% FOREACH e = email ~%]
<input type="hidden" name="email" value="[% e %]" />
......@@ -228,6 +251,15 @@
value="[%|loc%]I am not a spammer[%END%]" />
</div>
<p>[%|loc%]This button aims at protecting mailing lists archives against Spam Harvester.[%END%]</p>
[%~ ELSIF confirm_action == 'auth' ~%]
<div>
<input class="MainMenuLinks" type="submit"
id="response_action_confirm" name="response_action_confirm"
value="[%|loc%]Confirm[%END%]" />
<input class="MainMenuLinks" type="submit"
id="response_action_cancel" name="response_action_cancel"
value="[%|loc%]Cancel[%END%]" />
</div>
[%~ ELSE ~%]
<div>
<input class="MainMenuLinks" type="submit"
......
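Review bot: The heading in the new `confirm_action == 'auth'` branch is chosen from `heldaction`, and on this page that value only ever comes from the request (`$in{'heldaction'}` in `do_auth`), never from the held request the key identifies. The title shown next to "Do you really want this action to be taken?" is therefore not guaranteed to match what the key authorizes. Consider filling `heldaction` from the stored request before rendering, or showing the neutral "Validation" heading until the request has been looked up. The same applies to the hidden `heldaction` and `email` fields added in the second hunk, which are echoed back unchanged. The surrounding IF chain starts and ends outside the hunks shown.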
......@@ -339,6 +339,7 @@ our %comm = (
'automatic_lists_management' => 'do_automatic_lists_management',
'automatic_lists_request' => 'do_automatic_lists_request',
'automatic_lists' => 'do_automatic_lists',
'auth' => 'do_auth',
);
 
my %comm_aliases = (
......@@ -492,6 +493,7 @@ our %action_args = (
'automatic_lists_management' => [],
'automatic_lists_request' => ['family'],
'automatic_lists' => [],
'auth' => ['id', 'heldaction'],
);
 
## Define the required parameters for each action
......@@ -516,6 +518,7 @@ our %required_args = (
'arcsearch' => ['param.list'],
'arcsearch_form' => ['param.list'],
'arcsearch_id' => ['param.list'],
'auth' => ['id', 'heldaction', 'email'],
'automatic_lists_request' => ['family'],
'automatic_lists' => ['family'],
'attach' => ['param.list'],
......@@ -18107,6 +18110,57 @@ sub do_automatic_lists {
return 'compose_mail';
}
 
sub do_auth {
wwslog('info', '(%s, %s, %s)', $in{'id'}, $in{'heldaction'}, $in{'email'});
my $keyauth = $in{'id'};
my $heldaction = $in{'heldaction'};
my $email = Sympa::Tools::Text::canonic_email($in{'email'});
my $default_home = Conf::get_robot_conf($robot, 'default_home');
return $default_home
unless $keyauth
and $heldaction
and $email
and Sympa::Tools::Text::valid_email($email);
@{$param}{qw(id heldaction email)} = ($keyauth, $heldaction, $email);
# Action confirmed?
my $next_action = $session->confirm_action(
$in{'action'}, $in{'response_action'},
arg => "$keyauth,$heldaction,$email",
previous_action => $default_home
);
return $next_action unless $next_action eq '1';
my $spindle = Sympa::Spindle::ProcessRequest->new(
context => $robot,
action => 'auth',
keyauth => $keyauth,
sender => $email,
scenario_context => {},
);
unless ($spindle and $spindle->spin) {
return $default_home;
}
foreach my $report (@{$spindle->{stash} || []}) {
if ($report->[1] eq 'notice') {
Sympa::Report::notice_report_web(@{$report}[2, 3],
$param->{'action'});
} else {
Sympa::Report::reject_report_web(@{$report}[1 .. 3],
$param->{action});
}
}
unless (@{$spindle->{stash} || []}) {
Sympa::Report::notice_report_web('performed', {}, $param->{'action'});
}
return $default_home;
}
sub prevent_visibility_bypass {
wwslog('debug2', 'Starting');
if (defined $list and ref $list eq 'Sympa::List') {
......
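Review bot: The first statement of `do_auth` logs `$in{'id'}` at info level, and that value is the authorization key of a request that is still held when the line runs. Anyone who can read the log before the user confirms then holds the same credential as the mail recipient. Log only the action and address on entry, e.g. `wwslog('info', '(%s, %s)', $in{'heldaction'}, $in{'email'});`, and mention the key, if at all, only after the spindle has processed it. Separately, `sender => $email` is taken from the request parameter and `$heldaction` is never passed to `Sympa::Spindle::ProcessRequest`, so as far as this hunk shows neither is compared with the held request. A short comment saying where that comparison happens would help the next reader.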
......@@ -45,11 +45,17 @@ sub _twist {
my $key = $request->{keyauth};
my $sender = $request->{sender};
my $req = $request->{request}; # Request to be authorized.
# Optional $request->{request} is given by Sympa::Request::Message to
# check if "cmd" argument of e-mail command matches with held request.
my $req = $request->{request};
my $spindle = Sympa::Spindle::ProcessAuth->new(
context => $req->{context},
action => $req->{action},
email => $req->{email},
( $req
? ( context => $req->{context},
action => $req->{action},
email => $req->{email}
)
: ()
),
keyauth => $key,
confirmed_by => $sender,
......@@ -81,7 +87,8 @@ Sympa::Request::Handler::auth - auth request handler
=head1 DESCRIPTION
Fetchs the request matching with {request} attribute from held request spool,
Fetchs the request matching with {authkey} and optional {request} attributes
from held request spool,
and if succeeded, processes it with C<md5> authentication level.
=head1 SEE ALSO
......
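Review bot: The rewritten POD names the lookup attribute `{authkey}`, but `_twist` reads `$request->{keyauth}`, so the documentation should say `{keyauth}` (and "Fetches" rather than "Fetchs"). Proposed first line: `Fetches the request matching the {keyauth} and optional {request} attributes`. The DESCRIPTION should also state that when `{request}` is omitted no `context`, `action` or `email` is passed to `Sympa::Spindle::ProcessAuth`, so the held request is selected by the key alone with `{sender}` recorded as `confirmed_by`. That is the path the new web action takes, and it is the weaker of the two matches. `_twist` begins and ends outside the hunk.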
......@@ -41,7 +41,7 @@ sub _init {
if ($state == 0) {
die 'bug in logic. Ask developer'
unless $self->{confirmed_by}
and $self->{context}
#and $self->{context}
and $self->{keyauth};
}
......
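Review bot: The `context` requirement is switched off by commenting the line out (`#and $self->{context}`), which leaves dead code inside the sanity check and no record of why it was relaxed. Delete the line and state what is now permitted above the `die`, e.g. `# {context} may be omitted: the held request is then located by {keyauth} alone.` How the spool lookup is scoped when `context` is absent lies outside this hunk and is worth confirming, because the key becomes the only selector for the held request. `_init` starts and ends outside the hunk.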