posted by
NCommander
on Thursday April 10 2014, @05:40PM
from the if-we-accidently-implemented-something-we-promised-is-it-still-a-bug? dept.
I'm pleased to announce that moderate then post has now been implemented. In truth, its been implemented since the last major update due to a bug. Before releasing slashcode 14.04, I was experimenting with moderate^post code on dev, and the code was merged in with the basis that it would be enabled as part of the moderation reworks. Theoretically, this code should have been disabled. In actuality, I skewed a variable; the global that controls this functionality was not 100% properly implemented.
mrcoolbp noticed the bug today, and seeing as we needed a code change either way to properly fix it, I decided to roll this bit of the moderation rework out early. I'm not thrilled on squishing two bugs in production on the same day, and I'm going to be working with the dev team to get a rigorous QA plan put together (which will be posted here) before we do any more major updates to the site.
Until then, enjoy the new functionality.
NCommander adds: I'm giving this a one time bump on the main index as it was posted very late for US based users. We *really really* need a featured story feature.
This discussion has been archived.
No new comments can be posted.
Security feature in slashcode, you CAN disable it (though the option is buried on the Set Password screen, here's a link: http://soylentnews.org/my/password [soylentnews.org]).
We've discussed changing this default but as this feature needs a rework for IPv6ification, its somewhat moot at the moment.
Thanks for explaining that, I hadn't worked out why my phone kept having to re-authenticate. Now I know it was every time there was a wifi/mobile data switch! And even better I can fix it myself in preferences.
By the way, in your great bug hunt, I presume from this version of Slashcode sends a proper auth cookie of some sort, as opposed to the old version which used to send you a cookie with a base-64 encoded copy of your own password...
I generally agree with this, but the amount of work to architect in thread ids should not be under-estimated, and I'm not completely convinced that this is a good idea. Moderate then post was what was discussed, and it solves the primary problem of creating a chilling effect on comments.
I have noticed that I have to re log in after we we restart apache and kick varinsh. So the cookie may be getting invalidated as well by these server side changes.
Not 100% sure on this, but it is possibly a factor.
While we're on this topic... I read the headlines via RSS and click on interesting subjects; I always have to log in too. This isn't b/c I have a different IP, I assume it is because the referral address isn't soylentnews. If I reload the page it shows me as logged in.
Is there a setting to display my page as logged in the first time?
-- "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
My own tt-rss instance running on a vps from kazilla. Like I said, I can just click in the address line and hit enter (reload) the site and my id pops-in instead of the login form. If I hit refresh I think it says logged out (... original referrer address given on a refresh?).
BTW, this all happens on "the other site" as well.:/
-- "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
I just started firefox with a new vanilla profile and the behavior is working as expected. It must be a combination of my noscript/greasemonkey/adblock/flashblock/ghostery/ paranoid settings/etc... that is doing it.
Strange thing is while "debugging" this I found I can open a new tab, browse to soylentnews.org and get a login form; even though I am logged in. And then just reload and find my id there. So this isn't a rss-website 2 soylent-website issue. I was surprised that opening a new tab and going to soylentnews.org failed to find my user cookie.(??)
Thanks for following up, but this is obviously on my end.
-- "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
Culprit found, it is the add-on CsFire. If I disable it everything works as expected; it fixes the other site too. CsFire has been installed forever, I don't even remember when/why I got it.
-- "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
I see in the logs where it strips the cookie because the From address is "about" and the Destination is soylentnews.org. I added a rule for From (blank) To soylentnews.org Decision ACCEPT. That seems to make it happy and accept all cookies, even the first/initial one. The follow up reloads were ok because they were From soylentnews.org To soylentnews.org.
CsFire claims to protect you from Cross-Site Request Forgery (CSRF) attacks. Websites that make requests to other sites can be used to track the user and CsFire claims to stop that too.
Just FYI, thanks for your time!
-- "Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 4, Informative) by NCommander on Thursday April 10 2014, @05:57AM
Security feature in slashcode, you CAN disable it (though the option is buried on the Set Password screen, here's a link: http://soylentnews.org/my/password [soylentnews.org]).
We've discussed changing this default but as this feature needs a rework for IPv6ification, its somewhat moot at the moment.
Still always moving
(Score: 2) by Adrian Harvey on Thursday April 10 2014, @06:18AM
Thanks for explaining that, I hadn't worked out why my phone kept having to re-authenticate. Now I know it was every time there was a wifi/mobile data switch! And even better I can fix it myself in preferences.
By the way, in your great bug hunt, I presume from this version of Slashcode sends a proper auth cookie of some sort, as opposed to the old version which used to send you a cookie with a base-64 encoded copy of your own password...
(Score: 2) by NCommander on Thursday April 10 2014, @04:49PM
I don't know on the cookie front, but we haven't changed anything in this regard.
We could fix this, or we could just go SSL by default as the quick fix. I'm liking that second one more :-)
Still always moving
(Score: 2) by egcagrac0 on Thursday April 10 2014, @07:02PM
Please don't go for the quick fix for the sake of expedience.
Strive to apply the Right fix to either the quick-to-fix problems, or the Important problems.
I'm not above picking low-hanging fruit, but doing it the Right Way is a Good Thing. ("Fix it once, properly, and be done.")
It may well be that your quick fix is the Right fix, but it should be done because it's Right, not because it's quick.
(Score: 2) by NCommander on Thursday April 10 2014, @08:23PM
I generally agree with this, but the amount of work to architect in thread ids should not be under-estimated, and I'm not completely convinced that this is a good idea. Moderate then post was what was discussed, and it solves the primary problem of creating a chilling effect on comments.
Still always moving
(Score: 1) by paulej72 on Thursday April 10 2014, @07:51PM
I have noticed that I have to re log in after we we restart apache and kick varinsh. So the cookie may be getting invalidated as well by these server side changes.
Not 100% sure on this, but it is possibly a factor.
Team Leader for SN Development
(Score: 1) by iWantToKeepAnon on Thursday April 10 2014, @02:43PM
While we're on this topic ... I read the headlines via RSS and click on interesting subjects; I always have to log in too. This isn't b/c I have a different IP, I assume it is because the referral address isn't soylentnews. If I reload the page it shows me as logged in.
Is there a setting to display my page as logged in the first time?
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by NCommander on Thursday April 10 2014, @03:14PM
Odd, what are you using for your RSS reader?
Still always moving
(Score: 1) by iWantToKeepAnon on Thursday April 10 2014, @06:33PM
My own tt-rss instance running on a vps from kazilla. Like I said, I can just click in the address line and hit enter (reload) the site and my id pops-in instead of the login form. If I hit refresh I think it says logged out (... original referrer address given on a refresh?).
BTW, this all happens on "the other site" as well. :/
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by NCommander on Thursday April 10 2014, @08:23PM
Very odd. Are you using HTTP or HTTPS?
Still always moving
(Score: 1) by iWantToKeepAnon on Thursday April 10 2014, @08:51PM
HTTP for both tt-rss and soylentnews.org.
I just started firefox with a new vanilla profile and the behavior is working as expected. It must be a combination of my noscript/greasemonkey/adblock/flashblock/ghostery/ paranoid settings/etc... that is doing it.
Strange thing is while "debugging" this I found I can open a new tab, browse to soylentnews.org and get a login form; even though I am logged in. And then just reload and find my id there. So this isn't a rss-website 2 soylent-website issue. I was surprised that opening a new tab and going to soylentnews.org failed to find my user cookie.(??)
Thanks for following up, but this is obviously on my end.
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 2) by NCommander on Thursday April 10 2014, @09:07PM
The odds are the user cookie is getting lost due to the redirect. I recommend you start your search there.
Still always moving
(Score: 1) by iWantToKeepAnon on Thursday April 10 2014, @09:27PM
Culprit found, it is the add-on CsFire. If I disable it everything works as expected; it fixes the other site too. CsFire has been installed forever, I don't even remember when/why I got it.
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 1) by iWantToKeepAnon on Thursday April 10 2014, @09:37PM
I see in the logs where it strips the cookie because the From address is "about" and the Destination is soylentnews.org. I added a rule for From (blank) To soylentnews.org Decision ACCEPT. That seems to make it happy and accept all cookies, even the first/initial one. The follow up reloads were ok because they were From soylentnews.org To soylentnews.org.
CsFire claims to protect you from Cross-Site Request Forgery (CSRF) attacks. Websites that make requests to other sites can be used to track the user and CsFire claims to stop that too.
Just FYI, thanks for your time!
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy