Guillaume Lerouge wrote:
> Hi Caleb,
>
> On Sat, Jan 23, 2010 at 4:08 AM, Caleb James DeLisle <
> [email protected]> wrote:
>
>> I would like to make the new registration page an application because it
>> will make it much easier for the wiki administrator to add fields because
>> the code has to have the right to save information which is passed to it.
>>
>> It is also very big, about 300 lines of code and 300 lines of configuration
>> and comments. Something this size doesn't seem suited for the templates
>> directory.
>>
>> Finally it is highly extendable. It contains a large configuration which
>> defines all of its fields because it is meant to be edited and have more
>> fields added. I think placing it in the templates section would put it
>> where wiki administrators would not have such easy access to it.
>>
>> Available here are the current velocity template and the (slightly older)
>> syntax2.0 code snippet http://jira.xwiki.org/jira/browse/XWIKI-4778
>>
>
> By the way, a quick thought: I think the current validation code doesn't
> check whether the username entered by the user exists already before trying
> to register. It would be nice to check for that too.

I plan to leave the original registerinline.vm in place if I make this an
application, although I will need to modify it to stop using RegisterAction
and disable RegisterAction to prevent RegisterAction being a hole for
unverified registrations.

A full list of checks currently implemented:

1. All fields must contain something.
   Checked on client and server side. A red * is put next to the mandatory fields.
2. firstName and lastName can't contain ' " < > \
   Checked on client and server side.
3. Username can't be the name of an existing document.
   (this was already checked by createUser but the velocity can provide more
   friendly error messages)
4. Passwords must match
   Checked on client and server side.
5. Email must match regex (adapted from LiveValidation)
   Checked on client and server side.

Notably missing is a regex check of the username but it is checked by
createUser using an expression specified in the configuration and I didn't
want to interfere with this functionality.

Additional behavior:
If a user gets something wrong (and LiveValidation doesn't stop them) they
get the form again but all of the fields are filled in so they only have to
correct their mistake.
Because this opens a reflective XSS hole, if there are any parameters other
than xredirect, then it checks to make sure the method is POST and the
referer is the same page, otherwise it redirects to itself with the only
parameter being xredirect (if it already existed).

Also posted this to the jira issue http://jira.xwiki.org/jira/browse/XWIKI-4778

Caleb

>
> Guillaume
>
>
>> Caleb
>>
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
>>
>
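
The request gate described under "Additional behavior" above, sketched in Python as an added example; it is not part of the original message and not the Velocity code attached to XWIKI-4778. The page URL, the function names and the HTML escaping in `refill_input` are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit, urlencode

# Constructed sample URL of the registration page (hypothetical).
PAGE = "https://wiki.example.org/xwiki/bin/view/XWiki/Registration"

def same_page(referer, page_url):
    """True only if the Referer names the same scheme, host and path as the form page."""
    if not referer:
        return False  # an absent or stripped Referer is treated as untrusted
    r, p = urlsplit(referer), urlsplit(page_url)
    return (r.scheme, r.netloc.lower(), r.path) == (p.scheme, p.netloc.lower(), p.path)

def gate(method, page_url, params, referer=None):
    """Return ("render", params) or ("redirect", url) per the rule in the message."""
    extra = [k for k in params if k != "xredirect"]
    if not extra:
        return ("render", dict(params))  # only xredirect (or nothing): show the form
    if method.upper() == "POST" and same_page(referer, page_url):
        return ("render", dict(params))  # resubmission from the form itself: refill fields
    # Anything else: drop every parameter except xredirect and redirect to self,
    # so values supplied through a crafted link are never echoed back.
    keep = {"xredirect": params["xredirect"]} if "xredirect" in params else {}
    target = page_url + ("?" + urlencode(keep) if keep else "")
    return ("redirect", target)

def refill_input(name, value):
    """Echo a submitted value into the form, HTML-escaped.

    Assumption: escaping on output is added here as a second layer; the message
    itself only describes the POST and Referer check.
    """
    return '<input name="%s" value="%s"/>' % (
        escape(name, quote=True), escape(value, quote=True))

if __name__ == "__main__":
    # Constructed requests: a crafted GET link, then a genuine form resubmission.
    print(gate("GET", PAGE, {"first_name": "<script>", "xredirect": "/Main"}))
    print(gate("POST", PAGE, {"first_name": "Ann"}, referer=PAGE))
    print(refill_input("first_name", '"><script>'))
```

A request with no Referer header falls into the redirect branch, so a user whose browser or proxy strips the header gets an empty form back instead of a refilled one.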

