Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2018-08-07 00:35:39 GMT *** VoidWhisperer is now known as Guest40160

2018-08-07 06:58:45 GMT <yreg> Good morning !

2018-08-07 09:40:32 GMT <fwu2018> hi all

2018-08-07 10:59:35 GMT <angelborroy> AFaust https://github.com/OrderOfTheBee/ootbee-support-tools/pull/120

2018-08-07 10:59:36 GMT <alfbot> Title:Scheduled Jobs feature adapted to Alfresco 6 by angelborroy-ks · Pull Request #120 · OrderOfTheBee/ootbee-support-tools · GitHub (at github.com)

2018-08-07 11:00:22 GMT <angelborroy> It looks like there were some minor changes in Quartz API

2018-08-07 11:00:44 GMT <angelborroy> This version works but probably you consider making it in another way

2018-08-07 11:00:54 GMT <angelborroy> You can reject the PR, just to share my findings

2018-08-07 11:06:45 GMT <angelborroy> mmmm

2018-08-07 11:07:04 GMT <angelborroy> it looks like LDAP trigger is not included in the list

2018-08-07 11:07:18 GMT <angelborroy> I only wanted the modification for the LDAP trigger :(

2018-08-07 11:35:06 GMT <yreg> angelborroy, does the modified code still work on 5.x ?

2018-08-07 11:35:27 GMT <yreg> Or does it make the add-on a 6.0 only compatible one ?

2018-08-07 11:38:17 GMT <AFaust> angelborroy: If you have created the PR properly, I can also update your branch and still accept the PR afterwards

2018-08-07 11:39:06 GMT <AFaust> i.e. to deal with yreg's concern regarding version compatibility, since I will definitely try everything in my power to keep the addon multi-version compatible without introducing separate branches

2018-08-07 11:40:37 GMT <AFaust> angelborroy: FYI - the cause of the Travis CI build error is already known and dealt with in a different PR (which Bindu has not reviewed yet)

2018-08-07 11:40:38 GMT <yreg> AFaust, not sure what is a proper PR creation

2018-08-07 11:40:55 GMT <AFaust> When you create a PR you can set a checkbox to allow reviewers write access to your branch

2018-08-07 11:41:19 GMT <yreg> AFaust, good to know

2018-08-07 11:41:37 GMT <AFaust> I don't know what the default value is, so it's good to always look out

2018-08-07 11:42:11 GMT <yreg> If there are pressing PRs and you definitely want to have them peer reviewed before merge, you can add me to the list of reviewers on them and I will try to tackle them during the weekend

2018-08-07 11:49:50 GMT <AFaust> yreg: It is not just a question of being added as a reviewer - douglascrp already did review a PR when I invited him, but his did not count since he is not a user with write access to the repository.

2018-08-07 11:50:40 GMT <yreg> That's not big of a deal I know just the guy to grant me such an access :D

2018-08-07 11:51:11 GMT <AFaust> In essence, only a user set as a "core maintainer" (for which I did ask for volunteers on the OOTBee mailing the year before last) counts, so if you want to be added there, it would be fine by me, but then I would expect / hope for continuous effort to help PR queue short...

2018-08-07 11:51:43 GMT <AFaust> Or put simply "new volunteers to be core maintainers are always welcome, but comes with certain expectations"

2018-08-07 11:55:41 GMT <yreg> Yeah, I know I won't be able to dedicate a fixed amount of time at a recurrent interval, but I can surely help review code/issues within reasonable delays when I get any assigned to me

2018-08-07 11:55:54 GMT <yreg> And by reasonable I mean few weeks

2018-08-07 11:56:06 GMT <yreg> Just applied for that team

2018-08-07 11:56:54 GMT <AFaust> As I always say - it never has to be a commitment about a certain / fixed amount of time. It would suffice if there was some sort of response to new issues / PRs in a certain amount of time (~2 weeks) and reviews would not languish for 3+ months

2018-08-07 11:57:29 GMT <AFaust> FYI: We even have a Gitter channel https://gitter.im/OrderOfTheBee/support-tools

2018-08-07 11:57:30 GMT <alfbot> Title:OrderOfTheBee/support-tools - Gitter (at gitter.im)

2018-08-07 11:58:08 GMT <AFaust> Though it might be a consideration to move that to Discord (which we did not use back then)

2018-08-07 12:00:59 GMT <yreg> That would be nice

2018-08-07 12:03:44 GMT <angelborroy> it’s only compatible with Alfresco 6

2018-08-07 12:04:00 GMT <angelborroy> yreg but it does not work at all, more work is required

2018-08-07 12:04:06 GMT <AFaust> I already saw and commented in the review that we'd need to add some adaptibility

2018-08-07 12:04:18 GMT <AFaust> correction: adaptability

2018-08-07 12:04:49 GMT <angelborroy> Just submitted the PR as sample documentation

2018-08-07 12:04:57 GMT <angelborroy> But I’m not happy with that

2018-08-07 12:05:00 GMT <AFaust> yreg: If we were to move the Gitter channel over to Discord, we should first check out any integrations with GitHub regarding issue / PR updates...

2018-08-07 12:06:17 GMT <yreg> Can you create a task in trollo ? I think we should log these investigation tasks and todo so that we don't lose track on them

2018-08-07 12:06:42 GMT <AFaust> Right... still getting used to having that additional tool to work with

2018-08-07 12:10:12 GMT <AFaust> I'll try and check on the Alfresco 6.0 PR when I get back home this evening and see about improving it

2018-08-07 12:10:33 GMT <AFaust> Might be a good time to also do my planned cache config updates

2018-08-07 12:45:44 GMT <bhagyas> -= THIS MESSAGE NOT LOGGED =-

2018-08-07 12:46:05 GMT <yreg> A second test

2018-08-07 12:46:41 GMT <yreg> bhagyas, my message didn't make it to discord either

2018-08-07 12:47:52 GMT <bhagyas> -= THIS MESSAGE NOT LOGGED =-

2018-08-07 13:05:04 GMT <alfresco-discord> <bhagyas> a

2018-08-07 13:05:08 GMT <bhagyas> b

2018-08-07 13:07:59 GMT <bhagyas> c

2018-08-07 13:08:03 GMT <alfresco-discord> <bhagyas> d

2018-08-07 13:12:27 GMT <AFaust> e

2018-08-07 13:12:41 GMT <AFaust> Are we going through the whole alphabet?

2018-08-07 13:12:58 GMT <bhagyas> hehe

2018-08-07 13:13:17 GMT <bhagyas> it shouldn't but maybe just for once for fun we should

2018-08-07 13:13:21 GMT <bhagyas> who's in?

2018-08-07 13:13:54 GMT <angelborroy> My middle name is “Fernando”, so...

2018-08-07 13:13:55 GMT <angelborroy> f

2018-08-07 13:14:19 GMT <bhagyas> angelborroy: seriously?

2018-08-07 13:14:28 GMT <angelborroy> Angel Fernando Borroy

2018-08-07 13:14:29 GMT <angelborroy> yes

2018-08-07 13:14:42 GMT <bhagyas> Fernando is a very common surname in Sri Lanka as well

2018-08-07 13:14:44 GMT <bhagyas> :D

2018-08-07 13:15:40 GMT <yreg> ~since

2018-08-07 13:15:40 GMT <alfbot> yreg: <alfresco-discord> <bhagyas> a, <bhagyas> b, <bhagyas> c, <alfresco-discord> <bhagyas> d, <AFaust> e, <AFaust> Are we going through the whole alphabet?, <bhagyas> hehe, <bhagyas> it shouldn't but maybe just for once for fun we should, <bhagyas> who's in?, <angelborroy> My middle name is “Fernando”, so..., <angelborroy> f, <bhagyas> angelborroy: seriously?, <angelborroy> Angel Fernando Borroy, and (1 more message)

2018-08-07 13:23:18 GMT <alfresco-discord> <bhagyas> g

2018-08-07 13:23:21 GMT <bhagyas> h

2018-08-07 13:23:31 GMT <bhagyas> ~since

2018-08-07 13:23:31 GMT <alfbot> bhagyas: <angelborroy> AFaust https://github.com/OrderOfTheBee/ootbee-support-tools/pull/120, <angelborroy> It looks like there were some minor changes in Quartz API, <angelborroy> This version works but probably you consider making it in another way, <angelborroy> You can reject the PR, just to share my findings, <angelborroy> mmmm, <angelborroy> it looks like LDAP trigger is not included in the list, and <angelborroy> (1 more message)

2018-08-07 13:23:37 GMT <bhagyas> Alrighty

2018-08-07 13:24:03 GMT <bhagyas> now the discord sync is back, with two way sync and it will also now ignore alfbot to reduce verbosity

2018-08-07 13:25:24 GMT <alfresco-discord> <bhagyas> @everyone Alfresco Discord <-> IRC sync bot is back. Now it will additionally ignore alfbot messages and link description expansions.

2018-08-07 13:25:49 GMT <alfresco-discord> <bhagyas> ❤

2018-08-07 13:26:44 GMT <alfresco-discord> <mbui> Did you solve the issue with bad word filtering not working with bot messages?

2018-08-07 13:27:33 GMT <alfresco-discord> <bhagyas> @mbui Alfresco IRC is now only allowing registered nicks, so the bot issue should be sorted - which means we don't need bad word based spam filtering anymore.

2018-08-07 13:28:05 GMT <fcorti> testing what bhagyas says

2018-08-07 13:28:20 GMT <alfresco-discord> <Francesco Corti> testing what bhagyas says also on Discord

2018-08-07 13:28:34 GMT <fcorti> bhagyas is saying the truth!

2018-08-07 13:28:42 GMT <alfresco-discord> <Francesco Corti> bhagyas is saying the truth also on Discord!

2018-08-07 13:28:56 GMT <alfresco-discord> <Francesco Corti> Thank you @bhagyas ! 😃

2018-08-07 13:29:14 GMT <alfresco-discord> <bhagyas> @Francesco Corti ❤

2018-08-07 13:30:36 GMT <AFaust> @Francesco Corti: Is the "registered nicks on IRC only" going to remain indefinitely now? I thought it only a temporary measure to deal with spam, which apparently has been dealt with by freenode now on a global level by setting all channels to +r for the time being...

2018-08-07 13:30:44 GMT <alfresco-discord> <Loftux> @Francesco Corti Still think you can update the MOTD on irc to say that you need to be registered to post there.

2018-08-07 13:31:10 GMT <AFaust> What about those web-irc users with temporary GuestXXXXX nicks?

2018-08-07 13:31:51 GMT <alfresco-discord> <Francesco Corti> @Loftux doing it now...

2018-08-07 13:31:51 GMT <alfresco-discord> <Loftux> Change the web page to say that you need to be registered as well

2018-08-07 13:32:49 GMT *** ChanServ sets mode: +o fcorti

2018-08-07 13:33:02 GMT <yreg> I would say switch from the +r thingy to the other option to be able to white people from web chat based on nick name structure or something

2018-08-07 13:33:13 GMT <yreg> I also got the code for auto voicing people

2018-08-07 13:33:21 GMT <yreg> If that helps

2018-08-07 13:33:45 GMT <alfresco-discord> <bhagyas> @yreg or get them to move to Discord for anon chat, while keeping IRC for registered nicks

2018-08-07 13:33:54 GMT *** fcorti changes topic to "Alfresco discussion and collaboration. You you need to be registered to post messages. Logs: http://chat.alfresco.com. Please join the Alfresco Community on Discord at https://discordapp.com/invite/f7XntQN"

2018-08-07 13:35:12 GMT <alfresco-discord> <Loftux> yreg: it is set on a global level to +R anyways, so you cannot override locally I guess

2018-08-07 13:44:49 GMT <AFaust> WTF??!? The CSRF mechanism in APS relies on tokens generated on the client-side? How does this make CSRF token validation on the server side (apparently comparing client-provided cookie with client-provided header) at all a valid security mechanism??

2018-08-07 13:45:49 GMT <alfresco-discord> <bhagyas> @Afaust, seriously?

2018-08-07 13:46:47 GMT <AFaust> Just looking at an issue at my customer where - for some reasons - the client app messes up and sends different values for the cookie and the header. And looking at web packets, no CSRF token is ever provided by the server despite token values sent by the client are changing.

2018-08-07 13:47:01 GMT *** CptLuxx_ is now known as CptLuxx

2018-08-07 13:47:14 GMT <AFaust> Looking at source code, I find every separate app of this AngularJS monstrosity has code to generate the token on the client-side

2018-08-07 13:47:55 GMT <AFaust> Before that I was nearly going mental about the packet traces not making any sense at all...

2018-08-07 13:49:25 GMT <AFaust> And based on that the documentation about APS CSRF is flat-out lying...

2018-08-07 13:49:30 GMT <AFaust> https://docs.alfresco.com/process-services1.8/topics/cross_site_request_forgery.html

2018-08-07 13:49:32 GMT <alfbot> Title:Cross-Site Request Forgery (CSRF) | Alfresco Documentation (at docs.alfresco.com)

2018-08-07 13:49:59 GMT <AFaust> "token values sent from the client to the server are validated to prevent unauthorized requests that were not generated by the server"

2018-08-07 13:50:24 GMT <AFaust> Oh - they actually admit they are doing it wrong there..

2018-08-07 13:50:37 GMT <AFaust> "in Alfresco Process Services, this feature has been implemented slightly differently, wherein, CSRF tokens are generated on the client"

2018-08-07 13:50:52 GMT <AFaust> What the actual F???

2018-08-07 13:51:04 GMT <alfresco-discord> <bhagyas> Can you really blame the engineers for innovation? :3

2018-08-07 13:51:24 GMT <AFaust> This made it through release acceptance, quality management and potentially security audits?

2018-08-07 13:52:19 GMT <AFaust> So, to fix my customer's issue I could just disable CSRF altogether and not lose any degree of security. Well, that is quite an easy "fix"

2018-08-07 13:52:34 GMT <alfresco-discord> <bhagyas> Since they have acknowledged it, I don't think they are trying to hide anything here

2018-08-07 13:52:40 GMT <alfresco-discord> <bhagyas> 😃

2018-08-07 13:52:43 GMT <alfresco-discord> <mbui> AFaust: Maybe this is related? https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-header_token

2018-08-07 13:52:44 GMT <alfbot> Title:Cross-site request forgery - Wikipedia (at en.wikipedia.org)

2018-08-07 13:53:30 GMT <AFaust> Well - interestingly, APS does not use any sessions at all.

2018-08-07 13:53:40 GMT <AFaust> This is another thing I realised looking at the packet traces.

2018-08-07 13:54:04 GMT <alfresco-discord> <mbui> https://stackoverflow.com/questions/36594516/how-does-angular-2-handle-with-xss-or-csrf

2018-08-07 13:54:05 GMT <alfbot> Title:typescript - How does Angular 2 handle with XSS or CSRF? - Stack Overflow (at stackoverflow.com)

2018-08-07 13:54:19 GMT <AFaust> All of our client requests are executed twice because we have Kerberos enabled, and due to lack of sessions, the handshake occurs for every goddamn Xhr call

2018-08-07 13:54:30 GMT <alfresco-discord> <bhagyas> xD

2018-08-07 13:54:55 GMT <alfresco-discord> <bhagyas> thinks people are taking APS too seriously for production use.

2018-08-07 13:55:47 GMT <AFaust> And checked on client-side code as well: The token generation code supports a salt value, but never uses any

2018-08-07 13:57:14 GMT <alfresco-discord> <bhagyas> AFaust, any chance this would happen to the content-app as well?

2018-08-07 13:57:23 GMT <AFaust> Since I first evaluated, I have consistently voiced my opinion to customers that APS is not really mature, and in most use cases they will never achieve the ideal state of the "no code" marketing BS promise that sales is putting out (unless they have extremely trivial processes to begin with)

2018-08-07 13:58:27 GMT <AFaust> @bhagyas: Well, luckily for content-app we will always have a server component (the Repository), where we already have server-side CSRF token generation.

2018-08-07 13:58:48 GMT <AFaust> I don't know though if that is currently enabled for the Public API endpoint.

2018-08-07 13:59:23 GMT <AFaust> As a system administrator, I would force-enable it, and if content-app cannot deal with that, then it would be disqualified from production use (I mean, it would fail in development and would never see a rollout)

2018-08-07 14:01:03 GMT * AFaust is considering doing a sly PR on alfresco-remote-api project, trying to stealthily inject this as the default behaviour, if it isn't already. Just have to mask it in some elaborate, unrelated feature change / enhancement

2018-08-07 14:02:13 GMT <alfresco-discord> <bhagyas> @AFaust that's how you lose any future PR access, so don't 😛

2018-08-07 14:02:40 GMT <alfresco-discord> <bhagyas> you are too valuable to be lost

2018-08-07 14:03:09 GMT <AFaust> Well - so far I have not done (m)any PRs on the new GitHub structure.

2018-08-07 14:03:56 GMT <AFaust> Though I will likely try it out soon with my changes to the Smart Folders feature from last weekend, which I do not expect to be accepted because someone at Alfresco consciously decided that this feature should be restricted in its usability...

2018-08-07 14:04:37 GMT <AFaust> Apparently some specific acceptance criteria had been defined that deliberately castrated the potential

2018-08-07 14:04:47 GMT <AFaust> Too bad those JIRA issues are non-public

2018-08-07 14:05:07 GMT <AFaust> They are only referenced in code comments...

2018-08-07 14:06:12 GMT <angelborroy> ~since

2018-08-07 14:06:12 GMT <alfbot> angelborroy: <AFaust> What about those web-irc users with temporary GuestXXXXX nicks?, <alfresco-discord> <Francesco Corti> @Loftux doing it now..., <alfresco-discord> <Loftux> Change the web page to say that you need to be registered as well, <yreg> I would say switch from the +r thingy to the other option to be able to white people from web chat based on nick name structure or something, <yreg> I also got the code fo (12 more messages)

2018-08-07 14:06:46 GMT <alfresco-discord> <Loftux> @AFaust But we can see your pull request, sounds interesting what you have on Smart Folders

2018-08-07 14:07:31 GMT <AFaust> You mean you can see my branch. I have not yet created the PR since I am still considering to fix other issues / remove other restrictions.

2018-08-07 14:08:33 GMT <yreg> AFaust I think it is better to make many small PRs than providing major changes in a monolithic format

2018-08-07 14:08:47 GMT <alfresco-discord> <Loftux> AFaust: Yes, I mean once you do

2018-08-07 14:08:48 GMT <yreg> It's easier to get them accepted and merged

2018-08-07 14:09:05 GMT <AFaust> yreg: Sure, but only when I have/know the full range of changes will I know how best to slice&dice them

2018-08-07 14:09:31 GMT <AFaust> So I'll have a branch with all changes and can still create separate branches for the (sequentially added) features

2018-08-07 15:36:21 GMT <alfresco-discord> <dgradecak> Afaust, the CSRF issue is not really an issue in ajax calls, it is more in standard html forms. So might be that, although I did not completely read what you were saying

2018-08-07 15:42:08 GMT <AFaust> @dgradecak: Don't really understand why you'd see a differentiation. Since Ajax / standard HTML form calls cannot be distinguished on the server-side, handling of CSRF needs to be applied uniformly. And if the server never provided the client with a salt or the CSRF token itself, and simply trusts everything the client sends as long as the cookie matches the HTTP header, then that's as good as having no CSRF at all

2018-08-07 15:43:29 GMT <AFaust> Different question: Anyone in here ever used Oracle Universal Connection Pooling with Alfresco (instead of the default DBCP one)?

2018-08-07 17:57:34 GMT <alfresco-discord> <mbui> Anyone working with tenants and encountered "issues" where they should sometimes add the tenants name in the nodeRef like workspace://@tenant-name@SpacesStore/f4d142fc-d928-4439-b8c1-cd3be1273735

2018-08-07 18:33:04 GMT <alfresco-discord> <dgradecak> the difference with a standard form or ajax call is that an ajax call cannot be issued from a different domain and therefore csrf is somehow already inside xhr

2018-08-07 19:15:12 GMT <alfresco-discord> <dgradecak> @mbui I stopped using alfresco tenants, I use tenants on a datasource layer

2018-08-07 20:53:21 GMT <AFaust> @dgradecak: Sure, you can't do Ajax from a different domain in a browser, but that is a very thin layer of security, given DNS spoofing / faking, and again, the server can't know if a request is an Ajax call, so should not trust it in any way based on that alone...

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco