*** th1a_ has joined #schooltool | 02:02 | |
*** Fujitsu has quit IRC | 03:53 | |
*** Fujitsu has joined #schooltool | 03:54 | |
*** th1a_ has quit IRC | 05:50 | |
*** lisppaste5 has quit IRC | 06:27 | |
*** lisppaste5 has joined #schooltool | 06:36 | |
*** jfroche_ has joined #schooltool | 06:57 | |
*** jfroche has quit IRC | 07:13 | |
*** didymo has quit IRC | 08:24 | |
*** jfroche_ has quit IRC | 09:32 | |
*** didymo has joined #schooltool | 10:32 | |
*** jfroche has joined #schooltool | 11:20 | |
*** ignas has joined #schooltool | 11:59 | |
*** didymo has quit IRC | 12:26 | |
*** jfroche has quit IRC | 13:14 | |
*** jfroche has joined #schooltool | 13:23 | |
*** ignas has quit IRC | 14:01 | |
*** jfroche has quit IRC | 14:30 | |
*** SteveA has quit IRC | 14:30 | |
*** aelkner has quit IRC | 14:30 | |
*** jfluhmann has quit IRC | 14:30 | |
*** Lumiere has quit IRC | 14:30 | |
*** lisppaste5 has quit IRC | 14:30 | |
*** JohnnyST has quit IRC | 14:30 | |
*** jfroche has joined #schooltool | 14:41 | |
*** lisppaste5 has joined #schooltool | 14:41 | |
*** aelkner has joined #schooltool | 14:41 | |
*** jfluhmann has joined #schooltool | 14:41 | |
*** SteveA has joined #schooltool | 14:41 | |
*** Lumiere has joined #schooltool | 14:41 | |
*** JohnnyST has joined #schooltool | 14:41 | |
*** lisppaste5 has quit IRC | 14:50 | |
*** alga has joined #SchoolTool | 15:17 | |
*** jfroche has quit IRC | 15:25 | |
*** jfroche has joined #schooltool | 15:25 | |
*** ignas has joined #schooltool | 15:59 | |
*** th1a has joined #schooltool | 15:59 | |
*** test123 has joined #schooltool | 16:29 | |
* th1a shuffles some papers around. | 16:30 | |
*** test123_ has joined #schooltool | 16:31 | |
th1a | Good morning test123, aelkner, jfroche, ignas. | 16:31 |
---|---|---|
ignas | hi | 16:31 |
test123_ | good afternoon | 16:32 |
th1a | So what's your status, test123_? | 16:33 |
th1a | Wedding go ok? | 16:33 |
test123_ | yes thanks.. we have an hour of exciting | 16:34 |
test123_ | home movies streaming from SU | 16:34 |
test123_ | to test the network | 16:34 |
test123_ | but i will not bore you with | 16:34 |
test123_ | that | 16:34 |
test123_ | Jens has built the 10.5.1 client | 16:35 |
test123_ | tizard branch | 16:35 |
test123_ | I am moving it into the production service | 16:35 |
test123_ | for a demo on Thurs with 10-15 schools | 16:35 |
test123_ | over | 16:35 |
th1a | Have you got it set up for your assessments? | 16:36 |
*** aelkner_ has joined #schooltool | 16:36 | |
test123_ | Yes, I have all the data from the alpha school | 16:36 |
test123_ | we set a midterm and a final | 16:36 |
th1a | Hi aelkner_. | 16:36 |
test123_ | So this week will use the mid term schedule and test results | 16:36 |
th1a | OK. Let us know if you're having problems. | 16:36 |
test123_ | will do | 16:36 |
* th1a and ignas cross our fingers and figure you know what you're doing. | 16:37 | |
test123_ | Is Ignas planning any holiday this week? | 16:37 |
ignas | no, not really | 16:38 |
th1a | I didn't mean we're leaving you on your own. | 16:38 |
th1a | Working with distant collaborators is just mysterious. | 16:39 |
test123_ | OK.. I will email you and Tom with the test data plan | 16:39 |
th1a | Anything else test123_? | 16:39 |
test123_ | This will help you to see what we are attempting. Nothing else to report. Thanks for the build. | 16:40 |
th1a | Thanks test123_. Thanks for getting up early? | 16:41 |
th1a | Are you in CA? | 16:41 |
th1a | test123_ is always plus or minus four time zones. | 16:42 |
test123_ | Nope .. not this week.. nor next. It would be helpful for a later call the following week though? | 16:42 |
th1a | This time is best for us. It is our regular time. | 16:43 |
th1a | It is only bad for people in California. | 16:43 |
test123_ | OK. Then I will email you a report and check the log | 16:43 |
th1a | Well, and Asia. | 16:43 |
th1a | OK. Cool. That should be sufficient. | 16:43 |
th1a | Ignas, what's up? | 16:43 |
ignas | not too much, spent a lot of time messing with i18n | 16:44 |
ignas | realization that we have "188 instances of bug A" in the source code | 16:44 |
ignas | was quite paiful | 16:44 |
ignas | painful | 16:44 |
th1a | Which bug? | 16:44 |
ignas | translating strings that should not be translated | 16:45 |
ignas | like usernames for example | 16:45 |
ignas | one more thing i did was refactor most of the buttons | 16:45 |
ignas | into view macros | 16:45 |
ignas | so i would not have to fix another bug in 70 places | 16:46 |
th1a | What happens if you try to translate strings that should not be translated? | 16:46 |
*** aelkner has quit IRC | 16:46 | |
ignas | well - you have a user with title that matches some english word | 16:46 |
ignas | that english word gets translated into lithuanian | 16:46 |
ignas | if you set the language to lithuanian | 16:46 |
ignas | even though it is not a message i | 16:46 |
ignas | id | 16:46 |
*** test123 has quit IRC | 16:47 | |
ignas | and "${DYNAMIC_CONTENT}" is not very clear for translators | 16:47 |
th1a | The English word has to be one that we use and have translated? | 16:47 |
ignas | yes | 16:47 |
ignas | you have probably noticed letters "A" "U" "S" "C" | 16:48 |
ignas | in our translation templates | 16:48 |
ignas | that our translators don't know what to do with | 16:48 |
ignas | this one is the bug that is in every single button in the system | 16:48 |
th1a | So what is the fix? | 16:48 |
ignas | instead of writing <input type="submit" accesskey="U" i18n:attributes="accesskey" /> | 16:49 |
ignas | write <input type="submit" accesskey="U" i18n:attributes="accesskey shortcut-key-for-update" /> | 16:49 |
th1a | Oh, I see. | 16:50 |
ignas | but as that bug is in like 70 places or so - i am refactoring it to have the fix in like 10 places | 16:50 |
ignas | more related bugs are like | 16:50 |
ignas | <input type="submit" value="Add" i18n:attributes="value apply" /> | 16:50 |
ignas | <input type="submit" value="Add" i18n:attributes="value apply-button" /> | 16:51 |
ignas | which for english speakers will make button look like "Add" | 16:51 |
ignas | while for all the translated instances like "Apply" | 16:51 |
th1a | Ah. | 16:51 |
ignas | oh, and I have the store post data in session working | 16:52 |
ignas | so as soon as i'll write the functional test | 16:52 |
ignas | i'll commit it | 16:52 |
th1a | For bug reporting? | 16:52 |
ignas | got stuck on functional test, because testbrowser can't open 2 windows with same credentials | 16:52 |
ignas | no, for CAS and LDAP | 16:53 |
ignas | and schooltool | 16:53 |
ignas | so if you have some data in the form | 16:53 |
ignas | click submit | 16:53 |
ignas | get the log in prompt | 16:53 |
ignas | log in | 16:53 |
ignas | data you have entered gets into the system | 16:53 |
ignas | instead of vanishing | 16:53 |
th1a | Good. | 16:53 |
th1a | Is this also useful for redirecting people to the right place after they submit a form? | 16:54 |
ignas | no | 16:54 |
th1a | aelkner_: ayt? | 16:54 |
aelkner_ | yes | 16:55 |
ignas | preserving the right places is a bit tricky as you have to support going through an intermediate page | 16:55 |
th1a | OK. | 16:55 |
aelkner_ | i was going to say | 16:55 |
aelkner_ | that we could use a hidden field called nextURL | 16:55 |
th1a | ignas: Have you worked on implementing easy bug reporting yet? | 16:55 |
ignas | person calendar -> view event -> edit event -> *some* calendar | 16:55 |
ignas | th1a: no, not yet | 16:55 |
Lumiere | aelkner_: hidden fields are very very bad | 16:56 |
th1a | We should probably explain the bug reporting to aelkner_. | 16:56 |
th1a | Hi Lumiere. | 16:56 |
th1a | Didn't mean to shun you. | 16:56 |
Lumiere | *lurks* | 16:56 |
ignas | Lumiere: not too bad, but it won't work easily if you have a page in the middle that has no forms in it | 16:56 |
Lumiere | unless you are properly filtering them... that 'hidden field' could be anything | 16:56 |
ignas | Lumiere: like "view event" | 16:57 |
Lumiere | ignas: I am thinking from more a security stand point | 16:57 |
Lumiere | it's an XSS risk if nothing else | 16:57 |
ignas | we do hidden fields already in some places | 16:58 |
aelkner_ | explain XSS risk | 16:58 |
Lumiere | cross site scripting | 16:58 |
th1a | This might be a good thing for aelkner_ to know. | 16:58 |
*** mgedmin has joined #schooltool | 16:58 | |
Lumiere | if you call the stuff passed in a future piece of code | 16:58 |
ignas | Lumiere: how precisely is hidden field going to cause the risk? | 16:58 |
Lumiere | and someone has changed it to say 'phishingsite.com' | 16:59 |
Lumiere | and we jump to it | 16:59 |
ignas | if someone can alter content of your page | 16:59 |
ignas | or can alter url in your browser | 16:59 |
Lumiere | yes | 16:59 |
ignas | you are in trouble already | 16:59 |
Lumiere | which is not too difficult to imagine these days | 16:59 |
aelkner_ | how? | 17:00 |
Lumiere | yes... but let's not let it happen on our end | 17:00 |
ignas | ? | 17:00 |
ignas | what do you mean happen? | 17:00 |
Lumiere | aelkner_: spyware that reads and alters outgoing data | 17:00 |
Lumiere | let's not let a security hole like that exist at all | 17:00 |
ignas | Lumiere: you still haven't explained what the hole is ... | 17:00 |
Lumiere | the hole is that it would be possible for someone to gather data about a SchoolTool user | 17:01 |
th1a | Yeah, I'm not sure that's a good case. | 17:01 |
Lumiere | by redirecting them to a site that looks like schooltool | 17:01 |
ignas | could you please give a step by step example of how a hidden field "nexturl" can be exploited | 17:01 |
Lumiere | and gets them to enter their user/pass | 17:01 |
aelkner_ | yeah, please do | 17:01 |
Lumiere | I just did | 17:02 |
aelkner_ | not enough detail | 17:02 |
Lumiere | there are a ton of ways | 17:02 |
Lumiere | to get there | 17:02 |
ignas | if you can modify the content of the page you got from schooltool - you can just replace a link, any link | 17:02 |
Lumiere | w/e | 17:02 |
th1a | If your client is that compromised, you're screwed. | 17:02 |
aelkner_ | but a hidden field is NOT a link | 17:02 |
ignas | if you can make user to click on some link - you can as well make him click on the fake link | 17:02 |
ignas | i understand that you can give "http://schooltool/foo/bar?next_url=http://fake_tool.com/" | 17:03 |
aelkner_ | ok, i get that, too | 17:04 |
Lumiere | and if you make fake_tool | 17:04 |
Lumiere | look like a page that schooltool failed to login right | 17:04 |
Lumiere | (easy to get...) | 17:04 |
aelkner_ | right, phishing | 17:04 |
Lumiere | you just got someones user/pass | 17:04 |
Lumiere | to a highly sensitive data system | 17:05 |
Lumiere | I am paranoid about it... because of the data in the system | 17:05 |
ignas | though it is not really related to a hidden field | 17:05 |
Lumiere | and the controls required by the government | 17:05 |
ignas | POST can't be compromised that easily | 17:05 |
Lumiere | it can be though | 17:05 |
ignas | if you can compromise POST - you have the control over the channel already | 17:06 |
ignas | and your browser will YELL at you | 17:06 |
ignas | if you get redirected from one https site to another | 17:06 |
ignas | and you should be running schooltool under https if you care about security | 17:06 |
th1a | Hm... OK, are we actually considering using a hidden field here? | 17:06 |
th1a | I mean, I don't think that's what ignas was thinking anyhow. | 17:06 |
ignas | we are considering whether anything should be done about all the next_url forms in the system | 17:07 |
ignas | yes, that's true as well | 17:07 |
th1a | I do think it is a serious issue. | 17:07 |
ignas | i was just saying that hidden fields don't work in this case | 17:07 |
ignas | this case being redirecting to the right calendar after editing an event | 17:07 |
aelkner_ | right now, the forms use the context to get the next url, but we need the menu item or button to specify what the next url is to be | 17:07 |
th1a | So we can probably break off this conversation now. | 17:07 |
aelkner_ | that's why the hidden field | 17:08 |
th1a | But would we store the value in the session instead of a hidden field? | 17:08 |
ignas | session has the problem of being "1" | 17:08 |
ignas | while you can have many browser windows | 17:08 |
ignas | the right fix would be to keep information about the calendar you were looking before in the url of the "view event" view | 17:09 |
ignas | but that would take some time to implement | 17:09 |
th1a | We've got interns that need appropriate tasks. Is this one? | 17:10 |
ignas | no | 17:10 |
th1a | OK. | 17:10 |
th1a | Moving on then... | 17:10 |
th1a | What I wanted to point out to aelkner (and Lumiere) is that we've been discussing the UI for easy bug reporting by teachers. | 17:11 |
th1a | I've suggested adding a button next to the "Action" menu, or perhaps in the red bar. | 17:11 |
th1a | And then just a 1 textbox form that'll also capture as much metadata automatically (user, referring page, etc) as possible. | 17:11 |
th1a | The button could also go in the footer, but I think that would be too easily overlooked. | 17:12 |
ignas | th1a: with current css - a button next to actions menu would overlay over some titles in views | 17:12 |
ignas | that's the point | 17:12 |
th1a | Titles? | 17:12 |
ignas | calendar views | 17:12 |
th1a | ... so the calendar views assume there are only two menus? | 17:12 |
ignas | Calendar for foo ... | 17:12 |
ignas | no, actually they assume that menu is as wide as the "portlet" | 17:13 |
ignas | and i have reported this as a css bug | 17:13 |
th1a | So do they just need to be pushed down? | 17:13 |
th1a | I'm confused. | 17:13 |
ignas | my point is - bug report button is not of the same importance as "navigation" and "actions" | 17:13 |
ignas | yes - they should be pushed down | 17:13 |
ignas | at least the calendar views | 17:13 |
th1a | The title should be pushed down. | 17:13 |
aelkner_ | what about how firebug works? | 17:13 |
aelkner_ | lower right corber>? | 17:14 |
aelkner_ | corner | 17:14 |
ignas | yes that is what i am suggesting | 17:14 |
ignas | in the footer | 17:14 |
th1a | Floating? | 17:14 |
ignas | lower right corner | 17:14 |
ignas | no, it's not that important | 17:14 |
ignas | it must be there | 17:14 |
ignas | always | 17:14 |
ignas | but not obstruct anything | 17:14 |
ignas | at least i think so | 17:15 |
th1a | Well, I guess this is something we're just going to have to try. | 17:15 |
th1a | I'd say using the same button styling as our other buttons is fine, if it is going to be in the footer. | 17:16 |
th1a | Perhaps make it yellow? | 17:16 |
ignas | i vote for red ;) | 17:16 |
aelkner_ | me too | 17:16 |
aelkner_ | but small so as to not distract the user | 17:17 |
ignas | th1a: as for interns - if there is an intern that can do CSS, we need a lot of IE7 fixes ... | 17:17 |
th1a | Well, time is probably better spent getting feedback on a prototype than discussing it among ourselves. | 17:17 |
aelkner_ | that sounds very XP-like | 17:18 |
th1a | ignas: Those are probably good bugs if we can document them. | 17:18 |
th1a | Or I guess getting them to find them is also a good task for an intern ;-) | 17:18 |
ignas | you don't need much time for that | 17:19 |
ignas | click on the next day button, and tada ... | 17:19 |
th1a | OK. | 17:20 |
th1a | aelkner_: What's up? | 17:21 |
aelkner_ | so last week i got a couple of days work in | 17:21 |
aelkner_ | one for cando stats in the gradebook | 17:21 |
aelkner_ | and one for the section tabs in schooltool's gradebook | 17:21 |
aelkner_ | otherwise, i've been packing for my move | 17:21 |
aelkner_ | tomorrow i settle and move | 17:22 |
aelkner_ | wed the cable company comes to hook me up with internet | 17:22 |
aelkner_ | thursday is thanksgiving | 17:22 |
th1a | OK. Congratulations! | 17:22 |
aelkner_ | thanks! | 17:22 |
aelkner_ | i'm excited | 17:22 |
aelkner_ | anyway | 17:22 |
aelkner_ | i saw your note on gradebook tabs | 17:23 |
aelkner_ | and i will work with Jeff to design them to his liking | 17:23 |
aelkner_ | he also entered a blueprint for gradebook worksheet aggregation | 17:23 |
aelkner_ | for the final grade and all | 17:23 |
aelkner_ | i'll work with him on that as well | 17:23 |
aelkner_ | also | 17:23 |
aelkner_ | they want me down in Virginia for two days of meetings | 17:24 |
aelkner_ | did they talk to you about that? | 17:24 |
th1a | We didn't discuss it, but I got the email. | 17:24 |
aelkner_ | would that be ok with you? | 17:24 |
th1a | It is fine with me. | 17:25 |
aelkner_ | ok, i'll let them know | 17:25 |
aelkner_ | anyway, i'll have plenty of work to do | 17:26 |
aelkner_ | when i get back on line | 17:26 |
th1a | OK. Good. | 17:26 |
aelkner_ | that's all i have to report | 17:26 |
th1a | I'm going to beat the bushes to try to get some help with our zope3 package. | 17:26 |
th1a | I just realized I don't think I pushed Matt Gallagher to look at them, so perhaps he's most likely to be helpful. | 17:27 |
*** jfroche has quit IRC | 17:27 | |
th1a | I guess we're done here. | 17:29 |
th1a | Have a great week and a Happy Thanksgiving. | 17:30 |
th1a | Even if you don't celebrate it ;-) | 17:30 |
* th1a drops the bag of gravel. | 17:30 | |
ignas | :) | 17:30 |
*** jfroche has joined #schooltool | 18:33 | |
*** ignas has quit IRC | 18:41 | |
*** ignas has joined #schooltool | 18:42 | |
*** th1a has quit IRC | 19:04 | |
*** ignas has quit IRC | 20:38 | |
*** test123_ has quit IRC | 21:17 | |
*** jfroche has quit IRC | 21:26 | |
*** mgedmin has quit IRC | 21:44 | |
*** lisppaste5 has joined #schooltool | 22:04 | |
*** test123 has joined #schooltool | 22:50 | |
*** didymo has joined #schooltool | 23:10 |