IRC log of #schooltool for Monday, 2007-11-19

*** th1a_ has joined #schooltool02:02
*** Fujitsu has quit IRC03:53
*** Fujitsu has joined #schooltool03:54
*** th1a_ has quit IRC05:50
*** lisppaste5 has quit IRC06:27
*** lisppaste5 has joined #schooltool06:36
*** jfroche_ has joined #schooltool06:57
*** jfroche has quit IRC07:13
*** didymo has quit IRC08:24
*** jfroche_ has quit IRC09:32
*** didymo has joined #schooltool10:32
*** jfroche has joined #schooltool11:20
*** ignas has joined #schooltool11:59
*** didymo has quit IRC12:26
*** jfroche has quit IRC13:14
*** jfroche has joined #schooltool13:23
*** ignas has quit IRC14:01
*** jfroche has quit IRC14:30
*** SteveA has quit IRC14:30
*** aelkner has quit IRC14:30
*** jfluhmann has quit IRC14:30
*** Lumiere has quit IRC14:30
*** lisppaste5 has quit IRC14:30
*** JohnnyST has quit IRC14:30
*** jfroche has joined #schooltool14:41
*** lisppaste5 has joined #schooltool14:41
*** aelkner has joined #schooltool14:41
*** jfluhmann has joined #schooltool14:41
*** SteveA has joined #schooltool14:41
*** Lumiere has joined #schooltool14:41
*** JohnnyST has joined #schooltool14:41
*** lisppaste5 has quit IRC14:50
*** alga has joined #SchoolTool15:17
*** jfroche has quit IRC15:25
*** jfroche has joined #schooltool15:25
*** ignas has joined #schooltool15:59
*** th1a has joined #schooltool15:59
*** test123 has joined #schooltool16:29
* th1a shuffles some papers around.16:30
*** test123_ has joined #schooltool16:31
th1aGood morning test123, aelkner, jfroche, ignas.16:31
ignashi16:31
test123_good afternoon16:32
th1aSo what's your status, test123_?16:33
th1aWedding go ok?16:33
test123_yes thanks.. we have an hour of exciting16:34
test123_home movies streaming from SU16:34
test123_to test the network16:34
test123_but i will not bore you with16:34
test123_that16:34
test123_Jens has built the 10.5.1 client16:35
test123_tizard branch16:35
test123_I am moving it into the production service16:35
test123_for a demo on Thurs with 10-15 schools16:35
test123_over16:35
th1aHave you got it set up for your assessments?16:36
*** aelkner_ has joined #schooltool16:36
test123_Yes, I have all the data from the alpha school16:36
test123_we set a midterm and a final16:36
th1aHi aelkner_.16:36
test123_So this week will use the mid term schedule and test results16:36
th1aOK.  Let us know if you're having problems.16:36
test123_will do16:36
* th1a and ignas cross our fingers and figure you know what you're doing.16:37
test123_Is Ignas planning any holiday this week?16:37
ignasno, not really16:38
th1aI didn't mean we're leaving you on your own.16:38
th1aWorking with distant collaborators is just mysterious.16:39
test123_OK.. I will email you and Tom with the test data plan16:39
th1aAnything else test123_?16:39
test123_This will help you to see what we are attempting. Nothing else to report. Thanks for the build.16:40
th1aThanks test123_.  Thanks for getting up early?16:41
th1aAre you in CA?16:41
th1atest123_ is always plus or minus four time zones.16:42
test123_Nope .. not this week.. nor next. It would be helpful for a later call the following week though?16:42
th1aThis time is best for us.  It is our regular time.16:43
th1aIt is only bad for people in California.16:43
test123_OK. Then I will email you a report and check the log16:43
th1aWell, and Asia.16:43
th1aOK.  Cool.  That should be sufficient.16:43
th1aIgnas, what's up?16:43
ignasnot too much, spent a lot of time messing with i18n16:44
ignasrealization that we have "188 instances of bug A" in the source code16:44
ignaswas quite paiful16:44
ignaspainful16:44
th1aWhich bug?16:44
ignastranslating strings that should not be translated16:45
ignaslike usernames for example16:45
ignasone more thing i did was refactor most of the buttons16:45
ignasinto view macros16:45
ignasso i would not have to fix another bug in 70 places16:46
th1aWhat happens if you try to translate strings that should not be translated.16:46
*** aelkner has quit IRC16:46
ignaswell - you have a user with title that matches some english word16:46
ignasthat english word gets translated into lithuanian16:46
ignasif you set the language to lithuanian16:46
ignasenev though it is not a message i16:46
ignasid16:46
*** test123 has quit IRC16:47
ignasand "${DYNAMIC_CONTENT}" is not very clear for translators16:47
th1aThe English word has to be one that we use and have translated?16:47
ignasyes16:47
ignasyou have probably noticed letters "A" "U" "S" "C"16:48
ignasin our translation templates16:48
ignasthat our translators don't know what to do with16:48
ignasthis one is the bug that is in every single button in the system16:48
th1aSo what is the fix?16:48
ignasinstead of writing <input type="submit" accesskey="U" i18n:attributes="accesskey" />16:49
ignaswrite <input type="submit" accesskey="U" i18n:attributes="accesskey shortcut-key-for-update" />16:49
th1aOh, I see.16:50
ignasbut as that bug is in like 70 places or so - i am refactoring it to have the fix in like 10 places16:50
ignasmore related bugs are like16:50
ignas<input type="submit" value="Add" i18n:attributes="value apply" />16:50
ignas<input type="submit" value="Add" i18n:attributes="value apply-button" />16:51
ignaswhich for english speakers will make button look like "Add"16:51
ignaswhile for all the translated instances like "Apply"16:51
th1aAh.16:51
ignasoh, and I have the store post data in session working16:52
ignasso as soon as i'll write the functional test16:52
ignasi'll commit it16:52
th1aFor bug reporting?16:52
ignasgot stuck on functional test, because testbrowser can't open 2 windows with same credentials16:52
ignasno, for CAS and LDAP16:53
ignasand schooltool16:53
ignasso if you have some data in the form16:53
ignasclick submit16:53
ignasget the log in prompt16:53
ignaslog in16:53
ignasdata you have entered gets into the system16:53
ignasinstead of vanishing16:53
th1aGood.16:53
th1aIs this also useful for redirecting people to the right place after they submit a form?16:54
ignasno16:54
th1aaelkner_: ayt?16:54
aelkner_yes16:55
ignaspreserving the right places is a bit tricky as you have to support going through an intermediate page16:55
th1aOK.16:55
aelkner_i was gong to say16:55
aelkner_that we could use a hidden field called nextURL16:55
th1aignas: Have you worked on implementing easy bug reporting yet?16:55
ignasperson calendar -> view event -> edit event -> *some* calendar16:55
ignasth1a: no, not yet16:55
Lumiereaelkner_: hidden fields are very very bad16:56
th1aWe should probably explain the bug reporting to aelkner_.16:56
th1aHi Lumiere.16:56
th1aDidn't mean to shun you.16:56
Lumiere*lurks*16:56
ignasLumiere: not too bad, but it won't work easily if you have a page in the middle that has no forms in it16:56
Lumiereunless you are properly filtering them... that 'hidden field' could be anything16:56
ignasLumiere: like "view event"16:57
Lumiereignas: I am thinking from more a security stand point16:57
Lumiereit's an XSS risk if nothing else16:57
ignaswe do hidden fields already in some places16:58
aelkner_explain XSS risk16:58
Lumierecross site scripting16:58
th1aThis might be a good thing for aelkner_ to know.16:58
*** mgedmin has joined #schooltool16:58
Lumiereif you call the stuff passed in a future piece of code16:58
ignasLumiere: how precisely is hidden field going to cause the risk?16:58
Lumiereand someone has changed it to say 'phishingsite.com'16:59
Lumiereand we jump to it16:59
ignasif someone can alter content of your page16:59
ignasor can alter url in your browser16:59
Lumiereyes16:59
ignasyou are in trouble already16:59
Lumierewhich is not too difficult to imaigne these days16:59
aelkner_how?17:00
Lumiereyes... but lets not let it happen on our end17:00
ignas?17:00
ignaswhat do you mean happen?17:00
Lumiereaelkner_: spyware that reads and alters outgoing data17:00
Lumierelets not let a security hole like that exist at all17:00
ignasLumiere: you still haven't explained what the hole is ...17:00
Lumierethe hole is that it would be possible for someone to gather data about a SchoolTool user17:01
th1aYeah, I'm not sure that's a good case.17:01
Lumiereby redirecting them to a site thatl ooks like schooltool17:01
ignascould you please give a step by step example of how a hidden field "nexturl" can be exploited17:01
Lumiereand gets them to enter their user/pass17:01
aelkner_yeah, please do17:01
LumiereI just did17:02
aelkner_not enough detail17:02
Lumierethere are a ton of ways17:02
Lumiereto get there17:02
ignasif you can modify the content of the page you got from schooltool - you can just replace a link, any link17:02
Lumierew/e17:02
th1aIf your client is that compromised, you're screwed.17:02
aelkner_but a hidden field is NOT a link17:02
ignasif you can make user to click on some link - you can as well make him click on the fake link17:02
ignasi understand that you can give "http://schooltool/foo/bar?next_url=http://fake_tool.com/"17:03
aelkner_ok, i get that, too17:04
Lumiereand if you make fake_tool17:04
Lumierelook like a page that schooltool failed to login right17:04
Lumiere(easy to get...)17:04
aelkner_rught, phishing17:04
Lumiereyou just got someones user/pass17:04
Lumiereto a highly sensitive data system17:05
LumiereI am paranoid about it... because of the data in the system17:05
ignasthough it is not really related to a hidden field17:05
Lumiereand the controls required by the government17:05
ignasPOST can't be compromised that easily17:05
Lumiereit can be though17:05
ignasif you can compromise POST - you have the control over the channel already17:06
ignasand your browser will YELL at you17:06
ignasif you get redirected from one https site to another17:06
ignasand you should be running schooltool under https if you care about security17:06
th1aHm... OK, are we actually considering using a hidden field here?17:06
th1aI mean, I don't think that's what ignas was thinking anyhow.17:06
ignaswe are considering whether anything should be done about all the next_url forms in the system17:07
ignasyes, that's true as well17:07
th1aI do think it is a serious issue.17:07
ignasi was just saying that hidden fields don't work in this case17:07
ignasthis case being redirecting to the right calendar after editing an event17:07
aelkner_right now, the forms use the context to get the next url, but we need the menu item or button to specify what the next url is to be17:07
th1aSo we can probably break off this conversation now.17:07
aelkner_that's why the hidden field17:08
th1aBut would we store the value in the session instead of a hidden field?17:08
ignassession has the problem of being "1"17:08
ignaswhile you can have many browser windows17:08
ignasthe right fix would be to keep information about the calendar you were looking before in the url of the "view event" view17:09
ignasbut that would take some time to implement17:09
th1aWe've got interns that need appropriate tasks.  Is this one?17:10
ignasno17:10
th1aOK.17:10
th1aMoving on then...17:10
th1aWhat I wanted to point out to aelkner (and Lumiere) is that we've been discussing the UI for easy bug reporting by teachers.17:11
th1aI've suggested adding a button next to the "Action" menu, or perhaps in the red bar.17:11
th1aAnd then just a 1 textbox form that'll also capture as much metadata automatically (user, referring page, etc) as possible.17:11
th1aThe button could also go in the footer, but I think that would be too easily overlooked.17:12
ignasth1a: with current css - a button next to actions menu would overlay over some titles in views17:12
ignasthat's the point17:12
th1aTitles?17:12
ignascalendar views17:12
th1a... so the calendar views assume there are only two menus?17:12
ignasCalendar for foo ...17:12
ignasno, actually they assume that menu is as wide as the "portlet"17:13
ignasand i have reported this as a css bug17:13
th1aSo do they just need to be pushed down?17:13
th1aI'm confused.17:13
ignasmy point is - bug report button is not of the same importance as "navigation" and "actions"17:13
ignasyes - they should be pushed down17:13
ignasat least the calendar views17:13
th1aThe title should be pushed down.17:13
aelkner_what about how firebug works?17:13
aelkner_lower right corber>?17:14
aelkner_corner17:14
ignasyes that is what i am suggesting17:14
ignasin the footer17:14
th1aFloating?17:14
ignaslower right corner17:14
ignasno, it's not that important17:14
ignasit must be there17:14
ignasalways17:14
ignasbut not obstruct anything17:14
ignasat least i think so17:15
th1aWell, I guess this is something we're just going to have to try.17:15
th1aI'd say using the same button styling as our other buttons is fine, if it is going to be in the footer.17:16
th1aPerhaps make it yellow?17:16
ignasi vote for red ;)17:16
aelkner_me too17:16
aelkner_but small so as to not distract the user17:17
ignasth1a: as for interns - if there is an intern that can do CSS, we need a lot of IE7 fixes ...17:17
th1aWell, time is probably better spent getting feedback on a prototype than discussing it among ourselves.17:17
aelkner_that sounds very XP-like17:18
th1aignas: Those are probably good bugs if we can document them.17:18
th1aOr I guess getting them to find them is also a good task for an intern ;-)17:18
ignasyou don't need much time for that17:19
ignasclick on the next day button, and tada ...17:19
th1aOK.17:20
th1aaelkner_: What's up?17:21
aelkner_so last week i got a couple od days work in17:21
aelkner_one for cando stats in the gradebook17:21
aelkner_and one for the section tabs in schooltool's gradebook17:21
aelkner_otherwise, i've been packing for my move17:21
aelkner_tomorrow  i settle and move17:22
aelkner_wed the cable company comes to hook me up with internet17:22
aelkner_thursday is thanksgiving17:22
th1aOK.  Congratulations!17:22
aelkner_thanks!17:22
aelkner_i'm excited17:22
aelkner_anyway17:22
aelkner_i saw your note on gradebook tabs17:23
aelkner_and i will work with Jeff to design then to his liking17:23
aelkner_he also entered a blueprint for gradebook worksheet agregation17:23
aelkner_for the final grade and all17:23
aelkner_i'll work with him on that as well17:23
aelkner_also17:23
aelkner_they want ne down in Virginia for two days of meetings17:24
aelkner_did they talk to you about that?17:24
th1aWe didn't discuss it, but I got the email.17:24
aelkner_would that be ok with you?17:24
th1aIt is fine with me.17:25
aelkner_ok, i'll let them know17:25
aelkner_anyway, i'll have plenty of work to do17:26
aelkner_when i get back on line17:26
th1aOK.  Good.17:26
aelkner_that's all i have to report17:26
th1aI'm going to beat the bushes to try to get some help with our zope3 package.17:26
th1aI just realized I don't think I pushed Matt Gallagher to look at them, so perhaps he's most likely to be helpful.17:27
*** jfroche has quit IRC17:27
th1aI guess we're done here.17:29
th1aHave a great week and a Happy Thanksgiving.17:30
th1aEven if you don't celebrate it ;-)17:30
* th1a drops the bag of gravel.17:30
ignas:)17:30
*** jfroche has joined #schooltool18:33
*** ignas has quit IRC18:41
*** ignas has joined #schooltool18:42
*** th1a has quit IRC19:04
*** ignas has quit IRC20:38
*** test123_ has quit IRC21:17
*** jfroche has quit IRC21:26
*** mgedmin has quit IRC21:44
*** lisppaste5 has joined #schooltool22:04
*** test123 has joined #schooltool22:50
*** didymo has joined #schooltool23:10

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!