- The github repository has been transfered to the trac-hacks organization. Nothing has changed except the github URLs (and the old URLs should continue to work.)
- Avoid
KeyError: 'openid.return_to'error when user cancels verification. (Fix by @sleske) - On login, first try to look up the username by the supplied OpenID identifier. Only create a (new) username if the lookup fails. Thus returning users will no longer get a new username if the data returned by their OpenID provider changes. (Fixes #14.) Note that previous releases would create a new username with the same OpenID identifier in this case. If that has happened in your installation, there will be multiple usernames with the same OpenID identifier. In that case the user will now always be logged into the username that was last used, and a warning will be logged ("Multiple users share the same openid identifier"). You should probably clean up these "duplicate" usernames (usually by joining them). (Fix by @sleske)
- Avoid
AttributeErrorwhen neither name nor email is returned from the OP. (Fixes #9.)
(Another) brown bag release. I botched release 0.4.4, and managed to totally delete the PyPI repository in the process. (Sorry.)
- (Contributed by Patrick Uiterwijk) Users can be added to trac groups according to group membership provided via the OpenIDTeams extension. Only groups listed in the new
groups_to_requestconfig option will be considered for possible membership. To use this feature you must install the python-openid-teams package.
- Previously, if no email address was returned via AX or SREG, the
email_white_listconfig option was being ignored. Now ifemail_white_listis set and no email address can be determined, authorization will be denied. - Do not create new users with a username which already has trac permissions assigned to it. (E.g. this might be the name of a trac group.)
- Updated the example config in the README so that it more closely matches current reality. (Baby steps...)
- Fix so that
check_list_usernameactually works. Now one can actually use thecheck_listweb API to implement custom identity to username mapping. - Fall back to using the identifier URL as the authname (rather than throwing an exception) if the OpenID provider did not return a full name (or nickname).
- README.rst: Patrick Uiterwijk has packaged this plugin for Fedora
These features were contributed by Patrick Uiterwijk.
- New config option
use_nickname_as_authname. If set, the OpenID nickname will be used for the authname (or trac username). - New config option
trust_authname. If set, trust the OpenID-derived authname to be unique. Security warning: do not set this unless you know what you are doing.
This is a brown bag release. Release 0.4 was unusable.
- Packaging: A number of crucial files were omitted from the manifest.
The default for
[trac] check_auth_ipis nowFalse. This has security implications. If you want authorization to be tied to the clients IP address you must now explicitly set this option toTrue.Prior to this change, if
check_auth_ipwas not explicitly set, we ignored the global trac default (False) for the setting and behaved as if it were set toTrue.This change is being made for the sake of backwards compatibility with trac 0.11 whose
Configuration.has_optionmethod does not support the optionaldefaultsargument added in 0.12. Without that there seems to be no clean way to determine whether a setting is explicitly set in the.inifile.
- We will now use the json package if your python version includes it (python >= 2.6). For older pythons, the simplejson package is now required.
- A minor hack has been made which allows at least basic functionality under the development branch, trac-1.0 (formerly know as trac-0.13). Note that only very basic tests under trac-1.0 have not been performed. (The code in this plugin still does not adhere to the modern trac db API usage recommendations.)
Jeff Dairiki has taken over maintenance of this plugin from the original author, Dalius Dobravolskas (who no longer uses trac.)
The source repository for the plugin has moved to https://github.com/trac-hacks/authopenid-plugin.
- Respect the
[trac] auth_cookie_lifetimeconfig value when setting cookie expiration times.
- Using the
[trac] expiressetting to specify the auth cookie lifetime is deprecated. Use[trac] auth_cookie_lifetimeinstead. (Theexpiressetting does not seem to exist in trac 0.12 or 0.11.)
- Don't override the default value for the
[trac] check_auth_ipconfiguration setting. Trac declares this to have a default value of false; we were overriding that default to true.
- Now AX (as well as SREG) are attempted to get the user’s name. This is tested with Google (which does not support SREG).
- The new config setting
[openid] lowercase_authnamespecifies whether to force authnames to lowercase. For backwards compatibility, the default for this option is true (see below). In general, however, I think it makes more sense to set this option to false.
- _Authnames were being lower-cased when recovering them from the cookie, but not when generating them initially. This resulted — unless the user’s name was all lower case to start with — in two sessions being created upon initial login, one of which was ignored thereafter.
- Always uniquify authnames. When they are lowercased, there’s always a chance of collision, even when they include the identity URL.