fedora-infra / tahrir

Pyramid app for issuing your own Open Badges

Home Page: https://badges.fedoraproject.org/

License: Other

Python 23.91% CSS 41.95% JavaScript 14.32% Shell 0.14% HTML 19.69%
python fedora-project pyramid open-badges ansible javascript css web-development

tahrir's Introduction

Tahrir

Tahrir is a Flask application used by the Fedora Project for issuing Open Badges. As per the about page:

The concept of Open Badges originated among those working at the Mozilla and MacArthur foundations, and out of the research of Erin Knight, founding director of the Open Badges project at Mozilla.

Originally, information was hosted on the Mozilla Wiki.

Tahrir is Arabic for Liberation. The name is total overkill.

The project is hosted on Github. You can read the documentation for more details.

You can see Tahrir deployed in production, or in the staging instance.

tahrir's People

Contributors

abompard, adamwill, bowlofeggs, calweb, cdelorme, clockfort, cverna, cydrobolt, decause, dependabot[bot], dhgutteridge, dtgay, fluffybeing, gridhead, heis2201, jamielinux, laxathom, lmacken, mscherer, nbebout, puiterwijk, pypingou, ralphbean, relrod, renovate[bot], rossdylan, ryanlerch, sayanchowdhury, trishnaguha, yash256

tahrir's Issues

Invitations should have a creator associated with them.

A created_by field that refers to an entry in the Person model.

Scenario:

  • Say you create three invitations for three different badges. Later you may want to login and be able to see a list of the ones you have that are still active, and which ones are expired.

Right now, there's no real way to keep track of them on a per-creator basis.

Admin view not properly escaped

Admin view's assertion form escapes <input>, but does not escape <label>
(security flaw)

Additionally, anyone knowing an administrator email can access admin page

Put badge image URL resolving code in its own method.

Currently, we have to do something like this to handle badge images:

% if badge.image.startswith("http"):
    src="${badge_images[assertion.badge_id]}"
% else:
    src="/pngs/${badge_images[assertion.badge_id]}"
% endif

It would be nice to just be able to pass a badge id to a method which would return the appropriate image URL.
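
A sketch of the helper this issue asks for, as an added example that is not part of the issue or of tahrir's code. The function name `badge_image_url`, the shape of the `badge_images` mapping and the sample values in the test are assumptions based on the template snippet above.

```python
from urllib.parse import quote, urlsplit

# Assumption: locally stored badge images are served under this prefix,
# as in the template snippet above.
LOCAL_IMAGE_PREFIX = "/pngs/"


def badge_image_url(badge_id, badge_images, prefix=LOCAL_IMAGE_PREFIX):
    """Return the value to use as <img src> for the given badge id.

    badge_images maps badge id -> stored image value, which is either an
    absolute http(s) URL or the file name of a locally hosted PNG.
    """
    image = badge_images[badge_id].strip()
    parts = urlsplit(image)

    # Remote image: only a real absolute http(s) URL counts. A plain
    # startswith("http") would also match a local file such as
    # "http-logo.png" and skip the local prefix.
    if parts.scheme in ("http", "https") and parts.netloc:
        return image

    # Any other value carrying a scheme or a host (javascript:, data:,
    # //host/path) is neither a supported URL nor a local file name.
    if parts.scheme or parts.netloc:
        raise ValueError("unsupported badge image value: %r" % image)

    # Local image: keep only the last path component so "../" segments
    # cannot point outside the image directory, then percent-encode it.
    name = image.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError("empty badge image name: %r" % image)
    return prefix + quote(name)
```

With this in place the template only needs `src="${badge_image_url(assertion.badge_id, badge_images)}"`, and the URL decision lives in one testable function.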

Create a favicon

Once Tahrir has a logo, we should use it to make a sweet favicon :)

In the meantime, perhaps we can use the pyramid logo as a favicon?

Require only one-click for FAS oauth login

Right now, to login with FAS, you have to type your fas username in the login box and then click "login". You are taken to the FAS system where you click "OK" and then are redirected back to tahrir.

This was done this way because when it was written, the FAS system would throw an error if you tried to authenticate without providing a username first. This has since been resolved with https://fedorahosted.org/fas/ticket/160

It would be nicer if the user (on tahrir's page) only had to click "login". They would then be taken to FAS which would prompt them for their username if they weren't already logged in, thus removing the extra step from tahrir's side of the equation.

Note that we won't really get to work on this until https://fedorahosted.org/fas/ticket/160 has been deployed to production.

Award badges via QRcode

An admin should be able to login to tahrir and create a QRcode that is valid for some timespan.

Users who scan that qrcode are taken to a link that then awards them that badge in the db.

This is for stuff like conferences where you want the attendees to get a badge.

Remove hardcoded salt in tahrir-api

In a separate repo there is another project called tahrir-api -> https://github.com/ralphbean/tahrir-api

There in tahrir_api/model.py there is a salt_default function that just returns the default "salt" value that I used when I first wrote tahrir. We need to replace that to instead return the value from the Pyramid config (the value assigned to tahrir.salt in development.ini). This should be available through some Pyramid config object.. but you'll have to read through the docs and experiment to figure it out.

Use pyramid's __acl__ machinery instead of the is_admin function.

When I first wrote tahrir, I was also learning the Pyramid framework at the same time. I implemented my own is_admin function in tahrir/views.py that checked to see if the logged in user was one of the users listed in the tahrir.admin value in the config.

This works, but is kind of clumsy. Pyramid provides a very robust and scalable security framework that I haven't had a chance to use yet: http://docs.pylonsproject.org/projects/pyramid/en/1.0-branch/narr/security.html

It would be excellent if someone could remove all the references to my clumsy is_admin method and replace it with "proper" pyramid authorization code. This will likely take us a few tries to get it correct.

pip installable

It would be awesome if you could pip install tahrir and run a copy of your own easily.

Relicense from AGPLv3+ to AGPLv3+ with exceptions

I'm going to relicense tahrir from AGPLv3+ to AGPLv3+ with the following additional permission:

If you modify the Program, and your modified version becomes subject
to the requirement stated in AGPLv3, section 13, you may satisfy
this requirement by providing access to the Corresponding Source of
your modified version to each user that explicitly requests such
Corresponding Source, no later than 15 days following the date on
which such request was received.

The following people have contributed commits to tahrir. Their public consent will be required before the relicensing is complete:

Contributors will need to email this list with their consent.

Idea: For community-awarded badges, allow users to request an invitation

@decause has a worthwhile idea, which I will explain with an example:

Joe checks out Antonio's profile and sees that he has earned the Super-Awesome Hackathon 2013 badge. Joe is bummed, because he also attended that event, and wants the badge. Joe can press a button that will open a text box, allowing him to type a special request that the issuer sends him an invite for that badge.

Of course, there are matters of spam to consider. Users who issue many special requests which are denied should be restricted from sending further requests.

Pull username from FAS when possible.

I know we want to keep the authentication pluggable, but we should be able to request the user's username via openid. Let's store it if we can get it.

Easy theme customization.

It'd be easy to make a few parts of Tahrir's theming pluggable so folks can set up their own Tahrir instances with non-Fedora themes.

  • There is already a setting to use custom CSS, I do believe it works fine.
  • We can add an option for logo URL to the settings file.
  • We can potentially set up settings for a few colours (primary, secondary, links, etc) so that people can easily tweak the colour scheme without diving into the CSS. This may be a little more tricky to do well.

Smoothly redirect to and from login

Scenario:

  • The user is not logged in.
  • They try to access the /admin page.

Right now they just get redirected to /.

It would be better if they were automatically redirected to FAS login and then redirected back to /admin (where they originally wanted to go).

Embeddable badges view

There has been interest in the badges mailing list of producing a simple, embedded widget that can be used to display some badges on another site, like a user's blog, or in a forum signature. This is for down the road, but a good idea that should be implemented.

rollover tooltip sometimes persists after mouseoff

Working on tahrir in Firefox under Fedora 17. The pop-up with the JSON blob sometimes persists after the mouse is no longer hovering on the link. Getting rid of it requires moving the mouse on and off the link in different fashions until it finally registers and the popup disappears (or just reloading the page).

I'm not sure what's doing this or what determines if it happens, but I think it has to do with how the code is "listening" for the mouseoff event. I will see if I can fix things. :)

edit: forgot to add this handy image:

image

Make the authn system pluggable

Right now, tahrir is hardcoded to use FAS/oauth for authentication. This is nice for our use case in Fedora, but if someone else wanted to run an instance of tahrir it wouldn't make sense. They may want to use GitHub or Twitter (or whatever) for authentication.

We already use velruse which gets us halfway there. http://packages.python.org/velruse/index.html

Velruse provides mechanisms for authenticating against all different kinds of identity providers. We should allow the user to specify which identity provider they want to use in the config file (development.ini) and not be biased about which one tahrir "prefers".

Maybe tahrir should authenticate using Github by default "out of the box" but we should include our FAS/oauth setup as an example in the documentation.

Delete things from the admin menu

It would seem that I've already added improper/incorrect badge information to tahrir. (My next badge I create will be the 'doing it wrong' badge, which I will award to myself.)

Perhaps it would be a good idea to be able to delete badges, or people, or issuers, via the admin interface?

Move global variables to proper homes.

There are a few variables which are displayed on all/most views via the master template, master.mak. These include:

  • awarded_assertions (for logged in users, number of assertions waiting to be accepted)
  • logged_in (should be moved to Pyramid authentication)
  • base_url (the app's base url)
  • title (the page title)
  • is_admin (should be moved to Pyramid authentication)

These variables currently are passed to the template via the returned dict in each view. We should move these variables in their proper homes. logged_in and is_admin should be done through Pyramid auth. groups. title and base_url never really need to change, so we should figure out how to pull those from our settings dict and make them always-available. awarded_assertions might find a good home in the Pyramid headers; it could be passed around everywhere, since it is always going to be displayed on the page.

Two things which are sub-fun for me are knowing where to look in Pyramid documentation and writing authentication/authorization code. Therefore, any contributions to this issue are accepted with a huge smile and a high-five.

OpenID Integration Broken on First Import

The second time I log in with OpenID, it works, but the first time, when loading a URL like this one:

http://badges.helixoide.com/dologin.html?janrain_nonce=2012-07-19T18%3A07%3A46ZF2KN0q&openid.assoc_handle=%7BHMAC-SHA1%7D%7B500476e4%7D%7Bk1cF7Q%3D%3D%7D&openid.claimed_id=https%3A%2F%2Fadmin.fedoraproject.org%2Faccounts%2Fopenid%2Fid%2Fclockfort%2F&openid.identity=https%3A%2F%2Fadmin.fedoraproject.org%2Faccounts%2Fopenid%2Fid%2Fclockfort&openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1&openid.op_endpoint=https%3A%2F%2Fadmin.fedoraproject.org%2Faccounts%2Fopenid%2Fserver&openid.response_nonce=2012-07-19T18%3A04%3A21Z2yUabA&openid.return_to=http%3A%2F%2Fbadges.helixoide.com%2Fdologin.html%3Fjanrain_nonce%3D2012-07-19T18%253A07%253A46ZF2KN0q&openid.sig=m6WXXQt%2BFRSxz9Z%2B%2BzZMM1ZhKWU%3D&openid.signed=assoc_handle%2Cclaimed_id%2Cidentity%2Cmode%2Cns%2Cns.sreg%2Cop_endpoint%2Cresponse_nonce%2Creturn_to%2Csigned%2Csreg.email&openid.sreg.email=clockfor%40redhat.com

it fails, with "A server error occurred. Please contact the administrator."

Render badge descriptions from .rst to html

I'm going to keep badge descriptions as .rst in the database (sometimes one sentence with no markup. Sometimes three paragraphs with a little markup).

We can use the docutils module to render those to html snippets when serving requests in the tahrir web interface.

This example will be useful in getting a head start on this. It is more complicated than what we need to do. There, it is opening an API.rst file and converting that to html. Here we only need to do it for badge.description.

Fix error code images.

Currently, there are two images displayed on error pages (like 404). In these images, the text within the pink circle is white. With our new white background, this will have to be changed. Perhaps @Jenneh can create some cool logos, or we can use standard Fedora ones?

Server-Side Image Resizing

Since images are being stored locally into the local server's /png/{HASH}.png, there is no reason to not resize them server-side to a standard badge resolution.
