~sircmpwn/sr.ht-dev


[PATCH meta.sr.ht] Add query param to pre-fill oauth2 token grants

Details
Message ID
<20211124092229.74730-1-contact@emersion.fr>
DKIM signature
pass
Patch: +2 -1
---
 metasrht/blueprints/oauth2.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/metasrht/blueprints/oauth2.py b/metasrht/blueprints/oauth2.py
index 55351d4d409a..65f59eae2a08 100644
--- a/metasrht/blueprints/oauth2.py
+++ b/metasrht/blueprints/oauth2.py
@@ -109,7 +109,8 @@ def dashboard():
@loginrequired
def personal_token_GET():
    return render_template("oauth2-personal-token-registration.html",
            access_grants=access_grants)
            access_grants=access_grants,
            literal_grants=request.args.get("grants"))

@oauth2.route("/oauth2/personal-token", methods=["POST"])
@loginrequired
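Review bot: in personal_token_GET, `request.args.get("grants")` is handed to the template as `literal_grants` without any validation. The value comes from a URL that any third party can construct, so it should be checked against the known `access_grants` (dropping or rejecting unknown entries) before it reaches the form, and the expected format of the `grants` parameter should be documented next to the route. When the parameter is absent this passes None, so the template has to treat that as "no pre-fill". The diffstat shows only oauth2.py changing, so nothing in this patch makes the pre-filled state visible to the user.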

base-commit: cd0ef906447aa086f2ffbec80ceaf581a39e943c
-- 
2.34.0

[meta.sr.ht/patches] build success

builds.sr.ht
Details
Message ID
<CFXWHRU55HLE.9557FQLRA9NQ@cirno>
In-Reply-To
<20211124092229.74730-1-contact@emersion.fr>
DKIM signature
missing
meta.sr.ht/patches: SUCCESS in 3m26s

[Add query param to pre-fill oauth2 token grants][0] from [Simon Ser][1]

[0]: https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/26799
[1]: contact@emersion.fr

✓ #634488 SUCCESS meta.sr.ht/patches/alpine.yml    https://builds.sr.ht/~sircmpwn/job/634488
✓ #634490 SUCCESS meta.sr.ht/patches/debian.yml    https://builds.sr.ht/~sircmpwn/job/634490
✓ #634489 SUCCESS meta.sr.ht/patches/archlinux.yml https://builds.sr.ht/~sircmpwn/job/634489
Details
Message ID
<CFXX6PRBPBLW.7XPRC45SDS8T@taiga>
In-Reply-To
<20211124092229.74730-1-contact@emersion.fr>
DKIM signature
fail
I think we should adjust the UI a bit in this situation so that users
know what's going on. Let's open the details element and add an
alert-info which explains that they followed a URL which pre-filled the
necessary permissions.
Details
Message ID
<wpCiXg0WgGOSqUmEnNQrGQetOAJz0i588UufPCnfRuSvULqVGRDOfqaWt09EEg2zz-X0CKE5bsJ8q44z9FbSjZzsHZP7nrWu2THfDV36Fro=@emersion.fr>
In-Reply-To
<CFXX6PRBPBLW.7XPRC45SDS8T@taiga>
DKIM signature
pass
On Wednesday, November 24th, 2021 at 10:58, Drew DeVault <sir@cmpwn.com> wrote:

> I think we should adjust the UI a bit in this situation so that users
> know what's going on. Let's open the details element and add an
> alert-info which explains that they followed a URL which pre-filled the
> necessary permissions.

Since the defaults are to grant everything, I figured allowing third-parties
to restrict the grant wouldn't be a big deal. IOW, if a third-party has the
choice between getting all grants without a warning, and restricting the grants
with a scary warning… We're creating an incentive to not restrict the grants.
I don't feel strongly about it, but I think this is worth pointing out.

Definitely agree on opening the details though to not hide the pre-filled stuff
from the user.
Details
Message ID
<CFXXCC88HVQ4.1YQV98HDR3YHU@taiga>
In-Reply-To
<wpCiXg0WgGOSqUmEnNQrGQetOAJz0i588UufPCnfRuSvULqVGRDOfqaWt09EEg2zz-X0CKE5bsJ8q44z9FbSjZzsHZP7nrWu2THfDV36Fro=@emersion.fr>
DKIM signature
pass
On Wed Nov 24, 2021 at 11:04 AM CET, Simon Ser wrote:
> Since the defaults are to grant everything, I figured allowing
> third-parties to restrict the grant wouldn't be a big deal. IOW, if a
> third-party has the choice between getting all grants without a
> warning, and restricting the grants with a scary warning… We're
> creating an incentive to not restrict the grants. I don't feel
> strongly about it, but I think this is worth pointing out.

There's a difference between alert-info and alert-warning. The goal is
just to explain what's going on, and perhaps to dissuade them from
making any changes that might break the program they're issuing a token
for. Maybe we should make the form read-only in this situation, too?