djangoldp issues
https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues
2024-01-24T18:00:23+01:00

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/435
When communities are imported, groups are created but not linked to the objects
2024-01-24T18:00:23+01:00
Benoit Alessandroni (benoit@startinblox.com)

On https://api.tzcld-dev.startinblox.com there are a lot of communities with members and admins set as null.
The corresponding groups are actually created but are not associated with the community.
Low priority as this import/migration was necessary for dev but we will migrate using migrations and not import of fixtures for staging and production.

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/434
Specification of scoping/search/pagination
2023-11-14T17:10:54+01:00
Benoit Alessandroni (benoit@startinblox.com)

Let's go back to the spec here:
For scoping:
- https://www.w3.org/TR/ldp/#prefer-parameters
Search:
- See sparql
- See the INRIA project for different mechanism
Pagination
- https://www.w3.org/TR/ldp-paging/
- Explicitly for the redirect scheme: https://www.w3.org/TR/ldp-paging/#ldpp-ex-paging-303

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/433
OPTIONS on resource without permissions
2023-09-28T16:53:18+02:00
Sylvain Le Bon

There is no restriction on the OPTIONS method, which might create a permission issue if one sends an OPTIONS request on a resource they shouldn't see.

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/432
403 for edition on an unknown object
2023-10-14T15:12:18+02:00
Sylvain Le Bon

When I don't have permissions on an object, and I try a GET on its @id, I get a 404.
But when I try a PUT on its @id, I get a 403.

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/431
What happens if I don't have permissions on a required ForeignKey-related object?
2023-09-02T17:19:49+02:00
Sylvain Le Bon

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/420
Check why developers need to create custom viewsets
2023-08-26T23:25:27+02:00
Sylvain Le Bon

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/419
Check PUT and POST
2023-08-26T22:14:41+02:00
Sylvain Le Bon

The permission system bases its decisions on the verb used on the request, assuming that POST is used to add and PUT to change. But I believe we can POST a resource with an @id to change it, and PUT a new resource. We need to check if it's the case and if that creates a security issue.

Sylvain Le Bon

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/415
Update bloxs events, projects, circles and resources
2023-08-24T16:48:22+02:00
Sylvain Le Bon

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/405
New permission system
2023-09-01T00:54:13+02:00
Sylvain Le Bon

In most cases, permissions that depend on roles should be based on groups.
Roles on an object should be passed through a ForeignKey to `django.contrib.auth.models.Group`.
Permissions can then be specified through a Meta attribute `role`.
Only one permission class can now be defined on a model.
```python
from django.conf import settings
from django.contrib.auth.models import Group
from django.db import models
from djangoldp.models import Model

# AnonymousReadOnly, AuthenticatedCreate, ObjectPermissions and OwnerPermissions are the
# permission classes named in this proposal; the issue does not show their import.
class Circle(Model):
    name = models.CharField(max_length=255, blank=True, null=True, default='')
    owner = models.ForeignKey(settings.AUTH_USER_MODEL, related_name="owned_circles", on_delete=models.SET_NULL, null=True, blank=True)
    # Each role on the object is a ForeignKey to a Group
    members = models.ForeignKey(Group, related_name="circles", on_delete=models.SET_NULL, null=True, blank=True)
    admins = models.ForeignKey(Group, related_name="admin_circles", on_delete=models.SET_NULL, null=True, blank=True)

    class Meta(Model.Meta):
        permission_class = [AnonymousReadOnly, AuthenticatedCreate, ObjectPermissions, OwnerPermissions]
        auto_author = 'owner'
        # Role name -> permissions granted to that role's group
        roles = {
            'members': {'perms': ['view'], 'add_author': True},
            'admins': {'perms': ['view', 'change', 'control'], 'add_author': True},
        }
```
This automatically creates a group for each role, the needed ACL entries for this group, and adds the author of the object in the group.

Sylvain Le Bon

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/404
Check json-ld support
2023-09-12T17:51:01+02:00
Sylvain Le Bon

We're currently stuck with pyld 1.0 because of our support of semi compacted iris. pyld 2 doesn't accept to compact data containing already compacted iris. See https://git.startinblox.com/djangoldp-packages/djangoldp/-/blob/master/djangoldp/tests/tests_update.py#L235 for example.

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/402
Support types index
2023-10-02T15:11:30+02:00
Benoit Alessandroni (benoit@startinblox.com)

To be completed by @lecoqlibre:
Provide a specification about how we could support the solid types index specification to allow querying of what's in there.
Examples of endpoints we use on our instances
- /projects/
- /users/
- /circles/
- /events/
Etc...

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/398
Replace Serializer cache with Django caches
2023-10-14T15:18:18+02:00
Calum Mackervoy

Django's [caching system](https://docs.djangoproject.com/en/2.2/topics/cache/) is much more configurable than ours
We could reuse their code to provide `SERIALIZER_CACHES` (and `ACTIVITY_CACHES`), allowing our users the same degree of control over the caching system as they receive in Django
The places to begin the investigation of that:
* https://github.com/django/django/blob/stable/2.2.x/django/middleware/cache.py#L156
* https://github.com/django/django/blob/stable/2.2.x/django/core/cache/__init__.py#L57

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/397
Cache persisting despite being disabled by child serializer
2022-03-04T17:12:19+01:00
Calum Mackervoy

@sylvainlehmann reported to me that despite using
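```python
from djangoldp.serializers import LDPSerializer
from djangoldp.views import LDPViewSet

class ResponseSerializer(LDPSerializer):
    with_cache = False  # opt this serializer out of the serializer cache

class ResponseViewSet(LDPViewSet):
    serializer_class = ResponseSerializer
```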
The serializer cache was still active, when it should not be. First step is to replicate this in a unit test

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/396
Disable cache via the model
2022-03-04T15:07:25+01:00
Calum Mackervoy

It would be useful to be able to disable the serializer cache with a meta setting on the model. At the moment it requires the overwriting of the `LDPSerializer` to use `with_cache = False` and then set this as a custom serializer for the model or viewset

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/394
Truncating add/remove activities to the same target
2021-12-01T19:31:18+01:00
Calum Mackervoy

### Example
I add 3 skills from my server to a JobOffer from another server
### What happens
The recipient server receives 3 `Add` activities, one for each skill
### What should happen
The recipient server should receive 1 `Add` activity with all skills contained within it

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/392
Refactoring the DPOP mechanism
2023-10-14T15:20:24+02:00
Ghost User

Investigating security topics, I just figured out the requests we send are huge and this is likely to affect performance.
_Which is more or less related to availability and it's my job to bother you with that !_ :)
I can see in many requests we are sending a `DPOP` header in addition to the expected `Authorization` header. This doubles the size of a quite heavy string.
Also we could rework this header to rely on elliptic curves which would lower the size of the result string. As we are supposed to send this header for every authenticated request, it could make a good improvement.

Benoit Alessandroni (benoit@startinblox.com)

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/391
Recovering federation automatically
2021-05-25T23:39:41+02:00
Calum Mackervoy

A bug in a client package caused the federation to become out of sync for some users (https://git.startinblox.com/applications/hubl/issues/1055)
They were members of a distant circle, but their user object was not aware of this connection (the backlink had not been created successfully), and so it didn't show up on their user
Fixing the bug and then resending the backlinks manually put the federation back into sync. Other times the federation could become out of sync e.g. if the receiving server goes down and the connection times out
In all cases that the backlink is unsuccessful, the sender will save an `Activity` object to the database with failure information and the payload of the activity. If the activity is old, then it might be out-of-date, so something like resending all of these activities periodically isn't a viable solution in itself
A script which could repair a federation, triggered manually, would be very useful, or at least a way to see in which ways the federation is out of sync, so that we don't need the users to tell us that their circles aren't showing up
Ping @jbpasquier we were discussing this last week

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/387
Failing update activities
2021-12-12T10:56:28+01:00
Calum Mackervoy

There are many activities for `Update User` because a link on the user has been updated - the settings update
```
{'@context': ['https://www.w3.org/ns/activitystreams', 'https://cdn.happy-dev.fr/owl/hdcontext.jsonld'], 'type': 'Update', 'actor': {'type': 'Service', 'name': 'Backlinks Service'}, 'object': {'@type': 'foaf:user', '@id': 'https://api.myserver.com/users/alice/', 'settings': {'@id': 'https://api.myserver.com/settings/1/', '@type': 'sib:usersettings'}}, 'summary': 'https://api.myserver.com/users/alice/ was updated'}
```
* Note that this is useless information for the receiver - but it's sent because it's a `Follower` of the user Alice. We create a follower on any backlink to get `Update`s about it. In this case it's superfluous, but if for example I'm being told that the `Circle` my user used to be an owner of has a new owner, I want to know
* The receiver attempts to create a backlink for the `settings` object and it fails because it hits an `IntegrityError`, because of the lack of nested `user` in the activity for a required key. It's not smart enough to see that the user is actually the parent in the activity

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/386
Rest Framework LDP
2021-05-26T18:34:28+02:00
Calum Mackervoy

I've opened a number of issues for ways in which DjangoLDP could be refactored to be more in line with Rest Framework's common usage. I gave an overview of these issues here https://git.startinblox.com/management/core-team/issues/13 which raises some common issues with nested fields and the design conflict between automatic vs easy-to-extend
Since then we've actually forked from Django itself for some auto-deployment features. Whilst I can see that the auto-deployment features are useful, I think that we could more cleanly repackage DjangoLDP into at least two components:
* Rest-Framework-LDP: extending Django + Rest Framework features to provide the building blocks for an LDP app - I think that ideally this would only include a few things from the `Model`, a (refactored) [LDPSerializer](https://git.startinblox.com/djangoldp-packages/djangoldp/issues/277) and [LDPAPIView](https://git.startinblox.com/djangoldp-packages/djangoldp/issues/282) and anything else loosely like that - Django & Rest Framework tools extended for Linked Data needs
* Sibserver-LDP: to leverage Rest-Framework-LDP to include the things like automated deployment which we need in Startin'Blox applications
With regard to the specs I think that things like the "Permissions classes for WebACLs" should be pushed into other packages. It's undoubtedly useful for Solid but for example there are other efforts in the linked-data ecosystem which aren't using WebACLs (https://git.startinblox.com/documentation/specifications/issues/8#note_61292). I'm sure there could be other separations
Ping @sylvain @balessan this is the direction I alluded to during our call last week
My dream scenario would be to be given 1 or 2 days of funding to make some headway on this and see what can be done easily and then develop a bigger scope from there
My main objectives are:
* cleaner definition and separation of concerns
* allow the use of a "lighter" DjangoLDP which doesn't replace Django
* moving clients with bespoke needs to writing bespoke code will save the core team time and support
* general flexibility
* longer term I think it may be more sympathetic for the use of LDP and DRF features not currently accommodated (e.g. `APIView`, capability-based security)
* longer term we may be able to phase out the monolith automated `ViewSet`s and such and move these to the application developer - saving time and support

https://git.startinblox.com/djangoldp-packages/djangoldp/-/issues/382
Extend the ActivityQueueService to optionally use Celery
2021-10-04T10:56:41+02:00
Calum Mackervoy

We originally didn't use Celery to avoid another infrastructure dependency on DjangoLDP. The ActivityQueueService we built isn't meant to compete with Celery, so for clients who want to have multiple workers to get the best performance, we intended that they could extend it with their own package
This issue is for tracking any changes to the core which will be needed to allow that package to extend it