The previous code was theoretically subject to timing attacks, where
an attacker could read the key in between the time it was saved to the
file and when the chmod happened. This version prevents that by using
umasks to ensure the files always have the right permissions.
This version also avoids using a key that cannot be saved due to some
system setup bug.
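As an added illustration (not code from this commit or the project), the sketch below contrasts the write-then-chmod pattern described above with creating the key file under a restrictive umask, and returns a newly generated key only after it has been saved. The function names and the 32-byte key size are assumptions made for the example.

```python
import os
import secrets
import stat
from contextlib import contextmanager

@contextmanager
def restrictive_umask(mask=0o077):
    """Temporarily make new files owner-only (umask is process-wide)."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def racy_save(path, key):
    """'Before' pattern: the file exists with default permissions
    (often 0644) until the chmod on the last line runs."""
    with open(path, "wb") as f:
        f.write(key)
    os.chmod(path, 0o600)

def safe_save(path, key):
    """Create the file already restricted, so there is no window in
    which another local user can read it. O_EXCL refuses to reuse a
    file that someone else created first."""
    with restrictive_umask():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(key)

def load_or_create_key(path, nbytes=32):
    """Return the stored key; if none exists, generate one and hand it
    out only after it has been written and read back."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        pass
    key = secrets.token_bytes(nbytes)
    safe_save(path, key)  # raises OSError: an unsaved key is never used
    with open(path, "rb") as f:
        return f.read()

def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

Because the umask is a per-process setting, a multi-threaded program should do this during single-threaded startup.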
This makes session.__init__ slightly more complicated but probably
simplifies everything else, especially if we make the class smarter
later by having it track changes itself.
Removed the old VideoThumbnailer since it's not used anymore.
VideoThumbnailerMarkII:
Changed the state switching in on_thumbnail_message to only set the
state to "processing thumbnail" if the seek was successful.
I'm not sure what I'm doing here, but I know at least some of it is
good, and as a whole, it seems to work, so far :)
- pwg.session.getStatus returns the current user as
"fake_user". When we have a session, we'll return
something better.
- pwg.categories.getList adds a name and the parent id for
its one and only "collection".
- Improve logging a bit.
shotwell needs a pwg_id cookie to continue.
And really, it's the only cookie it supports, so in the
long run, we need to send a proper session cookie as
pwg_id.
There were some "serializing to json strings" issues. They should be
fixed now... much more careful whitelist and cleaning of the video
"tags" metadata out of gstreamer.
This commit sponsored by Aimee Sullivan. Thanks!
The problem is:
Collection.query.filter_by(id=X, ...)
1. X = form.collection.data
This works nicely for the completely empty form (X = None).
It does not work for a selected collection, because X
will be the collection, not its id.
2. X = request.form.get('collection') (old code).
This one works mostly, except for the completely empty
form on postgres, because in this case X = u"__None" and
postgres does not like comparing an integer column with
a string.
Fix:
    collection = form.collection.data
    if collection and collection.creator != request.user.id:
        collection = None
"vp8 video" is what vp8 is marked as in gstreamer's metadata.
However, the browser expects it just as the name "vp8". So fixing
that.
This commit sponsored by Tyng-Ruey Chuang. Thank you!