This extension is an advanced workflow that contains a workflow definition, an updated definition for every Teaming user that adds a Twitter username and Twitter password, a password.jsp file that hides the password as you type, and a custom Java class that creates a TinyURL for the Teaming entry and pushes the TinyURL and the entry title to Twitter for the user who transitions the entry. To use this extension, deploy it to a Teaming instance and it will be available as a workflow for any entry. Users then need to configure their Twitter id and password, and the workflow is attached to the entries in a folder. If the user does not have a Twitter id and password configured in their Profile, it will silently fail. The zip archive contains the source for the custom Java class in the WEB-INF/src directory. NOTE: The password is sent and stored as plain text. Anyone who wants additional security can modify the extension to encrypt or encode it. See the Extension Development page for how to deploy it.
First off: nice extension, great work!
Storing the Twitter password as plain text in the database is not perfect, but manageable. But(!) ... in line 37 of WEB-INF\src\TwitterWorkflowAction.java, the code logs the Twitter password into catalina.out along with the Twitter username for each tweet that is sent. That is simply wrong! Logging it on DEBUG is understandable in a development environment, but providing it to the outside world with this logging on INFO level... :-(.
It seems that community.kablink.org has this extension enabled, so every user who tested this and tweeted has their Twitter password stored in the kablink.org catalina.out, readable for everyone with access to the disk.
Could s/o fix this in the source and update the download? I guess this comment should make sure that no one uses the current version of the extension in production without knowing about the leak.
All the best and keep up the good work.
Christian
--
Christian Giese
Code and Concept - Ebell & Giese GbR, Munich - http://www.CodeAndConcept.de