Opened 3 years ago

Last modified 23 months ago

#2070 new bug

Webui spinners not validating user entries

Reported by: mondalaci
Owned by: damoxc
Priority: minor
Milestone: 2.0.x
Component: Web-UI
Version: 1.3.1
Keywords:
Cc:

Description

I've been facing a number of problems regarding the Session Timeout setting of WebUI. Some of these problems render WebUI completely useless, forcing the user to hand-edit web.conf. Other issues involve usability problems.

Incorrect minimum value

The lowest specifiable timeout value is 0 seconds, making the user unable to carry out any actions after logging in. Anything below 1 minute shouldn't be allowed for practical reasons.

According to the tests that I've done there's a threshold timeout value of about 90 seconds. If the timeout is set to anything less than or equal to this value then the login window will pop up directly after the login, not even waiting for this short timespan to time out. I've tried force-reloading the login page in order for the cookies to vanish but this always happened. The threshold value wasn't exact but 90 seconds should be in the ballpark.

Incorrect maximum value

The maximum value that can be specified is 9999999999999, which makes the auth.login method respond with the following JSON:

{"id": 4, "result": null, "error": {"message": "date value out of range", "code": 3}}

and an OverflowError gets thrown in the console:

[ERROR   ] 17:46:15 json_api:227 Error calling method `auth.check_session`
[ERROR   ] 17:46:15 json_api:228 date value out of range
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/deluge/ui/web/json_api.py", line 219, in _handle_request
    result = self._exec_local(method, params, request)
  File "/usr/lib/python2.7/dist-packages/deluge/ui/web/json_api.py", line 185, in _exec_local
    component.get("Auth").check_request(request, meth)
  File "/usr/lib/python2.7/dist-packages/deluge/ui/web/auth.py", line 231, in check_request
    expires, expires_str = make_expires(config["session_timeout"])
  File "/usr/lib/python2.7/dist-packages/deluge/ui/web/auth.py", line 88, in make_expires
    expires = time.mktime((datetime.now() + dt).timetuple())
OverflowError: date value out of range

This makes login impossible.

Currently 13 digits of seconds can be specified. If you limited the length to 11 digits you'd be safe because 99999999999 seconds wouldn't throw the above exception. 9 digits would probably be an even better choice considering that 999999999 seconds is ~32 years which should be well enough for everybody.

A related disturbing issue is the maximum limit of 99999 seconds that is forced by the spinbutton control (which can be overridden by simply typing the desired value). This limit doesn't make any sense at all but it's disturbing because values larger than this limit get underlined with a red zigzag line. I think this spinbutton feature shouldn't be used at all in this case.

Impractical unit of measure

Given that specifying anything under 1 minute doesn't make any practical sense and given that users hardly want to specify the timeout value by seconds it'd make a lot of sense to use a larger unit of measure instead of seconds like minutes.

The most graceful solution would be to provide various units of measure, such as minute, hour, day, month and year but I understand if you don't wanna implement all this as it feels a bit overkill for such a simple feature.

Whether or not you make the unit of measure choosable, the actual unit really should be displayed, otherwise one cannot know for sure what unit you assume.

No "Remember forever" option

Rather than expecting the user to specify a large-enough number that makes this feature happen, WebUI could provide an exact way to do that.

Ideally a "Remember Forever" checkbox could be featured next to the timeout field. Upon checking it the spinbutton could get inactivated.

Alternatively, you could expect the user to type the 0 value manually for this feature but in this case please make this crystal clear in the UI.

Whatever way you choose to implement this, on the config file level the 0 value could be great for this purpose.

Change History (2)

comment:1 Changed 23 months ago by Cas

  • Milestone changed from Future to 1.3.x

This is an issue in the way the actual spinner works; however, I think a check for isValid might be able to prevent values outside limits being set. Would need damoxc's input on how to fix.

comment:2 Changed 23 months ago by Cas

  • Milestone changed from 1.3.x to 1.4.0
  • Summary changed from Problems with the Session Timeout setting in WebUI to Webui spinners not validating user entries
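
Because the spinner's limit can be bypassed by typing a value, the bound also has to hold where the value is used. The following is an added example, not Deluge's code and not part of the ticket: it reproduces the overflow in the make_expires expression from the traceback and puts a range check in front of it. The function names and the 60 / 999999999 bounds are assumptions, the bounds being the reporter's suggested limits.

```python
from datetime import datetime, timedelta
import time

# Assumed bounds, taken from the reporter's suggestions in the ticket:
# nothing under 1 minute, at most 9 digits of seconds (~32 years).
MIN_TIMEOUT = 60
MAX_TIMEOUT = 999999999

def make_expires_unchecked(timeout, now=None):
    """Same arithmetic as the auth.py line in the traceback, no bounds check."""
    now = now or datetime.now()
    dt = timedelta(seconds=timeout)
    return time.mktime((now + dt).timetuple())

def validate_session_timeout(raw):
    """Hypothetical server-side check: return whole seconds or raise ValueError."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("session_timeout must be a whole number of seconds")
    try:
        value = int(raw)
    except ValueError:
        raise ValueError("session_timeout is not an integer: %r" % (raw,))
    if not MIN_TIMEOUT <= value <= MAX_TIMEOUT:
        raise ValueError("session_timeout %d outside [%d, %d]"
                         % (value, MIN_TIMEOUT, MAX_TIMEOUT))
    return value

def make_expires_checked(raw, now=None):
    """Validate first, so a bad value fails when it is set, not at login."""
    return make_expires_unchecked(validate_session_timeout(raw), now)

def overflows(timeout):
    """True if the unchecked path raises the OverflowError seen in the ticket."""
    try:
        make_expires_unchecked(timeout)
    except OverflowError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample inputs, including the values named in the ticket.
    for candidate in (0, 90, "3600", 99999, 9999999999999):
        try:
            print(candidate, "->", validate_session_timeout(candidate))
        except ValueError as exc:
            print(candidate, "rejected:", exc)
    print("13-digit value overflows unchecked:", overflows(9999999999999))
```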