Open Source Content Management Framework

Usability of midgard-project.org

  1. Edward Z. Yang

    Usability of midgard-project.org

    Wed May 21 2008 20:08:50 UTC

    Hello all,

    I recently hopped over here in order to answer a few questions regarding
    a library I developed that Midgard uses. In the process, I got myself a
    user account. Along the way, I found a few gotchas that were really
    annoying:

    1. The SSL certificate is signed by an unverified certificate authority
    and errors in most browsers. With Midgard's strong commercial presence,
    wouldn't it make sense for The Midgard Project to invest in, say, a
    VeriSign cert? (any CA that ships with the majority of browsers works)

    2. The very-essential grey toolbar that offers many essential functions
    (in my case, changing passwords), does not appear unless JavaScript is
    enabled. I use NoScript, but have no problem turning on JavaScript for
    websites that genuinely need it. Midgard gave me *no* indication that I
    was missing functionality because JavaScript was turned off. <noscript>
    would be helpful in this context.

    3. Midgard only supports logins via https. However, static page elements
    are occasionally linked to using http, which causes browsers to throw
    errors. This problem appears to be intermittent.

    4. There is no visual indication if the grey toolbar's buttons (Page /
    Folder / Website) are disabled or have no entries. Before I realized
    that this toolbar was per page (non-obvious), I was scratching my head
    trying to figure out why Page and Folder didn't seem to work. I would
    suggest greying them out or simply removing them completely.

    5. The first instinct for someone seeking to make a post or answer a
    question in the Discussion Forums is to use the facilities listed there.
    However, the response gets mirrored to the mailing list, where it gets
    caught by the moderator and languishes there. It should be made clear
    that the mailing list is the preferred method of communication. If
    you're interested in fixing this bug, user registration should also
    register users for the mailing lists, but should keep mail delivery off.

    6. Midgard's forgotten password messages are cryptic. The one I received
    looked like this:

    From: admin@example.org
    Subject: Your password has been reset.

    Your password has been reset to:

    zgnjtbxt

    Why is this from my email address, and not noreply@midgard-project.org?
    (At the very least, the site name should be mentioned in the subject)
    I'm also a strong proponent of the "Give user a token to change their
    password" rather than the random password generation setup. This might
    even have the capacity to annoy users, if the old password is not kept
    (an arbitrary person could force the user to change their password many
    times. Haven't tested, of course).

    7. It's extremely difficult and non-intuitive to find the member info
    page (Community > Registration). I recommend linkifying the logged in
    user name (found in the top right corner) to point to this page.

    8. Midgard really should be verifying email addresses on registration.

    And that's it for now. Thanks for reading! I hope to be working with you
    guys in the future to improve Midgard's integration with HTML Purifier.

    Cheers,
    Edward

    - --
    Edward Z. Yang GnuPG: 0x869C48DA
    HTML Purifier <http://htmlpurifier.org> Anti-XSS Filter
    [[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]
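The token-based reset proposed in point 6 of the message above, as an added example (not Midgard's code and not part of the original post). The `Accounts` class, `RESET_URL` and the one-hour `TOKEN_TTL` are assumptions made for illustration; the sender address and the site name in the subject follow the suggestions in the message.

```python
import hashlib
import secrets
import time
from email.message import EmailMessage

SITE = "midgard-project.org"                    # site name taken from the thread
RESET_URL = "https://example.invalid/reset?t="  # hypothetical endpoint
TOKEN_TTL = 3600                                # assumed one-hour lifetime

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:
    """In-memory stand-in for the user and reset-token tables (constructed)."""
    def __init__(self):
        self.users = {}    # email -> (salt, password hash)
        self.tokens = {}   # sha256(token) -> (email, expiry)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, hash_password(password, salt))

    def check_password(self, email, password):
        salt, stored = self.users[email]
        return secrets.compare_digest(stored, hash_password(password, salt))

    def request_reset(self, email, now=None):
        """Mail a one-time token; the current password is left untouched."""
        if email not in self.users:
            return None  # caller should show the same response either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        # A new request replaces any outstanding token for the same account.
        self.tokens = {d: v for d, v in self.tokens.items() if v[0] != email}
        self.tokens[digest] = (email, now + TOKEN_TTL)
        msg = EmailMessage()
        msg["From"] = f"noreply@{SITE}"
        msg["To"] = email
        msg["Subject"] = f"[{SITE}] Password reset requested"
        msg.set_content(f"Choose a new password here:\n{RESET_URL}{token}\n")
        return token, msg

    def redeem(self, token, new_password, now=None):
        """Consume the token (single use) and only then change the password."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.tokens.pop(digest, (None, 0))
        if email is None or now > expiry:
            return False
        self.set_password(email, new_password)
        return True
```

Because `request_reset` never touches the stored password, a third party who submits someone else's address cannot lock that user out or force a password change.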
  2. Re: [midgard-user] Usability of midgard-project.org

    Fri July 18 2008 23:14:05 UTC
    Hi!

    I know it's a bit late to respond now, but I just stumbled across a
    company called startssl, which actually offers (some) SSL certificates
    for free:

    http://www.startssl.com/?app=1

    The good thing is that their root certificate is included in FF3 by
    default, so the security warning mentioned below won't appear. So unless
    the currently-used self-signed certificate has some benefits I'm not
    aware of, I would propose to switch to a startssl one, since the FF3
    security warnings really make m-p.org look bad.


    Bye,

    Andreas

    Edward Z. Yang wrote:
    > Hello all,
    >
    > I recently hopped over here in order to answer a few questions regarding
    > a library I developed that Midgard uses. In the process, I got myself a
    > user account. Along the way, I found a few gotchas that were really
    > annoying:
    >
    > 1. The SSL certificate is signed by an unverified certificate authority
    > and errors in most browsers. With Midgard's strong commercial presence,
    > wouldn't it make sense for The Midgard Project to invest in, say, a
    > VeriSign cert? (any CA that ships with the majority of browsers works)
    >
    > 2. The very-essential grey toolbar that offers many essential functions
    > (in my case, changing passwords), does not appear unless JavaScript is
    > enabled. I use NoScript, but have no problem turning on JavaScript for
    > websites that genuinely need it. Midgard gave me *no* indication that I
    > was missing functionality because JavaScript was turned off. <noscript>
    > would be helpful in this context.
    >
    > 3. Midgard only supports logins via https. However, static page elements
    > are occasionally linked to using http, which causes browsers to throw
    > errors. This problem appears to be intermittent.
    >
    > 4. There is no visual indication if the grey toolbar's buttons (Page /
    > Folder / Website) are disabled or have no entries. Before I realized
    > that this toolbar was per page (non-obvious), I was scratching my head
    > trying to figure out why Page and Folder didn't seem to work. I would
    > suggest greying them out or simply removing them completely.
    >
    > 5. The first instinct for someone seeking to make a post or answer a
    > question in the Discussion Forums is to use the facilities listed there.
    > However, the response gets mirrored to the mailing list, where it gets
    > caught by the moderator and languishes there. It should be made clear
    > that the mailing list is the preferred method of communication. If
    > you're interested in fixing this bug, user registration should also
    > register users for the mailing lists, but should keep mail delivery off.
    >
    > 6. Midgard's forgotten password messages are cryptic. The one I received
    > looked like this:
    >
    > From: admin@example.org
    > Subject: Your password has been reset.
    >
    > Your password has been reset to:
    >
    > zgnjtbxt
    >
    > Why is this from my email address, and not noreply@midgard-project.org?
    > (At the very least, the site name should be mentioned in the subject)
    > I'm also a strong proponent of the "Give user a token to change their
    > password" rather than the random password generation setup. This might
    > even have the capacity to annoy users, if the old password is not kept
    > (an arbitrary person could force the user to change their password many
    > times. Haven't tested, of course).
    >
    > 7. It's extremely difficult and non-intuitive to find the member info
    > page (Community > Registration). I recommend linkifying the logged in
    > user name (found in the top right corner) to point to this page.
    >
    > 8. Midgard really should be verifying email addresses on registration.
    >
    > And that's it for now. Thanks for reading! I hope to be working with you
    > guys in the future to improve Midgard's integration with HTML Purifier.
    >
    > Cheers,
    > Edward
    >
    > - --
    > Edward Z. Yang GnuPG: 0x869C48DA
    > HTML Purifier <http://htmlpurifier.org> Anti-XSS Filter
    > [[ 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA ]]