Use latest version of python-pushover (forked) to fix issue with diff…#31647
Conversation
probot-home-assistant
Bot
added
integration: pushover
small-pr
|
We won't change libraries to forks. They tend to die and we're stuck with them. Please list all the efforts you have done to reach out to the author to request a new version of PyPI. |
|
I created a new issue on the project and didn't get a response. The last commit is over 2 years ago, the readme is not reflecting the latest code changes. Also if you look at the ha issue, there was already another user that tried to fix it and was always waiting to get his PR accepted. So it looks very dead to me... But if you don't like what I did, what should I do instead. Write and publish a lib on my own (basically the same like the fork I did now)? Or look for another pushover library? Which may lead to a lot more code changes in the integration... |
|
For us to accept a PR to change the lib of an integration:
|
|
Hmm ok, I'll try: I opened another issue on that project to try to reach out to the maintainer, but no reaction at all: Thibauth/python-pushover#32 So I also consider this project as abandoned. But if you don't like forks, here is another try: I'm now using the obviously still maintained library pushover_complete and rewrote the integration to use it. Maybe you can now check the PR... |
| if image.startswith("http"): | ||
| try: | ||
| response = requests.get( | ||
| data[ATTR_ATTACHMENT], stream=True, timeout=5 |
There was a problem hiding this comment.
Remove this. We should not allow Home Assistant to download URLs and then send it out in a notification. Sending out urls is fine. Sending out from a whitelisted path is fine too.
There was a problem hiding this comment.
Hmm, I'm fine with removing it, I'm not using it anyways.
But this was also possible before.
And I think it is not possible to call from outside or without authentication, so I guess it's not harmful? What about sending a picture from a camera with the notification? I guess it would be useful to download urls then?
There was a problem hiding this comment.
It was possible before but it will be removed from all notification integrations. It's dangerous because the Home Assistant machine can now download anything, including pages that are localhost only and send it to another computer.
There was a problem hiding this comment.
Agreed. Now it only checks agains whitelisted path and refuse other attachments.
|
This is a way better approach. One final comment, ok to merge afterwards. |
2 participants
…erent API tokens. (https://community.home-assistant.io/t/different-applications-in-pushover/6985)
Proposed change
There is a problem in the pushover integration. The underlying python lib stored the API token globally, so all notifies used one same API token, instead of possibly different tokens configured.
The code owner of the underlying lib already fixed it in the code, but did not provide a new release eiter in github nor in pypi, so I couldn't use that.
That's why I forked that repo and published the latest version on pypi.
There were also some small changes in the integration needed to reflect the new version.
Type of change
Additional information
Checklist
black --fast homeassistant tests)If user exposed functionality or configuration variables are added/changed:
If the code communicates with devices, web services, or third-party tools:
Updated and included derived files by running:
python3 -m script.hassfest.requirements_all.txt.Updated by running
python3 -m script.gen_requirements_all..coveragerc.The integration reached or maintains the following Integration Quality Scale: