This week we've got some really nice upgrades to three core modules: SessionHandlerDB, ProcessForgotPassword and FieldtypeComments. This post covers all the details.
Last week we didn't have a blog post for ProcessWire 3.0.103, but did have a brief forum post. If you'd like to read that, it's located here.
New feature in Session Database core module
GitHub user @kixe (Christoph Thelen) submitted a PR that adds a nice new feature to the core SessionHandlerDB module. This particular feature enables an option to prevent parallel sessions. That means preventing the same user from having more than one login at a time.
Let's say that you were logged in to your ProcessWire site at work, and forgot to log out before leaving for the evening. You could log in at home, and your session at work would automatically be logged out, since only one login session would be allowed at a time. Depending on your case, this may be a nice addition for security, or just for good housekeeping. But it's another addition to the SessionHandlerDB module that makes it worthwhile to consider using over the default file-based sessions.
Since this module is already included with the core, it can be installed just by going to Modules > Core > Session > Session Handler Database. You might already know this, but when the SessionHandlerDB module is installed, you can monitor active user sessions from Setup > Sessions, in your admin, which is another useful aspect of this module.
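The work/home scenario above can be sketched in a few lines of PHP. This is an added example, not SessionHandlerDB's own code: the table, columns and function names are hypothetical, and the `$max` parameter generalizes the module's on/off option to "keep the newest N sessions".

```php
<?php
// Added illustration, not SessionHandlerDB's code. Table, columns and
// function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER, ts INTEGER)');

/** Record a login, then delete that user's sessions beyond the newest $max. */
function registerLogin(PDO $db, int $userId, int $max = 1): string {
    $sid = bin2hex(random_bytes(16));
    $db->beginTransaction();
    $db->prepare('INSERT INTO sessions (id, user_id, ts) VALUES (?, ?, ?)')
       ->execute([$sid, $userId, time()]);
    // Keep the newest $max rows for this user; rowid breaks timestamp ties.
    $del = $db->prepare(
        'DELETE FROM sessions WHERE user_id = :u AND id NOT IN (
           SELECT id FROM sessions WHERE user_id = :u2
           ORDER BY ts DESC, rowid DESC LIMIT :n)'
    );
    $del->bindValue(':u', $userId, PDO::PARAM_INT);
    $del->bindValue(':u2', $userId, PDO::PARAM_INT);
    $del->bindValue(':n', $max, PDO::PARAM_INT);
    $del->execute();
    $db->commit();
    return $sid;
}

/** A session is only honoured while its row still exists. */
function isSessionValid(PDO $db, string $sid): bool {
    $q = $db->prepare('SELECT 1 FROM sessions WHERE id = ?');
    $q->execute([$sid]);
    return $q->fetchColumn() !== false;
}

// Constructed scenario from the post: log in at work, then at home.
$work = registerLogin($db, 41);
$home = registerLogin($db, 41);
var_dump(isSessionValid($db, $work), isSessionValid($db, $home));
```

Because the check is made on every request, the older session stops working as soon as the newer login deletes its row.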
Major update to “forgot password” core module
Not much has changed in the ProcessForgotPassword module since the early versions of ProcessWire 2.x. And that's been fine, because it is pretty focused in purpose and does its job well. But lately I've been using this module more and more on the front-end of sites (in addition to just the admin) and have been wanting some more options for it, regardless of where it is used. This week a whole lot of updates went in place. Here's a summary:
Ability to use email address rather than username, to initiate a password reset request.
Flood detection and control, preventing someone from initiating lots of requests.
Optional logging of all activity to Setup > Logs > forgot-password.
Ability to make user confirm values of other fields on a User account before password can be reset.
Separate token and confirmation code for even more security in confirming a request by email.
Ability to specify roles that are allowed to reset their password, as well as the ability to specify roles that are blocked from doing this. For instance, you could enable the feature for authenticated users of your site (members) while disabling it for superusers.
Improved front-end support, like when used with LoginRegister module or similar. Now configuration options can make it render notifications inline, rather than those used by the PW admin.
If a reset request can't be completed for some reason on a valid account, it now emails the user the reason why.
It now sends an HTML email for password reset requests (with a plain text alternate). The email can also be customized with newly added hooks.
In addition to a secondary verification code/token (mentioned earlier), other new security features have been added. For instance, in the final step, if the user fails to confirm the verification code, or any other configured confirmation fields, more than 2 times, the reset request will be abandoned.
To use this latest version of the ProcessForgotPassword module, go to Modules > Refresh, and then Modules > Configure > ProcessForgotPassword. Review and customize the configuration options according to your preferences, and save.
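The separate token and confirmation code, together with the "more than 2 failures" rule, can be pictured with the following added example. It is not ProcessForgotPassword's code: the function names, value lengths and record layout are hypothetical, and it assumes the token and code are independent random values that must both match.

```php
<?php
// Added illustration, not ProcessForgotPassword's code. All names are hypothetical.

const MAX_FAILED_CONFIRMS = 2; // the post: abandoned after more than 2 failures

/** Create a request with two independent secrets; only their hashes are stored. */
function createResetRequest(int $userId): array {
    $token = bin2hex(random_bytes(16));
    $code  = bin2hex(random_bytes(4));
    return [
        'send'  => ['token' => $token, 'code' => $code], // given to the user
        'store' => [                                      // server-side record
            'userId'    => $userId,
            'tokenHash' => hash('sha256', $token),
            'codeHash'  => hash('sha256', $code),
            'failures'  => 0,
            'abandoned' => false,
        ],
    ];
}

/** Check a submitted token and code; updates the stored record in place. */
function confirmResetRequest(array &$stored, string $token, string $code): string {
    if ($stored['abandoned']) return 'abandoned';
    // hash_equals() compares in constant time, so timing leaks nothing.
    $tokenOk = hash_equals($stored['tokenHash'], hash('sha256', $token));
    $codeOk  = hash_equals($stored['codeHash'], hash('sha256', $code));
    if ($tokenOk && $codeOk) {
        $stored['abandoned'] = true; // single use: a confirmed request cannot be replayed
        return 'confirmed';
    }
    if (++$stored['failures'] > MAX_FAILED_CONFIRMS) {
        $stored['abandoned'] = true; // further attempts fail even with the right code
        return 'abandoned';
    }
    return 'retry';
}

// Constructed demo: three wrong codes, then the correct one arrives too late.
$req = createResetRequest(41);
$stored = $req['store'];
foreach (['bad1', 'bad2', 'bad3', $req['send']['code']] as $attempt) {
    echo confirmResetRequest($stored, $req['send']['token'], $attempt), "\n";
}
```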
Upgrades to comments search engine
I'm currently working on a client project that uses ProcessWire's comments field pretty extensively in the site. With thousands of comments in the system, the site needed a whole separate search engine dedicated to comments. We've had the FieldtypeComments::find() method since around ProcessWire version 2.2, but it was fairly limited in what it could do. This particular find() method searches all comments in a particular site, regardless of what page they live on.
ProcessWire 3.0.103 upgrades the comments search engine so that it is a lot more capable, and works a lot more like $pages->find(). Below are some of the additions, along with examples of them. In all of the examples, our $field variable is a comments field, i.e.
$field = $fields->get('comments');
1. Ability to search comment text quickly using fulltext index.
$a = $field->type->find("text~=hello world");
The above would return all comments containing the words "hello" and "world" somewhere in the comment. You can use the ~= (contains words), %= (phrase like), *= (contains phrase), ^= (starts with), or $= (ends with) operators. Here's another example below:
$a = $field->type->find("text*=skyscraper, upvotes>0");
2. Ability to sort comments by more than one property.
$a = $field->type->find("sort=-stars, sort=-created");
Previously you could only sort by one property at a time. The above would return all comments sorted by stars (highest to lowest) and second by date created. Meaning, the result would contain all 5-star comments newest-to-oldest, then all 4-star comments newest-to-oldest, etc.
3. Ability to match comments from many page properties (like page references):
$sailing = $pages->get("/blog/topics/sailing/");
$a = $field->type->find("page.topics=$sailing");
The above would return all comments likely related to sailing, because they would be comments on pages that have a Page reference field called "topics" that has "sailing" selected.
4. Ability to use OR values on most properties
$a = $field->type->find("stars=4|5");
The above would return all comments with 4 or 5 stars selected. That could of course also be matched with "stars>=4".
5. Ability to match based on comment status keywords:
$a = $field->type->find("status=pending");
The above would return all comments with a "pending" status. Note that by default, on the front-end, if you don't specify a status, the find() method returns only approved comments. So if you want to return pending and/or spam comments too, you have to specify that.
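When the search terms come from a visitor, the selector string has to be built so that the input cannot add clauses of its own, such as a status filter. The following template-file sketch is an added example, not code from the post; the GET parameter names (q, stars, sort) are hypothetical.

```php
<?php namespace ProcessWire;
// Added illustration for a template file, not code from the post.
// The GET parameter names (q, stars, sort) are hypothetical.

$field = $fields->get('comments');

// Whitelist sort values: only these fixed selector fragments reach find().
$sorts = [
    'newest' => 'sort=-created',
    'rating' => 'sort=-stars, sort=-created',
];
$sortKey = $sanitizer->text($input->get('sort'));
$sort = $sorts[$sortKey] ?? $sorts['newest'];

$parts = [];

// selectorValue() neutralizes characters such as commas that would
// otherwise let the visitor append clauses like status=pending.
$q = $sanitizer->selectorValue($sanitizer->text($input->get('q')));
if (strlen($q)) $parts[] = "text~=$q";

// Force an integer and clamp it, so only 1..5 is ever interpolated.
$stars = $sanitizer->int($input->get('stars'));
if ($stars >= 1 && $stars <= 5) $parts[] = "stars>=$stars";

$parts[] = $sort;
$parts[] = 'limit=20';

// No status is given, so on the front-end only approved comments are returned.
$comments = $field->type->find(implode(', ', $parts));

foreach ($comments as $comment) {
    // Entity-encode stored comment data before output.
    $text = $sanitizer->entities($comment->text);
    $cite = $sanitizer->entities($comment->cite);
    echo "<p><a href='{$comment->page->url}'>$cite</a> ({$comment->stars}/5): $text</p>";
}
```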
While this greatly increases the capabilities of our comments search engine, please note that it's not nearly as full featured as our pages finding engine. There's still plenty of room for improvements here, so there will likely be additional tweaks as I continue working on this.
Also coming up soon will be some updates to the ProcessCommentsManager module, adding some improvements to take advantage of the features mentioned above.
Thanks for reading and have a great weekend! Enjoy reading the always awesome ProcessWire Weekly.
- 5 years ago
The "forgot password" additions are so cool!
Many thanks for all the work!
Session handling: For some frontsite use cases (with Login/Register/Profile-Module) it would be great to define the allowed max. parallel sessions of a user, not only disallowing any parallel session.