Leaderboard


Popular Content

Showing content with the highest reputation since 07/20/2018 in all areas

  1. 19 points
    In the last blog post I told you about how two-factor authentication was coming to the core and what our plans were. This week it’s ready to use in ProcessWire 3.0.109, so we’ll take a closer look at all the details and how to use it: https://processwire.com/blog/posts/processwire-3.0.109-adds-two-factor-authentication/
  2. 16 points
    Thanks for the new updates @ryan! Do you think for the next week or two the focus could be on bringing the Selectors documentation up to date? This is a really important part of the documentation, especially for new users. New API methods get added to the API documentation automatically which is great, but that doesn't happen for new selector features because the documentation for Selectors isn't derived from code comments in the core. I went back through previous blog posts and compiled a list of things that it would be nice to have covered in the Selectors docs. has_parent now supports multiple values: https://processwire.com/blog/posts/processwire-core-and-profields-updates-2.5.22/#has_parent-selectors-now-support-multi-value The ~= operator now supports words with fewer than 4 characters: https://processwire.com/blog/posts/merry-christmas-heres-processwire-3.0.3-and-2.7.3-and-some-more/#improvements-to-the-operator-in-page-finding-operations Nested sub-selectors are now supported: http://processwire.com/blog/posts/processwire-3.0.6-brings-pages-upgrades-and-link-abstraction/#support-for-nested-sub-selectors It is now possible to sort by custom fields of a parent page: https://processwire.com/blog/posts/processwire-3.0.7-expands-field-rendering-page-path-history-and-more/#whats-new-in-3.0.7 New selector array syntax: https://processwire.com/blog/posts/processwire-3.0.13-selector-upgrades-and-new-form-builder-version/#selector-engine-array-support It would be good to explain about the verbose option for selector arrays too and what circumstances that is needed in. And perhaps some mention of using the Selectors class to merge different types of selector together: https://processwire.com/talk/topic/16651-merge-selectors/?do=findComment&comment=146890 Multiple dot selectors: https://processwire.com/blog/posts/pw-3.0.25/#syntax-and-examples Negative start and limit, and matching by index: https://processwire.com/blog/posts/pw-3.0.46-stocking-stuffers/#support-for-negative-limit-and-start-values-in-selectors Use Fieldtype in selectors: https://processwire.com/blog/posts/processwire-3.0.91-core-updates/ Owner selectors: http://processwire.com/blog/posts/processwire-3.0.95-core-updates/ Use field tags in selectors: https://processwire.com/blog/posts/pw-3.0.106/#a-new-way-to-search-with-upgraded-tags-for-fields If anyone knows any other new selector features not included in the Selectors documentation maybe they could post a reminder about them here? Another thing it would be good to cover in the Selectors docs are the differences between what is supported in a PageFinder selector and what is supported in an in-memory selector. I mentioned a few differences that I know about in a comment here: https://processwire.com/talk/topic/18343-selector-filter-for-multiple-dates/?do=findComment&comment=160451 And perhaps there is a way to bring support for some of those things to in-memory selectors to reduce the differences between the two types of selector?
  3. 14 points
    This week we’re going to discuss a new security feature that’s currently in development on the dev branch: 2-factor authentication. In this post we look at the benefits of 2FA, how it works, the coming implementation in ProcessWire, and more: https://processwire.com/blog/posts/2-factor-authentication-coming-to-processwire/
  4. 13 points
    For once, a joke about programming that actually made me laugh.
  5. 10 points
    I usually post to the blog on Fridays, but I've been working on ProcessWire-based client projects this week, so nothing new to post today. I'm back to working on the core next week and continuing the 2FA development, so will have more next week. Thanks and I hope that you have a great weekend.
  6. 8 points
    This one's not really new, but I forgot to post about it when I did it, plus there are still some unfinished aspects. I have a minimal personal invoice setup allowing me to have multiple identities for my invoices, to represent the different aspects of what I do (it's not all PW)... The child pages of an identity represent permissible payment methods for that identity... Of course, there are multiple clients under which invoice pages are stored, with highlighted status in the page tree... Invoices use repeater fields to store line-items and expenses. The line subtotal is calculated on save. The whole invoice value is worked out too. Profit and Loss is yet to be finished. And here's the result... I like PW!
  7. 8 points
  8. 8 points
    Hello @ryan and @Francesco Schwarz, There are currently a lot of issues (about 20% of the total) that are still open on the processwire-issues repository but marked as "Resolution: fixed (close when ready)." Some of these date back over a year. I doubt many of the older ones will ever be closed by the initiator. There is a similar situation building up with the issues tagged as "Resolution: Not a bug" - though there are less of them. If that's the case, how about closing any issues that are 3+ months old (or that have not been tagged as a discussion) with a polite note that the issue should be re-opened if needed? This would really help reduce the list of open issues.
  9. 8 points
    Hello, Here come a few pointers: payment integration: http://omnipay.thephpleague.com https://www.payrexx.com/en/pricing/pricing/ https://processwire.com/talk/topic/14808-now-my-client-wants-to-add-ecommerce/ https://processwire.com/talk/topic/14511-e-commerce-tutorial-with-processwire-snipcart-your-thoughts/ member restriction: for backend: https://processwire.com/talk/topic/11499-admin-restrict-branch/ https://modules.processwire.com/modules/textformatter-soundmanager/ Subscription management https://processwire.com/talk/topic/16363-recurme-–-processwire-recurring-dates-field-custom-calendar-module/ AJAX front end editing for building playlists & "likes" while PW has frontend editing support: https://processwire.com/blog/posts/front-end-editing-now-in-processwire-3.0-alpha-4/ you might find that rolling out your on frontend solution is more versatile in your case so maybe you want to take a look at this one http://intercoolerjs.org/ or you might want to do it all in the admin: https://processwire.com/blog/posts/building-custom-admin-pages-with-process-modules/ or both frontend AND admin related: https://processwire.com/talk/topic/7913-podcast-profile/ https://processwire.com/talk/topic/12752-pw-podcast-theme-for-podcasts/ Hope this helps.
  10. 8 points
    Yeah keep on wp trolling, it feels good I know. But lets get real for a change, it's 2018 and not 2010 any more when wp was total crap. Plugins and safety have been improved since then. I know people who deliver websites faster than I do and make more money with wp than I do ! All they do is go to themeforest or envato and search for a cool looking template with forms, mail, client base and the whole shebang for around 50 or 80 dollar. It takes them less then a week to set it up and then sell it somewhere between 500 and 1500 dollar. And clients like the wp admin because it only takes simple mouse clicks for them to edit a wp site with new text, pics or prices. How I found out all this ? Simply because I get called by offices, real estates, photographers, etc. because their webmaster/developer took off, disappeared or they ended up with agreement conflicts. They need somebody to take over. No backups were made for half a year, cpanel access has gone, yearly domain registry has gone, etc. All they have left is the wp-admin login. So the more I got involved the more I started to see what is going on in wp land. The reason why I stick to pw ? Because working with wp dumbs you down to a copy and paster - drag and dropper. Working with pw upgrades your skills and you learn to webcode. But really, when it comes to working hours and making money, wp is the better choice.
  11. 8 points
    I don't plan on forcing the option, though had thought that when enabled, we'd give them a login warning notification asking them to enable it, every time they login. I haven't come across any services that forces me to 2FA yet, though I know some companies require it internally. But I think it might depend on the 2FA method being used before you could say if it would be a good idea to force it or not. There are times where you might want to disable 2FA temporarily too. So I think it's best to let the user control it, and maybe annoy them a bit with warnings when they aren't using it. But this is one of those things where I think we'll start fairly simple, but then start fine tuning the options according to what we find are the needs of people using it. I think support in the core is consistent with PW's strategy of making security the top priority. I think we are soon reaching the time (or already have in some cases) where 2FA is considered essential in order for an online application to be taken seriously as having an emphasis on security. I consider it essential for any other online account I maintain (as I imagine many do), so it should be in PW too. If we step outside the security aspect, I think it also builds trust and checks boxes for a lot of bigger companies that may be considering PW or comparing to other options. The support and interface for it will be in the core. The implementation of the interface will be in modules. There will very likely be one implementation module included in the core, though I'm not 100% positive on that yet. Either way, I'll be building and maintaining at least one of the modules that supports it. As I understand it, Google Authenticator is just a standard implementation of RFC 6238 and RFC 4226, like any number of other authenticator apps. As far as I know, they are compatible with each other, but Google Authenticator is just the most widely known/used. I think the compliant you mentioned is the nature of the technology, and not really anything about Google Authenticator in particular. But the complaint is also the reason why it's secure. Once one understands how it works and the steps they should take, I think it all make sense. I'll try to describe. The reality is that 2FA is an extra step, which you can't deny is an inconvenience. But it's like locking your door before you leave the house. Nobody likes having to take extra steps, what they like is the security benefit (if they understand it). And if you lose your keys, then yes you are locked out, unless you've got a backup method. This is why services typically provide backup 2FA methods (like SMS) or one-time use backup codes that you can store securely somewhere in case you ever lose your device. For every place where you use 2FA, you've established "a secret" between your device and the service/website (a long base32 string, which can also be represented by a QR code image). The reason it is secure is because it's not shared anywhere else. If that secret were stored up in the cloud or synced between devices and such, then it is becoming less secure. It is getting passed around networks just like your password, which kind of defeats the purpose of 2FA. If you buy a new phone, and can't restore backup data from your old phone for some reason, the yes you'd want to reset your 2FA for the new phone. If you've got your old device handy, then you'd switch the 2FA to your new device. If your old device is lost or non-functional, then this is where a backup method and/or one-time use code would come into play. If those options weren't available, when it comes to PW, one could also fix any of this by asking a superuser to reset it even temporarily disabling from $config (if nobody had admin access). As I understand it, this is simply a matter of a user 2FA off for some account, then turning it back on, so they can establish a new secret/QR code. There's already a password reset module built into PW. 2FA can be disabled for any individual account as needed. This is what the superuser account is for. This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure.
  12. 7 points
    Not new, but a website I've worked on for a year or so in continous development. http://supercarownerscircle.com/ I originally inherited the site from another web design company - upgraded PW and over the year added ecommerce using the Stripe module and a custom integration, revamped the frontend and added lots of new templates. Also did some frontend work on the shopify shop.
  13. 7 points
    Two or three things come to my mind directly: If there is no unique ID within the feed, you have to create one from the feed data per item and save it into an uneditable or hidden field of your pages. Additionally, you may concatenate all fieldvalues (strings and numbers) on the fly and generate a crc32 checksum or something that like of it and save this into a hidden field (or at least uneditable) with every new created or updated page. Then, when running a new importing loop, you extract or create the ID and create a crc32 checksum from the feed item on the fly. Query if a page with that feed-ID is allready in the sytem; if not create a new page and move on to the next item; if yes, compare the checksums. If they match, move on t the next item, if not, update the page with the new data. Code example: $http = new WireHttp(); // Get the contents of a URL $response = $http->get("feed_url"); if($response !== false) { $decodedFeed = json_decode($response); foreach($decodedFeed as $feed) { // create or fetch the unique id for the current feed $feedID = $feed->unique_id; // create a checksum $crc32 = crc32($feed->title . $feed->body . $feed->status); $u = $pages->get("template=basic-page, parent=/development/, feed_id={$feedID}"); if(0 == $u->id) { // no page with that id in the system $u = createNewPageFromFeed($feed, $feedID, $crc32); $pages->uncache($u); continue; } // page already exists, compare checksums if($crc32 == $u->crc32) { $pages->uncache($u); continue; // nothing changed } // changed values, we update the page $u = updatePageFromFeed($u, $feed, $crc32); $pages->uncache($u); } } else { echo "HTTP request failed: " . $http->getError(); } function createNewPageFromFeed($feed, $feedID, $crc32) { $u = new Page(); $u->setOutputFormatting(false); $u->template = wire('templates')->get("basic-page"); $u->parent = wire('pages')->get("/development/"); $u->name = $feed->title = $feed->id; $u->title = $feed->title; $u->status = $feed->status $u->body = $feed->title; $u->crc32 = $crc32; $u->feed_id = $feedID; $u->save(); return $u; } function updatePageFromFeed($u, $feed, $crc32) { $u->of(false); $u->title = $feed->title; $u->status = $feed->status $u->body = $feed->title; $u->crc32 = $crc32; $u->save(); return $u; }
  14. 7 points
    Get ready for a face palm On line # 145 public function __processInput(WireInputData $input) { the method processInput() is missing one underscore at the beginning and should be public function ___processInput(WireInputData $input) {
  15. 7 points
    Yes, I get the same error. Seems to be caused by two button inputfields being rendered in the same form. I have created a simple test case and have opened a GitHub issue: https://github.com/processwire/processwire-issues/issues/653
  16. 7 points
    @gizomo Here are a few other options for your consideration, in case this is not ready for sharing. In no particular order (and I haven't used any yet - so no recommendations)... https://github.com/nicoknoll/ProcessNewsletter https://github.com/pmarki/ProcessSendNewsletter https://github.com/rolandtoth/pwnl https://github.com/justb3a/processwire-newslettersubscription https://github.com/dauni/processwire-newslettermanagement Hope that helps. </redirect>
  17. 6 points
    Another new site only recently finished (so there still might be bugs :) http://www.ethicalby.design/ Ethical by Design is my new personal project. I've been running a podcast called the Machine Ethics Podcast: about the social impact of AI. Over the last few years I've learnt alot and I'm now hoping to help businesses learn about or implemented AI responsibly. Branding done by Nick Willsher, and the site was designed and coded by myself. Hoping to spin this one out into a more configurable site profile for the community soon.
  18. 6 points
    This is the shortest method using implode(): if($page->authors->count) echo $page->authors->implode("; ", "<a href='{url}'>{title}</a>") . ".";
  19. 6 points
    @teppo and @LostKobrakai Thanks for the pointers, that helps clarify things for me. I was under the mistaken impression that anyone adding a comment to a closed issue re-opened it. @gmclelland Ouch - let's hope we never reach those dizzy heights. @matjazp Thank you. Many thanks to everyone who responded to my promptings via github or PM here on the forum - really happy to see there have been 51 fixed or duplicate issues closed in the last week. We're still awaiting resolution on about another 15 that I've posted on, but I hope some of those will be closed this week. I've been working through some older issues, trying to reproduce them - and I think that we can all help Ryan by trying to do describe the reproduction pathway as clearly as possible (there are issues that are somewhat ambiguous,) and considering if a little screen capture might help. Also, Tracy has a feature that allows versions, modules and the like all to be dumped in a Markdown-friendly format that can be pasted right into issue reports. Once the "Copy for Github" button has been pressed, you can simply paste it in at the end of your issue report. Very helpful - and I only found out about it yesterday .
  20. 6 points
    Hello, here is simplified version of icons font fieldtype module: https://github.com/OLSA/FieldtypeFontIcon This module use the same icons css file like your template (set path relative to template folder, eg. styles/fontawesome5/all.css ). After module install and created field go to field Input tab to set path (and in some cases prefix classes). Examples: Font Awesome 5 IcoMoon If everything is ok you will get something like this: NOTE: "Regular expression pattern parser" input field is not required because it will be set by default (by module itself). Regards.
  21. 6 points
    Clean code, less code than content (ratio), and fast content delivery aren't a guarantee of good SERP results. You can build the smallest, cleanest and bestest website ever and get outranked by a crappy WordPress instance. Sometimes other things matter more than that. Links, links, links, spammy content, PBN links, more PBN links, more spammy content... all those grey to black techniques still work for almost every site. Old domain with trust but spammy content and WordPress footprint? Perfect! We already love it. New domain with better content, better UI, better load times? Are you kidding me? We will never rank that! You build clean, fast sites as a base for more. Good SERP results are a thing you have accomplish with several other things. Spend a few hundred dollars for a good, old, trustworthy domain, create 100 pages of optimized content pages for another 200 - 300 dollars, get lots of links from trusted sources (Reddit, LinkedIn, Blogs, ...), buy 10-30 more good old domains, build spammy sites with matching content, create backlinks, outreach to other spammers bloggers, get more links and you are in the Top 10 to Top 3. Don't play fair on money keywords. That won't work.
  22. 6 points
    New version just committed that adds support for turning off autoloading of css and js assets files. It also fixes the strange issues that @wbmnfktr was having on some pages. It also adds a "pwcmb-active" class to the body of the page when the banner is displayed.
  23. 6 points
    @adrian I guess it will vary. I can't see people with smallish brochure sites wanting it. However, I'm currently using PW to build an admin system for a charity. Most of the users are probably using their (child|spouse|pet)'s name + a year of birth as their password, yet they are trusted to handle their own client's confidential information on the system. I see 2FA as a big win for this kind of user, as a small change in log-in protocol can bring in a big benefit for the charity and its clients, by mitigating the risk of such poor passwords.
  24. 6 points
    Time for a little update. There are many changes again. Most visible: More Ajax, more Drag&Drop, more Wysiwyg. Real containers (Tree hierarchy) instead of "nested groups". Rows are also containers now. In this little video, I will show you how to layout a responsive page from scratch without writing a line of code. http://theowp.bplaced.net/upload/reptile.html This system is not for absolute noobs. You need to have an idea about how responsive web pages and Bootstrap work. But then one can be really fast I think. Still a long way to go, but I hope you like the idea. Thank you.
  25. 5 points
    These look like false positives, especially given the last one (a CSS file served by Apache). What's happening here is that your server is taking a long time to respond to the requests, and the testing tool is making the assumption that because it responded slowly, it must have executed the command it sent (sleep and timeout). Most likely your server took a long time to respond to the request because that testing tool is hitting the server hard, and it's either struggling to keep up, or it's throttling the tool, limiting how many requests it'll respond to at once. It's also possible you've got another server-side security tool that is detecting something trying to mess with it, and interrupting the request. With a tool like ZAP, false positives can happen, so you should use it to find where to look, but use the information it gives you to confirm on your own whether it's an issue or not. And if you ever think you've found some security an issue in any software, contact the author directly, don't post it in a public forum. The only other thing I'd suggest is to look at your site template that serves the first URL it mentions, and check if you are using a GET variable named "query", and if so what you are doing with it. However, I think this is unlikely given that it's reporting the same error on a CSS file, which is served directly by Apache, not ProcessWire.
  • From Twitter