Leaderboard

@rickm this is answered discussed already, but can not find it yet. BUt the good news is, you can use PW 3 right now with PW 2.7 modules or earlier ones. To get more informations you should google in blog posts with the term: FileCompiler https://processwire.com/blog/posts/processwire-3.0.14-updates-file-compiler-fields-and-more/

This might also be of interest...ProcessWire 2.8! https://processwire.com/blog/posts/processwire-3.0.21-and-2.8.21/

okay I was going to complain and argue "but what's the difference..bla bla.." but then I thought.."what ever just try it out" So now I'm having a running staging version on it's own subdomain..so exact clone of the live version but already updated to 3.0.25 only thing I needed to fix cookies by setting session name to default $config->sessionName = session_name(); YIPPIIEEEH!!!!! THANKS A LOT pwired!

@mrkhan You are not handling the uploads correctly at the moment, take a close look at the first comment on the page horst pointed you to. It shows you what you need to know about handling file uploads. You should not trust the file-name supplied by the upload so that example shows you how to validate that the file was supplied via an upload (using the move_uploaded_file() function) how to name it without having to trust the supplied file name how to validate the mime type of the file how to append the extension that represents the file type of the uploaded file You just need to remember the name you gave it when you moved it and attach that to your outgoing email. I've updated part of the code from the comment I linked to so that you can see how you might generate the new name and extension. // You should name it uniquely. // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !! // On this example, obtain safe unique name from its binary data. $new_name = "./uploads/" . sha1_file($_FILES['upfile']['tmp_name'] . ".$ext"; if (!move_uploaded_file($_FILES['upfile']['tmp_name'], $new_name))) { throw new RuntimeException('Failed to move uploaded file.'); } // Now attach the uploaded, validated & renamed file to your email. $mail->attachment($new_name); You'll need to tailor the code to do the needed validation on both of the files you want your users to upload of course. Don't forget to change where you want the files copied to as well.

Have made some updates to ALIF: 1.1.0 fixed a bug in method sanitizeColor() 1.1.1 added detection and a toggle button for TracyDebugger (enable/disable) 1.1.2 more security for User-Switcher, (stays in for cases, where TracyDebugger isn't available) http://modules.processwire.com/modules/admin-links-in-frontend/

I would exclude *.min.* per default. I think no one uses this for his work and adding ToDo comments.

Once more but last one too: I strongly suggest to read the php docs on how to upload files: http://php.net/manual/en/features.file-upload.php

thank you adrian, the update solves this. in my case it was a webfont. see attachment. the folder ignore list is great! also the extensions. i'm not sure if it was even better to have a 3rd option "ignore filename". for example i have jquery.min.js inside my folder and that throws a huge todo-entry (like mentioned above). my solution was to move it to a folder "lib" and add this to ignore list fonts.zip

Hello folks I made this simple tutorial of explaining my methodology when creating a PW system. https://medium.com/@clsource/understanding-processwire-templates-fields-and-pages-201aecd0a1a4#.osipvjevk

Dont copy your pw installation. You want to be sure that your new destination environment is compatible with processwire. On your new destination, install a fresh new installation of the same processwire version with the same profile as you did with your running installation. If this doesnt (in your case see if login works normally) work you know you have to check your host settings, if this works then go on delete the site folder on your new destination and copy over the site folder from your running installation and make the salt the same in your config.php. Empty the database on your new destination and import your sql file. Check again if at this stage you can login normally. After this you can go on upgrade your processwire version.

Hi @Macrura and @bernhard - I think the errors you are seeing are likely due to scanning of binary files. I have added config options for setting directories to be completely ignored and also a list of file extensions to be scanned. The ToDo panel is now using a whitelist vs blacklist approach to the file extensions to be scanned. I have set up what I think are reasonable defaults: Hopefully this should take care of all the errors you are seeing - please let me know how it goes for you. Also, if anyone has any suggestions for changes to the defaults, please let me know.

i've just created a pull request that makes it possible to modify less variables. it also adds a check if the js/css file exists and throws a note either in console if tracy is installed or in the processwire log. that's how you can modify your less variables: <?php $config->styles->append('less/theme.less'); $lessVars = array( 'tm-primary-bg' => '#568AEA', 'background-image' => 'url("' . $page->backgroundimage->url . '")', ); ?> <link rel="stylesheet" href="<?php echo AIOM::CSS($config->styles->unique(), $lessVars); ?>"> https://github.com/FlipZoomMedia/ProcessWire-AIOM-All-In-One-Minify/pull/57

MarkupGoogleRecaptcha Google reCAPTCHA for ProcessWire. This module simply adds reCAPTCHA V2 or Invisible reCAPTCHA to your form. How To Install Download the zip file at Github or from the modules repository Drop the module files in /site/modules/MarkupGoogleRecaptcha In your admin, click Modules > Refresh Click "install" for "MarkupGoogleRecaptcha" Official install/uninstall doc: http://modules.processwire.com/install-uninstall/ API You must create an API key prior to use this module. Goto https://www.google.com/recaptcha/admin to create your own. Next, add the API keys information to the module's settings. Usage Call the module : $captcha = $modules->get("MarkupGoogleRecaptcha"); Call $captcha->getScript(); somewhere to get the javascript used by reCAPTCHA Render reCAPTCHA in a standard HTML <form></form> by calling $captcha->render() or Render reCAPTCHA in an InputfieldForm by passing as argument your form to the render function: $captcha->render($form) Call verifyResponse() to get the result. It return TRUE if the challenge was successful. Example Using ProcessWire's form API : $out = ''; $captcha = $modules->get("MarkupGoogleRecaptcha"); // if submitted, check response if ($captcha->verifyResponse() === true) { $out .= "Hi " . $input->post["name"].", thanks for submitting the form!"; } else { $form = $modules->get("InputfieldForm"); $form->action = $page->url; $form->method = "post"; $form->attr("id+name", "form"); $field = $this->modules->get('InputfieldText'); $field->name = "name"; $field->placeholder = "name"; $form->add($field); // CAPTCHA - our form as argument, the function will add an InputfieldMarkup to our form $captcha->render($form); // add a submit button $submit = $this->modules->get("InputfieldSubmit"); $submit->name = "submit"; $submit->value = 'Submit'; $form->add($submit); $out .= $form->render(); // include javascript $out .= $captcha->getScript(); } echo $out; Example using plain HTML Form : $captcha = $modules->get("MarkupGoogleRecaptcha"); // if submitted check response if ($captcha->verifyResponse() === true) { $out .= "Hi " . $input->post["name"] . ", thanks for submitting the form!"; } else { $out .= "<form method='post' action='{$page->url}'>\n" . "\t<input type='text' name='name'>\n" . $captcha->render() // render reCaptcha . "\t<input type='submit'>\n" . "</form>\n"; $out .= $captcha->getScript(); } echo $out;

Right now I am not particular proud of myself, because I maybe had the first occurrence of an hacked ProcessWire installation known to mankind. But not because of ProcessWire itself, but of a stupid mistake I have made. Anyways I want to share my case here: Over one and a half year ago I developed a medium sized website with ProcessWire 2.6.1 for a small community. In the process of releasing the site I had troubles with getting the installation to run on the shared hosting webspace. Because the hoster hadn't configured their file permissions correct, I was forced to loosen up the file permissions inside the site/assets-folder. Because I was desperate and wanted the installation to work I ended up setting every file and folder permissions inside the folder assets to CHMOD 777. I wasn't very happy with this solution and now I know how stupid it was, but I didn't knew better and at least the installation was running. This week I wanted to make a small change to the site and noticed something strange: There was a file called sites.php inside the root folder. At this moment it was clear to me, that my installation was hacked. I immediately downloaded the whole infected installation and compared all files with my local clean installation using a diff tool (Kaleidoscope). After comparing I noticed that inside the index.php one line was inserted which included a functions.php inside the site-folder. Also I noticed that inside the site/assets/files-folder there were several php-files uploaded with the same naming convention like the generated images variants (f.e. filename-large.jpg). So what did those scripts do? Luckily not much, that is the reason I haven't noticed this hack for a long time. The database is as far as I can tell not corrupted and the site was still working properly. All those scripts were doing, was generating spam aliases and redirecting to a medical shop site using the http host of my site. Interestingly on my research I have found out, that most of those malicious scripts were intended to infect Drupal and WordPress installations. A few of those files inside site/assets/files are explicitly targeting WordPress specific functions. If you are interested I can share those scripts for further investigation. But I am not sure if uploading those scripts directly to this board is against the board rules, so if I should upload them to a external service, I am willing to do so. Meanwhile I am confident to have cleaned the site from almost all malicious scripts (I will investigate further) and I am still removing all spam search results from Google using the search console. Also I am in contact with the hoster and try to sort things out, even if it means switching the hoster (which I would prefer). Please don't be to harsh with me. I know I have made a stupid mistake and learned my lesson the hard way, but I wanted to share this story anyway to prevent others from making the same mistake. So always make sure to secure your file permissions! Regards, Andreas

thanks Robin - I've sorted it now and I plan on updating this post.

Hi sudodo, Welcome to the ProcessWire forums. Sorry to hear you're having trouble. The admin login page at http://rightangle.space/processwire/ is loading normally for me. If you are seeing an error message when attempting to access this page could you post back with the contents of the message? Do you still get the error if you try a different browser? And if you access the page in your browser's private/incognito mode?

Awesome! Thanks @horst and @kongondo - much appreciated

To supplement @John the Painter's answer: 1. Update InputfieldMapMarker.module to get your API key however you're managing it: public function init() { $apikey = // get my api key $script_path = ($this->config->https ? 'https' : 'http') . "://maps.googleapis.com/maps/api/js?key={$apikey}"; $this->config->scripts->add($script_path); return parent::init(); } 2. Enable 'Google Maps Geocoding API' in your Google API Console for your site's API key: https://console.developers.google.com/apis/api/geocoding_backend/overview You may need to enable whichever other individual APIs (places, geolocation, etc.) from Google's API library for the client side if you use the same API key: https://console.developers.google.com/apis/library Updating the MapMarker module will remove these changes if this file is affected by the update.

Yeah, TED Talks is stand-up comedy show... It has very little to do with "Ideas worth spreading". Thanks for sharing anyway, the first few minutes were really funny, then I got bored, skipped the end, and came back here to have a lot more fun in the ProcessWire "/talk"

Just tried the User Swither and it seems very nice. My only concern is the GUI, I think the select limited to 1 is not the best control for selecting the active user. How about setting size="5" attribute for example, to save clicks? I would also set "min-width: 100%;" to make the rows full width. Perhaps this full width could be applied also on the session time input, to make it visually more attractive

Thanks for all your kind comments

I don't know about the upgrade from/to because i deleted the previous one - sorry! I also don't know anything about ToDo, i don't use it, and don't know how it works, but I'm sure i have a ton of whack stuff in my template files, so if it is trying to read those for anything particular, then i can easily see why it might crash; all of the templates are in UTF-8 i think but i put stuff like this at the top of some of them: /** __ __ / / / /___ ____ ___ ___ / /_/ / __ \/ __ `__ \/ _ \ / __ / /_/ / / / / / / __/ /_/ /_/\____/_/ /_/ /_/\___/ */ because I have a lot of template files open at once and this makes it easier to see where i am

Assuming you're usine Apache, it's better to use Options +Indexes, without the + you may reset other apache directives that are currently in effect. Take a look about 2/3 of the way down this page: https://httpd.apache.org/docs/2.4/mod/core.html#options

These are two different things: subcriber system and newsletter sending. I suggest to first read / post in the NewsletterSubscriptionModules forum support thread to get this working. In regard to newsletter sending, I suggest to use a service and / or use a module like: http://modules.processwire.com/modules/wire-mail-mandrill/ http://modules.processwire.com/modules/wire-mail-mailgun/ http://modules.processwire.com/modules/altivebirit

Thats what I was talking (thinking) about when agreed to @tpr and @szabesz : the use of the UA-Switcher. Honestly I think, when already using (installed) TracyDebugger, there is no need to have an additional UA-Switcher elsewhere. But I'm using ALIF everytime. In my local (not yet released) version, ALIF even has a toggle button to switch on/off the TracyDebugger And I use it in production sites for frontend edit- and logout- buttons for editors. That was the initial reason why I have written it.

Absolutely true. Rest of this sentence was great too, but just wanted to point out that I fully agree with this: if someone prefers platform Y over PW in a specific case, that's their call to make. They may or may not have good reasoning behind that decision, but that doesn't change the fact that it's still theirs to make. Someone I used to work with once explained to me that "WP is awesome because I don't have to know anything about web development to add new features to my site". For most users, even those who describe themselves as "developers", that's really the gist of it: being able to add features in a cost-effective way and without having to understand what's really going on behind the scenes. While this approach no doubt has it's benefits, sometimes the result is this: "Grade D, 10.29 seconds load time, 3.5 MB page size, and 206 (!!) requests." Or worse, a hacked site because one or more of those plugins you installed were badly written and you didn't have the time, money or knowledge needed to spot those issues, or perhaps you neglected to monitor the site and install all those updates in time. I'm not saying that WP can't be used to develop sites "the proper way", or that you actually have to keep installing stuff until your site breaks, but it's good to realise that what is often considered the biggest benefit of the system (ability to add features with no so-called programming knowledge) is also one of the easiest ways to completely wreck it. Each and every feature you add to the site increases the amount of technical debt, that's just how it works.

I am not so sure about that and it certainly wasn't my intention. ALIF has additional features that make it a worthwhile tool, like: screen dimensions session destroy OPCacheStatus viewer Also for those not using Tracy because they prefer a different PHP debugger, the user switcher in ALIF will still be indispensable.

@Robin S 's solutions are perfect. My personal favourite would be the first one: just working with the basic page tree and hidden / unhidden or published / unpublished states. If you want go with another pagefield solution (checkbox), but want to have a good visual sign rendered in the page tree, there are some code examples in the forums here how to use a hook for that. Other than in the linked example, with recent PW versions, you don't need a module for that. You just can add a code snippet for that hook into your sites init.php. If you need any further help, just ask.

I respectfully disagree, unless you are only talking about depreciating the user switching part of ALIF. I use ALIF all of the time when logged in as an administrator. I only turn-on Tracy Debugger whenever I need to debug something. I have great use for both tools and would not like to see either one of them depreciated. My opinion.

That's correct! This is one more example on how things grow in our community: we work together to make it as good as we can. Someone come up with a good solution for a partial thing. This a) directly help others, it b) inspires other users to new / other solutions, and this, in the end, makes working with our beloved PW a little more better again. And, in this case, (ALIF and Tracy): from now on, everytime when I will use Tracy, I will have the feeling that a little part of my work is into it.

Hi Barido, Welcome to the ProcessWire forums. I think there will be a number of solutions you can choose from. A few that occur to me are below. 1. Without using any modules and just working with the default Pages tree, you could use either the Published/Unpublished state or the Hidden/Unhidden state of the job page to switch a job from Active to Inactive (or vice versa). These states can be set directly from the Pages tree without needing to open the page for editing, as shown in the screenshot below. If inactive jobs need to be shown on the website front-end then the Hidden/Unhidden state would be the one to go with. In your templates you can test for the hidden state using the $page->isHidden() method. 2. You could use the Batch Child Editor module to toggle the Published/Unpublished or Hidden/Unhidden state. 3. You could purchase the Lister Pro module. This module has a number of cool features, one of which is the inline editing of page fields directly in the page list. So if you wanted to use a checkbox field in the job page to store the active/inactive state you could toggle this field via Lister Pro.

There are two potential issues here: your form doesn't seem to have CSRF protection in place and the lack of HTTPS connection would make it possible for someone to grab the credentials from a request, but other than that this looks fine to me. My usual advice would be not to do this (use built-in login form instead), but of course there are cases where you don't want to do that. For those cases check this post out for the CSRF protection and enable HTTPS. If the price of the SSL certificate is an issue, check out Let's Encrypt; their free certificates are pretty awesome. If your host doesn't allow you to use these, that in itself could be a good reason to switch hosts.

You should validate the user input using $sanitizer and use CSRF in the form.

It's a real shame that your site got hacked, but this is definitely something we can learn from, so thanks for sharing it. Shared hosting and lax file permissions are an easy way to get into trouble, but I'm still quite curious about how exactly the site was hacked. From what you've mentioned here (uploaded files, etc.) it kind of sounds like the login credentials might've been compromised, or did you perhaps have something on the front-end that could've caused that? Of course if it really was an "inside job", i.e. if the site was attacked by another user on the same shared server, the files inside /site/assets/ could've been planted there manually. Did you have anything else installed on the same hosting account, another site or web application or anything? If you do find out anything else, please let us know, but just in case: if it turns out that this was actually a result of a flaw in the system itself or perhaps a third party module, please let Ryan know of it before posting to the public forums. I'm extremely confident in the security of the core and have a lot of trust in most of our third party modules, but there's no guarantee that nothing will ever go wrong.

Launched phase 1 of a new site. Still working out a bunch of details, poco a poco. http://vacuumwholesalers.com Modules include MarkupSimpleNav Form Builder Lister Pro Pro Fields

Also... Before the changes, I was having this problem with 2.x and 3.x versions of Processwire. Now both work.

Maybe you could try updating PHP to 5.6? I think PHP 5.4 is unsupported now anyways? Maybe also check your upload_tmp_dir = "/tmp" in php.ini is set to the correct location for your OS. I'm not sure what else to try... You might list your Operating Systems as well in case others chime in here to help.... maybe upload your php.ini file?

Few questions for you: How did you install php on your setup? What version of php are you running? Is xdebug installed? I installed php via homebrew on a mac using php 5.6.23. Using always_populate_raw_post_data = -1 didn't work for me. I had to update/reinstall php with brew unlink php56 brew unlink php56-mcrypt brew unlink php56-xdebug brew install php56 brew install php56-mcrypt brew install php56-xdebug restart apache and then it started working Note: In the github issue I stated that it was only working with xdebug enabled, but now(after following the steps above) I can run it with xdebug disabled. Hope that helps

I'm guessing, and this might not help much, but it sounds like output formatting might be off when you are not logged in.

Hello, A solution should be to bootstrap ProcessWire, coding a function which list the all the files in the current directory and subdirectories. Also, writing a custom function give you full control over the listed files, by example, filtering the files by a given allowed extension. You can test the following: In your /test directory, create a file called index.php. In the index.php write the following the code : <?php include("../index.php"); // bootstrap ProcessWire function scanDirectories($dir, $allowext, $recurse = false) { $retval = array(); // add trailing slash if missing if(substr($dir, -1) != "/") $dir .= "/"; // open pointer to directory and read list of files $d = @dir($dir) or die("Error: Failed opening directory $dir for reading."); while(false !== ($entry = $d->read())) { // skip hidden files if($entry[0] == ".") continue; if(is_dir("$dir$entry")) { if($recurse && is_readable("$dir$entry/")) { $retval = array_merge($retval, scanDirectories("$dir$entry/", $allowext, true)); } } elseif(is_readable("$dir$entry")) { $ext = substr($entry, strrpos($entry, '.') + 1); if(in_array($ext, $allowext)) { $retval[] = array( "name" => "$dir$entry", "type" => mime_content_type("$dir$entry"), "size" => filesize("$dir$entry"), "lastmod" => filemtime("$dir$entry") ); } } } $d->close(); return $retval; } ?> <!DOCTYPE html> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>Files list</title> <style type="text/css"> body { padding: 5%; max-width: 1260px; margin: 0 auto; } table { width: 100%; border-top: 1px solid #000000; padding: 0; margin: 0; vertical-align: middle; } th, td { text-align: center; border-bottom: 1px solid #000000; border-left: 1px solid #000000; padding: 0; margin: 0; } th:nth-last-child(1), td:nth-last-child(1) { border-right: 1px solid #000000; } </style> </head> <body> <h1>Files list</h1> <?php $rootdir = './'; // root directory $ext = ['jpg', 'png', 'pdf']; // allowed extensions $dirlist = scanDirectories("./", $ext, true); // output file list as HTML table echo "<table cellpadding='0' cellspacing='0'>\n" . "<thead>\n" . "<tr><th></th><th>Name</th><th>Type</th><th>Size</th><th>Last Modified</th></tr>\n" . "</thead>\n" . "<tbody>\n"; foreach($dirlist as $file) { echo "<tr>\n" . "<td><img src='{$file['name']}' width='32'></td>\n" . "<td><a href='{$file['name']}'>". basename($file['name'])."</a></td>\n" . "<td>{$file['type']}</td>\n" . "<td>{$file['size']}</td>\n" . "<td>".date('r', $file['lastmod'])."</td>\n" . "</tr>\n"; } echo "</tbody>\n"; echo "</table>\n\n"; ?> </body> </html> Copy/Upload now some images or files in /test and visit your site at http://mysite/test/ to see the result. @Karl_T code updated.

Maybe it is related to this issue https://github.com/ryancramerdesign/ProcessWire/issues/1174 ?

After more digging and experimenting, I found the functionality I was looking for is (a bit un-intuitively) in the PageRender module. There's methods in there that hook into Pages::save, get the CacheFile for the page, and clear it. Since the method clearCacheFile() is a hook call and not intended to be called directly, I ended up doing this in my module after saving fields: $PageRender = $this->wire('modules')->get('PageRender'); $cf = $PageRender->getCacheFile($page); if ( $cf->exists() ) { $cf->remove(); } Some of my earlier experimentation was calling $this->wire('cache')->maintenance(), but I realized that's WireCache which is different than the cached files created for pages.

Hi, Horst, I just tried to install the module, but got 2 error messages right after downloading, regarding: AdminLinksInFrontend.module, line 153 and ProcessAdminLinksInFrontend.module, line 45 In both cases I had to remove the [...] part to get it working: self::$opcEnabled = opcache_get_status();//['opcache_enabled']; I am running PW 3.0.23 in this particular case. EDIT: Ok, now PW tells me why: I need to install PHP 5.4 or greater... Sorry for bothering you!

Whew! I got help from Caddy developer abiosoft and now I have a working ProcessWire config! It is included below. Note certain things: - the "php" in the fastcgi line defines a preset, so we don't need to use any "ext" stuff. - the new style rewrite which does not use {uri}: to {path} {path}/ /index.php?it={path}&{query} Abiosoft is also looking into a webtrees instance I have. So far the routing is solved by a workaround of adding a /slash to a certain line the webtrees index.php. Once the issue is solved properly, I can publish the Caddy config on the webtrees forum I urge everyone using Caddy with PW to donate bitcoins to abiosoft! https://mysite.com, https://www.mysite.com { root /wherever/your/files/are fastcgi / unix:/var/run/php-fpm/php-fpm.sock php internal /forbidden rewrite { r /\. to /forbidden } rewrite { r /(COPYRIGHT|LICENSE|README|htaccess)\.txt to /forbidden } rewrite { r ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) to /forbidden } rewrite { r ^/site(-[^/]+)?/install to /forbidden } rewrite { r ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php to /forbidden } rewrite { r ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) to /forbidden } rewrite { r ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) to /forbidden } # GLOBAL rewrite { to {path} {path}/ /index.php?it={path}&{query} } log /var/log/www/access.log { rotate { size 50 age 7 keep 5 } } errors { log /var/log/www/error.log { size 50 age 7 keep 5 } } }

A bit OT, but if you can plan the languages hirarchy right from the start of a new site, you can do it this way: enable languages support set Title / Label of the default language to your desired none english native language, (e.g. 'Deutsch' (German)) drop in the none english language pack (for admin backend) into the default language, (e.g. german langpack) add a new language to it and drop in a language pack for any none english language or simply don't drop in a language pack to get the english version (but not as the default one!) As a nice sideeffect every new user in your system gets the native language per default without have it to select from the list. So, yes, this is no solution if you once have set it up and need to switch the default language afterwards, but just want to note it.