Leaderboard

New version just committed that adds support for turning off autoloading of css and js assets files. It also fixes the strange issues that @wbmnfktr was having on some pages. It also adds a "pwcmb-active" class to the body of the page when the banner is displayed.

If you are not against some dirty css hack, you could do it without js using css counter added to pseudo elements on the list items, and positioning them to the top right corner of the field. As you need the last number only, hide the others using li:not(:last-child) display none. The downside is that you cannot position it directly after the label text and it's kinda hacky but otherwise it's reliable and resource friendly (css power! :)). Sorry I cannot post an example as I'm on mobile, maybe tomorrow if you are interested.

Rather than saving the entire page when you're updating the 'mark' field, try 'setAndSave'. This will save only the nominated field and not trigger another page save event. https://processwire.com/api/ref/page/set-and-save/

This week we’re going to discuss a new security feature that’s currently in development on the dev branch: 2-factor authentication. In this post we look at the benefits of 2FA, how it works, the coming implementation in ProcessWire, and more: https://processwire.com/blog/posts/2-factor-authentication-coming-to-processwire/

FYI - I just merged the 3.0 branch to master - be warned that this is a breaking change because of the new data_country db field so please don't update existing installs unless you're prepared to do some DB manipulation - if you want to and can't figure out the required SQL commands, let me know and I can post something here.

You can use a hook for that wire()->addHookAfter("Inputfield(name=categories)::renderReadyHook", function($e) { $inputfield = $e->object; $inputfield->label = $inputfield->label . " (" . count($inputfield->value) . ")"; }); ProcessField::buildEditForm should also work. To get it working without page-reload will require some custom js. You can find some useful parts in this thread P.S @bernhard was faster than me.

I don't plan on forcing the option, though had thought that when enabled, we'd give them a login warning notification asking them to enable it, every time they login. I haven't come across any services that forces me to 2FA yet, though I know some companies require it internally. But I think it might depend on the 2FA method being used before you could say if it would be a good idea to force it or not. There are times where you might want to disable 2FA temporarily too. So I think it's best to let the user control it, and maybe annoy them a bit with warnings when they aren't using it. But this is one of those things where I think we'll start fairly simple, but then start fine tuning the options according to what we find are the needs of people using it. I think support in the core is consistent with PW's strategy of making security the top priority. I think we are soon reaching the time (or already have in some cases) where 2FA is considered essential in order for an online application to be taken seriously as having an emphasis on security. I consider it essential for any other online account I maintain (as I imagine many do), so it should be in PW too. If we step outside the security aspect, I think it also builds trust and checks boxes for a lot of bigger companies that may be considering PW or comparing to other options. The support and interface for it will be in the core. The implementation of the interface will be in modules. There will very likely be one implementation module included in the core, though I'm not 100% positive on that yet. Either way, I'll be building and maintaining at least one of the modules that supports it. As I understand it, Google Authenticator is just a standard implementation of RFC 6238 and RFC 4226, like any number of other authenticator apps. As far as I know, they are compatible with each other, but Google Authenticator is just the most widely known/used. I think the compliant you mentioned is the nature of the technology, and not really anything about Google Authenticator in particular. But the complaint is also the reason why it's secure. Once one understands how it works and the steps they should take, I think it all make sense. I'll try to describe. The reality is that 2FA is an extra step, which you can't deny is an inconvenience. But it's like locking your door before you leave the house. Nobody likes having to take extra steps, what they like is the security benefit (if they understand it). And if you lose your keys, then yes you are locked out, unless you've got a backup method. This is why services typically provide backup 2FA methods (like SMS) or one-time use backup codes that you can store securely somewhere in case you ever lose your device. For every place where you use 2FA, you've established "a secret" between your device and the service/website (a long base32 string, which can also be represented by a QR code image). The reason it is secure is because it's not shared anywhere else. If that secret were stored up in the cloud or synced between devices and such, then it is becoming less secure. It is getting passed around networks just like your password, which kind of defeats the purpose of 2FA. If you buy a new phone, and can't restore backup data from your old phone for some reason, the yes you'd want to reset your 2FA for the new phone. If you've got your old device handy, then you'd switch the 2FA to your new device. If your old device is lost or non-functional, then this is where a backup method and/or one-time use code would come into play. If those options weren't available, when it comes to PW, one could also fix any of this by asking a superuser to reset it even temporarily disabling from $config (if nobody had admin access). As I understand it, this is simply a matter of a user 2FA off for some account, then turning it back on, so they can establish a new secret/QR code. There's already a password reset module built into PW. 2FA can be disabled for any individual account as needed. This is what the superuser account is for. ? This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure.

Is mod_security enabled in the web server? If yes, it would be the first suspect.

Don't know of a built in way. But it would be easy to do with a little javascript. At least if the field is not loaded via AJAX (only collapsed is fine). $('.Inputfield_pageref label').append(' <span>(' + $('.Inputfield_pageref .asmListItem').length + ')</span>'); Of course you'd need to update that count on several events, but that should also be quite easy ?

I'm glad you could have it fixed, however it is worth to note that the site might also get hit by other mod_security rules in the future, so it is best to turn off mod_security altogether. ProcessWire does not need it.... for example: http://www.amitb.info/dealing-with-a-mod_security-nightmare-with-apache-and-codeigniter/ quote: "First thing, don’t waste your time chatting with your hosting company support staff. The front line support staff is not very equipped with dealing these complicated things. They are usually adept in dealing with normal things which occurs in volumes. So skip them altogether." also: https://stackoverflow.com/questions/12928360/how-can-i-disable-mod-security-in-htaccess-file

I'm looking forward to the 2FA updates. I'm hearing of more and more companies forcing 2FA with their email systems(GSuite or Office365). We've had these discussions and will probably do this at our company as well. Once people start getting used to using it with their email and banks, they will start to expect it with their websites as well. I agree with Ryan, I think it will look good if Processwire already has this security built in. It builds trust with larger organizations. As a website administrator, I currently have to set up a secure password for each of my site editors so they don't get hacked. I can't rely on them doing it. I also have to disable them from reseting their password to something easier to remember. With 2FA, I don't care what they set their password to. It would be nice if we could somehow require/force 2FA for specific roles like Site Editors. I'm not sure if this is a different technology then 2FA, but when using G-Suite, you also have the option to use the Google Prompt. https://support.google.com/accounts/answer/7026266 This makes it much easier to sign into accounts. I wonder if that is just a Google thing, or if that is something that Processwire can utilize as well? They also offer several different ways to authenticate https://support.google.com/a/answer/175197?hl=en including Yubi Keys, Google Authenticator App, Google Prompt, SMS text message codes, and backup codes.

Everybody thanks for your input. I just bought a refurbished macbook pro 15" 2015 with 256Gb with 2 months of apple warranty left and 12 months warranty of the retailer. I got a new display and new accu (complete top casing) with 0 cycles. This should sufficient for the coming years. Will get it tomorrow with the postalservice. Looking forward to unpack it ?

Hi BitPoet, thanks a lot for your reply! I could not change the setting you mentioned myself, so I contacted the host. They added the following code to my .htaccess file: # ModSec Exceptions by cyon <IfModule mod_security2.c> SecRuleRemoveById 340145 </IfModule> A rule in their Web Application Firewall led to the error. Thanks again!

I would go for it. As Ryan pointed out, sending a Mac to a repair shop can cost a lot of money and I think the "safest" Apple laptops these days are the end of the line 2015 models. Generally speaking, end of the line models always suffer from less factory issues than brand new designs (which is the case with the 2017 line).

@Robin S thank you, that works fine.

thanks for the reply @ryan. Very clear, but also creating doubts ? I am afraid the prices for macbooks are higher here in the netherlands. Eur 975 for a sealed 2017 13 is very cheap. I do like your point of getting the oldest model with the most warranty. The cheapest I could find is a 2015 model 15" with a 512Gb SSD for eur 1900. That one is new and comes with full warranty. I have a company so I can deduct the VAT. All other are between 1 and 3 years old (first sold) and so most of them are without warranty. There is only some warranty on the retina display. But that is also only for a period of 4 years. That makes it tricky to buy a 3 year old model. It is a decision between starting cheap (13", 8Gb and 128Gb) with full warranty for eur 975 or invest eur 1900 and have good specs(2015, I7, 512Gb) with full warranty. I can use an external display when I am home.

You should activate ACF + HTML Purifier.

OK, I think I got it solved: I was using this piece of code $form->remove($fieldset); I removed this line and everything is back to normal again.

I'm running on a 2013 macbook pro (15-inch) with 8gb ram and 256gb drive. I find it works well for PhpStorm and other web development tools. I don't have photoshop or docker, so can't say about those. It's the most reliable computer I've ever used, and it runs just as well as the day I bought it (not feeling any need to upgrade anytime soon). I do occasionally wish I had 16gb ram, but I don't think I actually need it. This is essentially what I've got, though mine is a couple years older and has half the ram. If you aren't moving your computer to different locations every day, the 15-inch screen is a lot more real estate than the 13-inch, which is useful when it comes to web dev. The 15-inch screen is a big difference to me, and something I can work off of all day. The 13 inch would probably be more challenging, especially in apps like PhpStorm or Photoshop. However, my eyes aren't great. Other things to mention about the 15-inch: It has a 4-core processor, vs 2-core on the 13-inch. But I'm not sure if it makes any difference for the applications you've mentioned. The 2015 model I think is using the older style keyboard (?) which would be a benefit, because it's a lot more reliable from what I understand. Then again, it is used, so who knows. Markets are different depending on location, but the price of the one you mentioned seems high to me, given that it is used. $1275 EUR is about $1500 USD, which is what I paid for my 15-inch MBP brand new. Though when I bought it, it was "last year's model", so the price had come down. But if you are considering the 15-inch, I would look around to see if there are others you could get for less and perhaps be able to negotiate the price down. Notebook computers are much more likely to break than desktop computers, and much more expensive to fix when they do. So a warranty carries a lot of value, and likewise a lack of a warranty should reduce a lot of value. For this reason, I would usually say to buy notebook computers new or refurb (from Apple) if you can, and get as old of a model as possible, that still carries the full warranty. If you buy used, then factor in the risk of something breaking, and on an Apple notebook that could be a $500 repair or more. In fairness, I've had about 5 Apple notebooks over my life, and only 1 of them has had any issues.

I use the method @psy is talking about and it works well.

I have been using Ubuntu for some time now. I runs way smoother than windows. But I can't get used to gimp and the quality of images exported in photoshop seems much better. On the other hand, I always get word and excel documents. Libre office can open them, but layout is off. And if they use something like review it is a big mess. Therefor I want to go to a macbook. It has all that I need in one. The reason I don't use windows is because it's slower (and my current setup is still pretty fast) and it is a hell to get docker running and keep it running. It costs me too much time.

I think the fact that you have only 2 cores to run all those apps in 8GB will be a struggle. I own a MBP 13inch 2015 model with 16GB and sometimes it struggles with PHPStorm, Chrome, Parallels, MAMP. Yeap. Screen started peeling off in my Retina and luckily it was replaced for free. The keyboard died on mine about a 3/4 months ago. Unfortunately, it was not covered and it costs too much to repair so resigned to using a portable logitech keyboard. (Apparently the main board needs replacing!!!) If you have the budget, go for a 512GB model. IMO 128/256 is going to be too small and you'll be lugging around portable HDDs. If you don't, get the 15inch model as the 13 inch is going to struggle if you intend to run all those at the same time. As an aside, I probably will not buy another Macbook Pro until Apple up its game. Seems like the build quality is not there anymore, and why pay a hefty premium for a machine that seems to break down frequently and costly to repair. I've been using Ubuntu for a month and the ONLY thing I miss from OSX is MAMP. All the other tools I use are easily available on Ubuntu.

thanks @szabesz. The 2017 comes with an invoice and full warranty. The 2015 is out of warranty (don't know I can get the invoice). I also heard about the faults in the retina display. They needed to be replaced in multiple models/years. Do you have the additional GPU on it?

I'm working on this one. I like it a lot. Macs have speedy SSDs so multitasking is NOT an issue, even if you use Adobe programs parallel. In the past I could even work on a Air with 4GB RAM but to speed up 3D rendering (which I do sometimes) I had to switch. I do not know about Docker as I have MAMP Pro, but running NetBeans, 4 or more Adobe programs, 3 browsers, MAMP Pro, Mail app and 10 or more utilities is not an issue for me. It just runs fine. Also, 2017 MacBook Pros have bad record of keys of the keyboard becoming faulty and not working anymore. For this reason I would never buy a 2017 MBP. I hope this year's new keyboard update solves this issue. We'll see... BTW, I guess it is more like a Dev Talk than a General Support as it is not really ProcessWire related.

Instead of assuming clients won't need or want this kind of feature I asked some of my clients today already and some of those who have more than 1 or 2 editors are welcoming such a feature. There are concerns but those shouldn't be the problem as I think that Ryan and therefore ProcessWire will take care of those things. The concerns were: the possibility of a reset for already saved tokens (I don't know how and if this will work with the Google app) the possibility to reset passwords and disabling 2FA for a user the possibility to have exact one user to maintain those settings the possibility to enable/disable it site-wide with a config-entry One client (a one-man business) asked if it's possible to remove username/password and just use this kind of token to login. I personally would use this on my personal sites but won't use it on client sites, as this part could end in an extra amount of work for me.

Yes! Very pleased to see this finally make it into the core. Thanks for mentioning my old module too - as it happens, I'm still using it, and just updated it to work with PHP7.2. Thanks, Ryan.

I was all set to suggest that you do this: but apparently the Sanitizer::translate option forces lowercase (https://github.com/processwire/processwire-issues/issues/643). Here's another interesting thing I just found: https://github.com/processwire/processwire-issues/issues/644 which doesn't seem expected to me. If Ryan agrees that the first one is a bug, then the alpha sanitizer with translate should result in this:

As you said, get the array from session in a temp var, insert your new item then assign back the array to the session var : $order = array(); $order['token'] = 'token'; $order['product'] = 'product-name'; $session->order = $order; bd($session->order); $tmp = $session->order; $tmp['price'] = 'price'; $session->order = $tmp; bd($session->order); Or use $session->setFor() : $session->setFor('shop', 'token', 'token'); $session->setFor('shop', 'product', 'product-name'); bd($session->shop); $session->setFor('shop', 'price', 'price'); bd($session->shop); $session->setFor('shop', 'price', 'new-price'); bd($session->shop);

For anyone who is having the red x problem with images, I was able to solve these missing images by doing 2 things: 1) If you are on https, convert image references to absolute (i think this is because the library uses http when replacing image references ?) $rootPath = $pages->get(1)->httpUrl; $body = str_replace("/site/assets/", $rootPath . "site/assets/" , $page->body); 2) Manually create the temp folder ("WirePDF") inside site/assets/cache/ – this folder did not exist and therefore the core library was throwing image errors. Once these 2 things were completed, now the PDFs generate with the images correctly

Thanks @abdus Relating to the topic, there are other code snippets lurking in the Forum, like: Have a different title of a field across multiple templates? Hook to hide inputfield in Admin Custom Field in Page SettingsTab Remove a fieldset tab from specific pages of a template

Nope, it would give you the same copy that you already have. Unless something cleared the page cache between the time you loaded $page and the time you did your $pages->get(). PW clears the page cache after every save() or delete(), so if you found it was working in your case then chances are there was a save() that occurred after you loaded $page, but before you tried to retrieve $oldPage.