Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 03/19/2023 in all areas

  1. Template Access Log is a straightforward module that logs changes made to template level access settings: the useRoles option, or applicable roles and/or role-specific permissions. This module is primarily intended for use cases where an audit log is needed, and (at least for now) it just logs data to a log file template_access_log.txt and provides no admin view (apart from what can be found from the logs section in admin). Data is logged as JSON: 2023-03-18 18:42:05 admin https://example.com/processwire/setup/template/save {"template":"basic-page","template_id":29,"use_roles":1,"permissions":{"view":[37,1061,1062,1125],"edit":[1062],"add":[1061,1062],"create":[]},"permissions_changed":{"edit":[-1061]}} This is something that I needed for some projects, so thought I'd share it here in case someone else has use for it as well. I may add more features later, but at the moment it's already doing pretty much everything it needs to for my use case(s) 🙂 GitHub: https://github.com/teppokoivula/TemplateAccessLog Packagist: https://packagist.org/packages/teppokoivula/template-access-log
    6 points
  2. On this side, I don't really find the spambots or seo bots to be much of an issue, so I mostly ignore them unless they get too aggressive. It's instead the vulnerability scanners that tend to be the issue here. They are fine when they are throttled. But when they are unthrottled (as is usually the case), they eat up a lot of resources. Here's just one basic example: a vulnerability scanner might send through thousands (or tens of thousands) of URL variations looking for SQL files that it can grab, with dozens of different names each, like db.sql, database.sql, backup.sql, [domain].sql, database-[domain].sql, db-[domain.sql], [domain]-db.sql, and so on and on and on. Then add all the extension variations, .sql, .sql.gz, .sql.tar, .sql.tar.gz, and then add every URL with a trailing slash in the site as the prefix path for every check. So just a scan for SQL files in-the-open might account for tens of thousands of requests. And it'll try to do them all in a very short period of time, making the server like ours scale to meet the demand. Yet this is just an example of one vulnerability check out of thousands that it'll do. Once a vulnerability scanner gets started, it'll run for potentially days. But I usually block them well before that. Once I get an email from AWS about things scaling, I watch the logs pretty closely and then start blocking IPs. But the goal is to have the module just block them automatically. What the module does is that it allows you to define suspicious patterns in GET or POST requests, or user agent strings (and it comes with several patterns to start). For example, you might have patterns to match things like wp-login.php, those SQL request variations mentioned above, requests for .py, .cfm, .rb, .exe files, or others that you don't use on the server, requests containing SQL commands in the query string... these are just obvious examples. Then it lets you define a number of strikes till the IP is out. So for every pattern match, the IP gets a strike. So if I set it to "3 strikes and you are out" then once it gets 3 pattern matches, the IP is blocked for a period of time, also defined with the module. If additional strikes occur while an IP is blocked, the block time gets reset so it starts over, ensuring it's always blocked that set amount of time from the last strike.
    5 points
  3. 3 points
  4. Most likely this commit in ProcessField.module (now) at line 2562 - $value = $sanitizer->words($value); + $value = $sanitizer->getTextTools()->strtolower($sanitizer->words($value));
    2 points
  5. This week ProcessWire 3.0.214 is on the dev branch. Relative to 3.0.213 this version has 16 new commits which include the addition of 3 new pull requests, 6 issue fixes, a new WireNumberTools utility class, and improvements to various other classes. A newly added $files->size($path) method was added which returns the total size of the given file or directory. When given a directory, it returns the size of all files in that directory, recursively. Improvements were also made to ProcessWire's log classes (WireLog and FileLog) with new methods for deleting or pruning all log files at once. This version also fixes an issue with the front-end page editor (PageFrontEdit) when used with InputfieldTinyMCE. For more details on these updates and more see the dev branch commit log. Something else I've been working on this weekend is a vulnerability scanner blocker and throttler. I don't know if this is an issue for every site, or if it's because this is an open source project site, but we seem to get a lot of vulnerability scanner bots hitting the site. Sometimes they hit the site pretty hard (with hundreds of thousands of requests) and our AWS cluster servers and databases must scale to meet the demand, using more resources, and thus increasing cost. This is annoying, having to scale for a hyperactive vulnerability scanner rather than real traffic. And it always seems to happen in the middle of the night, when I'm not nearby to manually block it. So I'm working on a module that detects vulnerability scanner traffic patterns and then blocks or throttles requests from their IPs automatically. Once I've got it functioning smoothly here, I'll also plan to add it to ProDevTools board download thread in case it's useful to anyone else. Thanks for reading and have a great weekend!
    1 point
  6. All recipes are now located in the old processwire-recipes/Recipes repository. All links were updated. We lost some parts in the Git log history but is was worth it. So whenever you want to submit a new recipes or update a new one... it's based/should be based on the previous repository. https://processwire.recipes/recipes/create-page-via-api/ (for example / see below recipe / git / raw) All old recipes were tagged with v1 and branched out to the legacy branch. Just in case. Some more minor updates will follow and can be found in the Changelog. @teppo this might be a very good moment to update your footer link again - we are on a new domain now, while being back on the old github/repo. Thanks in advance!
    1 point
  7. I did indeed. And was quite happy in some instances. To be honest... I don't know if it was the 7g or another version. Somehow the 7g sounds unfamiliar at the moment. I might say it was 5g or so. Not sure at the moment. But for sure it was from perishablepress.com. It was recommened quite a few times. Yet it wasn't always working back in the days in all instances and therefore I went on and looked for more solutions and ended somewhere around Cloudflare and some other CDNs. Nowadays I almost always (if possible) sign up and stay there at Cloudflare. I really love what you get there.
    1 point
  8. I face this issue on about 3/4 of all of my projects (client/personal/side) for several years now. Depending on the niche and how well known and established a project is in the search results and elsewhere... the amount of bot/"vulnerability scanner" traffic is impressive. From low 1000s/month to tens-of-thousands/day. Real estate, finance, health, insurance... and some other niches (upcoming topics and trends) are somehow prone to those "visits". I looked for solutions in the forum in the past, got real nice options and solutions, tried them, yet most of the time I went with Cloudflare as CDN and they blocked out most of those visits and even blocked out whole countries therefore. Sure it's another $20/month but for bigger projects necessary. Thought of mine: Look up headers and all possible markers for Scrapebox, Xenu, GSA in addition to your lookups... as those are some of the most used engines/bots/tools to generate bot traffic "regular" users play with (as they are super affordable) to find sources for backlinks, guestbook links, spam comments and such. There are way more out there but they don't even make a dent in your logs/statistics. Not to forget tools like ahrefs, Sistrix, Ubersuggest... and way way more. While those last mentioned tools are just for auditing, you might even want to use, all others should be... blocked in some kind or another. Or maybe there should be a list of filters looking for matches in some kind. There is yet another one: Screamingfrog (which is acutally a real white hat tool for auditing - I use it almost every day on a lot of domains) yet it can cause a lot of traffic due to audits. I'm not sure if there is a marker for ScreamingFrog to whitelist it on a project/domain but it really just scans the site. For a good reason. In case you want to test ScreamingFrog against your filters... you will find it and can use it for free in respectable way. It's an awesome tool we should be able to whitelist! To anybody that uses that upcoming module in the future, PLEASE let me know your experience. Could be cheaper for my wallet by far!
    1 point
  9. Yes! Seriously, someone pls email @ryan about this. If no one else will do it, I'll do it. My new favorite ProcessWire infographic:
    1 point
  10. @alexm. Customer details live in the field 'padloper_order_customer'. Example: <?php namespace ProcessWire; /** @var Page $orderPage */ $orderPage = $padloper->get("id=3207");// order page ID /** @var WireData $orderCustomer */ $orderCustomer = $orderPage->padloper_order_customer; $out = ""; $out .= $orderCustomer->firstName; $out .= $orderCustomer->middleName; $out .= $orderCustomer->lastName; $out .= $orderCustomer->email; $out .= $orderCustomer->isTaxExempt; // PRIMARY ADDRESS $out .= $orderCustomer->shippingAddressFirstName; $out .= $orderCustomer->shippingAddressMiddleName; $out .= $orderCustomer->shippingAddressLastName; $out .= $orderCustomer->shippingAddressPhone; $out .= $orderCustomer->shippingAddressCompany; $out .= $orderCustomer->shippingAddressLineOne; $out .= $orderCustomer->shippingAddressLineTwo; $out .= $orderCustomer->shippingAddressCity; $out .= $orderCustomer->shippingAddressRegion; $out .= $orderCustomer->shippingAddressCountry; echo $out; // ------ // ETC @see: https://docs.kongondo.com/api/order.html#padloper-getordercustomer for full list of properties. Note that getOrderCustomer() cannot be used in this case. That is only available during an order session. However, the customer properties remain the same, i.e. firstName, billingAddressPostalCode, etc.
    1 point
  11. I don't suppose there's any chance of getting these juicy forum board solutions added to related module documentation as Examples, could we? These are great starting points to common scenarios! The downside would be maintaining them for compatibility, but perhaps explicit notices with dates that the examples were created? So often I end up searching the website for answers to questions, but they're all over the place - the blog, documentation, api, forum (and not always the module forum). ? Just a thought. That said, loving these examples you're providing from actual client work you're doing. Thanks, Ryan!
    1 point
  12. But I was ? And I tried to explain why... IMHO not That's what I was trying to explain. I'm using custom page classes in an object oriented way (similar to PW modules). And that's great because you have all your code pieces in one place - namely in one single php file of your custom page class. Let's say we build a webpage about cats. Step one: Create a custom page class and place it in /site/classes <?php namespace ProcessWire; class Cat extends Page { } Now all cats in our system are of type "Cat", and that's great! Now we want a custom headline for every cat on our frontend based on the title field, easy: <?php namespace ProcessWire; class Cat extends Page { public function headline() { if(!$this->title) return "This cat has no name"; return "Details for Cat '{$this->title}'"; } } In your template <h1><?= $page->headline() ?></h1> And that you'll do for any kind of business logic your application needs. Now what if we wanted to manage thousands of cats and we wanted every cat have a unique 4-letter page name instead of one based on the title (to prevent ugly suffix urls like catname-1, catname-2 etc)? We could do that easily with a hook. In the past one might have put the hook into ready.php and after time your ready.php grows and grows and grows and some day you totally lose control over your hooks and over your software. Not if you place them where they belong: Into the page class to the cat object: <?php namespace ProcessWire; class Cat extends Page { public function init() { $tpl = "template=cat"; $this->addHookAfter("Pages::saveReady($tpl,id=0)", $this, "onCreate"); } public function headline() { if(!$this->title) return "This cat has no name"; return "Details for Cat '{$this->title}'"; } public function onCreate($event) { $page = $event->arguments(0); $page->name = $event->pages->names()->uniqueRandomPageName(4); } } That's how you'd attach a hook in an autoload module, and that's what I suggest: Structure your custom page class just like an autoload pw module. Apply the same principles and your code will get better readable, better understandable and better maintainable. Now the only problem ist, that init() of the page class does not get called like it gets called in an autoload module. Neither does ready(). But it's simple to overcome this - just place this in init.php $cat = new Cat(); $cat->init(); This triggers the init method of your cat on INIT of PW and it attaches all hooks of your cat page class as if they where placed in init.php; The same technique can be used for ready() in ready.php; That does load one instance of cat into memory though. That's a little overhead. IMHO it's worth the overhead, but I can only guess that the overhead is very small... Maybe one could also use loaded() for that, I don't know and I'd have to investigate on this. Maybe someone can try and share their findings ?
    1 point
  13. Thanks @Robin S – that's an excellent explanation. I didn't previously know about the difference between PageFinder and in-memory selectors. It'd probably be good if allowable date formats were explained on the selectors documentation page. (I'm not sure what the best process for suggesting documentation updates is.)
    1 point
×
×
  • Create New...