ryan

Administrators
  • Content count

    11,955
  • Joined

  • Last visited

  • Days Won

    632

ryan last won the day on August 12

ryan had the most liked content!

Community Reputation

14,644 Excellent

About ryan

  • Rank
    Reiska

Contact Methods

  • Website URL
    http://processwire.com

Profile Information

  • Gender
    Male
  • Location
    Atlanta, GA

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. This week the focus has been on fixing various issues in the queue at our GitHub processwire-issues repository. So while there aren't any new/exciting features to write a blog post about, there are a lot of commits in ProcessWire 3.0.110 that fix various minor issues. If you are running on the dev branch, the upgrade is definitely worthwhile. You can review this week's commits in our commit log in the date range from August 6 to August 10. Also a big thanks to @netcarver who is now helping to administer the processwire-issues repository.
  2. In the last blog post I told you about how two-factor authentication was coming to the core and what our plans were. This week it’s ready to use in ProcessWire 3.0.109, so we’ll take a closer look at all the details and how to use it: https://processwire.com/blog/posts/processwire-3.0.109-adds-two-factor-authentication/
  3. I usually post to the blog on Fridays, but I've been working on ProcessWire-based client projects this week, so nothing new to post today. I'm back to working on the core next week and continuing the 2FA development, so will have more next week. Thanks and I hope that you have a great weekend.
  4. ryan

    These look like false positives, especially given the last one (a CSS file served by Apache). What's happening here is that your server is taking a long time to respond to the requests, and the testing tool is making the assumption that because it responded slowly, it must have executed the command it sent (sleep and timeout). Most likely your server took a long time to respond to the request because that testing tool is hitting the server hard, and it's either struggling to keep up, or it's throttling the tool, limiting how many requests it'll respond to at once. It's also possible you've got another server-side security tool that is detecting something trying to mess with it, and interrupting the request. With a tool like ZAP, false positives can happen, so you should use it to find where to look, but use the information it gives you to confirm on your own whether it's an issue or not. And if you ever think you've found some security an issue in any software, contact the author directly, don't post it in a public forum. The only other thing I'd suggest is to look at your site template that serves the first URL it mentions, and check if you are using a GET variable named "query", and if so what you are doing with it. However, I think this is unlikely given that it's reporting the same error on a CSS file, which is served directly by Apache, not ProcessWire.
  5. ryan

    I'm running on a 2013 macbook pro (15-inch) with 8gb ram and 256gb drive. I find it works well for PhpStorm and other web development tools. I don't have photoshop or docker, so can't say about those. It's the most reliable computer I've ever used, and it runs just as well as the day I bought it (not feeling any need to upgrade anytime soon). I do occasionally wish I had 16gb ram, but I don't think I actually need it. This is essentially what I've got, though mine is a couple years older and has half the ram. If you aren't moving your computer to different locations every day, the 15-inch screen is a lot more real estate than the 13-inch, which is useful when it comes to web dev. The 15-inch screen is a big difference to me, and something I can work off of all day. The 13 inch would probably be more challenging, especially in apps like PhpStorm or Photoshop. However, my eyes aren't great. Other things to mention about the 15-inch: It has a 4-core processor, vs 2-core on the 13-inch. But I'm not sure if it makes any difference for the applications you've mentioned. The 2015 model I think is using the older style keyboard (?) which would be a benefit, because it's a lot more reliable from what I understand. Then again, it is used, so who knows. Markets are different depending on location, but the price of the one you mentioned seems high to me, given that it is used. $1275 EUR is about $1500 USD, which is what I paid for my 15-inch MBP brand new. Though when I bought it, it was "last year's model", so the price had come down. But if you are considering the 15-inch, I would look around to see if there are others you could get for less and perhaps be able to negotiate the price down. Notebook computers are much more likely to break than desktop computers, and much more expensive to fix when they do. So a warranty carries a lot of value, and likewise a lack of a warranty should reduce a lot of value. For this reason, I would usually say to buy notebook computers new or refurb (from Apple) if you can, and get as old of a model as possible, that still carries the full warranty. If you buy used, then factor in the risk of something breaking, and on an Apple notebook that could be a $500 repair or more. In fairness, I've had about 5 Apple notebooks over my life, and only 1 of them has had any issues.
  6. I don't plan on forcing the option, though had thought that when enabled, we'd give them a login warning notification asking them to enable it, every time they login. I haven't come across any services that forces me to 2FA yet, though I know some companies require it internally. But I think it might depend on the 2FA method being used before you could say if it would be a good idea to force it or not. There are times where you might want to disable 2FA temporarily too. So I think it's best to let the user control it, and maybe annoy them a bit with warnings when they aren't using it. But this is one of those things where I think we'll start fairly simple, but then start fine tuning the options according to what we find are the needs of people using it. I think support in the core is consistent with PW's strategy of making security the top priority. I think we are soon reaching the time (or already have in some cases) where 2FA is considered essential in order for an online application to be taken seriously as having an emphasis on security. I consider it essential for any other online account I maintain (as I imagine many do), so it should be in PW too. If we step outside the security aspect, I think it also builds trust and checks boxes for a lot of bigger companies that may be considering PW or comparing to other options. The support and interface for it will be in the core. The implementation of the interface will be in modules. There will very likely be one implementation module included in the core, though I'm not 100% positive on that yet. Either way, I'll be building and maintaining at least one of the modules that supports it. As I understand it, Google Authenticator is just a standard implementation of RFC 6238 and RFC 4226, like any number of other authenticator apps. As far as I know, they are compatible with each other, but Google Authenticator is just the most widely known/used. I think the compliant you mentioned is the nature of the technology, and not really anything about Google Authenticator in particular. But the complaint is also the reason why it's secure. Once one understands how it works and the steps they should take, I think it all make sense. I'll try to describe. The reality is that 2FA is an extra step, which you can't deny is an inconvenience. But it's like locking your door before you leave the house. Nobody likes having to take extra steps, what they like is the security benefit (if they understand it). And if you lose your keys, then yes you are locked out, unless you've got a backup method. This is why services typically provide backup 2FA methods (like SMS) or one-time use backup codes that you can store securely somewhere in case you ever lose your device. For every place where you use 2FA, you've established "a secret" between your device and the service/website (a long base32 string, which can also be represented by a QR code image). The reason it is secure is because it's not shared anywhere else. If that secret were stored up in the cloud or synced between devices and such, then it is becoming less secure. It is getting passed around networks just like your password, which kind of defeats the purpose of 2FA. If you buy a new phone, and can't restore backup data from your old phone for some reason, the yes you'd want to reset your 2FA for the new phone. If you've got your old device handy, then you'd switch the 2FA to your new device. If your old device is lost or non-functional, then this is where a backup method and/or one-time use code would come into play. If those options weren't available, when it comes to PW, one could also fix any of this by asking a superuser to reset it even temporarily disabling from $config (if nobody had admin access). As I understand it, this is simply a matter of a user 2FA off for some account, then turning it back on, so they can establish a new secret/QR code. There's already a password reset module built into PW. 2FA can be disabled for any individual account as needed. This is what the superuser account is for. This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure.
  7. This week we’re going to discuss a new security feature that’s currently in development on the dev branch: 2-factor authentication. In this post we look at the benefits of 2FA, how it works, the coming implementation in ProcessWire, and more: https://processwire.com/blog/posts/2-factor-authentication-coming-to-processwire/
  8. ryan

    Maybe we can support other options here, though I'm not going to be able to remember special characters or combinations in this (or be able to easily communicate that to others), just need to keep it as straightforward as possible. I did try "?" but it's too short for autocomplete. I'm not too worried about people not being able to search for "help", as I'm guessing it's pretty rare, and there's already the much more power Pages > Find, if someone can't accomplish something with the live search. Also, this help thing was really about introducing the feature and communicate how to use it in the blog post. I added it last minute as part of writing the blog post, and not certain it's really needed or will stay long term. Though if it did stick around, I suppose it could show a "type 'help' for instructions" link in a tiny dropdown when you are focused in an empty search box. Any module that manages items of any sort. In the core, these modules implement the searchable interface: ProcessField, ProcessTemplate, ProcessCommentsManager, ProcessPageType, ProcessUser. I left pages and modules implemented internally, because it ended up being more efficient to do so. I can't speak to other people's modules, but for me I'm adding support in FormBuilder, DatabaseBackups, HannaCode and ProcessWireAPI. This is primarily a text searching engine. I wasn't thinking folks would search for pages by ID in this search box. But it looks like "id==1001" or "pages.id==1001" does work (like rafaoski mentioned). I'm not sure I understand what you mean about getting your previous search, this sounds more like Lister?
  9. ryan

    @desbest I don't think the above will work, because most of the time when a 404 occurs, that's because the $page could not be found. So there is no $page available. The only place where you could add such a hook would be in /site/init.php, because usually a 404 would have been thrown already by the time your prependTemplateFile gets called—meaning it won't get called, except for doing the rendering of the actual 404 page. Where you might be able to get it to work is for your own manually thrown 404s in your template files. i.e. throw Wire404Exception(); or for pages that exist, but the user didn't have access to view them due to access control settings. Your $page = $event->object; is not a Page object, but rather a ProcessPageView object. If there was a $page available when the 404 was triggered, it would be in $event->arguments(0); That can either be a Page object, a NullPage, or null. Your $dapath variable probably doesn't have what you need, and needs to be sanitized as well. Try using $input->url() instead. Note that it's going to have slashes in it, since it is a URL, which means it's not going to work for your selector where you've got "name=$dapath". You'll want to extract out the first name in the URL and use that, i.e. $parts = explode('/', trim($input->url(), '/')); $name = array_shift($parts); $name = $sanitizer->pageName($name); // now you can use $name in a selector If you needed to, it should be fine to substitute the $input->url() with $_SERVER['REQUEST_URI'] since it is being sanitized with $sanitizer->pageName(). Though I think the values will likely be identical, so I'd prefer the $input->url().
  10. ryan

    Your first example isn't working for two reasons I can see. Though maybe these are ones you already know, but jut in case: 1) it needs to be in your /site/ready.php or /site/init.php file; 2) The addHookAfter() call is commented out, so it never gets hooked; 3) your str_replace() looks to me like it would result in 2 slashes being present at the end, rather than one (due to the rtrim). Another thing to consider is that $page->path() does not return a URL. It returns a page path. The might be the same in many instances, but if PW is running from a subdirectory, they won't. Also, neither are intended to be returning query strings, so it's kind of taking these methods outside the scope of what they are intended. Maybe it's okay to do, I'm not certain but I might suggest instead adding your own custom URL function or method, and using that to get these custom URLs for when you want them. For instance, you could add Page::myurl() method in your /site/init.php file: $wire->addHookMethod('Page::myurl', function($event) { $page = $event->object; $path = $page->path(); // determine if it's a going to be a custom URL if(strpos($path, '/page/') === 0) { // replace /page/ with /article/ list(,$path) = explode('/page/', $path, 2); $path = "/article/$path"; } // convert path to URL $url = $event->wire('config')->urls->root . ltrim($path, '/'); // add in any query string params stored in $input->whitelist $queryString = $event->wire('input')->whitelist->queryString(); if(strlen($queryString)) $url .= '?' . $queryString; // return the URL $event->return = $url; } Now, rather than calling $page->url(), you can call $page->myurl() for any of the cases where you want to use these custom URLs. Another strategy would be to change everything after the entire page has rendered, like with a after Page::render hook. Though I don't think I'd use that if your intention is to add query strings to URLs.
  11. Continuing from last week's post, ProcessWire 3.0.108 is now available on the dev branch, and it adds support for a new, more powerful live search in the admin. This week we will take a closer look at how it works, as well as how module developers can make their modules searchable too. https://processwire.com/blog/posts/pw-3.0.108/
  12. In this post we preview a new feature coming in ProcessWire 3.0.108, which is a major upgrade to our live search feature in the admin. In this update, PW’s search becomes a lot more versatile and powerful while remaining just as easy to use. Plus, there are some fun and useful power-user features that we’ll cover here too. https://processwire.com/blog/posts/processwire-3.0.108-preview/
  13. This week we've got a lot of updates on our core dev branch, including new features, issue resolutions and more. For starters, we've added support for making the Trash and Restore features available to non-superusers, along with related improvements. Plus we've got several new useful and interesting page traversal methods and properties added to our $page API. https://processwire.com/blog/posts/processwire-3.0.107-core-updates/
  14. ryan

    ProcessWire 2.4.0 is a pretty old version at this point, so if this is a site you are still involved with development on, it'd be worthwhile to update it, regardless of FormBuilder. You'd want to upgrade it to 2.7.3, and that would be a fine version to keep it with, if you'd like. For some of the older 2.x sites that I rarely work on, I keep them running on 2.7.3. You could also update it to the 3.x version, but that would be a more major update, and you might not necessarily need it for an older site. But you'd want to update to 2.7.3 first, either way. The upgrade instructions for going from 2.4 to 2.7 are here. As always, it's a good idea to test a major update in a development environment before applying to the production site... especially in this case where you'll be jumping 3 major versions (2.4 to 2.7). However, chances are, it'll be a smooth upgrade. Another possibility—I'm not positive that the current version of FormBuilder won't work with 2.4. Just that 2.7.3 is currently the minimum version that I'm testing with. You could always try it and see. But I kind of think upgrading to 2.7.3 is a good idea regardless of what you need to do with FormBuilder.
  15. ryan

    Like a lot of the stuff coming from PHP's superglobals, using $_SERVER[HTTP_HOST] in that manner actually isn't safe because it comes from request headers, which can be manipulated by the user (a type of user input). $input->httpUrl() on the other hand would be safe, or for just the equivalent of $_SERVER[HTTP_HOST] use $config->httpHost instead (which is validated). If your server uses both http and https (meaning same page accessible via http OR https), then you'll want to point to the https one as your canonical version, like you are doing in your example above. Here's how you might rewrite your example above. If you aren't using URL segments or pagination, then it's also fine to replace $input->url() with $page->url() like you did. The primary difference between $input->url() and $page->url() is that the $input version represents the actual request (including page URL plus URL segments, page numbers, and optionally query string), rather than just the static URL of the $page that it loaded. <link rel="canonical" href="<?php echo "https://$config->httpHost" . $input->url(); ?>" />