ryan

This week we look at ProcessWire’s strategy of continuous improvement and refactoring on top of our solid foundation, and in ProcessWire 3.0.111 that brought refactoring to a few core classes and some other useful additions… https://processwire.com/blog/posts/pw-3.0.111/

This week we take a look at a couple of reasons why you might want to choose InnoDB as your MySQL database engine when installing ProcessWire— https://processwire.com/blog/posts/using-innodb-with-processwire/

This week the focus has been on fixing various issues in the queue at our GitHub processwire-issues repository. So while there aren't any new/exciting features to write a blog post about, there are a lot of commits in ProcessWire 3.0.110 that fix various minor issues. If you are running on the dev branch, the upgrade is definitely worthwhile. You can review this week's commits in our commit log in the date range from August 6 to August 10. Also a big thanks to @netcarver who is now helping to administer the processwire-issues repository.

In the last blog post I told you about how two-factor authentication was coming to the core and what our plans were. This week it’s ready to use in ProcessWire 3.0.109, so we’ll take a closer look at all the details and how to use it: https://processwire.com/blog/posts/processwire-3.0.109-adds-two-factor-authentication/

I usually post to the blog on Fridays, but I've been working on ProcessWire-based client projects this week, so nothing new to post today. I'm back to working on the core next week and continuing the 2FA development, so will have more next week. Thanks and I hope that you have a great weekend.

These look like false positives, especially given the last one (a CSS file served by Apache). What's happening here is that your server is taking a long time to respond to the requests, and the testing tool is making the assumption that because it responded slowly, it must have executed the command it sent (sleep and timeout). Most likely your server took a long time to respond to the request because that testing tool is hitting the server hard, and it's either struggling to keep up, or it's throttling the tool, limiting how many requests it'll respond to at once. It's also possible you've got another server-side security tool that is detecting something trying to mess with it, and interrupting the request. With a tool like ZAP, false positives can happen, so you should use it to find where to look, but use the information it gives you to confirm on your own whether it's an issue or not. And if you ever think you've found some security an issue in any software, contact the author directly, don't post it in a public forum. The only other thing I'd suggest is to look at your site template that serves the first URL it mentions, and check if you are using a GET variable named "query", and if so what you are doing with it. However, I think this is unlikely given that it's reporting the same error on a CSS file, which is served directly by Apache, not ProcessWire.

I'm running on a 2013 macbook pro (15-inch) with 8gb ram and 256gb drive. I find it works well for PhpStorm and other web development tools. I don't have photoshop or docker, so can't say about those. It's the most reliable computer I've ever used, and it runs just as well as the day I bought it (not feeling any need to upgrade anytime soon). I do occasionally wish I had 16gb ram, but I don't think I actually need it. This is essentially what I've got, though mine is a couple years older and has half the ram. If you aren't moving your computer to different locations every day, the 15-inch screen is a lot more real estate than the 13-inch, which is useful when it comes to web dev. The 15-inch screen is a big difference to me, and something I can work off of all day. The 13 inch would probably be more challenging, especially in apps like PhpStorm or Photoshop. However, my eyes aren't great. Other things to mention about the 15-inch: It has a 4-core processor, vs 2-core on the 13-inch. But I'm not sure if it makes any difference for the applications you've mentioned. The 2015 model I think is using the older style keyboard (?) which would be a benefit, because it's a lot more reliable from what I understand. Then again, it is used, so who knows. Markets are different depending on location, but the price of the one you mentioned seems high to me, given that it is used. $1275 EUR is about $1500 USD, which is what I paid for my 15-inch MBP brand new. Though when I bought it, it was "last year's model", so the price had come down. But if you are considering the 15-inch, I would look around to see if there are others you could get for less and perhaps be able to negotiate the price down. Notebook computers are much more likely to break than desktop computers, and much more expensive to fix when they do. So a warranty carries a lot of value, and likewise a lack of a warranty should reduce a lot of value. For this reason, I would usually say to buy notebook computers new or refurb (from Apple) if you can, and get as old of a model as possible, that still carries the full warranty. If you buy used, then factor in the risk of something breaking, and on an Apple notebook that could be a $500 repair or more. In fairness, I've had about 5 Apple notebooks over my life, and only 1 of them has had any issues.

I don't plan on forcing the option, though had thought that when enabled, we'd give them a login warning notification asking them to enable it, every time they login. I haven't come across any services that forces me to 2FA yet, though I know some companies require it internally. But I think it might depend on the 2FA method being used before you could say if it would be a good idea to force it or not. There are times where you might want to disable 2FA temporarily too. So I think it's best to let the user control it, and maybe annoy them a bit with warnings when they aren't using it. But this is one of those things where I think we'll start fairly simple, but then start fine tuning the options according to what we find are the needs of people using it. I think support in the core is consistent with PW's strategy of making security the top priority. I think we are soon reaching the time (or already have in some cases) where 2FA is considered essential in order for an online application to be taken seriously as having an emphasis on security. I consider it essential for any other online account I maintain (as I imagine many do), so it should be in PW too. If we step outside the security aspect, I think it also builds trust and checks boxes for a lot of bigger companies that may be considering PW or comparing to other options. The support and interface for it will be in the core. The implementation of the interface will be in modules. There will very likely be one implementation module included in the core, though I'm not 100% positive on that yet. Either way, I'll be building and maintaining at least one of the modules that supports it. As I understand it, Google Authenticator is just a standard implementation of RFC 6238 and RFC 4226, like any number of other authenticator apps. As far as I know, they are compatible with each other, but Google Authenticator is just the most widely known/used. I think the compliant you mentioned is the nature of the technology, and not really anything about Google Authenticator in particular. But the complaint is also the reason why it's secure. Once one understands how it works and the steps they should take, I think it all make sense. I'll try to describe. The reality is that 2FA is an extra step, which you can't deny is an inconvenience. But it's like locking your door before you leave the house. Nobody likes having to take extra steps, what they like is the security benefit (if they understand it). And if you lose your keys, then yes you are locked out, unless you've got a backup method. This is why services typically provide backup 2FA methods (like SMS) or one-time use backup codes that you can store securely somewhere in case you ever lose your device. For every place where you use 2FA, you've established "a secret" between your device and the service/website (a long base32 string, which can also be represented by a QR code image). The reason it is secure is because it's not shared anywhere else. If that secret were stored up in the cloud or synced between devices and such, then it is becoming less secure. It is getting passed around networks just like your password, which kind of defeats the purpose of 2FA. If you buy a new phone, and can't restore backup data from your old phone for some reason, the yes you'd want to reset your 2FA for the new phone. If you've got your old device handy, then you'd switch the 2FA to your new device. If your old device is lost or non-functional, then this is where a backup method and/or one-time use code would come into play. If those options weren't available, when it comes to PW, one could also fix any of this by asking a superuser to reset it even temporarily disabling from $config (if nobody had admin access). As I understand it, this is simply a matter of a user 2FA off for some account, then turning it back on, so they can establish a new secret/QR code. There's already a password reset module built into PW. 2FA can be disabled for any individual account as needed. This is what the superuser account is for. ? This is definitely part of the plan. Though with the 2FA methods I've been working with, we can't enable it for anyone that hasn't set it up themselves. Maybe with Netcarver's PPP module when using email, it could work. Or maybe it would work with SMS when you've already got the user's mobile phone number stored. It needs to know the user name in order to be able to look up the user-specific secret for the codes. Technically it doesn't need the password. But 2FA without a password is no longer two-factor, and would have its own security problems, which might be even worse than not having 2FA in the first place. If someone gets a hold of your device, and needs no password for your account, then they essentially have access to your account. Whereas, the intention with 2FA is that both your password AND your device are necessary. It's that combination of factors that makes it secure.

This week we’re going to discuss a new security feature that’s currently in development on the dev branch: 2-factor authentication. In this post we look at the benefits of 2FA, how it works, the coming implementation in ProcessWire, and more: https://processwire.com/blog/posts/2-factor-authentication-coming-to-processwire/

Maybe we can support other options here, though I'm not going to be able to remember special characters or combinations in this (or be able to easily communicate that to others), just need to keep it as straightforward as possible. I did try "?" but it's too short for autocomplete. I'm not too worried about people not being able to search for "help", as I'm guessing it's pretty rare, and there's already the much more power Pages > Find, if someone can't accomplish something with the live search. Also, this help thing was really about introducing the feature and communicate how to use it in the blog post. I added it last minute as part of writing the blog post, and not certain it's really needed or will stay long term. Though if it did stick around, I suppose it could show a "type 'help' for instructions" link in a tiny dropdown when you are focused in an empty search box. Any module that manages items of any sort. In the core, these modules implement the searchable interface: ProcessField, ProcessTemplate, ProcessCommentsManager, ProcessPageType, ProcessUser. I left pages and modules implemented internally, because it ended up being more efficient to do so. I can't speak to other people's modules, but for me I'm adding support in FormBuilder, DatabaseBackups, HannaCode and ProcessWireAPI. This is primarily a text searching engine. I wasn't thinking folks would search for pages by ID in this search box. But it looks like "id==1001" or "pages.id==1001" does work (like rafaoski mentioned). I'm not sure I understand what you mean about getting your previous search, this sounds more like Lister?

@desbest I don't think the above will work, because most of the time when a 404 occurs, that's because the $page could not be found. So there is no $page available. The only place where you could add such a hook would be in /site/init.php, because usually a 404 would have been thrown already by the time your prependTemplateFile gets called—meaning it won't get called, except for doing the rendering of the actual 404 page. Where you might be able to get it to work is for your own manually thrown 404s in your template files. i.e. throw Wire404Exception(); or for pages that exist, but the user didn't have access to view them due to access control settings. Your $page = $event->object; is not a Page object, but rather a ProcessPageView object. If there was a $page available when the 404 was triggered, it would be in $event->arguments(0); That can either be a Page object, a NullPage, or null. Your $dapath variable probably doesn't have what you need, and needs to be sanitized as well. Try using $input->url() instead. Note that it's going to have slashes in it, since it is a URL, which means it's not going to work for your selector where you've got "name=$dapath". You'll want to extract out the first name in the URL and use that, i.e. $parts = explode('/', trim($input->url(), '/')); $name = array_shift($parts); $name = $sanitizer->pageName($name); // now you can use $name in a selector If you needed to, it should be fine to substitute the $input->url() with $_SERVER['REQUEST_URI'] since it is being sanitized with $sanitizer->pageName(). Though I think the values will likely be identical, so I'd prefer the $input->url().

Your first example isn't working for two reasons I can see. Though maybe these are ones you already know, but jut in case: 1) it needs to be in your /site/ready.php or /site/init.php file; 2) The addHookAfter() call is commented out, so it never gets hooked; 3) your str_replace() looks to me like it would result in 2 slashes being present at the end, rather than one (due to the rtrim). Another thing to consider is that $page->path() does not return a URL. It returns a page path. The might be the same in many instances, but if PW is running from a subdirectory, they won't. Also, neither are intended to be returning query strings, so it's kind of taking these methods outside the scope of what they are intended. Maybe it's okay to do, I'm not certain but I might suggest instead adding your own custom URL function or method, and using that to get these custom URLs for when you want them. For instance, you could add Page::myurl() method in your /site/init.php file: $wire->addHookMethod('Page::myurl', function($event) { $page = $event->object; $path = $page->path(); // determine if it's a going to be a custom URL if(strpos($path, '/page/') === 0) { // replace /page/ with /article/ list(,$path) = explode('/page/', $path, 2); $path = "/article/$path"; } // convert path to URL $url = $event->wire('config')->urls->root . ltrim($path, '/'); // add in any query string params stored in $input->whitelist $queryString = $event->wire('input')->whitelist->queryString(); if(strlen($queryString)) $url .= '?' . $queryString; // return the URL $event->return = $url; } Now, rather than calling $page->url(), you can call $page->myurl() for any of the cases where you want to use these custom URLs. Another strategy would be to change everything after the entire page has rendered, like with a after Page::render hook. Though I don't think I'd use that if your intention is to add query strings to URLs.

Continuing from last week's post, ProcessWire 3.0.108 is now available on the dev branch, and it adds support for a new, more powerful live search in the admin. This week we will take a closer look at how it works, as well as how module developers can make their modules searchable too. https://processwire.com/blog/posts/pw-3.0.108/

In this post we preview a new feature coming in ProcessWire 3.0.108, which is a major upgrade to our live search feature in the admin. In this update, PW’s search becomes a lot more versatile and powerful while remaining just as easy to use. Plus, there are some fun and useful power-user features that we’ll cover here too. https://processwire.com/blog/posts/processwire-3.0.108-preview/

This week we've got a lot of updates on our core dev branch, including new features, issue resolutions and more. For starters, we've added support for making the Trash and Restore features available to non-superusers, along with related improvements. Plus we've got several new useful and interesting page traversal methods and properties added to our $page API. https://processwire.com/blog/posts/processwire-3.0.107-core-updates/

ProcessWire 2.4.0 is a pretty old version at this point, so if this is a site you are still involved with development on, it'd be worthwhile to update it, regardless of FormBuilder. You'd want to upgrade it to 2.7.3, and that would be a fine version to keep it with, if you'd like. For some of the older 2.x sites that I rarely work on, I keep them running on 2.7.3. You could also update it to the 3.x version, but that would be a more major update, and you might not necessarily need it for an older site. But you'd want to update to 2.7.3 first, either way. The upgrade instructions for going from 2.4 to 2.7 are here. As always, it's a good idea to test a major update in a development environment before applying to the production site... especially in this case where you'll be jumping 3 major versions (2.4 to 2.7). However, chances are, it'll be a smooth upgrade. Another possibility—I'm not positive that the current version of FormBuilder won't work with 2.4. Just that 2.7.3 is currently the minimum version that I'm testing with. You could always try it and see. But I kind of think upgrading to 2.7.3 is a good idea regardless of what you need to do with FormBuilder.

Like a lot of the stuff coming from PHP's superglobals, using $_SERVER[HTTP_HOST] in that manner actually isn't safe because it comes from request headers, which can be manipulated by the user (a type of user input). $input->httpUrl() on the other hand would be safe, or for just the equivalent of $_SERVER[HTTP_HOST] use $config->httpHost instead (which is validated). If your server uses both http and https (meaning same page accessible via http OR https), then you'll want to point to the https one as your canonical version, like you are doing in your example above. Here's how you might rewrite your example above. If you aren't using URL segments or pagination, then it's also fine to replace $input->url() with $page->url() like you did. The primary difference between $input->url() and $page->url() is that the $input version represents the actual request (including page URL plus URL segments, page numbers, and optionally query string), rather than just the static URL of the $page that it loaded. <link rel="canonical" href="<?php echo "https://$config->httpHost" . $input->url(); ?>" />

For those particular cases, your strategy seems fine, since the site/page/?forgot=1 and site/page/?register=1 are entirely different content from site/page/ without the query string (I'm presuming, as it looks like LoginRegister). Another way would be to block them with a meta robots tag in your document <head>, i.e. if($input->get('forgot') || $input->get('register')) { echo '<meta name="robots" content="noindex, nofollow">'; } Or, you could just deliver unique title tags, and omit the meta description tags, for those cases. But that would take a little more code, and these page variations presumably aren't useful to search engines anyway. So I think what you are doing, or the solution above, is a good way to go. For other cases, where the query string doesn't indicate entirely different content (such as a GET var that changes the sort of a list, or something like that), you'd probably want to use a canonical <link> tag. This will tell the search engine that the request can be considered the same as the one given in the href attribute. And the URL in the href attribute is the canonical, or main one. This will prevent the Google Search Console from flagging duplicate titles or meta descriptions on the query string variations of the page. <link rel='canonical' href='<?=$input->httpUrl()?>'> Btw, the $input->httpUrl() includes URL segments and pagination numbers (when applicable) so is more likely to be preferable to $page->httpUrl() when it comes to canonical link tags.

I think that's a good idea. Though I'm not sure we've got enough existing material on the forums to warrant creating a new board for the purpose just yet (?), but would suggest maybe the Pub or Beer Garden as a good place for now. We can always create a new board when the amount of content reaches a critical mass, which is the strategy we've been using so far. I don't think we can support video uploads here, though embedding from YouTube/Vimeo is a good way to go for this.

I think they are referring to a Drupal setting that maps to CKEditor's config.fullPage, for editing a full HTML document? That's not something we use. Though it's possible I'm missing something. I noticed CKEditor 4 is now up to version 4.9.2 (we are on 4.8.0). Maybe they have fixed the issue in CKE. I'm going to update to 4.9.2 in PW core 3.0.107 this week, hopefully that'll help.

I've been traveling in the second half of this week, so will release ProcessWire version 3.0.107 for next week. This week we look at the WordPress vs. ProcessWire series of videos by Jonathan Lahijani. We talk with him about the how the videos are made, what inspired them, what’s been learned, platform strengths, future plans, and more. https://processwire.com/blog/posts/wordpress-vs-processwire/

I've run into this problem on a client site before. I was never able to duplicate it myself, but noticed there were style attributes ending up in the CKE field of my client's site somehow, and the client said they pasted from Word. I don't have Word, and I'm not observing the issue occurring with pasting from anything else, so there must be some Microsoft trickery going on, who knows. I don't understand why CKE's ACF allows it. It does seem like a CKE bug. I'm sure it's possible to configure HTML Purifier to remove that stuff, but haven't looked too closely into it. While there is a way to force CKE to paste as plain text (see thread that flydev linked), I don't really like losing links and normal CKE formatting when I paste, because I'm often pasting from one CKE field to another, and having to redo all the formatting is a pain. Usually if I want to paste as plain text, I just use SHIFT-CMD-V on Mac (SHIFT-CTRL-V on PC), as this is a pretty universal way to paste as plain text, anywhere. But the reality is, clients aren't likely to remember it, and many are doing Edit > Paste, rather than using the keyboard. I'd rather not have the client have to think about whether they need to use plain text pasting or not. A simple way to remove style attributes from CKE fields is to hook after the process input, look for them, and then remove them. This hook at the top of your /site/templates/admin.php file should do the trick: $wire->addHookAfter('InputfieldCKEditor::processInput', function($event) { $inputfield = $event->object; $value = $inputfield->attr('value'); if(strpos($value, 'style=') === false) return; $qty = 0; $value = preg_replace('/\bstyle=(["\'])([^\1]+?)\1/i', '', $value, -1, $qty); if(!$qty) return; $inputfield->attr('value', $value); $inputfield->trackChange('value'); $inputfield->warning("Stripped $qty style attribute(s) from field $inputfield->name"); }); Word may be adding some other weirdness too, but I don't have a good example to look at to know what else there might be (MSO-specific class names?). In any case, we could probably remove it in a similar manner.

Nicely timed question— this is actually already in 3.0.107, and I've just been testing it locally this morning. If there are any pages in the trash that a user had edit permission to, then they can see the trash, and see those pages in the trash. The trash and restore actions also are now supported for non-superusers. They can't see pages in the trash that they don't have page-edit/page-delete permission, only superuser can see those.

Lenz: If you just output that $config var in your <head>...</head> it will take care of it for you. i.e. <?=$config->pagerHeadTags?> It is just a shorter version of doing this (which you can do in any PW 3.x version): <?php if($config->urls->next) echo "<link rel='next' href='{$config->urls->next}' />"; if($config->urls->prev) echo "<link rel='prev' href='{$config->urls->prev}' />"; ?>

That's right, field names have precedence, and it also warns you if you try to create a tag that collides with a field.