Loges

Members
  • Posts: 23

Posts posted by Loges

  1. Hi,

     

    I've spent ages trying to work this out, so I'm hoping someone knows the answer.

     

    I'm writing a class to handle form submission to textarea fields.  Sometimes it will be an RTE (CKEditor) field and sometimes it'll be plaintext textarea and I'm wanting to purify/sanitize whilst keeping line breaks.

     

    I *think* I've got solutions for both but for the life of me I can't figure out how to get info on the target field via the API on whether it's a field that uses the RTE or not.  I'm hoping I should be able to do a check against the field's inputfieldClass but I can't see how to access that property from the API.

     

    Any help appreciated (or if there's a sanitize/purify option that works for both that's even better).  Best I can get so far is

     $wire->sanitizer->purify($inputstr);

     

    $cleaned = $wire->sanitizer->textarea($inputstr, ['multiLine' => false, 'newlineReplacement' => "<br/>", 'stripTags' => false]); //for RTE textarea fields
  2. Yes that's what I do for the most sensitive data (disclaimer also a relative noob).  For those sensitive fields there's nothing readable on the PW server and it calls a remote server to decrypt - basically exactly as you've outlined - checks the IP address of the incoming request then does the decryption and returns as required.

     

    It just means that any MySQL dump from either server in isolation is useless, and even if the MySQL dump and the PHP files from the main server are available it's one more step away.  (The remote server MySQL only contains a PW ID key and the encrypted data so nothing identifiable really).  So it's not perfect but would require someone gaining full access to the server in situ (ie on its current IP address) rather than just hacking a backup somewhere.  Given the data is identifiable but relatively innocuous I hope that's enough to get anyone malicious to give up and go after one of the millions of Wordpress sites :-)

     

    Backups are (maybe wrongly) really my biggest concern.  Goodness knows how many there are floating around with web hosts doing auto backups, sitting on my own hard drives, backups to Dropbox, sitting in PW database backup folders on the server etc

     

    Again, I'm not dealing with catastrophic data (eg credit cards) so I figure a level of hackery is OK.  For one site we store a person's bank account number so we can generate batch bank payments to them (ie it's nothing that's not sent around on an invoice - we can pay into the account but not draw from it obviously) but I really didn't want hundreds of names, addresses and bank numbers sitting in a MySQL dump in clear text anywhere.

  3. Yes I envisage the fields to encrypt would not be searchable.  Eg I wouldn't encrypt City, Gender, Broad Age Range, but I WOULD encrypt street address, date of birth.  So the broad demographic data is searchable (and not overly sensitive personal data), whereas the specific personal data is encrypted (and not searchable - and not needed to be).

     

    Would another option be to just basically hash the values (with a key to unhash them), so the search would look to match the hash string rather than decrypting everything?  That would only work for exact string matches I suppose and would need some intervention in the find query eg $pages->find("template=person, city=".hashStr('London')) where the hashStr() function converts to the hashed value?

     

    That would still make the MySQL dump/tables unreadable to the average or low level person whilst retaining some level of searchability?

  4. Thanks @BitPoet

     

    I'll have a crack at a basic version that really just makes it a bit harder to get into.  I'm really just looking to make it hard enough that it's not worth the hassle trying to crack for an opportunist.  I wouldn't be comfortable (or capable) of more than that, and given the low level personal data that's all it'll need anyway.

     

    It sounds like you live and breathe this stuff, whereas it's not an area I've spent much time in.  Do you have a recommendation for settings ie I take on board not using AES256 with ECB - are there standard settings that you'd recommend?  I'm assuming we're talking about the openssl encryption module (maybe showing my ignorance here)?

     

    Given my low level requirements what's my best bang for buck IV generator?

     

    Thanks
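
An illustration of the two ideas raised in the posts above (non-ECB encryption with a fresh IV per value, and a keyed hash for exact-match lookups), added here as an example and not code from any poster or from ProcessWire. The function names, the inline-generated keys and the sample values are assumptions; it uses PHP's openssl extension with AES-256-GCM.

```php
<?php
// Added example. Keys are generated inline only so the script runs stand-alone;
// real keys would be loaded from somewhere outside the database and its dumps.
$encKey   = random_bytes(32); // AES-256 key (constructed for this demo)
$indexKey = random_bytes(32); // separate key for the exact-match index

// Encrypt one field value with AES-256-GCM (an authenticated, non-ECB mode).
// Returns base64(iv || tag || ciphertext) so one text column can hold it.
function encryptField(string $plain, string $key): string {
    $iv = random_bytes(12); // fresh 96-bit IV per value from the OS CSPRNG
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Reverse of encryptField(); throws if the value was truncated or modified.
function decryptField(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed stored value');
    }
    [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Keyed hash (HMAC-SHA256) stored beside the ciphertext for exact-match lookups.
// Hypothetical helper named after the hashStr() idea in the post above.
function hashStr(string $value, string $key): string {
    return hash_hmac('sha256', strtolower(trim($value)), $key);
}

// Constructed sample data.
$a = encryptField('12 Example Street', $encKey);
$b = encryptField('12 Example Street', $encKey);
echo 'same plaintext, different ciphertext: ', var_export($a !== $b, true), "\n";
echo 'round trip: ', decryptField($a, $encKey), "\n";
echo 'index match: ', var_export(hash_equals(hashStr('London', $indexKey), hashStr(' london ', $indexKey)), true), "\n";
try {
    decryptField(substr($a, 0, -4) . 'AAAA', $encKey); // simulate a corrupted row
} catch (RuntimeException $e) {
    echo 'tampered value rejected: ', $e->getMessage(), "\n";
}
```

A keyed hash stored this way still shows which rows share the same value, and it only supports exact matches on the normalized string.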

  5. Hi all,

     

    I'm building my first PW site that will contain user personal info (it's a job matching site where people sign up to create a profile where some is public, some is used by admins in the back end).  Now obviously people are signing up and it's all transparent what info they're providing and what we're doing with it.  My concern is that this info is stored in fields in the database in clear text so if a MySQL database dump goes missing it's got a lot of personal information stored in it.  Frankly there's nothing too private (we don't collect DOB, financial data etc) but it is definitely personal data.  This is in Australia only so not as onerous as GDPR but the new privacy breach reporting/notification laws (and general good practice) mean I want to minimise any potential issue.

     

    On other sites I've built (non PW) that handle personal data I do a basic encrypt/decrypt for those fields so the database dump is gibberish (not perfect as obviously with the PHP files it can be decrypted but the SQL dump by itself is safer).

     

    I figure I could create a new fieldtype/inputfield in PW where I do a similar thing, but then that of course means any $pages->find() requests on those fields won't work.

     

    Has anyone dealt with a similar issue and (hopefully) come up with an elegant solution?

     

    Thanks 

  6. Hi all,

    An issue that I've only discovered on a site I've recently upgraded from 3.0.42 to 3.0.88.  This does NOT affect SuperUsers but DOES affect users who I've set up as Admins with user-admin permission.  If one of those users tries to create a new user it throws the following error.

     

    Has anyone else seen this, can replicate etc?  I assume something has changed in the core as part of the User upgrades a few versions ago, but no idea why it would work for SuperUsers but not others.  

     

    Error: Uncaught TypeError: Argument 2 passed to ProcessWire\ProcessUser::checkSaveRoles() must be an instance of ProcessWire\User, instance of ProcessWire\Page given, called in /sitepath_redacted/wire/modules/Process/ProcessUser/ProcessUser.module on line 356 and defined in /sitepath_redacted/wire/modules/Process/ProcessUser/ProcessUser.module:368 

    In a module I'm writing I want to run a hook function when a page is saved EXCEPT for when the module creates its own page.

    So of course the problem is that as part of creating a new page it triggers the after save hook which I don't want in that case.

    I've tried with a session variable hoping that would give me a toggle (as seen below) but it's not saving for some reason (I've tried with a blunt $_SESSION['newPageCreated'] non-PW session variable too).

    Snipped down code below.  Not even sure if this approach is the best way to go so happy to hear alternative approaches if I'm trying to fit a square peg into a round hole this way.

     

    	public function init() {
    		// add a hook before the page is added (to auto generate a name)
    		$this->pages->addHookBefore('added', $this, 'beforePageAdd');
    		// add a hook after the $pages->save
    		$this->pages->addHookAfter('save', $this, 'afterPageSave');
    	}
    
    	public function afterPageSave($event) {
    		global $wire;
    		$mypage = $event->arguments[0];
    		//handle what to do if this is a modal popup
    		if(in_array($mypage->template, $this->tplToTransfer) and $wire->session->get("newPageCreated") === false) {
    			wire("session")->redirect($wire->config->urls->root."post/admin/close-modal.php");
    		}
    		$wire->session->set("newPageCreated",false);
    	}
    
    	public function beforePageAdd() {
    		global $wire;
    		$parid = $this->input->get->parent_id;
    		$parpage = $wire->pages->get($parid);
    		$newTemplate = "templatename";
    		$wire->session->set("newPageCreated",true);
    		if (in_array($parpage->template, $this->tplToTransfer)) {
    			$p = new Page();
    			$p->parent = $this->input->get->parent_id;
    			$p->template = $newTemplate;
    			$p->removeStatus(Page::statusUnpublished);
    			$p->save();
    			$wire->session->redirect("../edit/?id=$p->id");
    		}
    	}

     

  8. Hi all,

    Maybe I'm thinking about this the wrong way but I'd like to create a new field that is a Select where the user can select from the list of fields in the CMS.  Just like you'd select from a list of Pages (but in this case fields).

    Wanting to do a "mapping" like is done in the Pro module Form Builder.

    I figured it would be like a normal Page Reference where the parent is the Admin>Setup>Fields page but that doesn't show anything.

    As a result I basically want the ID or name of the field chosen so I can reference it later (in the same way as Form Builder does I guess).

    Thanks

    @Xonox have you used template caching at all?  I really don't use template caching on any of my sites except one, which is the only one I have seen the same problem.  May be unrelated, it happens even after I turned all the template caching off.  

    Adding the namespace didn't seem to help for me.

    I also have a bunch of files in the templates folder that don't render as visible templates (basically reusable chunks) so I think that makes them less likely to get checked/recompiled (they just get included in actual rendered templates).

    Haven't gotten to the bottom of it and it's a site that rarely gets dev changes so I just delete the compiled versions whenever anything is changed in those template files and it's fine.  Haven't tried re-installing and frankly for my affected site it's not worth the effort, but would be interested if anyone finds a solution or explanation.

  10. Hi all,

    I'm building a "news" type site and creating a "related articles" list on article pages.  That's easy enough with tags/categories fields I've setup but I'd like to exclude any articles from the list that have already been viewed by the user that session.

    I can of course store the page IDs that have been viewed in a session array.

    Is there a way to do this with the PW API eg $pages->find("template=articles, category=localnews, pageid!=34,56,87") or similar?

    I know I can pull all pages then exclude in PHP afterwards but would rather do without the extra overhead if possible.

    Thanks

    Loges

  11. Do you mean in the Inputfield (what you see when editing a ProcessWire page with a Media Manager field) or in the Media Library itself? I ask because there are no tabs in the former. The settings for fields only affect individual fields and are not universally applied to the Media Library (the manager itself). But there was a bug in the former in the text being displayed in the Inputfield and I fixed that in MM version 002.

    I grappled with this (the first part of your statement) during development and settled for highlighting the title with a view to revisiting in the future. Will have a look again. As for the Edit and Crop buttons, I don't understand what you mean. Please clarify.

    Am not sure I follow. Are you talking about the Media Library or a Media Manager field - Inputfield?

    Media Manager displays a notice (success or failure notices) when you select media and click on 'Insert Media'. Are you not seeing this in your tests? As for closing the modal window, the idea is that one may want to insert more media from other Media Library pages not currently in view. Closing the window would mean they have to open the modal again in order to insert the other media. I have explained this in the (upcoming) documentation so as not to confuse users.

    Hi Kongondo, apologies for delayed reply...

    For reference I have MM v0.0.2 and PW dev 3.0.12.

    1. Re inputfield - yes I've created a new field and applied to page (only ticked Image when creating the field).  When I then go to edit a page with this field, it says "Allowed Media Types: Image".  If I click Add Media in that field the modal pops up and I see tabs at the top for All, Audio, Document, Image, Video, Upload.  The field type is "Media Manager" - have I used the wrong field type?

    2. Yes I don't know the answer for the highlighting - it's probably just something you get used to.  Same with the Edit and Crop buttons - on a dark image you just can't see them unless you hover on the large image on the right hand side.  Again, probably just something that can be trained into users, I'm being picky :-).

    3. My ideal workflow for users when editing a page is, open media library from the page field to select an image to insert.  There would be only the images displayed (no All, Audio, Document etc).  To upload a file from that window they could just drag n drop a file to that modal window and it would get added to the image list.  This might be a moot point if I've set up wrong re point 1 above.

    4. Yeah I'm seeing the success notifications.  I just can't think of a time when a user would need to do more than one action in that modal window.  If they want to insert multiple images they'd just highlight them all then click Insert (which is what happens now).  If they've done that then they don't need the modal window open any more.  I admit this may not be the workflow for everyone but in the instances I can think of for my users, 95% of the time having the window close on successful insert would be preferable.  I take your point about having multiple pages to scroll through changing this.  I suppose the vast majority of my use cases are inserting only one image per field (ie it's an image field rather than a carousel).  Maybe there could be an "Insert & Close" button in addition to the "Insert Media" button?  Depends whether you think that makes it more cluttered/confusing vs benefit.

  12. The double click issue for Media Manager admin link in Reno looks like it can be solved by setting the Media Manager sub pages to hidden.  Not sure if that breaks anything else (didn't seem to in my quick test) but appears the system is looking for children pages hence the empty dropdown and requirement to double click to go to the main MM admin page.

  13. Yes the Reno double-click got me stumped for a while before I figured it out - definitely a "gotcha".  As soon as I went back to the default theme it worked as planned - can we get a fix for this?  ATM I'd be rolling out the default Admin theme to end-users rather than trying to explain that Media Manager link works differently to every other link (and I'd prefer the Reno theme if possible).

    I've had a good read through of the Readme and had a play on a test site (so I'm not totally familiar yet), loving the module so far - it's not quite as easy to use as the Wordpress media manager (which is what end users will be comparing to frankly - and maybe limited by being a bolt-on rather than in the core), but an exciting start!

    Really love the "versions" of the image that can be created from duplicates with different cropping etc.

    Couple of quick ones:

    - Even if a field is listed as Image it still shows tabs for Audio/Document/Video which I thought was a bit counter-intuitive (or maybe only happens as a superadmin?).

    - Took me a while to figure out which image was active/highlighted in the modal view - maybe a highlight box around or something would be good rather than just the black highlighted name text (or maybe I was just being dense at the time). Same goes for the Edit & Crop buttons on the active image overlay.

    - Would like to be able to upload directly dropping into the image list rather than having to go to a separate tab (what I'm aiming for is to have a field that is Image only, so end users just see the Image tab and can select from there as well as drag n drop upload on that same div).  

    - Maybe make it more obvious once media is inserted into a page field (should the media manager window close then?).  I found myself adding media multiple times because I didn't realise it'd updated after clicking "Insert Media".

    All just minor UX things, and some of it might just be me (therefore, end users) getting familiar with it.  

    Great job Kongondo.  This module is getting me closer to doing everything on PW rather than the few that I still do on WP when media management is more important to clients than a good CMS.
