Everything posted by DrQuincy

  1. Thanks. Yes, I think you're right on the number: 62^16. So when you put it like that it seems more than fine. The firewall should pick up on repeating attempts anyway. When it comes to stuff like this, I always self-doubt so like to get a second opinion. 🙂 As part of the process the phone number is the only field we will always have. I didn't mean it so much for intercepted SMSs as they would have the token by then, no matter how secure. It was more as a way to only allow the brute forcing of one user at a time. By the way, I'm sure you cited GUIDs because of their length but you should never use them for secure tokens. They're generated for uniqueness, not unpredictability.
  2. A client wishes to send an SMS as well as email to a lead gen system I have built. Users receive emails with a link containing a 128-bit secure token that when clicked shows some PII (Personally identifiable information just to be clear). They click it and get another form with their name, address, phone and email. No banking data or anything, just contact details. With the SMS we are much more limited with characters and don't want to send 128-bit tokens in hex as they are 32 characters long. And hex is inefficient when it comes to characters as it only uses 0–9, A–F. We have a short domain. If I generated a 16 character string from characters 0–9, a–z, A–Z using random_int() (which is cryptographically secure) we could add links like this to the SMS:
     short.com/x0O56AB1npLxmU3H
     This would redirect to their form. I am being extra cautious as there is effectively no “user name”. I wanted a second opinion on it. I could make them verify their phone number, acting as a user name, but I'm reluctant as phone numbers can be a bit ambiguous compared to email (spaces, +() — and not everyone will have entered an email (it is optional and some of the older demographic omit this part). I can also make them expire after a time (30 days) and there will only ever be a few hundred valid tokens at any one time. Given the above information, how long would you make the secure token? Thanks.
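The two posts above reason about a 16-symbol token drawn from 62 characters. The PHP below is an added example, not code from the poster or from ProcessWire: it generates such a token with random_int() exactly as proposed, computes the entropy (16 symbols of a 62-character alphabet give just over 95 bits), estimates the average number of guesses needed to hit any one of a given number of live tokens (the figure that matters when there is no user name to narrow the search), and adds the two checks a practitioner would put in front of the database lookup: a strict format check and the 30-day expiry the post mentions. Function names and the TTL default are this example's own choices.

```php
<?php
declare(strict_types=1);

// Alphabet from the post: 0-9, a-z, A-Z (62 symbols). Constructed for this example.
const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

/**
 * Build a token of $length symbols drawn uniformly from TOKEN_ALPHABET.
 * random_int() is PHP's CSPRNG and is already uniform on [0, 61], so there
 * is no modulo bias to correct for (unlike rand() % 62 would have).
 */
function generateToken(int $length = 16): string
{
    $lastIndex = strlen(TOKEN_ALPHABET) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $lastIndex)];
    }
    return $token;
}

/** Entropy of a uniform token in bits: length * log2(alphabet size). */
function tokenEntropyBits(int $length, int $alphabetSize = 62): float
{
    return $length * log($alphabetSize, 2);
}

/**
 * Average number of guesses needed to hit *any* of $liveTokens valid tokens:
 * half the keyspace divided by the number of tokens that are live at once.
 * 62 ** 16 exceeds PHP_INT_MAX, so PHP returns the result as a float.
 */
function expectedGuessesToHit(int $length, int $liveTokens, int $alphabetSize = 62): float
{
    return ($alphabetSize ** $length) / 2 / $liveTokens;
}

/**
 * Cheap pre-check before touching the database: accept only exactly $length
 * symbols of the alphabet, so malformed input never reaches the lookup query.
 */
function tokenIsWellFormed(string $token, int $length = 16): bool
{
    return preg_match('/^[0-9A-Za-z]{' . $length . '}$/', $token) === 1;
}

/** Expiry check for the 30-day lifetime mentioned in the post (Unix timestamps). */
function tokenIsLive(int $issuedAt, int $now, int $ttlDays = 30): bool
{
    return ($now - $issuedAt) < $ttlDays * 86400;
}

// Demo run.
$token = generateToken();
printf("token:                       %s\n", $token);
printf("entropy:                     %.1f bits\n", tokenEntropyBits(16));
printf("guesses vs 500 live tokens:  %.2e\n", expectedGuessesToHit(16, 500));
printf("well-formed:                 %s\n", tokenIsWellFormed($token) ? 'yes' : 'no');
printf("live after 31 days:          %s\n", tokenIsLive(0, 31 * 86400) ? 'yes' : 'no');
```

One caveat worth keeping in mind when the token alone opens the form: it is a bearer credential, so storing only a hash of it (for example a SHA-256 of the token) in the database and hashing the presented value before lookup means a leaked table does not hand out working links.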
  3. I have a select field that allows the user to choose from a drop down of repeater pages for that current page. I have set Selector string to id=page.options. This works perfectly for me as the superuser but when the client logs in (custom role content-manager) they can't see anything but an empty drop down even though they have edit access for the template. So template typeface has a field called initialStyle (Page select as above). That chooses from a repeater called options. How do I grant permission for content-managers to see the pages from options in initialStyle when editing a typeface template? content-manager already has (I think by default) view access to repeater_options. Thanks.
  4. Thanks @teppo, interesting to see that commit. @Robin S Thank you, that works great! I'm thinking I might change it so that instead of removing brackets it removes (0). My clients are UK-based and (0) is preceded by +44. If you have +440, this is technically invalid and won't always work.
  5. I've noticed that if I have a CKEditor field and add a link that begins with tel:, e.g.
     tel:+44 (0)1234 567 0000
     When I view source immediately in CKEditor I see:
     <p><a href="tel:+44 (0)1234 567 000">TEST</a></p>
     So it's not being removed by ACF (that seems to run once you close the source dialog). But when I save it I get this:
     <p><a href="tel:+4420012342056720000">TEST</a></p>
     It looks like it's encoded it correctly (%20 for each space) and then stripped out the %, making the number invalid. If you omit tel: from the link everything is encoded correctly. It seems to affect all my installs regardless of version (3.0.165+). I have an old site on 3.0.98 that doesn't seem to have this issue. I'm worried now quite a few sites will have invalid numbers. What is happening and is this intended behaviour? Does it run through HTML purifier? It seems to be the same even if you set Content Type to Unknown/Text rather than Markup/HTML. EDIT: It is HTML purifier. If in the Input tab of the field you set Use HTML Purifier? to false, it doesn't do anything with the HTML. It seems fine with a 3.0.98 site though with the same settings. Is there anywhere to switch this feature off while still having Use HTML Purifier? set to true? If not, I guess my options are to either switch it off (I think that's okay within a CMS context since ACF would strip out anything untoward) or tell clients they can only use +, - and 0-9 in phone numbers.
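The two tel: posts above describe the same root problem from both ends: spaces and brackets in a tel: href need percent-encoding, and the encoded form does not survive the later sanitising step. The PHP below is an added example, not ProcessWire, CKEditor or HTML Purifier code: it normalises the number part of every tel: href in an HTML fragment to a plain "+" and digits, which needs no encoding at all and so is safe to store with the purifier left on. Following the follow-up post, a "(0)" trunk prefix directly after a country code is dropped rather than kept (so +44 (0)1234 567 000 becomes +441234567000). Where to call it is an assumption: a natural place would be a save hook that runs before the field value is stored.

```php
<?php
declare(strict_types=1);

/**
 * Normalise the number part of a tel: href to an optional leading "+" followed
 * by digits only. Returns null when $href is not a tel: link or has no digits,
 * so callers can leave such values untouched.
 *
 * Assumption taken from the thread: a "(0)" trunk prefix that directly follows
 * a country code, as in +44 (0)1234, is removed, because +440... is not a
 * valid international number.
 */
function normaliseTelHref(string $href): ?string
{
    $href = trim($href);
    if (stripos($href, 'tel:') !== 0) {
        return null;
    }
    $number = ltrim(substr($href, 4));

    // "+44 (0)1234" -> "+441234": drop the national trunk zero after a country code.
    $number = preg_replace('/^(\+\d+)\s*\(0\)/', '$1', $number);

    $hasPlus = substr($number, 0, 1) === '+';
    $digits  = preg_replace('/\D+/', '', $number);
    if ($digits === '') {
        return null;
    }
    return 'tel:' . ($hasPlus ? '+' : '') . $digits;
}

/**
 * Rewrite every <a href="tel:..."> in an HTML fragment. A regex over the href
 * attribute is used deliberately so the example stays self-contained; it covers
 * the double-quoted href that CKEditor emits here and leaves other links alone.
 */
function normaliseTelLinks(string $html): string
{
    return preg_replace_callback(
        '/(<a\b[^>]*?\bhref=")(tel:[^"]*)(")/i',
        function (array $m): string {
            // Decode entities such as &amp; before normalising, then re-emit digits only.
            $fixed = normaliseTelHref(html_entity_decode($m[2], ENT_QUOTES));
            return $m[1] . ($fixed ?? $m[2]) . $m[3];
        },
        $html
    );
}

// Demo on the markup quoted in the post (constructed input for this example).
$input = '<p><a href="tel:+44 (0)1234 567 000">TEST</a> and <a href="https://example.org/">other</a></p>';
echo normaliseTelLinks($input), "\n";
```

The https link in the demo passes through unchanged; only the tel: href is rewritten.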
  6. I've realised what was causing it: It is down to the map-view template being set to not have a slash at the end. If I change this it works. So when it was /maps/submit/test-map and you log in it goes to /maps/submit but when I set it to /maps/submit/test-map/ and you log in, it stays on /maps/submit/test-map/. Is this a bug and, if not, how can I use URLs with no slash to redirect in this way? In this instance, it doesn't matter as it makes no difference to have a slash at the end. I just wondered really whether it was a limitation, bug or feature as I do like to display homogeneous pages without slashes. I know you can pass the page ID to /processwire/ and then, I guess, use hooks to redirect to the page but wondered if it really required hooks as it seems like this should be part of the standard access functionality. Thanks.
  7. I have two templates: map-submit, map-view. map-views are children templates of a single map-submit template/page and this is enforced in the template Family settings. map-view is set to option B in Access: Show the Login page, and guest has View pages permission unchecked. What I want to happen is if you access a map-view page and aren't logged in it shows the login page, you log in and then go straight to the specific page you were trying to view. However, this is what happens:
     - Login page is presented
     - On successful login it takes you to the parent page, the single map-submit page, e.g. log in on maps/submit/test-map (map-view) and go to maps/submit (map-submit)
     - If you visit the page it should've redirected to (maps/submit/test-map) you are presented with the login page again and so on
     The only thing that seems to work is to log in via the usual CMS URL, /processwire/, and then visit the page. I can't see anything in the logs. Any ideas how I can fix this as it's currently a bit clunky for the client? I don't think I have any unusual modules installed and I have no hooks set up that manipulate the login or the session. I'm on 3.0.184, PHP 7.4. Thanks.
  8. I'm sure this will be something really simple but I am adding repeaters items to a Pro Fields Matrix and each item gets added twice (they are identical). The code definitely only runs once and there are no duplicate items in $basketTable. Am I doing anything wrong? Thanks. (Irrelevant code has been removed)
     $p = new \ProcessWire\Page();
     $p->template = 'account-order';
     $p->name = $orderReference;
     $p->of(false);
     foreach ($basketTable as $tableItem) {
         if (isset($tableItem['type']) === true) {
             if ($tableItem['type'] == 'typeface-trial') {
                 $orderDownload = $p->orderDownloads->getNew();
                 $orderDownload->repeater_matrix_type = 1;
                 $orderDownload->orderTypeface = $tableItem['id'];
                 $orderDownload->save();
                 $p->orderDownloads->add($orderDownload);
             }
             if ($tableItem['type'] == 'typeface-weight') {
                 $orderDownload = $p->orderDownloads->getNew();
                 $orderDownload->repeater_matrix_type = 2;
                 $orderDownload->orderDownloadsWeight = $tableItem['weight-id'];
                 $orderDownload->orderDownloadsLicense = $tableItem['license-id'];
                 $orderDownload->save();
                 $p->orderDownloads->add($orderDownload);
             }
             if ($tableItem['type'] == 'typeface-bundle') {
                 $orderDownload = $p->orderDownloads->getNew();
                 $orderDownload->repeater_matrix_type = 3;
                 $orderDownload->orderDownloadsBundle = $tableItem['bundle-id'];
                 $orderDownload->orderDownloadsLicense = $tableItem['license-id'];
                 $orderDownload->save();
                 $p->orderDownloads->add($orderDownload);
             }
         }
     }
     $p->save();
     I thought the process is to call getNew(), set the properties, save it and then add it to the page and save that — which I'm doing.
  9. On another thread I've found out how to make the email field unique but EmailNewUser still runs if you use a duplicate email and sends to the old address. Is there any way to prevent this happening?
  10. I want to make it so that both user name and email are unique in template users. I've got this which issues a warning, which is better than nothing:
     wire()->addHookAfter('Pages::saveReady', function(\ProcessWire\HookEvent $event) {
         $page = $event->arguments(0);
         // Don't run on newly created pages
         if ($page !== null && $page->created !== 0) {
             if ($page->template == 'user') {
                 $pages = wire('pages')->find('template=user');
                 foreach ($pages as $p) {
                     // Don't compare to current page
                     if ($p->id != $page->id) {
                         if ($p->email == $page->email) {
                             wire('session')->warning('**' . $p->email . '** is already being used by [' . $p->name . '](/processwire/access/users/edit/?id=' . $p->id . ') — it is highly recommended each account has a unique email address', \ProcessWire\Notice::allowMarkdown);
                         }
                     }
                 }
             }
         }
     });
     I am also using the EmailNewUser module. The reason I am issuing a warning as opposed to preventing the page being saved is regardless of what I do if you have the Send welcome email checkbox checked, EmailNewUser seems to always send the email out — and always to the duplicate email. I did try overriding the email to a random non-existent one so the email send would go nowhere — but EmailNewUser always emails the duplicate address, which is going to be confusing for the client. Is there any way to adapt the above code to prevent EmailNewUser from running if the email is a duplicate? Or is there a way to make EmailNewUser use an updated random email instead? I'm not sure how it works but however EmailNewUser is set up it seems to always use the old value. I hope that makes sense! Thanks.
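The hook above only warns. Below is an added example, not the poster's code and not part of the EmailNewUser module, of the same check written as a hard stop: a before-hook using the conditional form Pages::saveReady(template=user) so it only fires for user pages, one indexed query through $pages->get() instead of iterating every user, and a WireException to abort the save when a clash is found. It is assumed to live in /site/ready.php where $wire is available. Whether aborting the save also stops EmailNewUser from sending is an assumption that depends on which event that module hooks, which the posts do not say.

```php
<?php namespace ProcessWire;

// Added example for /site/ready.php (assumption: hooks are registered there).
// The condition in parentheses after the method name is matched against the
// hook's first argument, the Page being saved, so the closure runs only for
// pages using the "user" template.
$wire->addHookBefore('Pages::saveReady(template=user)', function (HookEvent $event) {
    /** @var Page $page */
    $page  = $event->arguments(0);
    $email = trim((string) $page->email);
    if ($email === '') {
        return; // email is optional on the user template; nothing to check
    }

    // selectorValue() quotes the untrusted string so it cannot change the
    // meaning of the selector; id!= excludes the page being edited.
    $sanitizer = $event->wire('sanitizer');
    $selector  = 'template=user, id!=' . (int) $page->id
               . ', email=' . $sanitizer->selectorValue($email);

    // $pages->get() returns a NullPage (id 0) when nothing matches.
    $clash = $event->wire('pages')->get($selector);
    if ($clash->id) {
        // Throwing from saveReady aborts the save; ProcessPageEdit reports
        // the message to the editor as an error notice.
        throw new WireException(sprintf(
            'The email address %s is already used by user "%s" (id %d).',
            $email,
            $clash->name,
            $clash->id
        ));
    }
});
```

Note that the match is whatever the database collation makes it; if the email field's collation is case-sensitive, Foo@example.org and foo@example.org would be treated as different addresses, so lower-casing the stored value on save is a sensible companion step.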
  11. Ah, I get it now. Thanks for such a great explanation!
  12. Thank you. I never knew about the relationship between the hook and the class and function name so that is a huge help. Studying the Page and Pages class shows me how different they are — so that makes sense! I'm still not 100% on the second point. From reading about hooks I thought the first condition in parenthesis in a hook was a selector and the second was a filter for fields. So to me, this should work since I want to filter out saves where the page has a specific template:
     \ProcessWire\wire()->addHookBefore('Pages(template=typeface)::saveReady', function(\ProcessWire\HookEvent $event) {
         \ProcessWire\wire('session')->error('Hook called');
     });
     But instead this is what works:
     \ProcessWire\wire()->addHookBefore('Pages::saveReady(template=typeface)', function(\ProcessWire\HookEvent $event) {
         \ProcessWire\wire('session')->error('Hook called');
     });
     Why is that? I'm sure I'm missing something really obvious!
  13. I am preventing pages with a specific template from being deleted. I have it working with Pages::trash(template=foo), Pages::delete(template=foo). I'm after a better understanding of why this works please. Why does it work with Pages and not Page, what's the difference? Why is it Pages::trash(template=foo) and not Pages(template=foo)::trash? I have read the docs page on hooks but still don't quite get it.
  14. Got it! Thanks so much for your @ryan. Thanks for the link too @AndZyk, that explains it really well.
  15. Thanks to you both, some very good suggestions. From the template file @Robin S is right, you need to use return. Actually though, just this will work:
     return '<p>An error occurred</p>';
     What would be the advantage of:
     <p>An error occurred</p>
     <?php return $this->halt(); ?>
     What does halt() actually do? I am reluctant to use exit() as I have some code in finished.php to run so the above works well for me, thanks.
  16. I've searched for this but couldn't find anything but am maybe using the wrong terms. Is there a way to do something like exit('<p>an error occurred!</p>'); but still have ProcessWire “shutdown” normally? Specifically, I want to be able to not render the template but still run some logging code in finished.php. Is there a function for this? Thanks.
  17. In my recent question about utf8mb4, I was asking about columns being lowered from 255 to 250. I misunderstood since I've just realised for some time VARCHAR can go way beyond 250 anyway so none of them in the database dump would be affected. The 250 in that quote is referring to column_name values for indexes. Many of PW's tables for fields have indexes: data_exact, BTREE data(250) data, FULLTEXT, data I presume it just uses data or data_exact based on type of selector used (natural language or exact). I've never specified an index length when using BTREE though and didn't realise there was a limit (though databases aren't my strong point). Does this just mean that if you do an exact search it will only apply to the first 250 characters of what is in data? If so, why explicitly set a limit? Wouldn't MySQL just default it to 250 anyway — or if you're in strict mode does it cause errors? I guess when setting up a database myself I would almost always use BTREE on relations where it's just an int, so would never run into this limitation. Thanks!
  18. I have changed a database over to utf8mb4 and it seems to work. I:
     - Exported the database
     - Replaced utf8 with utf8mb4
     - Imported SQL back in
     - Added $config->dbCharset = 'utf8mb4'; to config.php
     And now I can add Emojis via the CMS. Do I need to do anything else? I know that types like VARCHAR will no longer hold the same amount of characters now some characters take up four bytes but here Ryan says: Modules-wise I am using mainly Pro Fields and core ones. I also notice studying the database schema that most fields would not be affected by this; some use ASCII, most use larger TEXT fields. The few UTF8 VARCHAR fields are system ones set to 250 as above, which from the sounds of it Ryan allocated for years ago. EDIT: I can see the above refers to index lengths and not VARCHAR lengths, the latter can be larger than 250. See my other post. Am I likely to run into any problems? Other than smaller indexes or a huge VARCHAR column being too big to convert over (highly unlikely) what is the worst that can happen?
  19. Ah, thanks — id=page.your_repeater_field_name works perfectly! Also, thanks for your explanation regarding point 2. Regarding point 1, I worked it out, thanks, per my previous post. I am just storing an array of repeaterID => quantity in my session as I wanted to pull the live data on each request.
  20. Ah, well, I've answered point 1. $item = $this->wire('pages')->get('template=repeater_options, id=1255'); I'd love to know the answer to point 3 though. It would be extremely useful if that's an option. If I do a Page Reference field and set the selector string to template=repeater_options it would get every single item — whereas I'd only want the ones for the current page.
  21. I've got a repeater of product options within a single product page template. So template=product has a template file and has a field called options, which is a repeater with title and price. I want to store the repeater IDs in a session for the shopping basket and then read them. E.g. if ID 1255 is in the array, this gets me the repeater item:
     $item = $this->wire('pages')->get('template=product, options.id=1255')->options->get('id=1255');
     Is there a way to access the repeater directly? It just seems a bit clunky and inefficient to have to get the page and then the repeater by expressing the ID twice, when the ID should be able to get me to the repeater item with one call. I can run $pages->get(123) with a top-level page and it gets the page but when using get() from a repeater item I have to do get('id=123') — any reason for this? It doesn't really matter, I just wondered. Is it possible to have a Page Reference field that references a repeater for that page only? So, say I have options in a repeater as above: (Small, £10), (Large, £15), could I have a Page Reference field that lets me pick Small, Large, etc? The use case is specifying product bundles. Thanks!
  22. I'm using Pro fields table (support has expired but will renew it if needed). How do you mean a column field required in the settings (not the overall required setting — but individual columns in the table)? I've tried: required=1 required=true required But you can still leave it blank. Any ideas? Thanks.
  23. This is great, thanks! In my settings I am allowing spans with classes. Do you know how I might adapt your code to allow this? If I have HTML with <span class="foo">bar</span> but no empty spans or style assets, <span class="foo">bar</span> stays. But if I add in <span>foo</span>, <span>foo</span> changes to just foo (great!) but <span class="foo">bar</span> also changes to bar. Also, by default, CKEditor seems to allow style="margin: " I assume this is related to indentation. Any idea how you can disable this? Extraneous spans are annoying but harmless. However, the margin styles mess the formatting up. I do not even have the indentation buttons visible in the toolbar. Thanks!