Everything posted by adrian
-
It's not quite as simple as a user being unpublished - it could be changes to the account pages referencing them as well and it's multiple different templates. The other reason for this approach is that I want to continue to alert users with a wire()->warning which wouldn't persist if I hooked on unpublished or changes to those other pages. Same kinda goes for emails or other alerts - I feel like this one needs to be a constant reminder. Perhaps a better approach would be to prevent unpublishing any user tied to an account page and prevent saving an account page unless a valid published user is selected. So many options :)
-
Thanks @BitPoet - it probably is pretty similar in actuality, but it feels semantically correct in your case and just a bit off for my needs which aren't related to the theme's markup or menu etc.

Thanks @ryan - I tried without a hook in templates/admin.php but the code was still called twice (again, the AJAX request for the page list), but as you suggest, I could definitely wrap it in an if(!$config->ajax) check. I think that probably makes the most sense. I initially thought things like ProcessWire::finished or Process::execute would only be called once but again that page list AJAX is the problem. And thanks for the session idea which sounds like a good option.

Just an FYI - I have a check to make sure the integrity of some page reference fields (selected staff on client accounts) and I need to make sure if a staff member is unpublished that a warning is given. It's pretty efficient but I don't really want to run it on every admin page load, but ProcessLogin::loginSuccess isn't really enough either because our sessions don't often expire given how often we are in the admin.
-
I feel pretty silly asking this question, but I am realizing that there don't seem to be many options for a hook that is only triggered once when the admin is loaded because most of the usual suspects also get called a second time during the AJAX request to load the page tree. So far the only one I can actually find is:

AdminThemeFramework::getUserNavArray

Does anyone else have a better idea?

And also, what about a hook that is called once when a user first loads the admin in the current browser window. I am not talking about ProcessLogin::loginSuccess because that is only called after the username and password have just been entered, but rather that first time when a user opens the admin while their session is still valid from the last time.

Thanks!
-
@ryan - I have responded again to the ones that I think are bugs that still need fixing. You are right that some are feature requests - my point being that I think these are really useful requests that others would also benefit from. Of course it's up to you to decide if you agree, but obviously we are all going to push for things that we'd personally like to see.
-
@ryan - can I also kindly suggest that Profields Table needs some love. There are lots of weird bugs as well as some things that I think would really improve the experience. In my eyes this is THE banner profield that really demonstrates what PW can do, but is not quite working as it should. eg (in no particular order): https://github.com/processwire/processwire-issues/issues/1947
-
With huge amounts of gratitude for everything you do to make PW as great as it is: I know this is not in the intended spirit of this thread, so apologies for that, but honestly what I would most like to see is fixing all of the current Github Issues before anything new is implemented. I personally still have 49 open issues, many of which require ugly hook workarounds, some result in things being broken for site editors, and others are inconsistencies in the API which continue to trip me up. I am honestly struggling to put energy into thinking of shiny new feature ideas with these things always impacting my workflow.
-
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
Good catch @Jan Romero - I wonder if PW could rely solely on parsing $_SERVER['REQUEST_URI']?

It seems like there might be an issue with NGINX if that happens: https://www.drupal.org/project/drupal/issues/2490870 but could be worked around with: https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/request_uri/7.x

"Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI."
-
@DrQuincy - you might find this module useful: https://processwire.com/modules/process-redirect-ids/
-
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
Thanks, I did see that flag, but as you said it's not a good approach for a fix. I agree this could be a potential issue on lots of sites. Thanks also for posting to get Ryan's attention - the more pings he has on this the better. I tend to think that the correct fix has to be related to that "?it=$1" rewrite rule because it has the potential to break many more things than just the UserActivity module. -
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
Turns out I can reproduce a forbidden error by simply loading a URL like http://pwtest.test/about/?id=%3f

It seems like you need to view a page that isn't the root url (hence the about child page) and that you have %3f in there. On some servers http://pwtest.test/about/%3f also returns a 403 but on others I need the %3f to be part of a URL parameter.

This Drupal ticket reports the same issue and references the same apache change that Robin noted: https://www.drupal.org/project/drupal/issues/3460799

If I make a similar change to PW's htaccess rule (as was changed in Drupal), ie:

change:
RewriteRule ^(.*)$ index.php?it=$1 [L,QSA]

to:
RewriteRule ^(.*)$ index.php [L,QSA]

or:
RewriteRule ^ index.php [L,QSA]

then everything works again. I expected that would break PW's page routing and/or admin, but initially it looks to be OK which honestly seems weird.

So other than the issue with UserActivity, we'll all need to be careful if we ever url_encode anything with a question mark (%3F) in it unless @ryan thinks an htaccess change like that (or similar) would be ok. Perhaps it will need some reworking of some of the $_GET['it'] related code in PagesRequest.php to handle all scenarios?

Also, I just discovered that the server with what I thought was an old version of apache, was actually not old - I almost exclusively run Debian servers, but the "old one" I mentioned is Ubuntu and someone else is managing it now and they did update to 2.4.41 which in Ubuntu world includes that %3f fix: https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.19
-
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
I have updated all but one server to 2.4.61, but yes, I am still seeing the issue on 2.4.41 (including that UnsafeAllow error) so not sure what's up with that :) Figured this out - see my post below: -
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
Hey @Robin S - thanks for your thoughts, but it's happening on VPS servers (all under my control) and also on my local dev machine and it's happening on sites on Digital Ocean and AWS so it's not that. I had a similar issue recently with 7g firewall which I was playing with on one site, but I had already removed that and it was never on the other sites/servers anyway. Oh, and I am not running WireRequestBlocker either.

I did recently update apache on all my servers, but I even tested on one with an older version and it was an issue there too.

I am seeing these errors in my logs:

[rewrite:error] [pid 34046:tid 34126] [remote xxx.xxx.xxx.xxx] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: /admin/page/edit/?id=23917

Not certain it's the issue, but my hunch is that it is because of the %3F in the URL I posted in the first post above. But what has changed to make it a 403 issue now?
-
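An added example, not part of the original posts or of ProcessWire: one way to triage the AH10508 entries quoted above is to count them per referring page and per client, which shows which admin pages are generating the blocked requests. The sample log lines are constructed (made-up timestamps, PIDs and documentation-range addresses) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample error-log lines, modelled on the entry quoted in the post.
SAMPLE_LOG = """\
[Tue Jul 16 09:12:01.101 2024] [rewrite:error] [pid 34046:tid 34126] [remote 192.0.2.10:51844] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://mysite.com/admin/page/edit/?id=23917
[Tue Jul 16 09:12:31.412 2024] [rewrite:error] [pid 34046:tid 34127] [remote 192.0.2.10:51850] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://mysite.com/admin/page/edit/?id=23917
[Tue Jul 16 09:13:05.007 2024] [core:info] [pid 34046:tid 34130] [client 192.0.2.44:40112] AH00128: File does not exist: /var/www/favicon.ico
[Tue Jul 16 09:14:40.930 2024] [rewrite:error] [pid 34050:tid 34201] [remote 192.0.2.77:60022] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Tue Jul 16 09:15:02.118 2024] [rewrite:error] [pid 34050:tid 34203] [remote 192.0.2.10:51861] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F, referer: https://mysite.com/admin/page/edit/?id=1032
"""

# Peer address (logged as "remote" or "client"), then the AH10508 message,
# then an optional ", referer: ..." suffix at the end of the line.
AH10508 = re.compile(
    r"\[(?:remote|client) (?P<peer>[^\]]+)\] AH10508:.*?"
    r"(?:, referer: (?P<referer>.+))?$"
)


def blocked_rewrites(log_text):
    """Yield (client_ip, referer or None) for every AH10508 entry."""
    for line in log_text.splitlines():
        m = AH10508.search(line)
        if m:
            # Drop a trailing ":port" if one was logged.
            ip = m.group("peer").rsplit(":", 1)[0]
            yield ip, m.group("referer")


def summarize(log_text):
    """Count blocked requests per referring page and per client address."""
    by_referer, by_client = Counter(), Counter()
    for ip, referer in blocked_rewrites(log_text):
        by_referer[referer or "(no referer)"] += 1
        by_client[ip] += 1
    return by_referer, by_client


if __name__ == "__main__":
    referers, clients = summarize(SAMPLE_LOG)
    for page, count in referers.most_common():
        print(f"{count:3d}  {page}")
    for ip, count in clients.most_common():
        print(f"{count:3d}  {ip}")
```

Entries whose referer is an admin page point at application JavaScript building the URL, as in the UserActivity case described in this thread.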
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
Ok, I have got things working again by removing the encodeURIComponent() from

'?activity=' + encodeURIComponent(activity) +

from UserActivityAdmin.js and I've pinged @ryan about it in a DM but at this stage, I'm really not sure why this became a problem all of a sudden.
-
User Activity module AJAX forbidden due to updated apache
adrian replied to adrian's topic in General Support
@wbmnfktr - it's this one: https://processwire.com/store/pro-dev-tools/user-activity/ -
Hi everyone,

I don't have access to the support board for the User Activity module anymore, so am asking here if anyone else has started getting 403 forbidden errors with the AJAX requests to URLs like:

https://mysite.com/admin/?activity=PageEdit%40page%2Fedit%2F%3Fid%3D1032&started=1721087147&title=Edit Page%3A News • mysite.com&idle=0&hidden=0&changed=0&changes=&pwpdt=pwua

If I load it directly in the browser I also get the 403, but if I unencode the URL to be something like this, then it loads the raw html of the page.

https://mysite.com/admin/?activity=PageEdit@page/edit/?id=1032&started=1721087147&title=Edit page&idle=0&hidden=0&changed=0&changes=&pwpdt=pwua

I am seeing it on multiple servers, on different versions of PW, in different browsers, different sites, etc. I feel like I must be missing something obvious, but wondering if anyone else has seen similar issues start up recently?
-
[SOLVED] Update to TracyDebugger 4.26.33 throws error
adrian replied to wbmnfktr's topic in Tracy Debugger
@wbmnfktr - sorry about that - looks like you don't use the TracyLogs panel :( Anyway, error is fixed in the latest version. -
There have been a few useful updates to the PW and Tracy logs panels.
1) Display json as interactive "dumped" array.
2) Support for @Robin S's awesome new CustomLogs module.
3) New options to exclude certain logs from being displayed. By default "modules", "sessions", and "file-compiler" are excluded. I think this is a major improvement because often these logs overwhelm the more important alert/warning/error type logs.
-
@Robin S - I've committed that new version to support CustomLogs in the PW Logs panel. It was your Logs JSON Viewer module (I found it a couple of weeks ago via Github) that got me thinking about supporting it in the PW and Tracy Logs panels.
-
Hi @Robin S - yes, it is easy to add custom panels to Tracy from your module, eg: https://github.com/wireframe-framework/Wireframe/tree/master/TracyPanels

There isn't a way to hook into the Logs panel though at the moment, however, I think I have a reasonable solution based on the new JSON viewing functionality I added recently in the latest version. Here is how that looks when viewing the logs panel with a custom visits log. Obviously not as nice as the PW logs viewer with the way you modified the table, but I think this works well enough and allows easy integration with the PW logs panel and its icon colour change to indicate new entries, combining with the latest from all logs, etc.

Any thoughts before I commit?
-
Really cool Robin! Just an FYI for Tracy users - I have pushed a new version which excludes any CustomLogs logs from the PW logs panel because they were just confusing with the incorrect headers and mismatched number of columns. Not sure yet, but I might build a new CustomLogs Panel to properly handle displaying them.
-
Tracy's RequestInfo panel has a PagePermissions section which checks the permissions for the current user and each role. One of the permissions it checks is "moveable". If you don't want these calls to happen you can disable this section in Tracy's settings.
-
Hi @MarkE - sorry, I am really not following what you mean by the hook only called by Tracy. Can you provide a complete example to test?
-
@poljpocket - I still think it would be worth optimizing the staff poster images - they all seem to be around 2.5MB which even on my fibre optic connection takes time and you can see them visibly loading.