-
Development Update, February 2007-02
(News)
-
release, and some is part of the current nightly build from SVN. The items that are part of the MS3 package are indicated with a (*).
Installer and upgrade path
The installer for .8 now also checks for a web-user writable pnTemp directory. Before, only its subdirectories had to be writable. However, more and more modules need a (temporary) writable directory of their own (for example cache directories for image creation or rss feeds). With a writable pnTemp, these modules are now easily allowed to create that directory themselves if it does not exist. (*)
The upgrade path from the historic .7 family has been updated: Some code has been added to migrate blocks placements into the new block_placements table. (*)
Furthermore, old style (legacy) blocks can now be stored in the /config/blocks directory. The specific files do need to be copied manually from the old /includes/blocks directory to its new location. (*)
Core (API) and environment variables
In the core pnAPI, get_magic_quotes_runtime() was called lots of times for different purposes. With an internal caching method, the result is stored in the global PNRuntime array. Big advantage is that the site's speed has been significantly improved. (*)
Robert has added an enhancement to allow the pnSessionGet/Set/DelVar functions to accept an (optional) path argument (arguments 'autocreate' and 'overwriteExistingVar'). This will allow for easy setting of complex array structures. The change only adds extra arguments to the existing functions and is backwards compatible. At this moment, no direct usage has been committed yet.
PostNuke Object library
At this stage of development, a lot of changes are (and have been) made to the object library. Most of them are 'simple' bug fixes, but some changes are worth mentioning here (additional functionality or changed methods).
In the DBUtil class, there now exists a new method to increment a field with the function incrementObjectFieldByID. This can be used by module authors for updating read counts of content items for example. (*)
Additionally, the function selectScalar has been added (which takes a SQL query as argument). This is mostly useful for places where you want to do a "select count(*)" or similar scalar selection.
The utf8 conversion functions (convertFromUTF8 and convertToUTF8) have moved from AjaxUtil to DataUtil when solving a bug to keep the users input in Ajax driven fields as they are intended.
While solving a Google AdSense script bug, where the script tags were automatically cleaned by the safeHTL output filter, a new feature has been added to FormUtil: Before cleaning posted input on an already installed site, the FormUtil now checks if the current user has overall admin permissions. This allows site admins to input potentially harmful tags (javascript for example), but it's their site after all!
Jörn has improved CSS style handling in pnForm plugins, as he has changed some pnForm classes to be derived from pnFormStyledPlugin, which in itself is derived from the original pnFormPlugin.
Because it's better to read the languages directory first for available languages and compare that result against the full list of languages instead of the other way around, the LanguageUtil has a new function getInstalledLanguages. This now significantly reduces the number of directory checks.
To ensure that most commonly used plugins are found as early as possible, the order in the pnRender class, where the system is searching for plugins, has been modified. The current correct order for the 0.8 distribution is:
system/pnRender/plugins
system/Theme/plugins
config/plugins
current theme-directory/templates/modules/$module/plugins
current theme-directory/plugins
current module-directory/pntemplates/plugins
Furthermore, two new variables can be added to the rendered output page using the PageUtil class. First is 'description', which by default is set to the current site slogan. Second is 'footer', with the ability to add custom content just prior to the closing body tag. The latter function is applied as an outputfilter.
Finally, an additional parameter 'display' is added to the pager plugin, which can be set to either 'page' or 'offset'. This is (why am I explaining, isn't this rather self-explanatory?) to allow paging by pages, rather than offsets. It also mirrors the 'show' parameter that exists in many templates (based on the example module) but was never actually implemented.
Last but not least, the Theme class has now added support for a filters section in a page configuration file. This allows for loading of, in the first instance, custom output filters. Note there is no user interface to the functionality at the moment. And, why not, the Atom theme has been updated to Atom 1.0.
Module modifications
The following modules have been updated for improved .8 compatibility, or just to make administering those modules easier.
The User module now has the long awaited alpha pager for browsing users. (*)
All occurrences of the block rendering APIs (read by the Blocks module) have changed from the old style call "return themesideblock" to "return pnBlockThemeBlock". (*)
A configurable separator for permalinks has been added to the Settings module. (*) Furthermore, a switch to globally disable JS Quicktags (which adds a set of buttons for common html tags to enabled textareas) is now part of the Settings module. (*)
Both the Ratings and the Multisites module are modified to meet the new standards of coding and templating. Work still needs to be done to both modules, so testing functionality for these modules may not be that worthwhile as yet. (*)
The Theme module takes over from the Xanthia module in an upgrade. This doesn't mean that it is not Xanthia anymore: it still is actually the Xanthia 3.0 engine (*).
To the Recommend_Us module a display hook has been added. This will add a list of social bookmark links, like the Diggers plugin also does.
Language files overhaul
The language defines in some modules have been reviewed and adjusted to the naming conventions of .8 (see also Dev Update 2006-06). This means that module-specific language defines start with a module-name specific prefix. Additionally, some new general language strings (using the pnML function) have been added to the core language file. The major effect this will have is to substantially reduce the number of strings that need translating. These changes are applied to the following system modules: Admin, Admin_Messages, AuthPN, Blocks, Mailer, legal, Settings and SysInfo. ValueAddons modules will follow later.
PostgreSQL DBMS testers wanted
The .8 DBUtil class, as mentioned many times before, makes it possible to run PostNuke on different DBMS platforms, like PostgreSQL,
Generated on February 20, 2007.
-
Development Update, November 2006-05
(News)
-
New teamlist member: Ammodump
Ammodump was asked to join the team. As quoted from his introduction in the team: "I enjoy being a community member, and that often my comments hold weight. Sometimes my comments and advice are misguided, but sometimes it is hard to understand others questions ;-) ". With two main hobbies (PN and beer), Ammodump seems to be born for the support team here at the community website.
Remote code injection problem
As some people already know, there is a remote code injection problem with the language parameter as mentioned in the Feedback Forum. Both the .7 and the .8 versions have been updated to fix this security vulnerability, so everybody is urged to upgrade their PostNuke version to the latest release (see also Release Announcement). Some background information: The FormUtil::getPassedValue() function also accepts an input vector GETPOST now. It allows to ensure that the contents of _COOKIE are not taken into account when you get data (as it would be when you go through _REQUEST). The input domain is limited to _GET and _POST and not through _REQUEST / _COOKIE anymore. This is applied firstly to the newlang and thistheme parameters, and has been (and will be) applied to the rest of the core functions additionally.
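The background note above, as an added sketch (not PostNuke's code, and not the real signature of FormUtil::getPassedValue()): a hypothetical getter `get_passed_value()` that takes an explicit input source, so `GETPOST` never consults cookies, and a hypothetical `resolve_language()` that accepts a language code only if it is on the list of installed languages. The lookup order, the installed-language list and the request data are assumptions.

```php
<?php
// Added example, not PostNuke source. Function names, the GET-before-POST
// lookup order and the installed-language list are assumptions.

/**
 * Read a request parameter from an explicitly named source.
 * 'GETPOST' looks at GET data, then POST data, and never at cookies,
 * so a cookie named "newlang" cannot supply or override the value
 * (which it could if the code read $_REQUEST).
 */
function get_passed_value(string $key, $default = null, string $source = 'GETPOST',
                          ?array $get = null, ?array $post = null, ?array $cookie = null)
{
    // The superglobals can be replaced by arguments so the function runs offline.
    $get    = $get    ?? $_GET;
    $post   = $post   ?? $_POST;
    $cookie = $cookie ?? $_COOKIE;

    switch ($source) {
        case 'GET':     $pools = [$get];        break;
        case 'POST':    $pools = [$post];       break;
        case 'COOKIE':  $pools = [$cookie];     break;
        case 'GETPOST': $pools = [$get, $post]; break;
        default:
            throw new InvalidArgumentException("unknown input source: $source");
    }
    foreach ($pools as $pool) {
        if (array_key_exists($key, $pool)) {
            return $pool[$key];
        }
    }
    return $default;
}

/**
 * Turn an untrusted language parameter into a value that is safe to place in
 * a path such as 'language/<code>/global.php'.
 */
function resolve_language($candidate, array $installed, string $fallback): string
{
    // Arrays (newlang[]=x) and other non-strings are rejected outright.
    if (!is_string($candidate)) {
        return $fallback;
    }
    // Strict match against the allow-list: a value containing path separators,
    // dots or a URL scheme cannot match and never reaches the filesystem.
    return in_array($candidate, $installed, true) ? $candidate : $fallback;
}

// Constructed request data for the demonstration.
$installed = ['eng', 'deu', 'spa'];
$cookie    = ['newlang' => '../not-a-language'];   // cookie value must be ignored

// 1) Valid code in the query string, junk in the cookie.
$fromGet = get_passed_value('newlang', null, 'GETPOST', ['newlang' => 'deu'], [], $cookie);
var_dump(resolve_language($fromGet, $installed, 'eng'));

// 2) Parameter present only in the cookie: GETPOST does not see it at all.
$cookieOnly = get_passed_value('newlang', null, 'GETPOST', [], [], $cookie);
var_dump($cookieOnly, resolve_language($cookieOnly, $installed, 'eng'));

// 3) Unknown code sent by POST: read, but replaced by the fallback.
$fromPost = get_passed_value('newlang', null, 'GETPOST', [], ['newlang' => 'xx/..'], $cookie);
var_dump(resolve_language($fromPost, $installed, 'eng'));
```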
Session handling
Some features have been added to the session handling in the core system:
Session id regeneration (random and on login/logout), making it even more difficult to hijack a session. This has been achieved without any extra writes to the database, so the feature has no overheads.
The ability to rename the session variable (always was POSTNUKESID), and changing from session file storage to session db storage has been enhanced.
Auth-id check to the user login screen (and block) - this has introduced a login bug which has been entered into the bug tracker and will be fixed by the release of MS3.
The session regeneration options are available in the (upgraded) Settings module.
Also fixed for both the 0.764 release as well as the 0.8 release are some PHP >= 5.2.0 issues due to session handling (See the forums, credits to fredatwork). It seems to solve the problems with PostNuke installations running on 5.2.0 or higher.
Minimum MySQL and PHP versions
The minimum version for MySQL has been raised to 4.1.x, due to some installer problems that are related to old 3.x databases. See also MySQL's lifetime philosophy at Planet MySQL. Due to security reasons, the recommended minimum php-version is at least 4.3.10.
Installer
Some install problems with register_globals ON are now fixed. In addition, a check for register_globals has been added to the .76x install process, for information only. The installation of PostNuke on these environments is nevertheless still possible. Sync with the .8 installer is to be done.
System and core modules
The internal variables statusmsg and errormsg are now arrays: it is now possible to capture (and display) multiple errors. Therefore, pnGetStatusMsg() is renamed to pnGetStatusMsgs() and LogUtil::getStatusMessagesText().
Float handling returns from Ajax has been discussed within the team. It appears that floats in the Non-US locales did not correctly set the decimal delimiters. Therefore, the locale has been set to en_US to ensure this. A solution for writing floats to the DB is still pending.
Robert has added the encryption / decryption methods, using the mcrypt library function, for use in the API.
In the Theme module, the plugins for showing the sitename, slogan and complete title have been altered to use multilanguage support.
The Settings module has some nice dynamic interface elements added to the Security and General function types, increasing usability in this one.
The magic_quotes_gpc recommendation for .8 has been changed. It should be off instead of on. According to php security group, this feature is inconsistent in blocking attacks, and can in some cases cause data loss with uploaded files. Besides the revert of magic_quotes_gpc recommendation, the SysInfo module now also checks for allow_url_include (new in PHP 5.2) and the suhosin patch/extension.
Finally, all variables retrieved through FormUtil::getPassedValue() are now cached.
ValueAddons modules
The Pages module now displays the category that each page belongs to in the overview.
The Error module (or Error handler, where error pages within PostNuke are handled) has been undergoing some changes. System errors, forbidden / not-found errors and specific API errors have their own templates and level of error reporting. A no-auth error will result in a more suitable 403 response rather than a 200-response with a status message. As a result, a lot of code has been altered to correctly use the new Log- and Error message handling.
The Wiki module has been renamed to the more suitable 'Wiki_Code', as this module is a transform hook to enable Wiki formatting in content items.
The ExampleObj module has been reviewed, revised and updated by Robert. It should serve as a good example for any module writers.
Generated on November 20, 2006.
-
Single Login to a Multisite
(News)
-
1. Backup each file you edit before proceeding.
2. In your multisite configuration, edit each pntables.php for each multisite under your parameters/sub.domain to share nuke_session_info, e.g.
$session_info = 'nuke_session_info';
3. Edit includes/pnSession.php and search for session.cookie_domain and you will find the line:
ini_set('session.cookie_domain', $domain);
which I changed to
ini_set('session.cookie_domain', 'postnuke.com');
4. Flush the nuke_session_info table in your database, deleting all current session records.
In the 0.8 series we will revisit the multisite system making the system easier to administer.
Good luck :)
Generated on August 10, 2004.
-
Custom User Fields Storing Problem
(News)
-
function pnUserSetVar($name, $value, $uid = 0)
{
    list($dbconn) = pnDBGetConn();
    $pntable = pnDBGetTables();

    if (empty($name)) return false;
    if (empty($uid)) {
        // No uid passed in: fall back to the uid of the current session
        $uid = pnSessionGetVar('uid');
        if (empty($uid)) return false;
    }
    ...
#2 Making use of the previous change to the API code, the problem could be solved with altering newuser_user_finishnewuser function (modules/NS-NewUser/user.php). Right after the lines that update user table, insert the following:
...
$result = $dbconn->Execute("sql statement to insert new user...");
$uid = $dbconn->PO_Insert_ID($pntable['users'], $column['uid']);
if (!empty($dynadata) && is_array($dynadata)) {
    // Store each custom field against the uid of the user just created
    while (list($key, $val) = each($dynadata)) {
        pnUserSetVar($key, $val, $uid);
    }
}
...
I found that this change completely solved the problem with custom user data fields storing.
Miklos Kovac
Generated on February 24, 2004.
-
Security Fix Package for Postnuke .723
(News)
-
FIXES
/modules/Modules/pnadminapi.php (fixed regeneration bug, thx to cmgrote, jojodee, jnapp)
/includes/pnAPI.php (updated pnanticracker)
/includes/pnSession.php (fixed globals)
/modules/Credits/pnuser.php (fixed path disclosure, thx to Alexander GQ Gerasiov)
/includes/blocks/topic.php (fixed permission check, thx to ddrury)
/includes/blocks/weblinks.php (fixed permission check, thx to cs)
/includes/blocks/stories.php (fixed permission check)
larsneo, pnDev
Generated on January 4, 2003.
-
Successful PostNuke Phoenix Installation on Windows 2000 Server -- HOW TO
(News)
-
few hours trying to solve a problem that was just waiting for a reboot. Take my word for it, especially with the MySQL install.
The Config:
Hardware: PIII slot 1, 384 Megs RAM, 1 FAT32 drive(2 partitions), 1 NTFS drive (single partition)
Windows 2000 Server Sp3
IIS 5.0 included with windows 2000
PHP 4.2.3 (via installer)
MyODBC 2.50.39
mySQL 3.23.52
The Details
Windows Server
This is a multi role machine running DNS, Active Directory(AD) and other network services, and IIS. It's basically my intranet, Domain Controller(AD), File Server and development web server. It's locked down behind a router with its own security protocols, so if you hack the router, you still have to hack AD, which grants access through IP first, Domain second and user third. It's pretty tightly locked up, and it's a good way to have a fairly secure development platform.
IIS
IIS is configured to run a default site, which is locked down using AD. If the machine dns name is theMachine, I can easily access the default web site using my browser and going to http://theMachine. The default site is basically a default installation with nothing on it and I use virtual directories to point to development file structures - this is documented in IIS documentation. Basically I took a default PostNuke installation file structure and copied it to a directory on one of my development partitions (I used a FAT32 partition -- no reason for it, just thought this may be a useful fact), and made that a virtual directory of the main site. If I name the virtual directory PNdev, I can now access that directory via http://theMachine/PNdev.
PHP
Download the installer version of PHP for Windows (link in heading title)
stop the IIS server
execute the php installer and follow the instructions (pay attention to the checkboxes for what kind of webserver you wish to install it on, there should be one for IIS 4.0 and up)
reboot.
After reboot run a search for php.ini (because I'm too lazy to look for it in the C:/Winnt folder), and change the register_globals to 'On'. NOTE: DOING THIS POSES A SECURITY ISSUE FOR THE WEBSERVER. Read about it in the PHP documentation. Now you're ready to install mySQL.
MyODBC
I downloaded and installed this driver for MySQL because I'm developing some desktop packages that may be using MySQL in the future -- but it's part of the environment and thought I should mention it. Just do it if you're not sure.
mySQL
download (link in title) and unzip this file to its own directory
Go to IIS and stop the server!
Install using the setup program and use all the default values (if you install it other than to the default directories, don't come crying to me)
reboot
After Rebooting, run a search for the my.ini file and delete it, if you don't find one - good - it means you need to create one.
Creating a my.ini file with winmysqladmin.exe
You will find a folder in c:\mysql\bin\ called winmysqladmin.exe, if you don't find it here, you screwed up somewhere or installed mysql in another directory - run a search to find it. Once you have located winmysqladmin.exe, I would advise putting a shortcut to it on your desktop.
Open winmysqladmin.exe, a window should pop up asking for a user name and password. Enter a username and password that you wish to use, this will be the MASTER USERNAME AND PASSWORD for your mysql installation. You will need this password very shortly, so write it down! Once you submit the info, look in the sys tray for an icon that looks like a traffic light. If the 'light' is red, mySQL needs to be started. Do this by right clicking the icon, choose 'win NT' and then click 'start this service'. (If you wish to set more u/n & p/w for other users on their own dbs - read about it in the mySQL documentation.)
Creating a Database with winmysqladmin.exe
If the traffic light icon is in the tray, open the gui by right clicking the icon, choose 'show me'. If not in the tray, open winmysqladmin.exe by opening from the shortcut you placed on your desktop earlier, or find it again and open it. When it opens, you will see the window appear and then disappear, look in the tray and you will see the traffic light. Right click the icon, choose 'show me'.
The GUI will appear, click on the 'Databases' Tab. Right click on the server name in the upper left frame and click 'create database'. Input a database name and click ok. This will create a new blank database. Now you are ready to install Postnuke.
PostNuke Install Notes
At this point, I am assuming that you have the files in place on the server and will refer to the directory that holds those files as 'POSTNUKEweb'. Some preliminary steps:
make sure that config.php and config-old.php both are world-writable. Note that once the install/upgrade has been completed these files can be re-set to read-only.
your config file should be modified to reflect the username and password that you set up during the installation of mySQL. Remember? I told you to write them down!!! It should also reflect of the name of the database that you created with winmysqladmin.exe.
additionally your config.php file should be set to Windows. Do this by changing $pnconfig['system'] = '0'; to $pnconfig['system'] = '1'; on line 48.
KICK IT
go to your post nuke installation (i.e. http://POSTNUKEweb/install.php).
choose the language and click 'Set Language'. If this page just refreshes and you can't get beyond it, you need to change your php.ini file described above in the PHP heading.
when you get to the DB info page DO NOT check box for use with intranets, I checked this on my first run through and could not log in after installation, by not checking it, I could log in fine. I have a feeling that it's because of the server setup, but it works for me. You can play with this setting after install:
make a backup copy of the pnSession.php file (located in the includes directory). Then, open the file in your favorite editor, and find the line (somewhere around line #88) that looks like this:
Code:
if (pnConfigGetVar('intranet') == false) {
You can toggle the intranet functionality by changing the boolean false to true and vice-versa on this line to see how your system/server/nuke responds.
By following these guidelines you can implement PostNuke pretty seamlessly on your Windows 2000 server. I haven't experimented with XP, win2k (non server), or 98, but I'll be sure to post my findings if I do.
Also, thanks to the entire dev team on PostNuke for creating a kickass solution platform --- you guys ROCK (and so does the community
Generated on October 8, 2002.
-
Starting page localized
(News)
-
To achieve our goal, we will use a global variable named HTTP_ACCEPT_LANGUAGE which tells us the preferred language of the user.
Now we need to hack the file pnAPI.php (under the includes directory).
Go to the pnInit() function and add this line somewhere at the first lines:
global $HTTP_ACCEPT_LANGUAGE;
Now that we know which language the user wants, we just need to set the PostNuke language to it, or to the default site's language if we do not support it. This can be done with a simple switch by replacing the original lines (under pnInit() function):
These are the original lines:
// Load global language defines
if (isset ($lang) && file_exists('language/' . pnVarPrepForOS($lang) . '/global.php')) {
    $currentlang = $lang;
} else {
    $currentlang = pnConfigGetVar('language');
    pnSessionSetVar('lang', $currentlang);
}
with something like this:
This example searches for English, Spanish and German languages.
// Load global language defines
if (isset ($lang) && file_exists('language/' . pnVarPrepForOS($lang) . '/global.php')) {
    $currentlang = $lang;
} else {
    $BrowserLang = substr($HTTP_ACCEPT_LANGUAGE, 0, 2);
    switch ($BrowserLang) {
        case "es":
        case "ES":
            $currentlang = "spa";
            break;
        case "en":
        case "EN":
            $currentlang = "eng";
            break;
        case "de":
        case "DE":
            $currentlang = "deu";
            break;
        default:
            $currentlang = pnConfigGetVar('language');
    } // end of switch
    pnSessionSetVar('lang', $currentlang);
}
As you can see with only a few lines of code your users will not have to click on their flag to choose their favourite language.
For those about to Nuke....we salute you
Jorge Alvarez
jalvarez at regamallorca dot com
Generated on June 6, 2002.
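An added example, not part of the original post or of PostNuke: the same idea as the switch above, generalized to honour the q-values in Accept-Language instead of reading only the first two characters, while still mapping the browser-supplied header onto a fixed list of site languages. The function names, the map and the sample headers are assumptions.

```php
<?php
// Added example, not from the post. The map mirrors the three languages the
// post handles; the sample headers are constructed.

/**
 * Parse an Accept-Language header into primary language subtags, best first.
 * The header is client-controlled, so malformed entries are dropped rather
 * than passed on.
 */
function parse_accept_language(string $header): array
{
    $ranked = [];
    foreach (explode(',', $header) as $position => $item) {
        $parts = explode(';', trim($item));
        $tag   = strtolower(trim($parts[0]));
        // Accept only language ranges such as "es", "en-gb" or "*".
        if (!preg_match('/^(\*|[a-z]{1,8}(-[a-z0-9]{1,8})*)$/', $tag)) {
            continue;
        }
        $q = 1.0; // a range without a q parameter has full weight
        foreach (array_slice($parts, 1) as $param) {
            if (preg_match('/^\s*q\s*=\s*(0(\.\d{0,3})?|1(\.0{0,3})?)\s*$/i', $param, $m)) {
                $q = (float) $m[1];
            }
        }
        if ($q > 0.0) { // q=0 means "not acceptable"
            $ranked[] = ['primary' => explode('-', $tag)[0], 'q' => $q, 'pos' => $position];
        }
    }
    // Highest q first; equal q keeps the order the browser sent.
    usort($ranked, function ($a, $b) {
        return ($b['q'] <=> $a['q']) ?: ($a['pos'] <=> $b['pos']);
    });
    return array_column($ranked, 'primary');
}

/**
 * Choose the site language: the first browser preference that has an entry in
 * $map, otherwise $default. Only values from $map or $default are returned,
 * so nothing taken from the header ends up in a file path.
 */
function pick_site_language(?string $header, array $map, string $default): string
{
    if ($header === null || $header === '') {
        return $default;
    }
    foreach (parse_accept_language($header) as $primary) {
        if (isset($map[$primary])) {
            return $map[$primary];
        }
    }
    return $default;
}

$map     = ['es' => 'spa', 'en' => 'eng', 'de' => 'deu'];
$default = 'eng'; // stands in for pnConfigGetVar('language')

// Constructed sample headers.
$samples = [
    'es-ES,es;q=0.9,en;q=0.8',   // Spanish preferred
    'fr;q=0.9, de;q=0.8',        // first entry unsupported, second supported
    'en;q=0.3, DE-at;q=0.7',     // order in the header differs from preference
    '../../etc, <b>;q=2',        // malformed entries only
    '',                          // header absent
];
foreach ($samples as $header) {
    printf("%-28s => %s\n", var_export($header, true), pick_site_language($header, $map, $default));
}
```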
-
PN .71 through .713 & Andromeda
(News)
-
and the .713 change log (here) says that it fixed the problem, but that does not seem to be the case. And now Jim has moved on...
One user experiencing the problem (thanks Bert!) had some luck changing:
Header('Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0');
- to -
Header('Cache-Control: cache, must-revalidate, post-check=0, pre-check=0');
- in -
pnSession.php (at roughly line 200)
But that seems to interfere with the behavior of his browser's back button.
I very much hope to resolve the issue, but it does appear to come from a change to pnSession.php, and Andromeda still works fine in 'standalone' mode.
I'd be happy to talk to any PN dev, and I can be reached at scott@turnstyle.com.
-Scot
Generated on April 23, 2002.
-
Rogue .71 Teaser
(News)
-
for their work in making this release what it is. Sorry, for leaving out so many names, but my fingers are starting to bleed!
* What's New? *
Fully ADODB compliant -- works with PGSQL and MSSQL.
Session: Providing privacy to users is a priority, sessions provide you with a safer way of handling user logins without exposing information through the browser.
Three level security -- High, medium and low so that you can control when your users site access expires.
Improved performance -- optimization of many parts of the code, often through direct replacement, to improve performance throughout.
Improved stability - new core codebase provides far greater stability than any other Nuke variant
New default theme. -- fresh new look to your PostNuke. Voting on the default theme will take place this week.
Improved security -- new system for handling user input and automatically protecting sites against the most common PHP and cross-site attacks.
New modules system - allows for future versions of PostNuke to be backwards compatible with older modules, no more being stuck on an old version of PostNuke because you use a module which has not been upgraded.
Modules Developer Guide -- A full featured guide on how the API works.
E_ALL Errors corrected -- Errors that slowed performance, and left phantom problems in the codebase have all been corrected.
Blocks Performance Enhanced -- More optimizations to the core that fall under performance enhancements.
Configuration moved to database - site configuration now held in a database table for improved ease of use and speed of access. Also allows modules and plugins to add to the site configuration without the hacking of core scripts.
Admin control of themes -- allow users to control their theme or set a site-wide theme for all users through the use of a setting.
Dynamic User Data -- Allow you to choose what information to be collected on your site. In the beginning stages of development, but is very well integrated into the system.
Block hiding -- An admin configurable selection that gives the ability for users to hide any of the admin-defined blocks if they do not wish to see them.
XML-RPC Integration -- More on this closer to release!
Ratings Module -- By itself, does nothing, but is a tool for module developers to add ratings to content without having to develop new code.
Center Blocks (Otherwise known as Centre Blocks) -- Now the ability to add center blocks in conjunction with left and right blocks.
*End Spoiler*
More announcements to follow. .71 is feature packed, and is very close to being a complete rewrite of the core. More work has been packed into this release than any other. We have managed to close most of the loose ends with the separation of the core from the modular functionality. This release is in my opinion a giant step towards the 1.0 release and is in complete compliance with our roadmap.
Thanks for reading, and I hope that this gives you a little insight on what is to come
Generated on February 18, 2002.