phprojekt-devel — PHProjekt Developer Mailinglist

[Phprojekt-devel] PHProjekt 6.0.2 released

[David S. P. <dav...@ma...>]

PHProjekt 6.0.2 is out. More information can be found at
http://phprojekt.com/node/1909.

Downloads can be found as usual on github and on
http://phprojekt.com/download

Greetings
David

-- 
David Soria Parra                   Mayflower GmbH
Mannhardtstraße 6                   Tel.: +49 89 24 20 54 1
D-80538 München                     Fax : +49 89 24 20 54 29
dav...@ma...      http://www.mayflower.de

Mayflower GmbH, Standort München
Firmensitz: Mannhardtstraße 6, 80538 München
Registergericht: Amtsgericht München, HRB 142039
Geschäftsführer: Gregor Streng, Björn Schotte,
Albrecht Günther, Johann-Peter Hartmann

Re: [Phprojekt-devel] WebDAV for P6

[Albrecht G. <alb...@ma...>]

Hi Gustavo,

can you install this somewhere, so we can test it?
(not on the official demo, but IIRC we do have another vhost for testing)

TIA
Albrecht

> We was agree that try to copy the PEAR webDav implementation and make
> the code P6-Zend Framework-PHP5 compatible.
> 
> As i know, the author of the library was agree.
> 
> You can see the result here:
> http://github.com/gsolt/PHProjekt/tree/WebDAV
> 
> Greetings,
> Gustavo
> 
> On 27/04/2010 02:28 p.m., David Soria Parra wrote:
>> Hi Gustavo
>>
>> Am 06.04.10 16:23, schrieb Gustavo Solt:
>>> Hi all,
>>>  Since many people ask about the WebDAV implementation on P6, let see
>>> what we need for it.
>>> 1. Server
>>> In P5 we use the PEAR server, that is just a php 4 class that translates
>>> the request into a WebDAV function.
>>> We can make a new server class, using the PEAR one as example, in this
>>> case the steps are:
>>>  - Make a new Zend class using the PEAR as model.
>>>  - Transform all the PHP4 structure to PHP5.
>>>  - Use all as we can the Zend functions.
>>>  - Define an Auth method that should be easy to configure.
>>> After that, we will have something like Zend_Webdav_Abstract that will
>>> have all the necessaries function for catch the request and call the
>>> correct function.
>> Did you take a look at ezComponents Webdav (ez Componenets is now called
>> Zeta Components). It is proper PHP 5 Code. I haven't used it so I don't
>> know if there are many issues with.
>>
>> I would prefer if we do WebDAV not before 6.2 but try to focus on what
>> we have at the moment and enhance that .
>>
>> David
>>
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

Re: [Phprojekt-devel] WebDAV for P6

[Gustavo S. <gus...@gm...>]

Alo David,

We was agree that try to copy the PEAR webDav implementation and make
the code P6-Zend Framework-PHP5 compatible.

As i know, the author of the library was agree.

You can see the result here:
http://github.com/gsolt/PHProjekt/tree/WebDAV

Greetings,
Gustavo

On 27/04/2010 02:28 p.m., David Soria Parra wrote:
> Hi Gustavo
> 
> Am 06.04.10 16:23, schrieb Gustavo Solt:
>> Hi all,
>>  Since many people ask about the WebDAV implementation on P6, let see
>> what we need for it.
>> 1. Server
>> In P5 we use the PEAR server, that is just a php 4 class that translates
>> the request into a WebDAV function.
>> We can make a new server class, using the PEAR one as example, in this
>> case the steps are:
>>  - Make a new Zend class using the PEAR as model.
>>  - Transform all the PHP4 structure to PHP5.
>>  - Use all as we can the Zend functions.
>>  - Define an Auth method that should be easy to configure.
>> After that, we will have something like Zend_Webdav_Abstract that will
>> have all the necessaries function for catch the request and call the
>> correct function.
> 
> Did you take a look at ezComponents Webdav (ez Componenets is now called
> Zeta Components). It is proper PHP 5 Code. I haven't used it so I don't
> know if there are many issues with.
> 
> I would prefer if we do WebDAV not before 6.2 but try to focus on what
> we have at the moment and enhance that .
> 
> David
> 

Re: [Phprojekt-devel] Private folder on P6

[Gustavo S. <gus...@gm...>]

Hi all,

 David's suggestion implemented.

http://github.com/gsolt/PHProjekt/commit/93ee227fd5bc8b29a396da120646504ece27b963

Greetings.

On 27/04/2010 01:50 p.m., David Soria Parra wrote:
> Hi Gustavo
> 
> Am 27.04.10 03:48, schrieb Gustavo Solt:
>> Hi all,
>>  since many people complain about the "DocumentRoot" limitation in the
>> installation of PHProjekt 6, for a better solution about the security,
>> there is an idea about to make 2 improves:
> 
>> 1. Make the configuration.ini file, a php file, so nobody can read it,
>> only the web server can execute it or read it.
> 
>> 2. Make a private folder for save there the logs, the temporally and the
>> uploaded files. (All the files written by the API/User).
> 
>> --- About 1. ---
>> The best solution that i found, is to keep the configuration.ini file as
>> format, add a <?php in the first line, rename it to configuration.php
>> and change the comments from ; to #.
>> There is a new Config parser, that just drop the first line, and take
>> the file as ini.
> 
>> Pros:
>> 	1. The format is read friendly, like all the ini files.
>> Contra:
>> 	1. Since is a php file, the common editor should provide a correct
>> interface for edit files, but since the ini structure is not PHP, maybe
>> the user have ugly messages in the editor.
>> 	2. If you want to access directly to the file
>> http://p6/configuration.php => you will get a parser error. Maybe is not
>> a contra, but is ugly.
> 
> Yes the solution might work, but still other files might be accessable,
> things like README, tests, VERSION and so on.
> 
>> --- About 2. ---
>> Here i want to discuss some scenarios.
>> First, the zip or the tarball, provide a folder phprojekt with all the
>> files and folders in it.
>> Currently the structure is:
>> phprojekt/
>> 	application/
>> 	htdocs/
>> 	library/
>> 	logs/
>> 	tmp/
>> 	upload/
>> 	configuration.ini
>> And the limitation say that a vhost must be set to the htdocs folder.
> 
>> With the private folder, the idea is something like:
> 
>> phprojekt/
>> 	application/
>> 	htdocs/
>> 	library/
>> 	configuration.ini
>> private/
>> 	logs/
>> 	tmp/
>> 	upload/
> 
> I like the approach, but I think it gets difficult, as PHProjekt looks
> different on disk depending on the way you set it up. In fact using the
> private folder method we can separate htdocs and the rest, as the rest
> doesn't need to be access from the outside and that's what we care about.
> 
>> 		Contra: Even if the private folder have a random name set by the user,
>> is accessible by web http://my.domain/private.
>> For solve that, we provide a .htaccess with Deny from all, but the
>> folder is still writable and public.
>> The user can set the write rights for this folder to "only owner"?, yes,
>> but ONLY in Linux, in Windows system, the folder is public and writable
>> (only the admin of the system can set the rights there).
> No write access cannot be by owner only, most webhosts user a group for
> the webserver and different owners, in that case the webserver will not
> be able to write to the directory.
> 
> 
>> 	2. Outside the public_html:
> 
> we cannot do this, as this is particularly what people that just have a
> usual web host, complain about. They just have webspace that is
> accessable from the outside.
> 
>> 		Pros: Is not accessible by Web.
>> 		Contra:
>> 			- The web user in general don't have access to write folders there,
>> or for rights or for groups limitation. If the setup routine can't
>> create the folder, the user/admin must do it.
>> If there are many problem for the common users to create a vhost, you
>> think that create a folder outside public is easy for them?
>> 			- If the folder is created, must have the correct right access, since
>> the API don't have right for change them, and again, the access system
>> works only for Linux, in windows is ALL 777. Do you think that the user
>> can do it?
> 
> My suggestions is the following:
> 
>   We add .htaccess files to the phprojekt/ folder and to
>   phprojekt/htdocs. The .htaccess in phprojekt/ forbids
>   access. This is done by putting the following into the
>   .htaccess file:
> 
>       deny from all
> 
>   and in htdocs/.htaccess:
> 
>       allow from all
> 
>   This way we keep our setup the way it is, we just have
>   to remove the check for the vhost. Well not remove, we
>   should state a message that says:
> 
>   Please note that your webserver needs to support .htaccess
>   files to deny access to the configuration files. Running
>   PHProjekt 6 without using the provided .htaccess files
>   to deny access to certain files and folders, might not
>   be secure and is not recommended.
> 
>   This is still not a perfect solution as we do rely on
>   .htaccess (apache only) and that the webserver is configured
>   to allow access overwriting. So Apache might be configured
>   to use .htaccess but not to allow forbidding access using .htaccess.
> 
>   But I personally think 90% of the users have a setup that will
>   work with what I suggested, while it keeps our changes low and
>   the code base stable.
> 
> David

Re: [Phprojekt-devel] WebDAV for P6

[David S. P. <dav...@ma...>]

Hi Gustavo

Am 06.04.10 16:23, schrieb Gustavo Solt:
> Hi all,
>  Since many people ask about the WebDAV implementation on P6, let see
> what we need for it.
> 1. Server
> In P5 we use the PEAR server, that is just a php 4 class that translates
> the request into a WebDAV function.
> We can make a new server class, using the PEAR one as example, in this
> case the steps are:
>  - Make a new Zend class using the PEAR as model.
>  - Transform all the PHP4 structure to PHP5.
>  - Use all as we can the Zend functions.
>  - Define an Auth method that should be easy to configure.
> After that, we will have something like Zend_Webdav_Abstract that will
> have all the necessaries function for catch the request and call the
> correct function.

Did you take a look at ezComponents Webdav (ez Componenets is now called
Zeta Components). It is proper PHP 5 Code. I haven't used it so I don't
know if there are many issues with.

I would prefer if we do WebDAV not before 6.2 but try to focus on what
we have at the moment and enhance that .

David

-- 
David Soria Parra                   Mayflower GmbH
Mannhardtstraße 6                   Tel.: +49 89 24 20 54 1
D-80538 München                     Fax : +49 89 24 20 54 29
dav...@ma...      http://www.mayflower.de

Mayflower GmbH, Standort München
Firmensitz: Mannhardtstraße 6, 80538 München
Registergericht: Amtsgericht München, HRB 142039
Geschäftsführer: Gregor Streng, Björn Schotte,
Albrecht Günther, Johann-Peter Hartmann

Re: [Phprojekt-devel] Private folder on P6

[David S. P. <ds...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Gustavo

Am 27.04.10 03:48, schrieb Gustavo Solt:
> Hi all,
>  since many people complain about the "DocumentRoot" limitation in the
> installation of PHProjekt 6, for a better solution about the security,
> there is an idea about to make 2 improves:
> 
> 1. Make the configuration.ini file, a php file, so nobody can read it,
> only the web server can execute it or read it.
> 
> 2. Make a private folder for save there the logs, the temporally and the
> uploaded files. (All the files written by the API/User).
> 
> --- About 1. ---
> The best solution that i found, is to keep the configuration.ini file as
> format, add a <?php in the first line, rename it to configuration.php
> and change the comments from ; to #.
> There is a new Config parser, that just drop the first line, and take
> the file as ini.
> 
> Pros:
> 	1. The format is read friendly, like all the ini files.
> Contra:
> 	1. Since is a php file, the common editor should provide a correct
> interface for edit files, but since the ini structure is not PHP, maybe
> the user have ugly messages in the editor.
> 	2. If you want to access directly to the file
> http://p6/configuration.php => you will get a parser error. Maybe is not
> a contra, but is ugly.

Yes the solution might work, but still other files might be accessable,
things like README, tests, VERSION and so on.

> --- About 2. ---
> Here i want to discuss some scenarios.
> First, the zip or the tarball, provide a folder phprojekt with all the
> files and folders in it.
> Currently the structure is:
> phprojekt/
> 	application/
> 	htdocs/
> 	library/
> 	logs/
> 	tmp/
> 	upload/
> 	configuration.ini
> And the limitation say that a vhost must be set to the htdocs folder.
> 
> With the private folder, the idea is something like:
> 
> phprojekt/
> 	application/
> 	htdocs/
> 	library/
> 	configuration.ini
> private/
> 	logs/
> 	tmp/
> 	upload/

I like the approach, but I think it gets difficult, as PHProjekt looks
different on disk depending on the way you set it up. In fact using the
private folder method we can separate htdocs and the rest, as the rest
doesn't need to be access from the outside and that's what we care about.

> 		Contra: Even if the private folder have a random name set by the user,
> is accessible by web http://my.domain/private.
> For solve that, we provide a .htaccess with Deny from all, but the
> folder is still writable and public.
> The user can set the write rights for this folder to "only owner"?, yes,
> but ONLY in Linux, in Windows system, the folder is public and writable
> (only the admin of the system can set the rights there).
No write access cannot be by owner only, most webhosts user a group for
the webserver and different owners, in that case the webserver will not
be able to write to the directory.

> 
> 	2. Outside the public_html:

we cannot do this, as this is particularly what people that just have a
usual web host, complain about. They just have webspace that is
accessable from the outside.

> 		Pros: Is not accessible by Web.
> 		Contra:
> 			- The web user in general don't have access to write folders there,
> or for rights or for groups limitation. If the setup routine can't
> create the folder, the user/admin must do it.
> If there are many problem for the common users to create a vhost, you
> think that create a folder outside public is easy for them?
> 			- If the folder is created, must have the correct right access, since
> the API don't have right for change them, and again, the access system
> works only for Linux, in windows is ALL 777. Do you think that the user
> can do it?

My suggestions is the following:

  We add .htaccess files to the phprojekt/ folder and to
  phprojekt/htdocs. The .htaccess in phprojekt/ forbids
  access. This is done by putting the following into the
  .htaccess file:

      deny from all

  and in htdocs/.htaccess:

      allow from all

  This way we keep our setup the way it is, we just have
  to remove the check for the vhost. Well not remove, we
  should state a message that says:

  Please note that your webserver needs to support .htaccess
  files to deny access to the configuration files. Running
  PHProjekt 6 without using the provided .htaccess files
  to deny access to certain files and folders, might not
  be secure and is not recommended.

  This is still not a perfect solution as we do rely on
  .htaccess (apache only) and that the webserver is configured
  to allow access overwriting. So Apache might be configured
  to use .htaccess but not to allow forbidding access using .htaccess.

  But I personally think 90% of the users have a setup that will
  work with what I suggested, while it keeps our changes low and
  the code base stable.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJL1vmlAAoJEAT0aMuPE7Z1dr8P/ibs3PsgD49+j8WlEgtruAMr
FLM0hf8J+tSvUOwhkxrfcLUtMQRNpL066R1fTgI9XuLQoycIN3Qoed27/wkvsTOM
21RZRUBejVEz0TsxoUr6DP2glpCkC59hApQ2GkMl8TvTUMit8a1e8d+3CysKsjUB
1kxuQL0qoKLEp2FczaqkbBRGi5WclMGUbmINYAo+23NQz3eZyFPi7wLhxbVj8T7d
W0ikjh/eV7NMNSVEuThlBObnBrvhhTnIcp3KuEaCm448UOy070dOgFOGpFpoKbDS
s81IGwm/P+eT3WbrRLwwfcaA4K+lhQS6SHkBxhx93tnS4z7xVm1MsY8jdqBH06jj
WEsScyHfqnJNW4yJiXlRqvCg8v5Ll1lWRAOLPLMXxPo54or/iXH2165RuPzXp3li
dduxZDF7JNuc/L/TLLhKXwW7zNR7u1kXP/R9cAD9fnGKpmx0eK7UmvVycPTUzRLh
oVzv347JbukP6ZUguOOnfcf3AkBHRfvH26Sit6fcwB5JL7yB043FuFvcqUP6zPNs
K0N/EwpBuDZx310v6l/WgGpfzJ7yBk5Q37eoOhbsB0gtaN6/5ixUb2eEP4sGfU0K
nqU8MSsveFVZ1SiNKa3DBRvGr/gw+BVLFoFSG6Rvpo+/dNUER/iu6XWyb5HRiS6e
UbH26YuWVxo1Q1zKS9dc
=q8wZ
-----END PGP SIGNATURE-----

Re: [Phprojekt-devel] Private folder on P6

[Albrecht G. <alb...@ma...>]

Hi Gustavo, hi David,

Gustavo, thank you for the scetch of the possible solution on the
".htaccess" issue.

David: can you please check this and give feedback to Gustavo?
It is pretty urgent, since this is the last point we have to integrate
beofre the release of 6.0.2

thank you and all the best
Albrecht

>  since many people complain about the "DocumentRoot" limitation in the
> installation of PHProjekt 6, for a better solution about the security,
> there is an idea about to make 2 improves:
> 
> 1. Make the configuration.ini file, a php file, so nobody can read it,
> only the web server can execute it or read it.
> 
> 2. Make a private folder for save there the logs, the temporally and the
> uploaded files. (All the files written by the API/User).
> 
> --- About 1. ---
> The best solution that i found, is to keep the configuration.ini file as
> format, add a <?php in the first line, rename it to configuration.php
> and change the comments from ; to #.
> There is a new Config parser, that just drop the first line, and take
> the file as ini.
> 
> Pros:
> 	1. The format is read friendly, like all the ini files.
> Contra:
> 	1. Since is a php file, the common editor should provide a correct
> interface for edit files, but since the ini structure is not PHP, maybe
> the user have ugly messages in the editor.
> 	2. If you want to access directly to the file
> http://p6/configuration.php => you will get a parser error. Maybe is not
> a contra, but is ugly.
> 
> --- About 2. ---
> Here i want to discuss some scenarios.
> First, the zip or the tarball, provide a folder phprojekt with all the
> files and folders in it.
> Currently the structure is:
> phprojekt/
> 	application/
> 	htdocs/
> 	library/
> 	logs/
> 	tmp/
> 	upload/
> 	configuration.ini
> And the limitation say that a vhost must be set to the htdocs folder.
> 
> With the private folder, the idea is something like:
> 
> phprojekt/
> 	application/
> 	htdocs/
> 	library/
> 	configuration.ini
> private/
> 	logs/
> 	tmp/
> 	upload/
> 
> Scenario 1 - Common German structure:
> 	If i drop the phprojekt folder in my public_html, then i have:
> public_html/
> 	phprojekt/
> 		application/
> 		htdocs/
> 		library/
> 		configuration.ini
> And the link to the API is http://my.domain/phprojekt/htdocs/index.php
> In this scenario, the setup routine can try to create a private folder
> in 2 places:
> 	1. in the same level as phprojekt.
> 		Pros: The setup should can, since is a public folder with full access
> to the web server.
> 		Contra: Even if the private folder have a random name set by the user,
> is accessible by web http://my.domain/private.
> For solve that, we provide a .htaccess with Deny from all, but the
> folder is still writable and public.
> The user can set the write rights for this folder to "only owner"?, yes,
> but ONLY in Linux, in Windows system, the folder is public and writable
> (only the admin of the system can set the rights there).
> 
> 	2. Outside the public_html:
> 		Pros: Is not accessible by Web.
> 		Contra:
> 			- The web user in general don't have access to write folders there,
> or for rights or for groups limitation. If the setup routine can't
> create the folder, the user/admin must do it.
> If there are many problem for the common users to create a vhost, you
> think that create a folder outside public is easy for them?
> 			- If the folder is created, must have the correct right access, since
> the API don't have right for change them, and again, the access system
> works only for Linux, in windows is ALL 777. Do you think that the user
> can do it?
> 
> Scenario 2 - Personal systems:
> 	In general, for the Scenario 1, we can use the DOCUMENT_ROOT var for
> get the public folder, but for example, i have a windows system with
> apache and the document root set on for example D:www, then i have many
> sub folders for many pages.
> 	My DOCUMENT_ROOT, is www, and the API will try to create a folder in:
> 	- D:/www/phprojekt (in the same level as phprojekt)
> 	- or in D: (Outside the public folder)
> 
> Add to all this, if the server use safe_mode = ON, the API have problems
> to access this private folder, depend on where is it.
> 
> Also, if the rule is "no writable folders in the public one", what we
> can do whit the application folder?.
> Yes, we can make it read only, and add a private/application/ where the
> user can add new modules.
> But then the user can't delete the current modules like "Calendar" if he
> don't want it in the system.
> Also, we must change the routines that scan the application folder for
> new modules, or custom ones, and we will have TWO applications folders,
> one for the system and one for the users...if this don't generate
> misunderstandings...
> 
> For finish, i am agree with a private folder where we can write stuff in
> a safe way, but reading the post, and the comments, there are many
> "normal users" playing with P6, and are not "administrators", so maybe
> this folder will provide more problems than solutions to these users.
> 
> What do you think?
> 
> If you want to test a bit, one of these implementations is in:
>  - http://github.com/gsolt/PHProjekt/tree/privateFolder
> Works fine in windows, since don't try to set access, in Linux i tried
> to install it in the MF server, and neither the API or myself, can
> create a private folder with 0600 access in the before public_html.
> 
> Greetings,
> Gustavo
> 
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

[Phprojekt-devel] Private folder on P6

[Gustavo S. <gus...@gm...>]

Hi all,
 since many people complain about the "DocumentRoot" limitation in the
installation of PHProjekt 6, for a better solution about the security,
there is an idea about to make 2 improves:

1. Make the configuration.ini file, a php file, so nobody can read it,
only the web server can execute it or read it.

2. Make a private folder for save there the logs, the temporally and the
uploaded files. (All the files written by the API/User).

--- About 1. ---
The best solution that i found, is to keep the configuration.ini file as
format, add a <?php in the first line, rename it to configuration.php
and change the comments from ; to #.
There is a new Config parser, that just drop the first line, and take
the file as ini.

Pros:
	1. The format is read friendly, like all the ini files.
Contra:
	1. Since is a php file, the common editor should provide a correct
interface for edit files, but since the ini structure is not PHP, maybe
the user have ugly messages in the editor.
	2. If you want to access directly to the file
http://p6/configuration.php => you will get a parser error. Maybe is not
a contra, but is ugly.

--- About 2. ---
Here i want to discuss some scenarios.
First, the zip or the tarball, provide a folder phprojekt with all the
files and folders in it.
Currently the structure is:
phprojekt/
	application/
	htdocs/
	library/
	logs/
	tmp/
	upload/
	configuration.ini
And the limitation say that a vhost must be set to the htdocs folder.

With the private folder, the idea is something like:

phprojekt/
	application/
	htdocs/
	library/
	configuration.ini
private/
	logs/
	tmp/
	upload/

Scenario 1 - Common German structure:
	If i drop the phprojekt folder in my public_html, then i have:
public_html/
	phprojekt/
		application/
		htdocs/
		library/
		configuration.ini
And the link to the API is http://my.domain/phprojekt/htdocs/index.php
In this scenario, the setup routine can try to create a private folder
in 2 places:
	1. in the same level as phprojekt.
		Pros: The setup should can, since is a public folder with full access
to the web server.
		Contra: Even if the private folder have a random name set by the user,
is accessible by web http://my.domain/private.
For solve that, we provide a .htaccess with Deny from all, but the
folder is still writable and public.
The user can set the write rights for this folder to "only owner"?, yes,
but ONLY in Linux, in Windows system, the folder is public and writable
(only the admin of the system can set the rights there).

	2. Outside the public_html:
		Pros: Is not accessible by Web.
		Contra:
			- The web user in general don't have access to write folders there,
or for rights or for groups limitation. If the setup routine can't
create the folder, the user/admin must do it.
If there are many problem for the common users to create a vhost, you
think that create a folder outside public is easy for them?
			- If the folder is created, must have the correct right access, since
the API don't have right for change them, and again, the access system
works only for Linux, in windows is ALL 777. Do you think that the user
can do it?

Scenario 2 - Personal systems:
	In general, for the Scenario 1, we can use the DOCUMENT_ROOT var for
get the public folder, but for example, i have a windows system with
apache and the document root set on for example D:www, then i have many
sub folders for many pages.
	My DOCUMENT_ROOT, is www, and the API will try to create a folder in:
	- D:/www/phprojekt (in the same level as phprojekt)
	- or in D: (Outside the public folder)

Add to all this, if the server use safe_mode = ON, the API have problems
to access this private folder, depend on where is it.

Also, if the rule is "no writable folders in the public one", what we
can do whit the application folder?.
Yes, we can make it read only, and add a private/application/ where the
user can add new modules.
But then the user can't delete the current modules like "Calendar" if he
don't want it in the system.
Also, we must change the routines that scan the application folder for
new modules, or custom ones, and we will have TWO applications folders,
one for the system and one for the users...if this don't generate
misunderstandings...

For finish, i am agree with a private folder where we can write stuff in
a safe way, but reading the post, and the comments, there are many
"normal users" playing with P6, and are not "administrators", so maybe
this folder will provide more problems than solutions to these users.

What do you think?

If you want to test a bit, one of these implementations is in:
 - http://github.com/gsolt/PHProjekt/tree/privateFolder
Works fine in windows, since don't try to set access, in Linux i tried
to install it in the MF server, and neither the API or myself, can
create a private folder with 0600 access in the before public_html.

Greetings,
Gustavo

Re: [Phprojekt-devel] New screencast: Why to choose Phprojekt 6

[Mariano La P. <mar...@gm...>]

Done

I put 'PHProjekt 6 - The users view'.

I hope you like it or else tell me.

Mariano


El 06/04/2010 07:43 a.m., Albrecht Günther escribió:
> Hi Mariano,
>
> say, could you rename the title of the youtube entry to
> 'Why to choose PHProjekt - the users view' or
> 'PHProjekt - the users view' of something similar - the question mark
> implies some critics :-)
>
> But this week we should release it, yes :-)
>
> all the best
> Albrecht
>
>   
>> http://www.youtube.com/watch?v=KZbBK-N1UAU&fmt=6
>>
>>   I think it is highly recommended to publish it in 480p resolution.
>> This link has the suffix '&fmt=6' that makes the video to get opened in
>> this resolution, instead of 360p. When seen in 360p the URL in the
>> browser and the text of P6 itself is not clearly seen (from 0:49 until
>> the end of the video).
>>
>>
>> Let's choose Phprojekt, the one with the bee logo! :-)
>>
>> Mariano
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Phprojekt-devel mailing list
>> Php...@li...
>> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel
>>     
>
>   

Re: [Phprojekt-devel] WebDAV for P6

[Albrecht G. <alb...@ma...>]

Hi Thorsten,

>> I suggest to implement the Zend_Webdav_Abstract and to create the webdav
>> part for the files module for PHProjekt 6.1
>> After this, in a next version we can enhance it with the caldav api.
> we should wait with the development of PHProjekt 6.1 until we decided
> how we will work with branches and when we PHProjekt 6.0 is in a good
> and stable state.
Gustavo works only in his branch, so no fear that the main branch will
be compromised.

Since David is on holidays, we need a plan what to do until he can
return to P6, which will take until end of April.

all the best
Albrecht

Re: [Phprojekt-devel] WebDAV for P6

[Thorsten R. <tho...@ma...>]

Hi,

> I suggest to implement the Zend_Webdav_Abstract and to create the webdav
> part for the files module for PHProjekt 6.1
> 
> After this, in a next version we can enhance it with the caldav api.

we should wait with the development of PHProjekt 6.1 until we decided
how we will work with branches and when we PHProjekt 6.0 is in a good
and stable state.

Cheers
Thorsten

-- 
Thorsten Rinne, Dipl.-Inf. (FH)     Mayflower GmbH
Mannhardtstr. 6                     Tel.: +49 89 24 20 54 31
D-80538 München                     Fax : +49 89 24 20 54 29
tho...@ma...         http://www.mayflower.de

Mayflower GmbH, Standort München
Firmensitz: Mannhardtstraße 6, 80538 München
Registergericht: Amtsgericht München, HRB 142039
Geschäftsführer: Gregor Streng, Björn Schotte,
Albrecht Günther, Johann-Peter Hartmann

Re: [Phprojekt-devel] WebDAV for P6

[Albrecht G. <alb...@ma...>]

Hi Gustavo,

this sound pretty reasonable.
I suggest to implement the Zend_Webdav_Abstract and to create the webdav
part for the files module for PHProjekt 6.1

After this, in a next version we can enhance it with the caldav api.

all the best
Albrecht

>  Since many people ask about the WebDAV implementation on P6, let see
> what we need for it.
> 
> 1. Server
> In P5 we use the PEAR server, that is just a php 4 class that translates
> the request into a WebDAV function.
> We can make a new server class, using the PEAR one as example, in this
> case the steps are:
>  - Make a new Zend class using the PEAR as model.
>  - Transform all the PHP4 structure to PHP5.
>  - Use all as we can the Zend functions.
>  - Define an Auth method that should be easy to configure.
> After that, we will have something like Zend_Webdav_Abstract that will
> have all the necessaries function for catch the request and call the
> correct function.
> 
> 1.2. Extension
> Using the Zend_Webdav_Abstract, we can extend it for make custom servers
> like:
> 1.2.1. For files -Zend_Webdav_Files- (almost all done in the
> Zend_Webdav_Abstract).
> 
> 1.2.2. For events -Zend_Webdav_Caldav- (using the CalDAV RFC).
> For the CalDAV class, we need also some extra functions,
> first for customized the WebDAV using the CalDAV RFC, and second for
> translate the P6 events or "any event data" into a ICAL format, and
> vice-versa.
> 
> 1.2.3. Others.
> 
> Other structure can be:
> Zend/
>     Webdav/
>         Abstract.php  (Zend_Webdav_Abstract)
>     Webdav.php        (Zend_Webdav extend Zend_Webdav_Abstract)
>     Caldav.php        (Zend_Caldav extend Zend_Webdav_Abstract)
> 
> 
> About the times,
> For 1. can be something like 24 hs.
> For 1.2.1 (for files) can be something like 1 hs.
> For 1.2.2 (for events) can be something like 12 hs.
> 
> 2. Client
> After that we can use the "server", but we need some page that call it,
> so the next step is to write a controller that get the request, call the
> auth, call the server , and return the response.
> This implementation should be done only for P6.
> The url can be something like:
> index.php/Default/webdav/index
> and the controller: Default/WebdavController.php.
> We can define other one for the caldav or not.
> 
> About the times,
> Can be something like 4 hs.
> 
> About the times, as always, are "code" time, but we must add the test
> and some problems that always appear in the process.
> 
> I think that working on it 1 week(40 hs), we can have a good aprouch.
> 
> What do you think?
> 
> Greetings,
> Gustavo Solt.
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

[Phprojekt-devel] WebDAV for P6

[Gustavo S. <gus...@gm...>]

Hi all,
 Since many people ask about the WebDAV implementation on P6, let see
what we need for it.

1. Server
In P5 we use the PEAR server, that is just a php 4 class that translates
the request into a WebDAV function.
We can make a new server class, using the PEAR one as example, in this
case the steps are:
 - Make a new Zend class using the PEAR as model.
 - Transform all the PHP4 structure to PHP5.
 - Use all as we can the Zend functions.
 - Define an Auth method that should be easy to configure.
After that, we will have something like Zend_Webdav_Abstract that will
have all the necessaries function for catch the request and call the
correct function.

1.2. Extension
Using the Zend_Webdav_Abstract, we can extend it for make custom servers
like:
1.2.1. For files -Zend_Webdav_Files- (almost all done in the
Zend_Webdav_Abstract).

1.2.2. For events -Zend_Webdav_Caldav- (using the CalDAV RFC).
For the CalDAV class, we need also some extra functions,
first for customized the WebDAV using the CalDAV RFC, and second for
translate the P6 events or "any event data" into a ICAL format, and
vice-versa.

1.2.3. Others.

Other structure can be:
Zend/
    Webdav/
        Abstract.php  (Zend_Webdav_Abstract)
    Webdav.php        (Zend_Webdav extend Zend_Webdav_Abstract)
    Caldav.php        (Zend_Caldav extend Zend_Webdav_Abstract)


About the times,
For 1. can be something like 24 hs.
For 1.2.1 (for files) can be something like 1 hs.
For 1.2.2 (for events) can be something like 12 hs.

2. Client
After that we can use the "server", but we need some page that call it,
so the next step is to write a controller that get the request, call the
auth, call the server , and return the response.
This implementation should be done only for P6.
The url can be something like:
index.php/Default/webdav/index
and the controller: Default/WebdavController.php.
We can define other one for the caldav or not.

About the times,
Can be something like 4 hs.

About the times, as always, are "code" time, but we must add the test
and some problems that always appear in the process.

I think that working on it 1 week(40 hs), we can have a good aprouch.

What do you think?

Greetings,
Gustavo Solt.

Re: [Phprojekt-devel] New screencast: Why to choose Phprojekt 6

[Albrecht G. <alb...@ma...>]

Hi Mariano,

say, could you rename the title of the youtube entry to
'Why to choose PHProjekt - the users view' or
'PHProjekt - the users view' of something similar - the question mark
implies some critics :-)

But this week we should release it, yes :-)

all the best
Albrecht

> http://www.youtube.com/watch?v=KZbBK-N1UAU&fmt=6
> 
>   I think it is highly recommended to publish it in 480p resolution.
> This link has the suffix '&fmt=6' that makes the video to get opened in
> this resolution, instead of 360p. When seen in 360p the URL in the
> browser and the text of P6 itself is not clearly seen (from 0:49 until
> the end of the video).
> 
> 
> Let's choose Phprojekt, the one with the bee logo! :-)
> 
> Mariano
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

[Phprojekt-devel] New URL's for the demo

[Albrecht G. <alb...@ma...>]

Hi,

after the run on the release (with more than ten thousand visitors only
on friday afternoon), we close our small cloud and return to our usual
sites.

the old/new url's are:
try.phprojekt.com for our P6 demo
demo.old.phprojekt.com for our P5 demo

Gustavo, one special request: all demo users have the first and last
name 'john doe', which is a bit boring in user select boxes. Can you
give them different names and update the sql file?

all the best
Albrecht

Re: [Phprojekt-devel] Access, cache and multi users

[Gustavo S. <gus...@gm...>]

Hi Johann,
 thanks for the answer.

About Zend_Cache, yes you are right, seams to be the right solution for
these cases, but as i said, the point is which cache type we want to use.

Since now we use SESSION, in the client side, and is really fast (since
is memory), but have these problems.

Here is a list of possibles cache type:

http://framework.zend.com/manual/en/zend.cache.backends.html

The file, is which we use now for common data (project tree and language
strings). Do you think is better to switch from "save the data in
session" to "save the data in a file on the server" ?

Other option is Memcached, but we must put it as a requirement.
(all the others also have extra requirements)

Maybe we can make a new one for use the database, using the
Zend_Cache_Backend_Sqlite as template.
(If we want to support many database types in the future, we should make
an abstract one that can be used with all of these types)

Resume:
SESSION  => fast, don't works for multi-users.
File     => slow, works for multi-users.
Database => fast (less than SESSION), works for multi-users, must be
implemented.

Suggestions?

Greetings,
Gustavo Solt

On 24/03/2010 05:42 a.m., Johann-Peter Hartmann wrote:
> Hi,
> 
> Gustavo Solt schrieb:
>> Point b)
>>   - If the User A was IN the TODO #1, and try to change something, he
>> will get a message "The item don't exist" (for him, don't exists anymore)
> 
> That's a misleading error message, it should be "You are not allowed to
> do this!" ;-) (better: "Missing access rights for this item")
> 
>>
>> Point c)
>>   - The User B, since is still in the item, get a front message that the
>> TODO was changed by the admin, but when he want to see the changes,
>> the access still say "User A and User B", since the access is cached in
>> the server.
>>
>> That is more or less not so important, since is an strange case,
>> but what about the same on a project?
>>
>> If the User A is removed from a project, then he will have some errors
>> when try to access to it (an Exception since the "node" don't exists).
> 
> This should be the same error message as above. Any access control error
> should result in a clear error message documenting the user does not
> have access rights to the current item (anymore).
> 
>> If the User A is ADDED to one project, the user will receive a front
>> message, but he DON'T will see the new project, since the access for all
>> the projects is already cached from the server for him.
>> The solution is "logout, and login again".
>>
>> These cases, are not so commons, but can happen and we should offer some
>> solutions for that.
> 
> For me it looks like a wrong caching strategy. The caching should work
> with active invalidation, i.e. if an item changes on the server, every
> cache for it should be cleared - even client-side caches.
> 
> The Zend_Cache provides tagging and the clean method for this purpose.
> 
> 
> Greetings,
> Johann
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel
> 

Re: [Phprojekt-devel] Access, cache and multi users

[Johann-Peter H. <har...@ma...>]

Hi,

Gustavo Solt schrieb:
> Point b)
>   - If the User A was IN the TODO #1, and try to change something, he
> will get a message "The item don't exist" (for him, don't exists anymore)

That's a misleading error message, it should be "You are not allowed to
do this!" ;-) (better: "Missing access rights for this item")

> 
> Point c)
>   - The User B, since is still in the item, get a front message that the
> TODO was changed by the admin, but when he want to see the changes,
> the access still say "User A and User B", since the access is cached in
> the server.
> 
> That is more or less not so important, since is an strange case,
> but what about the same on a project?
> 
> If the User A is removed from a project, then he will have some errors
> when try to access to it (an Exception since the "node" don't exists).

This should be the same error message as above. Any access control error
should result in a clear error message documenting the user does not
have access rights to the current item (anymore).

> If the User A is ADDED to one project, the user will receive a front
> message, but he DON'T will see the new project, since the access for all
> the projects is already cached from the server for him.
> The solution is "logout, and login again".
> 
> These cases, are not so commons, but can happen and we should offer some
> solutions for that.

For me it looks like a wrong caching strategy. The caching should work
with active invalidation, i.e. if an item changes on the server, every
cache for it should be cleared - even client-side caches.

The Zend_Cache provides tagging and the clean method for this purpose.


Greetings,
Johann

[Phprojekt-devel] Access, cache and multi users

[Gustavo S. <gus...@gm...>]

Hi all,
 I have a question, about how we can resolve that:

Imagine this case:

User A have access to a TODO #1
User B have access to a TODO #1

1- User A is online, see the TODO #1 (the access is cached)
2- User B is online, see the TODO #1 (the access is cached)
3- Now the admin for example, remove the User A from the TODO #1, and
keep only the access to the User B.

Point a)
  - The User A that is online, since he is not anymore in the item TODO
#1, he don't receive any message about the change.

Point b)
  - If the User A was IN the TODO #1, and try to change something, he
will get a message "The item don't exist" (for him, don't exists anymore)

Point c)
  - The User B, since is still in the item, get a front message that the
TODO was changed by the admin, but when he want to see the changes,
the access still say "User A and User B", since the access is cached in
the server.

That is more or less not so important, since is an strange case,
but what about the same on a project?

If the User A is removed from a project, then he will have some errors
when try to access to it (an Exception since the "node" don't exists).

If the User A is ADDED to one project, the user will receive a front
message, but he DON'T will see the new project, since the access for all
the projects is already cached from the server for him.
The solution is "logout, and login again".

These cases, are not so commons, but can happen and we should offer some
solutions for that.

In resume, the problem is, if you keep the data PER USER in the SESSION,
for improve the speed, then when other user change something, the
current user have the old data cached in the server side.

Solutions:
  1- An extra request to the server that say "remove all the cache".
	- That can be called when a front message appear, but will work only if
the front page is activated.

  2- Don't cache the access of several users.
	- The speedy will decrees.

  3- Keep the cache in the server as a file instead of the SESSION (like
the project tree or the language), so any user can access to it, and
delete it for be re-calculated.
	- Access to a file have always less performance that access to the memory.

Suggestions are welcome :D

Greetings,
Gustavo Solt

Re: [Phprojekt-devel] How many people uses Phprojekt?

[Albrecht G. <alb...@ma...>]

Unfortunately not, since it is an open source project :-/

>   Do you have a number, of how many people/companies use Phprojekt
> currently? I mean, 5th version and previous ones? (from now on, also the
> 6th!)
> 
>   Just a total number for all versions, or something that gives me an
> idea of the world scope of it.
> 
> Thanks
> Mariano
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

[Phprojekt-devel] How many people uses Phprojekt?

[Mariano La P. <mar...@gm...>]

Hello people

  Do you have a number, of how many people/companies use Phprojekt
currently? I mean, 5th version and previous ones? (from now on, also the
6th!)

  Just a total number for all versions, or something that gives me an
idea of the world scope of it.

Thanks
Mariano

Re: [Phprojekt-devel] New screencast: Why to choose Phprojekt 6

[Albrecht G. <alb...@ma...>]

Hi Mariano,

> http://www.youtube.com/watch?v=KZbBK-N1UAU&fmt=6
this one looks pretty good, and I thzink we should
publish it on thursday, since we have today we have 6.0.1 to release.

all the best
Albrecht


>   I think it is highly recommended to publish it in 480p resolution.
> This link has the suffix '&fmt=6' that makes the video to get opened in
> this resolution, instead of 360p. When seen in 360p the URL in the
> browser and the text of P6 itself is not clearly seen (from 0:49 until
> the end of the video).
> 
> 
> Let's choose Phprojekt, the one with the bee logo! :-)
> 
> Mariano
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

Re: [Phprojekt-devel] New screencast: Why to choose Phprojekt 6

[David S. P. <ds...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 19.03.10 01:36, schrieb Mariano La Penna:
> New screencast ready.
> 
> http://www.youtube.com/watch?v=KZbBK-N1UAU&fmt=6
> 
>   I think it is highly recommended to publish it in 480p resolution.
> This link has the suffix '&fmt=6' that makes the video to get opened in
> this resolution, instead of 360p. When seen in 360p the URL in the
> browser and the text of P6 itself is not clearly seen (from 0:49 until
> the end of the video).

really great. Good story and good implementation. It's very convincing.

Keep on the good work.
David

> 
> Let's choose Phprojekt, the one with the bee logo! :-)
> 
> Mariano
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Phprojekt-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phprojekt-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuk+p4ACgkQ/snRGA1Vb0sdawCgroSYtxO4YioVH9h5Kt9XaAgg
tsIAoJykExK3pCBWcnJgMstSSMmPwzPp
=6gUC
-----END PGP SIGNATURE-----

[Phprojekt-devel] New screencast: Why to choose Phprojekt 6

[Mariano La P. <mar...@gm...>]

New screencast ready.

http://www.youtube.com/watch?v=KZbBK-N1UAU&fmt=6

  I think it is highly recommended to publish it in 480p resolution.
This link has the suffix '&fmt=6' that makes the video to get opened in
this resolution, instead of 360p. When seen in 360p the URL in the
browser and the text of P6 itself is not clearly seen (from 0:49 until
the end of the video).


Let's choose Phprojekt, the one with the bee logo! :-)

Mariano

[Phprojekt-devel] bug in migration

[Albrecht G. <alb...@ma...>]

Hi Guys,

well, this first bug came pretty fast :-)

Here the plan for the next days:
1. ticket in bugtracker is created, this is
   always the first action

2. then fix it and validate the fix

3. commit it into the trunk

4. make a remark on the ticket, that
   it is solved in the trunk on
   github

5. post a news (for this bug, we
   will do this NOT NOW - in order not
   to spoil our nice release posting!)
   I propose to do this on tuesday

6. release the bug with the next update
   maybe friday to collect more bugs.

any other opinion?

all the best
Albrecht

[Phprojekt-devel] Timecard new layout: remarks

[Albrecht G. <alb...@ma...>]

Hi Gustavo,

thank you for the improved layout of the timecard!
Here are my remarks:

- I think it is very good, that the day view looks
  like the day view in the calendar - this is usability!
  Question: how difficult would it be to have the
  same funcktionality here as in the calendar?
  (aka: drag and expand also here possible?)
  So the only difference would be the form ...

  (of curse it would mean to have the same classses
   in the code, yes)

- For calendar AND timecard a small feature
  request: booked items should have a different
  backgorund colour than the both colours of the
  day view (at the moment it is rather transparent,
  which is puzzling).

- Month view (=list of days in month), right pane:
  - since fpor me it seems, that we still have
    space to the button, can we:
    - move the month name above the list?
      Please list month name and year
    - move the day selector there, too?
    - give a bit more space between the days?

- entries in day view:
  - separation is done, thnx. Maybe the remark
    is more important than the project - but
    leave it like it is, we can change it after
    the release very easily.

  - Borders should have the same layout as in
    the calendar.

- Day view: Please give a short feedback,
  whether it is possible just to display a part
  of the whole day (e.g. 8-18) and to make
  it scrollable. If yes, we can have 30 minutes
  instead of one hour as the unit.

- Form:
  - we need a 'cancel' button here.

- Popup favourite projects:
  Please add the text:
  "Favorite projects appear first in the
   select box of the form"
  so the user knows for what the selection
  is good for.

What do you think?

all the best
Albrecht