Thread: Re: [psa-devel]Next Steps
From: Justin K. <ju...@ko...> - 2003-05-29 19:12:36

Albert Lash wrote:
> On 5/29/03 12:22 PM, "Justin Koivisto" <ju...@ko...> wrote:
>
>>Albert Lash wrote:
>>
>>>What's next for PSA? Do you want to keep testing CVS before we release?
>>
>>There are still some things that can be cleaned up with the password
>>reset. Really, they are minor, but all the form fields and variables
>>used in the GUI pages should be prefixed with PSA_ so it doesn't clash
>>with other applications. Other than that, it is time to start doing some
>>documentation.
>>
>>>Some small additions we should include now are a prefix setting so the app
>>>can be moved to different folders with reference to the security folder.
>>
>>Do you mean like $PSA_PATH in index.php on line 24 and _restrict.php on
>>line 4?
>
> No, that's not what I'm talking about. If I built the site structure off the
> document root as is done now, but then realized I wanted to put it into
> another folder on a different server, I would have to add that folder name
> to the beginning of every page in the site structure. I hacked it in using
> this:
>
> $PSA_page = $_SERVER['PHP_SELF'];
> $PSA_page = str_replace("$MMHOME", "", $PSA_page);
>
> Where $MMHOME points to the root of the app. It would be nice if this were a
> part of the config file.
>
> I'm not talking about if you move psa, but if you move the app that it is
> controlling the access to.

Gotcha. OK, so now I have in config.php:

$PSA_SCR=array(
    'Type' => 'mysql',
    'Host' => 'localhost',
    'User' => 'user',
    'Password' => 'pass',
    'Database' => 'psa_db',
    'Language' => 'en',
    'SiteName' => 'www.your_domain.com',
    'SitePath' => $_SERVER['DOCUMENT_ROOT'],
    'IncludePath' => dirname(__FILE__).'/../../metabase',
    'MbSchemaDir' => dirname(__FILE__).'/..'
);

in the constructor:

if(isset($PSA_SCR['SitePath'])){
    $this->SITE_PATH=$PSA_SCR['SitePath'];
}else{
    $this->SITE_PATH=$_SERVER['DOCUMENT_ROOT'];
}

and the hasRights method:

function hasRights($url,$url2=''){
    $this->ERROR=array();
    // Make sure that the database will contain the full URI for the page
    $url=preg_replace('/(\?|&)'.session_name().'=[A-Z0-9]{32}/i','',$url);
    $url2=preg_replace('/(\?|&)'.session_name().'=[A-Z0-9]{32}/i','',$url2);
    $url3=$this->scr['SitePath'].$url;
    $url4=$this->scr['SitePath'].$url2;
    $query="SELECT groups FROM psa_users WHERE id=".$this->db->GetTextFieldValue($_SESSION['PSA_psaun']);
    $result=$this->db->Query($query);
    if(!$result){
        $this->ERROR[]=$this->db->Error();
        return FALSE;
    }
    $groups=explode(',',$this->db->FetchResult($result,0,0,0));

    $query='SELECT id FROM psa_pages WHERE page='.$this->db->GetTextFieldValue($url).
        ' OR page='.$this->db->GetTextFieldValue($url2).
        ' OR page='.$this->db->GetTextFieldValue($url3).
        ' OR page='.$this->db->GetTextFieldValue($url4);

    $tmp=explode('/',$url2);
    $running='';
    $running2=$this->SITE_PATH;
    foreach($tmp as $part){
        $running.=$part.'/';
        $running2.=$part.'/';
        $query.=' OR page='.$this->db->GetTextFieldValue($running.'*').
            ' OR page='.$this->db->GetTextFieldValue($running2.'*');
    }
    $result=$this->db->Query($query);
    if(!$result){
        $this->ERROR[]=$this->db->Error();
        return FALSE;
    }
    for($i=0;$i<$this->db->NumberOfRows($result);++$i){
        $pageid=$this->db->FetchResult($result,$i,0);
        reset($groups);
        while(list($k,$gid)=@each($groups)){
            $rightsar=$this->getProfile($gid);
            $page_rights=unserialize($rightsar['rights']);
            if(isset($page_rights[$pageid]))
                return TRUE;
        }
    }
    // no match in the database
    $this->ERROR[]=_("You do not have access rights to this content");
    return FALSE;
}

I haven't tested these yet, but I will sometime today

> Good point, but I really suck at documentation and I had forgot you had
> suggested that. I'll hack some stuff together - do you want me to work off
> the documentation that exists?

Yes, you can start with that. There shouldn't be a whole lot to change, but maybe some re-phrasing is in order.

> I like the $PSA_ prepend for the variables, very smart.

SuperAlberT suggested that one a while back. ;)

> Are wildcards already included?

In the documentation? I think so... In the app, yes, I've been using it for my mod-rewrite sites ;)

From: Albert L. <al...@pl...> - 2003-05-30 12:54:06

>
> OK, so now I have in config.php:
>
> $PSA_SCR=array(
>     'Type' => 'mysql',
>     'Host' => 'localhost',
>     'User' => 'user',
>     'Password' => 'pass',
>     'Database' => 'psa_db',
>     'Language' => 'en',
>     'SiteName' => 'www.your_domain.com',
>     'SitePath' => $_SERVER['DOCUMENT_ROOT'],
>     'IncludePath' => dirname(__FILE__).'/../../metabase',
>     'MbSchemaDir' => dirname(__FILE__).'/..'
> );
>
> in the constructor:
>
> if(isset($PSA_SCR['SitePath'])){
>     $this->SITE_PATH=$PSA_SCR['SitePath'];
> }else{
>     $this->SITE_PATH=$_SERVER['DOCUMENT_ROOT'];
> }
>
> and the hasRights method:
>
> function hasRights($url,$url2=''){
>     $this->ERROR=array();
>     // Make sure that the database will contain the full URI for the page
>     $url=preg_replace('/(\?|&)'.session_name().'=[A-Z0-9]{32}/i','',$url);
>     $url2=preg_replace('/(\?|&)'.session_name().'=[A-Z0-9]{32}/i','',$url2);
>     $url3=$this->scr['SitePath'].$url;
>     $url4=$this->scr['SitePath'].$url2;
>     $query="SELECT groups FROM psa_users WHERE id=".$this->db->GetTextFieldValue($_SESSION['PSA_psaun']);
>     $result=$this->db->Query($query);
>     if(!$result){
>         $this->ERROR[]=$this->db->Error();
>         return FALSE;
>     }
>     $groups=explode(',',$this->db->FetchResult($result,0,0,0));
>
>     $query='SELECT id FROM psa_pages WHERE page='.$this->db->GetTextFieldValue($url).
>         ' OR page='.$this->db->GetTextFieldValue($url2).
>         ' OR page='.$this->db->GetTextFieldValue($url3).
>         ' OR page='.$this->db->GetTextFieldValue($url4);
>
>     $tmp=explode('/',$url2);
>     $running='';
>     $running2=$this->SITE_PATH;
>     foreach($tmp as $part){
>         $running.=$part.'/';
>         $running2.=$part.'/';
>         $query.=' OR page='.$this->db->GetTextFieldValue($running.'*').
>             ' OR page='.$this->db->GetTextFieldValue($running2.'*');
>     }
>     $result=$this->db->Query($query);
>     if(!$result){
>         $this->ERROR[]=$this->db->Error();
>         return FALSE;
>     }
>     for($i=0;$i<$this->db->NumberOfRows($result);++$i){
>         $pageid=$this->db->FetchResult($result,$i,0);
>         reset($groups);
>         while(list($k,$gid)=@each($groups)){
>             $rightsar=$this->getProfile($gid);
>             $page_rights=unserialize($rightsar['rights']);
>             if(isset($page_rights[$pageid]))
>                 return TRUE;
>         }
>     }
>     // no match in the database
>     $this->ERROR[]=_("You do not have access rights to this content");
>     return FALSE;
> }
>
> I haven't tested these yet, but I will sometime today

That's the right idea. I updated some of the documentation a little today, just to get started. Has the GetText for translations been implemented?

I've been testing out the problem I had with manual password change and it appears to have been fixed. I've prepended all the variables in user_passwordreset with psa_.

Have you thought any more about the idea of replacing the site structure with an xml document?

Albert

From: Justin K. <ju...@ko...> - 2003-05-30 13:40:46

Albert Lash wrote:
> That's the right idea. I updated some of the documentation a little today,
> just to get started. Has the GetText for translations been implemented?

Yes, gettext is being used... (Man that documentation must be old! LOL)

> I've been testing out the problem I had with manual password change and it
> appears to have been fixed. I've prepended all the variables in
> user_passwordreset with psa_.

Cool.

> Have you thought any more about the idea of replacing the site structure
> with an xml document?

Hmm.. I forgot about that... Run it by me again to refresh my memory. Also, if you post it to the list, maybe we'll be able to get some more input from other developers... However, it does seem like it is just the two of us right now ;)

That reminds me... do you have experience with the SourceForge CVS? Specifically setting up write access for developers to certain directories?

From: Albert L. <al...@pl...> - 2003-05-30 14:07:07

>> Have you thought any more about the idea of replacing the site structure
>> with an xml document?
>
> Hmm.. I forgot about that... Run it by me again to refresh my memory.
> Also, if you post it to the list, maybe we'll be able to get some more
> input from other developers... However, it does seem like it is just the
> two of us right now ;)

True, but I'm sure in time they will come. Rather than having the db define the site structure, you can have an xml document that specifies the site structure. Often called a sitemap. This concept is tried and true - used in Cocoon (a Java CMS), Popoon (a php CMS framework used in BitFlux), and Nexista (a php application platform). PSA would then read the sitemap file rather than the page urls from the db. The best part of this is that developers could then use the sitemap file to also specify class includes based on uri, and much much more.

I would have to suggest checking out Nexista. http://www.nexista.com/ The code is very clean and well thought out though a little nebulous and tries to be everything to everyone. It at least is a very good example of how a sitemap is used.

> That reminds me... do you have experience with the SourceForge CVS?
> Specifically setting up write access for developers to certain directories?

I don't! And I'm getting a bit frustrated at Sourceforge in general. There is also Tigris which seems very nice. http://www.tigris.org/ This is where Nexista will be hosted once the developer releases the most up to date version to the public.

From: Justin K. <ju...@ko...> - 2003-05-30 14:46:46

Albert Lash wrote:
>>>Have you thought any more about the idea of replacing the site structure
>>>with an xml document?
>>
>>Hmm.. I forgot about that... Run it by me again to refresh my memory.
>
> Rather than having the db define
> the site structure, you can have an xml document that specifies the site
> structure. Often called a sitemap. This concept is tried and true - used in
> Cocoon (a Java CMS), Popoon (a php CMS framework used in BitFlux), and
> Nexista (a php application platform). PSA would then read the sitemap file
> rather than the page urls from the db. The best part of this is that
> developers could then use the sitemap file to also specify class includes
> based on uri, and much much more.

It does sound like a good idea. I don't know how you'd go about using wildcards in a site map though - especially if your site uses the XML file to generate it as a navigation point for users.

I can see how this would be good for initializing and updating the site structure. However, we'd have to add functionality to automatically determine how to create wildcard entries where they want them in a way that it wouldn't affect the site map XML file if it is being used for the site itself.

I will take a look into this some more and post a few ideas of how it can work. Once the plan is laid out, we could proceed from there.

> I would have to suggest checking out Nexista. http://www.nexista.com/ The
> code is very clean and well thought out though a little nebulous and tries
> to be everything to everyone. It at least is a very good example of how a
> sitemap is used.

I will try to check this out.

>>That reminds me... do you have experience with the SourceForge CVS?
>>Specifically setting up write access for developers to certain directories?
>
> I don't! And I'm getting a bit frustrated at Sourceforge in general. There
> is also Tigris which seems very nice. http://www.tigris.org/ This is where
> Nexista will be hosted once the developer releases the most up to date
> version to the public.

I will check this out as well.

From: Justin K. <ju...@ko...> - 2003-05-30 14:59:51

OK, I have tested and made a few changes. I had a few problems with using the wildcards and SITE_PATH at first. I have added entries in the config for SitePath and SiteOldPath.

If the app is moved, the SiteOldPath would hold the previous value of the SitePath, and SitePath would then hold the new site or app root (based on URI). Doing this eliminated problems of files having the same name in different folders being applied the same access rights.

I am thinking that the XML file idea would work much better for this stuff because once you updated the file, you could run an update method that would actually update the database, eliminating the need for the stuff that I just hacked in.

I won't commit to CVS just yet, I want to check out about using the XML file for initializing/updating the structure instead.

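The lookup discussed in the messages above (strip the session id, relocate the request path against the app root, then try the exact page and its wildcard parents), as an added example that is not PSA code and not part of the original thread. The function names, the `$acl` array standing in for the page and rights tables, and the `/intranet` root are assumptions; the root is removed only when it is a leading prefix, so it cannot collapse two different folders onto one key.

```php
<?php
// Added example, not PSA code: all function names and sample data are hypothetical.

// Drop "?NAME=<32 alphanumerics>" so the session id never becomes part of the ACL key.
function acl_strip_session(string $url, string $sessName): string {
    $re = '/(\?|&)' . preg_quote($sessName, '/') . '=[A-Z0-9]{32}/i';
    return (string) preg_replace($re, '', $url);
}

// Remove the app root only when it is a leading path prefix, never mid-path.
function acl_strip_root(string $path, string $appRoot): string {
    $appRoot = rtrim($appRoot, '/');
    if ($appRoot !== '' && strpos($path, $appRoot . '/') === 0) {
        return substr($path, strlen($appRoot));
    }
    return $path;
}

// Exact key first, then one wildcard key per parent directory:
// /a/b/c.php gives /a/b/c.php, /*, /a/*, /a/b/*
function acl_candidates(string $path): array {
    $parts = explode('/', trim($path, '/'));
    array_pop($parts);                      // last segment is the file name
    $keys = [$path, '/*'];
    $running = '/';
    foreach ($parts as $part) {
        $running .= $part . '/';
        $keys[] = $running . '*';
    }
    return $keys;
}

// Deny by default: allow only when a candidate key lists one of the user's groups.
function acl_has_rights(string $url, array $groups, array $acl, string $appRoot): bool {
    $path = acl_strip_root(acl_strip_session($url, 'PHPSESSID'), $appRoot);
    foreach (acl_candidates($path) as $key) {
        if (isset($acl[$key]) && array_intersect($acl[$key], $groups)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the app lives under /intranet, ACL keys are app-relative.
$acl = ['/admin/*' => ['admins'], '/reports/index.php' => ['staff', 'admins']];
$sid = str_repeat('a', 32);
var_dump(acl_has_rights("/intranet/admin/users.php?PHPSESSID=$sid", ['admins'], $acl, '/intranet'));
var_dump(acl_has_rights('/intranet/public/admin/users.php', ['admins'], $acl, '/intranet'));
var_dump(acl_has_rights('/intranet/reports/index.php', ['guests'], $acl, '/intranet'));
```

The second call is the case raised in the thread: a file with the same name in a different folder gets no rights from the `/admin/*` entry.
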
From: Albert L. <al...@pl...> - 2003-05-30 16:10:30

On 5/30/03 10:59 AM, "Justin Koivisto" <ju...@ko...> wrote:

> OK, I have tested and made a few changes. I had a few problems with
> using the wildcards and SITE_PATH at first. I have added entries in the
> config for SitePath and SiteOldPath.
>
> If the app is moved, the SiteOldPath would hold the previous value of
> the SitePath, and SitePath would then hold the new site or app root
> (based on URI). Doing this eliminated problems of files having the same
> name in different folders being applied the same access rights.

Very smart.

> I am thinking that the XML file idea would work much better for this
> stuff because once you updated the file, you could run an update method
> that would actually update the database, eliminating the need for the
> stuff that I just hacked in.

That's not exactly what I was thinking but it makes sense. The sitemap is usually transformed and cached - I guess the db structure could be the "cache". I'll have to think about this some more.

> I won't commit to CVS just yet, I want to check out about using the XML
> file for initializing/updating the structure instead.

We should hold off on integrating this right now. I just wanted to see if you would consider doing so as we move forward and it sounds like you will. It will be smart to do as it makes it easier to integrate with newer style web app architectures. It is complicated though and we should consider the different possibilities. I'll spend some more time thinking about how this can work and get back to you.

For now, let's just release a well tested version 3.1 that is solid. I'll try to bring in some other developers to improve discussions for the sitemap considerations.

Let's stay with SF for now, the problem with CVS is for the translations? You want to make lang accessible to other developers? I don't think you can have different groups of developers, can you?

From: Albert L. <al...@pl...> - 2003-06-05 14:56:02

Hi Justin,

Are you feeling confident about the documentation I've updated? I just added a bit about the password recovery Q&A. If so, let's release version 3.1 to sourceforge.net.

I'm still researching the xml sitemaps. I definitely do not want to re-invent the wheel.

Thanks,
Alby

From: Justin K. <ju...@ko...> - 2003-06-05 16:33:44

Albert Lash wrote:
> Are you feeling confident about the documentation I've updated? I just added
> a bit about the password recovery Q&A. If so, let's release version 3.1 to
> sourceforge.net.

Actually, I haven't had a chance, things suddenly got hectic here. Hopefully I'll be able to review it this week.

> I'm still researching the xml sitemaps. I definitely do not want to
> re-invent the wheel.

Yes, that is a great idea. The biggest thing that I wanted to look at is if someone is going to use an xml site map for PSA, then it should be in a form that could be useful in dynamically generating a site map page for their visitors as well. I don't know what formats are out there now doing this, but if we can base it off one of those with minor changes, that would likely be best. Also, see my concerns about structure and xml file updating.

I am trying to get to work on this thing, but I just don't have the time right now, sorry.

From: Albert L. <al...@pl...> - 2003-06-05 20:52:33

On 6/5/03 12:19 PM, "Justin Koivisto" <ju...@ko...> wrote:

> Albert Lash wrote:
>> Are you feeling confident about the documentation I've updated? I just added
>> a bit about the password recovery Q&A. If so, let's release version 3.1 to
>> sourceforge.net.
>
> Actually, I haven't had a chance, things suddenly got hectic here.
> Hopefully I'll be able to review it this week.
>

Not to worry. I've just been doing a lot of programming lately.

>> I'm still researching the xml sitemaps. I definitely do not want to
>> re-invent the wheel.
>
> Yes, that is a great idea. The biggest thing that I wanted to look at is
> if someone is going to use an xml site map for PSA, then it should be in
> a form that could be useful in dynamically generating a site map page
> for their visitors as well. I don't know what formats are out there now
> doing this, but if we can base it off one of those with minor changes,
> that would likely be best. Also, see my concerns about structure and xml
> file updating.

That's exactly right. The plan is that it will be able to do a whole lot more than that! Nexista is the best one but the developer is MIA right now. My main concern is that I don't know much about XML transformation. In the mean time I'll work on the XML structure, how to transform it, and how to cache it.

> I am trying to get to work on this thing, but I just don't have the time
> right now, sorry.

No sweat.