Developer meetings log20071122
From Elgg Documentation
<ewout> listen, I saw Stallman yesterday!
<misja> hey, really?!?
<ewout> http://stoa.usp.br/ewout/weblog/10287.html
<ewout> yeah, the living legend himself, at our university.
<ewout> Hahaa, it was weird. He is a rather strange person.
<misja> cool
<ewout> but it was nice to see the legend himself, at least once in a lifetime
<misja> I can imagine
<ewout> I have a security issue that I want to put on the agenda
<misja> ok
<ewout> can I upload files here? I don't think so
<misja> you can send them via gtalk?
<ewout> I can cut and paste, it is very small
<misja> btw, I've created http://elgg.org/mod/mediawiki/wiki/index.php/Developer_meetings
<ewout> do you want to do it now?
<misja> sure
<ewout> ok, consider this file, uploaded to a users space
<ewout> <html><head><title></title></head>
<ewout> <body>
<ewout> <iframe id="mf" name="mf" src="/elgg/mod/blog/edit.php" style="width:0;height:0"></iframe>
<ewout> <script>
<ewout> setTimeout("goninja(window.document.mf)",5000);
<ewout> function goninja(){
<ewout> mf.document.getElementById ("new_weblog_title").value="Go ninja go!";
<ewout> mf.document.getElementById ("new_weblog_post").value="Be careful where you go while logged into Elgg!";
<ewout> mf.document.elggform.new_weblog_access.selectedIndex=0;
<ewout> mf.document.elggform.submit();
<ewout> }
<ewout> </script>
<ewout> <p>Original idea: <a href="stoa.usp.br/oda">Oda</a></p>
<ewout> </body>
<ewout> </html>
<misja> ah, I see
<ewout> Other logged in users visiting this file will be invaded by a blog post that was added automatically
<misja> hmm
<ewout> but you can put this code also on your profile, if the generic widget plugin is installed
<ewout> but the uploaded file attack works on a clean elgg install also
<ewout> and also passwords, etc. could have been changed
<ewout> if this would be on another site, it would be called a cross site request forgery attack, I think
<ewout> It would probably work also?!
<misja> nasty - ok, do you have a suggestion how to prevent this?
<ewout> I just learned about it today
<ewout> from what I gather, CSRF http://en.wikipedia.org/wiki/Cross-site_request_forgery are protected by putting
<ewout> hidden fields in all <forms>, based on the users session id
<ewout> so that you can be sure that the elgg server made the <form>
<ewout> but I don't know whether that will help here, because the iframe uses the mod/blog/edit.php page generated by elgg itself
<ewout> maybe it is not possible to protect against?
<misja> pff, this will need a close look, rho?
<misja> brb - 5 mins
<ewout> we need some web specialist here... (not me :)
<ewout> but this takes some careful thinking
<rho> i'm here
<ewout> let's think about it, and try to ask for advice
<misja> hi rho, do you have any experience in these matters?
<rho> maybe use in forms some hash hidden input based on time and form name and user session?
<misja> yes, but as ewout mentioned, it can call the url directly?
<ewout> yeah, but the form is generated by elgg. The iframe submits the actual elgg form
<ewout> the form is not forged
<rho> but elgg will expect the form secret key
<rho> stored in session var
<misja> ok
<misja> but I agree we should think about a solution
<rho> but, one problem would be that the forms are hardcoded around elgg
<misja> true
<rho> this also would prevent double submitting
<ewout> yeah, just like the sql code very early in the project, that had to be rewritten too to protect against sql injection attacks, right?
<ewout> (although that was before I got involved in elgg)
<misja> yes
<ewout> as I see it, in the long term, permitting Javascript on profiles is not optional
<misja> yes, true
<ewout> people will come to expect being able to put javascript / flash applications there
<ewout> we might just as well get ready now
<misja> I agree
<misja> let's leave this for now and think about this more
<ewout> ok
<rho> i'll take a look on how other projects secure their forms
<misja> yes, whatever we can fin
<misja> *find*
<misja> ok, to the agenda?
<ewout> what else is on it?
<misja> http://elgg.org/mod/mediawiki/wiki/index.php/Developer_meetings
<misja> shout if you've got other stuff
<misja> basically seeing if 0.9 is on track and doable,
<misja> and other things that popped up in the mentime
<misja> meantime
<ewout> I don't know, there seem to be many buglets
<misja> e.g. rho's suggestion to do control file the Debian way
<ewout> the move from units to mod is not painless
<rho> there are some issues related to run('init')
<ewout> who knows whether we will find more
<misja> what have you discovered?
<rho> as mod/ is loaded before run('init'), modules that register 'init' function don't get executed
<rho> before? i mean after
<misja> o yes
<rho> http://elgg.org/trac/ticket/144
<misja> it will need to be checked again, more modules have moved
<misja> the fix looks good, though
<rho> or init $functions could be moved into plugin_init function
<ewout> Ah, I see, that means this checkin should be changed, also http://elgg.org/trac/changeset/1293
<ewout> I didn't understand what the issue was
<rho> content flagging
<rho> the flag action is on admin_init that is registered to function[init]
<misja> moving them to plugin_init is the cleanest, but will there be time enough?
<rho> but isn't executed because run('init') was executed before
<misja> I'm afraid we'll need your workaround for now
<rho> yes
<rho> at future $function will be deprecated, right?
<misja> yes, we'll need to get rid of those globals
<rho> i think elgg will run faster if it doesn't have to load a lot of files, reduce disk seeks
<misja> exactly, load on demand
<rho> or wrap into a php function
<misja> yes, that was the idea
<misja> something for 1.0,
<misja> but to start thinking about already
<misja> other current issues?
<misja> that is, issues which need particular attention?
<rho> include templates by default?
<ewout> ok, maybe that has to do with my work on default content
<ewout> I decided to implement it as a plugin
<ewout> a skeleton is ready, I will put it into the repo tomorrow
<misja> which is the smartest thing to do
<ewout> I could include default templates also
<misja> but rho, are you referring to a ticket?
<rho> no, there are some templates available, but some users wish to have them by default. Also needs to check if they are working out of the box
<misja> ok,
<misja> there are two people working on templates right now
<rho> great
<misja> not sure what the result will be, of course :)
<ewout> so what do you think, all of those ticket can be closed within 1.5 weeks?
<misja> one is Jose Maria
<misja> I think we can close a good deal of them
<misja> but not sure if we can have all features in as well,
<misja> e.g. your installer and page editor, rho
<misja> i.e. the roadmap http://elgg.org/trac/roadmap
<ewout> well, let's move on to svn branching and .htaccess?
<misja> got a message from Diego, will forward it
<ewout> rho, what did you decide on the .htaccess issue?
<ewout> put it in the repo?
<rho> i didn't take a decision
<ewout> as I said, do whatever is best for new users
<misja> I agree
<rho> ewout, have you tested the installer?
<ewout> no
<ewout> where can I find it?
<misja> did you manage to incorporate the things we talked about?
<rho> i added admin username option
<rho> and started the "configuration manager"
<misja> great
<misja> just post a patch when you've got something
<misja> ewout, try the current patch to get an idea
<rho> ewout: http://elgg.org/trac/ticket/158
<rho> about the pages module, what improvements are needed?
<ewout> hmm, difficult patch to apply
<ewout> any hints?
<misja> mainly for users to have the ability to create static pages
<misja> patch -p1 < patch.dif worked for me?
<ewout> yes!
<ewout> sorry
<rho> also show the menu on frontpage?
<misja> what do you mean?
<rho> the pages menu
<rho> on sidebar
<misja> ah, I'll need to take a look
<rho> please take a look, i think administrator should be able to execute php code
<rho> and normal user's pages only html, like on blog posting
<misja> yes, exactly
<rho> maybe add visual editor for normal user's pages
<misja> yes, definitely
<ewout> just tried the new installer with a fresh elgg checkout
<ewout> it doesn't create the database, right?
<ewout> also: maybe there should be instructions on how to change the permission on the elgg tree?
<ewout> something like "to change these permission, do chmod -R 777 . " or something like that
<ewout> same with : "please revert your permissions", better to be more explicit
<rho> chmod is only applicable if users are in unix-like system with shell access
<ewout> yes
<misja> plus there are a number of users doing installs via cpanel type of tools ...
<ewout> but all of our users are in a unix like environment, elgg does not really run in windows, right?
<misja> yes it does
<misja> only not well with iid
<ewout> :)
<misja> **IIS
<misja> but really, there are people doing this on windows with apache and mysql ...
<ewout> my point is: if the database has to be created manually, let's say explicitly how that can be done
<ewout> same with changing permission, give explicit instructions
<ewout> or pointers
<rho> did you mean the "create database ..." command?
<misja> rho - about the sidebar menu, that will probably need to be there for users too, but with their context
<ewout> yeah, I guess also explain how to enter into mysql...
<rho> i agree, but that information with steps could go into the install file
<misja> pff, it should not totally get dumbed down ...
<ewout> haahaha, did you see the forum?
<rho> ok, these days i'll post advances on installer
<rho> what about postgres support?
<ewout> anyway, other suggestion: why no empty passwords?
<rho> where?
<ewout> what's the point of a mysql passwd anyway, if only accessible from localhost?
<misja> postgresql has always been number two, I think it should get covered too
<ewout> in your installer, it won't let me write a config.php with an empty passwd
<rho> as far as I tested, adodb can not connect with empty password
<rho> or it is?
<ewout> well, I run elgg at home with an empty passwd
<misja> ewout, the one about 0.9 on the forum?
<ewout> yes?
<rho> ok, installer will allow empty db password
<misja> asking for a thanksgiving present?
<rho> hahahaha
<misja> unbelievable ...
<ewout> haha
<rho> funny
<misja> don't even ask about the type of email I receive daily ...
<misja> anyway, we were talking about the installer and pages
<rho> about the installer
<rho> as you can see, there is a config.php stripped down with few options, just wwwroot and db related
<rho> all others options should be managed from administration panel (not elggadmin)
<rho> stored in datalists
<rho> there is already get_config() function that store in $CFG values from datalists table
<rho> but, one point if config.php should take precedence
<rho> to force values
<rho> did i explain right?
<ewout> I like the idea
<ewout> only essential things first, then fine-tune
<misja> btw, did you read Diego's message?
<ewout> yes
<misja> he is not in favour of the .htaccess file
<ewout> listen, I will finish the first version of the newuser plugin (default content)
<ewout> and also try to find as many bugs as possible
<ewout> that is what I can promise
<misja> sounds good to me
<misja> but what shall we do with the .htaccess - it remains troublesome
<rho> Diego says before to rename .htaccess only on distribution, not in repository
<rho> that's an option
<ewout> rho, your installer looks good. But keep in mind, you cannot imagine how little our users know
<ewout> better too much hand-holding than too little!
<misja> it looks very good already, I agree, plus the pages plugin is nice, very nice
<misja> about .htaccess, ok, in the distribution only
<rho> my point is to reduce steps on installation, not hide things from the user
<misja> I'll have another good look at the INSTALL file
<misja> e.g. there are now many tips and tricks on the wiki which could get referenced
<misja> ok, shall we try to round this off for today?
<ewout> yep
<misja> rho - are you ok with your workload?
<ewout> do you have somebody to ask about the security issue?
<ewout> do you want the file?
<misja> yes, sure
<misja> and no, I haven't got someone
<ewout> I'll send it to you
<misja> will also forward it to Ben
<misja> he might have some ideas
<misja> and we all look around to see how others do it
<rho> pages module need some tweaks and integration, not too much problem. On configuration manager i'll work more
<misja> ok
<misja> plus I want a photo and short description of yourself :)
<rho> should installer only support mysql?
<rho> oh yes... i just don't have time to make a short description ;)
<misja> preferably also postgresql, but only if you can do it
<rho> if a user chooses postgres, elgg will not install
<rho> plugins don't support it and will die
<rho> let me check again
<rho> well, pages module hasn't been tested on postgres
<rho> would be cool if somebody can test and port to postgres
<misja> I'll have a look - the schema is final?
<rho> no
<rho> needs owner column
<misja> give me a nudge when it's final, I can do postgres
<misja> ok, everybody ok now?
<misja> oh yes, rho, about the control file for plugins
<rho> who's working on new sidebar?
<misja> has not been assigned, it will be integrating your work
<misja> re: control file, I like the Debian syntax, but thought that would be too much too ask from the average developer?
<misja> anyway, it's not that important right now, we'll continue it on the list - I do like that you already uploaded some parsing code :)
<misja> rho, ewout, time to close off?
<rho> i see more difficult the syntax key = "string" than key: string
<misja> well, it's fine by me actually, I thought people would be more comfortable with the ini syntax
<rho> ok, just my thought
<misja> no, it's good
<misja> we'll continue this another time
<misja> ewout, still there?
<misja> probably not :)
<rho> well, when will be the next meeting?
<misja> shall we schedule two shorer meetings next week, because of the release dat?
<misja> *date*
<misja> and I meant shorter, getting late here
<misja> I'll email a proposal
<rho> ok
<misja> ok, I'll be leaving now, we'll be keeping in touch
<misja> bye all
* misja (~misja@99-144.surfsnel.dsl.internl.net) ha abandonado #elggdev (Leaving.)
* tim (~46300084@207.250.49.24) ha entrado en #elggdev
<rho> tim?
<tim> hello. sorry I couldn't get here earlier - snow storm today
<rho> oh, really?
<tim> the fun part of being in Canada
<rho> misja just left seconds ago
<tim> sorry i missed the chat
<tim> did anyone copy the transcript?
<rho> i do
<rho> let me upload to wiki
<tim> could you email to me (tim.is.usually@gmail.com)
<tim> wiki is better. thanks