Author Topic: Neues Modul: "Members"  (Read 48751 times)

Offline gottfried

  • Posts: 1339
Re: Neues Modul: "Members"
« Reply #125 on: February 02, 2010, 11:56:44 AM »
@ crnogorac !  :-)

Beg your pardon, I did not test it until now; I had another problem.
Your patch is from yesterday?
But I will test it, because it solves some problems with customers then.
They always want to have something at another place.


@chio !  :-)
Hi Chio! I took away the nl2br function in the treatment of long1 from view.php and now everything works fine. That also solved a problem I had when I used tables in the wysiwyg editor. These arrays always appeared under the div where I wanted to place them. Thank you for your tip with nl2br  :-D


Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #126 on: February 02, 2010, 12:32:02 PM »
Sorry chio I just noticed your post..

@crnogorac
Thanks! Seems to work great!
GREAT :)
Did you test it on local server or live server ? I only tested it on local server

@crnogorac
One small problem: Moving by arrow-click (as used before) doesn't work if you move a little bit while clicking. Could there be a minimum movement (e.g. 2 pixels)?

Not sure what you mean..
When you reorder via drag N drop the arrows are not reloaded.. So you need to refresh the page so they can reload..

So far I left them as they were, but maybe further we shall remove it..?
 
Quote
Why do we need those #dragableTable_X li styles for each group? It would be better to highlight the one moved element. Is this possible?
By highlighting you mean to change e.g. the background color or something for the element while you drag it?
If you mean that, that is easy; that element already has opacity. I will replace the opacity code with background..

Because the JavaScript which is written to the backend_body_js file triggers the group taken from #dragableTable_X.
This script is written from the modify.php file.

For the first group it is #dragableTable_1, so when you reorder, the group id (in this case = 1) will be sent via JavaScript from backend_body_js to reorderDND.php, where the SQL will be = REORDER members WHERE group = 1 --- this way only elements from group 1 get reordered..
It is the $_POST['group'] variable about which we discussed (needs to be sanitized).

Just to mention that I just used some example from some site to adapt this for WB, and I am glad that it works, and I hope more experienced coders will help to improve the code even more.. that is better for all bakers..

« Last Edit: February 02, 2010, 12:41:21 PM by crnogorac081 »
no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #127 on: February 02, 2010, 12:36:11 PM »
Hi,

Quote from: crnogorac
sorry, it was in my signature for over an year, and I removed it half month ago since I coded Searchbox with suggestions
Well, I have disabled signatures and user avatars by default, so I certainly missed those statements. Anyway, code posted in the forum (or modules) is used at your own risk. There will never be a guarantee of bug-free code. However, a worked-out example with do's and don'ts and also some guidelines would help to avoid the most critical mistakes from the very beginning  :wink:

Quote from: chio
With a little help from doc and his coming up "Do's and Don'ts Guide"
I have no plans to release any guidelines. Made my experience with the template guidelines and also with parts of the module primer :wink:

Doc

Offline Stefek

  • Posts: 6177
  • Gender: Male
  • ("ړ)
Re: Neues Modul: "Members"
« Reply #128 on: February 02, 2010, 02:29:13 PM »
Hello Ivan,
congratulations.

This is a step in a very good direction!

I'd like to thank you for your efforts.

Keep on your good work.

Regards,
Stefek
"Together, one achieves more."

gemeinsam (together)
1. belonging to several persons or things in the same way; shared
2. [undertaken, to be accomplished] in community; together, with one another
#Duden

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #129 on: February 02, 2010, 03:31:08 PM »
@Stefek
Thanks !!

I am still wondering how to sanitize these two variables:

   $action                 = $_POST['action'];
   $updateRecordsArray     = $_POST['recordsArray'];

The second one is an array.. Can someone help?
no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #130 on: February 02, 2010, 04:42:48 PM »
Hi,

if $_POST['action'] is numeric (integer), just use (int) $_POST['action']. For text strings, you could use the WB function $admin->add_slashes(var) (see /framework/class.wb.php), which takes into account magic quote settings of your php.ini.

Further details can be found on the PHP site:
http://php.net/manual/de/function.addslashes.php
http://www.php.net/manual/de/mysqli.real-escape-string.php

Note that the two PHP functions above do not check the magic quotes settings of GPC data.

Further hints to improve security:
You should use the WB access functions to limit access to the file which does the DB update to those users who have access to the module itself. Basically only people logged into the backend with access to the members module should be able to access the file - right? In that case you could use:

Code: [Select]
$admin = new admin('Modules', 'module_view', false, false);
if (!($admin->is_authenticated() && $admin->get_permission('members', 'module')))
    die(header('Location: ../../index.php'));

To get the example working, you need to include the WB class.admin.php first. Check out the file "store_postits.php" of the Post-its module for further details.

Doc
« Last Edit: February 02, 2010, 05:59:19 PM by doc »

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #131 on: February 02, 2010, 05:56:27 PM »
Thanks doc for the many useful tips !!!! Much appreciated !!! I'll jump into this asap.
no bb in signature

chio

  • Guest
Re: Neues Modul: "Members"
« Reply #132 on: February 03, 2010, 08:41:37 AM »
With
Code: [Select]
if ($action == 'up')   { /* do something, but don't use $action */ }
if ($action == 'down') { /* do something else, but don't use $action */ }

there is no need to validate $action. One can use the function "file_name()" (I don't know the name exactly at the moment) to remove all blanks and ',",/...


Code: [Select]
$admin = new admin('Modules', 'module_view', false, false);
if (!($admin->is_authenticated() && $admin->get_permission('members', 'module')))
    die(header('Location: ../../index.php'));

Does this work with wb 2.7 also? Is there a documentation for these functions?

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #133 on: February 03, 2010, 09:26:24 AM »
Quote from: chio
With
Code: [Select]
if ($action == 'up')   { /* do something, but don't use $action */ }
if ($action == 'down') { /* do something else, but don't use $action */ }

there is no need to validate $action. One can use the function "file_name()" (I don't know the name exactly at the moment) to remove all blanks and ',",/...

Hi chio,

I don't understand what you mean by this Up and Down; are there arrows for reordering?
no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #134 on: February 03, 2010, 01:02:15 PM »
Hi,

Quote from: chio
Does this work with wb 2.7 also? Is there a documentation for these functions?
The code should also work with WB 2.7. I used it in my page type modules where required. For admin tools I use something different. Worked out examples can be found in my Postits module (page type) or AFE (admin tool).

The function is the default authentication method of the WB admin class (framework/class.admin.php) and is e.g. used by WB itself to protect core files from unauthorized access. I planned to document stuff like this in Step 4 of the module primer .. but as you know I stopped the project after Step 2c :wink:

Doc
« Last Edit: February 03, 2010, 01:13:09 PM by doc »

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #135 on: February 03, 2010, 03:58:31 PM »
Ok,

Now I think this is totally secured :)

Code: [Select]
<?php
// First we prevent direct access and check for variables
if(!isset($_POST['action']) OR !isset($_POST['recordsArray']) OR !isset($_POST['group']) OR (!is_numeric($_POST['group']))) {
    // now we redirect to index, if you are in a subfolder use ../index.php
    header('Location: index.php');
} else {

    // Now we set the path to the config file
    require('../../config.php');

    // check if user has permissions to access the Members module
    require_once('../../framework/class.admin.php');
    $admin = new admin('Modules', 'module_view', false, false);
    if (!($admin->is_authenticated() && $admin->get_permission('members', 'module')))
        die(header('Location: ../../index.php'));

    // DO I NEED THESE TWO LINES BELOW ?????
    global $database;
    global $wb;

    //    Unsanitized variables
    //    $action = $_POST['action'];
    //    $updateRecordsArray     = $_POST['recordsArray'];

    // Sanitized variables
    $action = $admin->add_slashes($_POST['action']);
    $updateRecordsArray = isset($_POST['recordsArray']) ? $_POST['recordsArray'] : array();

    // Also get group_id so we can reorder multiple groups
    $group_id = $admin->add_slashes($_POST['group']);

    // This line verifies that $action contains no other text than "updateRecordsListings"; if something else is input (to try to HACK the DB), there will be no DB access..
    if ($action == "updateRecordsListings") {

        $listingCounter = 1;
        foreach ($updateRecordsArray as $recordIDValue) {

            $database->query("UPDATE `".TABLE_PREFIX."mod_members` SET `position` = ".$listingCounter." WHERE `member_id` = ".$recordIDValue." AND `group_id` = ".$group_id." ");

            $listingCounter = $listingCounter + 1;
        }

        // now we can print the result in the green field
        echo 'Reorder result: ';
        echo '<pre>';
        print_r($updateRecordsArray);
        echo '</pre>';
        echo 'You successfully reordered group: '.$group_id;

    }
} // this ends the else statement from the top of the page
?>


Could somebody verify the code, so we can include it in the official release?

all best,
Ivan
« Last Edit: February 03, 2010, 04:37:47 PM by crnogorac081 »
no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #136 on: February 03, 2010, 06:47:17 PM »
Hi,

Quote from: crnogorac081
Now I think this is totaly secured
At least it is less open to hackers. Kidding, looks much better than the first release :-)

Personally I would also mask $recordIDValue in the loop BEFORE passing it into the SQL query.
Code: [Select]
$recordIDValue = $admin->add_slashes($recordIDValue);
Regards Doc

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #137 on: February 03, 2010, 08:22:32 PM »
Hi doc

I like that you like the code now :)

Just 3 more questions:
Code: [Select]
   
// DO I NEED THESE TWO LINES BELOW ?????
    global $database;
    global $wb;
and where to add this line:
Code: [Select]
$recordIDValue = $admin->add_slashes($recordIDValue);
and is this a way to sanitize an array? I found this piece of code in your postit module
Code: [Select]
$updateRecordsArray = isset($_POST['recordsArray']) ? $_POST['recordsArray'] : array();

After this I think it is secure to update the official release.

all best
I.
no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #138 on: February 03, 2010, 08:56:38 PM »
Hi,

you have to add the add_slashes stuff just before you use the variable in the SQL statement.
Code: [Select]
foreach ($updateRecordsArray as $recordIDValue) {
   $recordIDValue = $admin->add_slashes($recordIDValue);
   $database->query("....
   ...
}

Why are you not testing yourself whether global $database and global $wb are required? Simply comment those lines out and run the code. If the DB stuff gets updated, the lines are not required :-)

Regards Doc

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #139 on: February 03, 2010, 09:07:42 PM »
And a final question, just to be sure for next time:

is this a way to sanitize an array? I found this piece of code in your postit module
Code: [Select]
$updateRecordsArray = isset($_POST['recordsArray']) ? $_POST['recordsArray'] : array();


no bb in signature

doc

  • Guest
Re: Neues Modul: "Members"
« Reply #140 on: February 03, 2010, 09:10:27 PM »
Hi,

the answer is no. This code just creates an empty array if the POST variable is not set, that's all.
The example uses the PHP ternary operator to assign either value a or b depending on status of expression c.

Simple example:
Code: [Select]
$test = (1 == 2) ? 'yes' : 'no';
echo $test;

Doc
« Last Edit: February 03, 2010, 09:19:34 PM by doc »
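Pulling together doc's two points above (escape $recordIDValue before it reaches SQL in #136, and the isset/ternary line does not sanitize the array in #140), here is an added example of validating the reorder request by type-checking instead of escaping. This is not the module's or WebsiteBaker's own code; it assumes the same $_POST fields (action, group, recordsArray) and the $database / TABLE_PREFIX globals the posted reorderDND.php uses.

```php
<?php
// Added example, not the Members module's code. Validates the reorder request
// so that only integers ever reach the SQL string; add_slashes() is then not
// needed for these three inputs.

/**
 * Returns array('group' => int, 'records' => int[]) or null when the request
 * is malformed. Rejecting is safer than silently fixing up bad values.
 */
function validate_reorder_request(array $post)
{
    // Only one action is ever handled, so compare against a whitelist.
    $allowed_actions = array('updateRecordsListings');

    if (!isset($post['action'], $post['group'], $post['recordsArray'])) {
        return null;
    }
    if (!in_array($post['action'], $allowed_actions, true)) {
        return null;
    }
    // ctype_digit() accepts only a non-empty string of 0-9: no sign, no
    // spaces, no decimals, unlike is_numeric().
    if (!is_string($post['group']) || !ctype_digit($post['group'])) {
        return null;
    }
    // recordsArray is an array only if the client sent recordsArray[]=...;
    // a plain string here is a malformed request, not an empty list.
    if (!is_array($post['recordsArray'])) {
        return null;
    }
    $records = array();
    foreach ($post['recordsArray'] as $id) {
        if (!is_string($id) || !ctype_digit($id)) {
            return null; // one bad element rejects the whole request
        }
        $records[] = (int) $id;
    }
    return array('group' => (int) $post['group'], 'records' => $records);
}

$clean = validate_reorder_request($_POST);
if ($clean === null) {
    header('Location: index.php');
    exit;
}
// With integers only, the query can be built like the module does. $database
// and TABLE_PREFIX are assumed to come from WB's config.php, as in the thread.
foreach ($clean['records'] as $index => $member_id) {
    $database->query("UPDATE `".TABLE_PREFIX."mod_members` SET `position` = "
        .($index + 1)." WHERE `member_id` = ".$member_id
        ." AND `group_id` = ".$clean['group']);
}
```

The WB access check from #130 (`new admin(...)` plus `is_authenticated()` / `get_permission()`) still belongs before this validation, as in the posted file.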

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #141 on: February 03, 2010, 09:32:54 PM »
thanks a lot doc for your time and tutorials !
no bb in signature

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #142 on: February 04, 2010, 12:15:28 AM »
I cleaned some code and if chio agrees I will send him the code to repack the module. 
no bb in signature

chio

  • Guest
Re: Neues Modul: "Members"
« Reply #143 on: February 04, 2010, 08:59:36 AM »
I'm quite busy these days, but I think next week I will find the time to care about some other bugs in members (gottfried's <br\> problem, the problem with the search.. something else?)
And I will add another way to choose the pictures.

So we can release a next version.

Offline crnogorac081

  • Posts: 1912
  • Gender: Male
Re: Neues Modul: "Members"
« Reply #144 on: February 04, 2010, 09:13:56 AM »
Cool, I also had a problem with search; maybe it will solve this problem too.. :)
no bb in signature

chio

  • Guest
Re: Neues Modul: "Members"
« Reply #145 on: March 09, 2010, 05:00:19 PM »
????
Nothing has changed there.. The placeholders are named exactly as they always were. There is also a help...

Offline gottfried

  • Posts: 1339
Re: Neues Modul: "Members"
« Reply #146 on: March 12, 2010, 01:11:41 AM »
Ääähhh, indeed.  :roll:
There is a big Help button in the module in the backend where everything important is explained.
I probably failed once again at the "can't see the forest for the trees" problem
:-o
« Last Edit: March 12, 2010, 01:13:14 AM by gottfried »

Offline gottfried

  • Posts: 1339
Re: Neues Modul: "Members"
« Reply #147 on: November 22, 2010, 05:39:39 PM »
Hello Chio !  :-)

Nothing going on here in the thread, for over 250 days already?? It just works.

I built a nice plugin with your members and jqueryadmin:
http://WebsiteBaker.root-net.de/pages/polaroitfoto.php  It will probably be found there for a few weeks.

Would it actually be conceivable to include subfolders in the backend image search and to save the path along with it?
That way one could nicely build various things on top of the directory structure and thumbs of the Foldergallery?!

 :-)

mr-fan

  • Guest
Re: Neues Modul: "Members"
« Reply #148 on: November 22, 2010, 05:57:31 PM »
Quote from: gottfried
Hello Chio !  :-)

Nothing going on here in the thread, for over 250 days already?? It just works.

I built a nice plugin with your members and jqueryadmin:
http://WebsiteBaker.root-net.de/pages/polaroitfoto.php  It will probably be found there for a few weeks.

Would it actually be conceivable to include subfolders in the backend image search and to save the path along with it?
That way one could nicely build various things on top of the directory structure and thumbs of the Foldergallery?!

 :-)

Looks really great, gottfried!

Would you be interested in the preset?

A solution for the path thing will certainly be found; what exactly do you mean? Practically, you don't select an image but a folder?

I have something similar in Topics, where I use an XTRA field (which is nothing other than the fields in Members) + a Droplet that spits out the folder + the "thumbs" subfolder (which can be configured in Foldergal)!

Greetings, Martin

chio

  • Guest
Re: Neues Modul: "Members"
« Reply #149 on: November 22, 2010, 09:16:07 PM »
Yup!
Members just works, as does Topics. Featuritis is cancelled, but with Droplets and a bit of Brain 2.0 anything is possible anyway ;-)