Duplicatable V2.1 has two weak points:
1. A number must be appended to the dirname.
2. The module is hard to update.
I know a site with more than 10 TinyD instances installed.
On that site, the admin has to update EVERY TinyD instance at once.
I also know some modules based on V2.1 that rewrite templates/* and sql/*.
Although such modules solve problem 1, updating the module becomes even harder.
Here is the spec of Duplicatable V3 (D3):
(1) Use XOOPS_TRUST_PATH, located outside the DocumentRoot.
(2) Put only wrappers under XOOPS_ROOT_PATH/modules/(dirname).
(3) D3 creates templates and tables in the onInstall function.
(4) D3 updates templates in the onUpdate function.
(5) D3 drops tables in the onUninstall function.
(6) Adopt a front controller (e.g. index.php?mode=admin).
With this, (dirname) becomes completely free.
And you only have to update XOOPS_TRUST_PATH/modules/(trustdirname) once, even if you install 10 or 100 instances of the module.
I've just made a sample D3 module called wraps.
Try it if you are interested.
I declare that I'll convert all of my works to D3 and XOOPS_TRUST_PATH.
Redundant IDs are widely used in XOOPS.
For example, newbb makes URLs like this:
viewtopic.php?topic_id=3656&forum=18&post_id=48548#forumpost48548
But both forum (forum number 18) and topic_id (topic number 3656) are useless information.
The only valid ID is post_id (post number 48548).
There is no topic number 3656 nor post number 48548 in forum number 18.
There is no post number 48548 in topic number 3656.
Such redundant IDs have bad effects like these:
- The URL loses its uniqueness.
Appending redundant (meaningless) query variables makes the number of URLs grow like an arithmetic series.
This is a serious problem for SEO.
- They cause mistakes around privileges etc.
This is the true reason for newbb's bug:
http://www.peak.ne.jp/xoops/md/news/article.php?storyid=98
However, many modules create such redundant URLs.
Why?
I think the reason is XOOPS core features like notifications.
For example, look at the mydownloads module.
mydownloads also has a redundant ID, cid, in singlefile.php, though only lid is a valid ID.
Please look at the notifications area in these links after logging in:
lid=65
cid=4&lid=65
Both URLs point to the same file.
But the notification options differ from each other.
And the notification options for the category are also displayed for a URL like this:
cid=1&lid=65
This cid is obviously invalid.
But if someone registers for the category's notifications there, he gets notifications about cid=1 instead of cid=4.
Though this can be called a planning mistake in XOOPS, it is easy to solve if you are a module developer.
Set the proper redundant ID (category etc.), derived from the right ID, into $_GET.
Then you get the correct result whether or not cid is included in the URL.
You should also remove redundant IDs from URLs.
This looks very important.
Good luck!
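One way to apply the fix above in a singlefile.php-style script, as an added example (not code from mydownloads or from the original post): lid is the only ID taken from the request, cid is derived from the database row and written back into $_GET before the notification code runs, and outgoing links carry lid only. The table and column names (mydownloads_downloads, lid, cid) and the XoopsDatabase calls on $xoopsDB are assumptions.

```php
<?php
// Added example, not part of the original post or of mydownloads itself.
// Assumptions: a table (prefix)_mydownloads_downloads with columns lid and cid,
// and the XOOPS 2.0 database object in $xoopsDB (prefix / query / fetchArray).

// Return the real category of a file, or false if the file does not exist.
// Only lid is trusted; whatever the client sent as cid is never consulted.
function mydl_resolve_cid( $xoopsDB , $lid )
{
    $lid = intval( $lid ) ;
    if ( $lid <= 0 ) return false ;
    $sql = "SELECT cid FROM ".$xoopsDB->prefix( 'mydownloads_downloads' )." WHERE lid=$lid" ;
    $result = $xoopsDB->query( $sql ) ;
    if ( ! $result ) return false ;
    $row = $xoopsDB->fetchArray( $result ) ;
    return $row ? intval( $row['cid'] ) : false ;
}

// Overwrite the redundant cid in the request with the one derived from lid,
// so that core features (notifications etc.) reading $_GET['cid'] see the
// right category whether the URL carried cid=4, cid=1 or no cid at all.
function mydl_fix_request_ids( $xoopsDB )
{
    $lid = isset( $_GET['lid'] ) ? intval( $_GET['lid'] ) : 0 ;
    $cid = mydl_resolve_cid( $xoopsDB , $lid ) ;
    if ( $cid === false ) {
        redirect_header( XOOPS_URL.'/modules/mydownloads/' , 3 , 'No such file' ) ;
        exit ;
    }
    $_GET['cid'] = $cid ;
    $_REQUEST['cid'] = $cid ;
    return array( 'lid' => $lid , 'cid' => $cid ) ;
}

// Build outgoing links with the valid ID only, so every file has exactly one URL.
function mydl_singlefile_url( $lid )
{
    return XOOPS_URL.'/modules/mydownloads/singlefile.php?lid='.intval( $lid ) ;
}

// Usage at the top of singlefile.php, after mainfile.php / header.php:
// $ids = mydl_fix_request_ids( $xoopsDB ) ;
// then use $ids['cid'] for category lookups and mydl_singlefile_url() for links.
```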
I've just found many bugs around access control in *newbb*.
-- a moderator can moderate any forum
-- anyone can post into any locked topic
-- anyone can read any post in the private forums
Though these are not "vulnerabilities", they might be a problem if you rely on *newbb*'s access control system.
I've just fixed them in xhnewbb.
But there are many modules other than xhnewbb based on newbb.
If you are a developer of such a module, please check it.
Reference:
http://www.peak.ne.jp/xoops/md/news/article.php?storyid=63
With Smarty 2.6.12 (XOOPS 2.0.14JP etc.), the theme will emit some Warnings.
The code should be modified like this:
A ticket/token class named XoopsGTicket has been updated.
In the version named gticket2, a repost form is opened if a ticket error occurs.
This feature should reduce users' stress.
The usage of gticket2 is almost the same as gticket:
- include_once include/gtickets.php
- add the hidden field into your form
- add check() into your transaction
form side with XoopsForm (1800 = ticket lifetime in seconds):
$form = new XoopsThemeForm( ... ) ;
$GLOBALS['xoopsGTicket']->addTicketXoopsFormElement( $form , __LINE__ , 1800 , '(your area name)' ) ;
form side without XoopsForm (echo the hidden field inside your <form>):
echo $xoopsGTicket->getTicketHtml( __LINE__ , 1800 , '(your area name)' ) ;
transaction side (the repost form is shown on a ticket error):
if ( ! $xoopsGTicket->check( true , '(your area name)' ) ) {
    redirect_header( XOOPS_URL.'/' , 3 , $xoopsGTicket->getErrors() ) ;
}
transaction side without the repost form (pass false as the third argument):
if ( ! $xoopsGTicket->check( true , '(your area name)' , false ) ) {
    redirect_header( XOOPS_URL.'/' , 3 , $xoopsGTicket->getErrors() ) ;
}