Re: Ohloh: the open source network

Ok Ohloh have updated our project (they update projects about once a week), so now, I am not the only developer, yé !!!

http://www.ohloh.net/projects/10042/analyses/latest/contributors

Can I ask the people who have committed in our SVN to go on the previous link, click on your name and then on "I am this person" link on the upper right so Ohloh can associate your SF username with your Ohloh account (of course, if you don't yet have an Ohloh account, please create one first).

Also, in your profile, please edit your physical location so the map can show the physical location of all ImpressCMS developers.

I know all this may not sound useful, but I believe this is important from a marketing perspective. It is important to show the project does not rely on only 1 developer, and that contributors are spread all around the world.

Thanks for your collaboration on that matter !

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


Re: Adding a Remember Me on this very site

agreed with james & dave's points.

we just need to weigh up the convenience vs potential risks involved and agree to them either way.

which brings me to another feature request i think would be useful.

in admin we could do with a function that will instantly flush the session table and basically destroy all current valid sessions without the need for going into the db manually, or changing the session name.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Adding a Remember Me on this very site

It is a potential security risk. One reason is using the feature on a shared computer, and neglecting to log out. Another reason is that it makes it easier for an attacker to gain access by hijacking an existing active session.

For these reasons, it should be disabled by default, and the setting in the admin page should have a note explaining the risk.

But it's also a very convenient feature. I think that the individual webmaster should have the choice of whether to use the feature for his site.



Re: ImpressCMS Theme

Yeah, it's still rough. My brain is mush right now. I'll have to take a look at it tomorrow. Thanks!

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Welcome Kurak !

Welcome!

Christian Web Resources
Facebook


Re: Modules

I agree and disagree on this one.

I think there should be some form of content management that is native to the core. Perhaps a "page" functionality with native WYSIWYG. Also a set of classes that enable you to output an ordered list of recent pages in either templates or blocks.

If we are going more in the direction of Community Management Software, then I don't think modules should be bundled with the core. Core devs could still work on Mod dev teams, take Marcan for instance, but I don't think modules should be packaged with the core.

Now, if it is decided we move more towards true Content Management, then I would retract the above statement about bundling modules. Provided the modules bundled pertained to content management. (news, document management, blog, etc).

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Adding a Remember Me on this very site

Any "feature" that introduces a potential security risk that only provides functionality that can easily be replicated with one mouse click in a browser is a "feature" that has too high of a risk to justify its usefulness IMHO. But then again, I am p@r@n0!d.

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Adding a Remember Me on this very site

james, i understand some of the security ramifications of 'remember me', but i honestly don't think it's as big an issue as all the other exploits and vulnerabilities that crackers/hackers & script kiddies use to gain access.

I haven't seen or heard of any sites being hacked where the entry point was via the remember me hack.. most of what i have come across have been some kind of SQLi or input validation methods, or files placed on the server through various methods.

but of course it's open to discussion :)

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: usage of rel="external nofollow"

rel="nofollow" will be interpreted by Google as a paid link. Also, rel=nofollow does not pass PR.

See: Use rel=nofollow Only When Needed for my views on rel=nofollow

rel=external is a different story. I know there is the relationship defined by the XFN and microformats, but we need to also look at the SEO implications.

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Adding a Remember Me on this very site

-1 For security reasons.

JMorris (aka James Morris)
ImpressCMS Professional Services: INBOX International inc.
James Morris Online | Frolicking on the playground that is the Internet...


Re: Remember me

Since it's a potential security risk, I think it should be "off" by default.



Re: Remember me

Yeah, webmaster should be able to turn it on-off using some config parameter. Let me evaluate the implementation part. I've a feeling that it may become a big change running across core and modules.

Thanks,



Re: Adding a Remember Me on this very site

yes i think it may be a good idea. it has my vote.

i think once we become community.impresscms.org tho, we should be using impresscms core imo. think gijoe hack should be included in impresscms core as default (but with an option in admin to disable it on a group basis)

for now i've set the session time here to 24hrs.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Welcome Sudhaker !

Thanks everyone for this warm welcome! It is really my honor to become part of this great team

- Sudhaker
http://sudhaker.com


Re: Adding a Remember Me on this very site

+1



Our different mailing lists

Hi everyone,

Just to inform you that we have 4 mailing lists for you to subscribe if you want to stay informed of :

- SVN Commits
- Bug tracker items
- Feature tracker items
- Task items

Simply go here to subscribe or see the archives: Mailing Lists Summary

Cheers!



Adding a Remember Me on this very site

Quick thing,

When this site becomes community.impresscms.org, would it be possible to add Gijoe's remember me feature ? I think I have logged here about 30 times today !

Thoughts



Re: Welcome Sudhaker !

  • 2007/12/10 13:18:30
  • herko

Sudhaker, isn't your specialty federated sign in? I would love to see your views on what the best pluggable and expandable login system would be for a new CMS like this one...

Herko

p.s. this is a 'welcome to the team' post of course

Tomorrow never comes until it's too late


Re: Auditing Code (security wise)

Quote:

I don't think queryf bypasses the text sanitizer; it just allows non-SELECT queries, such as UPDATE and INSERT, to be done when processing a GET request. But I agree that queryf should only be used in special situations when it's really needed.


Correct. XOOPS database factory automatically prevents UPDATE and DELETE queries from being used in a GET request. So if you absolutely need to use one of these queries in a GET request, then you would need to use queryF().

For example, updating the counter of an article when a user gets to the page would need a queryF as the user is not accessing the article via a POST request...

But indeed, queryF needs to be used with extra care. The concept behind it is that all queries that change the database need to be within a POST request.

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS
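
The GET/POST guard described in the post above, as an added PHP example that is not part of the original thread and is not XOOPS or ImpressCMS code. The class `GuardedDb`, its constructor arguments and the `articles` table are hypothetical, and it assumes PHP 8 with the PDO SQLite driver.

```php
<?php
// Simplified model of the guard discussed above; not XOOPS or ImpressCMS code.
// GuardedDb, its constructor arguments and the articles table are hypothetical.
final class GuardedDb
{
    public function __construct(private PDO $pdo, private string $method) {}

    // query(): outside a POST request only SELECT statements are executed.
    public function query(string $sql): PDOStatement|false
    {
        $isSelect = preg_match('/^\s*select\b/i', $sql) === 1;
        if ($this->method !== 'POST' && !$isSelect) {
            error_log('Refused write outside POST: ' . substr($sql, 0, 40));
            return false;
        }
        return $this->pdo->query($sql);
    }

    // queryF(): "forced" query with no method check, so every call site
    // is a place where a plain GET can change the database.
    public function queryF(string $sql): PDOStatement|false
    {
        return $this->pdo->query($sql);
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, hits INTEGER)');
$pdo->exec("INSERT INTO articles VALUES (1, 'Hello', 0)");

$db = new GuardedDb($pdo, 'GET');   // simulate a page view arriving as GET
$id = (int) '1';                    // request value cast to int before use in SQL

// A write through query() is refused on GET and the row stays in place.
var_dump($db->query("DELETE FROM articles WHERE id = $id"));

// The hit counter is the deliberate exception and goes through queryF().
$db->queryF("UPDATE articles SET hits = hits + 1 WHERE id = $id");
echo $db->query("SELECT hits FROM articles WHERE id = $id")->fetchColumn(), "\n";
```

Because `queryF()` skips the method check, searching a code base for its call sites gives the list of statements that a link or image request alone can trigger.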


Re: usage of rel="external nofollow"

  • 2007/12/10 13:16:22
  • herko

I'll look into this, as this is a webstandards issue. Thanks for providing the quick and easy solution at the start. It makes it easier.

Herko

Tomorrow never comes until it's too late


