From reijnders at tor.nl Fri Mar 1 07:19:10 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 08:19:10 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk>
 <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk>
 <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk>
 <512F1C40.2090503@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk>
 <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk>
 <512F3082.3090703@tor.nl>
 <512FC401.5050408@tor.nl>
 <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com>
Message-ID: <5130566E.5010507@tor.nl>

This should be it...

On 1-3-2013 0:46, Pat @ Pgogy wrote:
> I have no server to test, Ron and Julian would need a patch
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 28 Feb 2013, at 20:54, Tom Reijnders wrote:
>
>> I've got it...
>>
>> This is the result:
>>
>> Do you want me to check this in, or do you want the files first....
>>
>> Tom
>>
>> On 28-2-2013 11:44, Pat @ Pgogy wrote:
>>> I will write a how to guide to do it, whilst doing it
>>>
>>> *returns to cave* *plots*
>>>
>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>> Makers of web things of a fair to middling quality
>>>
>>> On 28 Feb 2013, at 10:25, Tom Reijnders wrote:
>>>
>>>> I'll have a look. I am not too familiar with Ajax and xot, but...
>>>> one is never too old to learn ;-)
>>>>
>>>> Tom
>>>>
>>>> On 28-2-2013 10:49, Julian Tenney wrote:
>>>>>
>>>>> I think you might be missing the subtle manager speak in 'would
>>>>> that be hard to do'
>>>>>
>>>>> ;-)
>>>>>
>>>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk
>>>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Pat @ Pgogy
>>>>> *Sent:* 28 February 2013 09:37
>>>>> *To:* For Xerte technical developers
>>>>> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP
>>>>>
>>>>> Rewrite the query as a list of usernames, make the username an
>>>>> Ajax function which fires and then returns just the data for that user
>>>>>
>>>>> One new js function, and splitting the existing php into two files
>>>>>
>>>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>>>> Makers of web things of a fair to middling quality
>>>>>
>>>>> On 28 Feb 2013, at 09:08, Julian Tenney wrote:
>>>>>
>>>>> It still times out. I think we probably need to limit the
>>>>> searching to a particular user name, entered by the admin
>>>>> user. I think that makes more sense, I don't really need to
>>>>> browse all users LOs, would that be hard to do?
>>>>>
>>>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk
>>>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Tom Reijnders
>>>>> *Sent:* 28 February 2013 08:59
>>>>> *To:* For Xerte technical developers
>>>>> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP
>>>>>
>>>>> There were a lot of queries inside loops. If you have say 8000
>>>>> LO's and 800 users, it would do at least 8800 queries.
>>>>>
>>>>> Try this one (this is a minor rewrite just re-arranging
>>>>> queries, it does 2 queries)
>>>>>
>>>>> Tom
>>>>>
>>>>> On 27-2-2013 18:05, Pat @ Pgogy wrote:
>>>>>
>>>>> Guess that page is timing out.
>>>>>
>>>>> The page will need rewriting, or a new query doing I guess.
>>>>>
>>>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>>>> Makers of web things of a fair to middling quality
>>>>>
>>>>> On 27 Feb 2013, at 16:23, Julian Tenney wrote:
>>>>>
>>>>> This is what happens:
>>>>>
>>>>> Nothing more.
>>>>>
>>>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk
>>>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Pat @ Pgogy
>>>>> *Sent:* 27 February 2013 14:41
>>>>> *To:* For Xerte technical developers
>>>>> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP
>>>>>
>>>>> Management.php is all ajaxed - so the front page
>>>>> should work regardless.
>>>>>
>>>>> You can watch the speed of requests in console in
>>>>> firebug or chrome to see if that is a problem
>>>>>
>>>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>>>> Makers of web things of a fair to middling quality
>>>>>
>>>>> On 27 Feb 2013, at 13:36, Julian Tenney wrote:
>>>>>
>>>>> I had thought it was due to the size of the
>>>>> database, because I noticed it really starting to
>>>>> slow up as the number of LOs increased -- we have
>>>>> about 8000 now. Does management.php work OK on the
>>>>> sandpit On? You've got a similar number of LOs in
>>>>> there haven't you?
>>>>>
>>>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk
>>>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Pat @ Pgogy
>>>>> *Sent:* 27 February 2013 12:53
>>>>> *To:* For Xerte technical developers
>>>>> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP
>>>>>
>>>>> Yes changing ownership has been there for ages.
>>>>>
>>>>> If it freezes it suggests a JavaScript problem has
>>>>> occurred
>>>>>
>>>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>>>> Makers of web things of a fair to middling quality
>>>>>
>>>>> On 27 Feb 2013, at 11:56, Julian Tenney wrote:
>>>>>
>>>>> Can I change ownership in management.php? When
>>>>> I log in, it just appears to freeze, clicking
>>>>> any of the top menus doesn't appear to do
>>>>> anything,
>>>>>
>>>>> _______________________________________________
>>>>> Xerte-dev mailing list
>>>>> Xerte-dev at lists.nottingham.ac.uk
>>>>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>>>>>
>>>>> --
>>>>> Tom Reijnders
>>>>> TOR Informatica
>>>>> Chopinlaan 27
>>>>> 5242HM Rosmalen
>>>>> Tel: 073 5226191
>>>>> Fax: 073 5226196

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: usertemplate_patch.zip
Type: application/zip
Size: 6424 bytes
Desc: not available
URL:

From ronm at mitchellmedia.co.uk Fri Mar 1 08:49:37 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Fri, 1 Mar 2013 08:49:37 -0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <5130566E.5010507@tor.nl>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk>
 <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk>
 <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk>
 <512F1C40.2090503@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk>
 <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk>
 <512F3082.3090703@tor.nl>
 <512FC401.5050408@tor.nl>
 <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com>
 <5130566E.5010507@tor.nl>
Message-ID: <004d01ce1659$b5b017c0$21104740$@co.uk>

Hi Tom

When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message.

HTH

Ron

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Fri Mar 1 09:06:54 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 10:06:54 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <004d01ce1659$b5b017c0$21104740$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk>
 <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk>
 <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk>
 <512F1C40.2090503@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk>
 <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk>
 <512F3082.3090703@tor.nl>
 <512FC401.5050408@tor.nl>
 <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com>
 <5130566E.5010507@tor.nl>
 <004d01ce1659$b5b017c0$21104740$@co.uk>
Message-ID: <51306FAE.8030502@tor.nl>

Ron,

It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though.
Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)?

Any php errors?

Tom

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: get_templates_for_user.php Type: application/x-httpd-php Size: 7012 bytes Desc: not available URL: From ronm at mitchellmedia.co.uk Fri Mar 1 09:29:41 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Fri, 1 Mar 2013 09:29:41 -0000 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <51306FAE.8030502@tor.nl> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> Message-ID: <007401ce165f$4e6a3310$eb3e9930$@co.uk> Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. 
Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 07:19 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP This should be it... Op 1-3-2013 0:46, Pat @ Pgogy schreef: I have no server to test, Ron and Julian would need a patch Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 20:54, Tom Reijnders wrote: I've got it... This is the result: Do you want me to check this in, or do you want the files first.... Tom Op 28-2-2013 11:44, Pat @ Pgogy schreef: I will write a how to guide to do it, whilst doing it *returns to cave* *plots* Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 10:25, Tom Reijnders wrote: I'll have a look. I am not too familiar with Ajax and xot, but... 
one is never too old to learn ;-) Tom Op 28-2-2013 10:49, Julian Tenney schreef: I think you might be missing the subtle manager speak in 'would that be hard to do' ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 28 February 2013 09:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user One new js function, and splitting the existing php into two files Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 09:08, Julian Tenney wrote: It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 February 2013 08:59 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP There were a lot of queries inside loops. If you have say 8000 LO's and 800 users, it would do at least 8800 queries. Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries) Tom Op 27-2-2013 18:05, Pat @ Pgogy schreef: Guess that page is timing out. The page will need rewriting, or a new query doing I guess. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 16:23, Julian Tenney wrote: This is what happens: Nothing more. 
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 14:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Management.php is all ajaxed - so the front page should work regardless. You can watch the speed of requests in console in firebug or chrome to see if that is a problem Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 13:36, Julian Tenney wrote: I had thought it was due to the size of the database, because I noticed it really starting slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 12:53 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Yes changing ownership has been there for ages. If it freezes it suggests a JavaScript problem has occurred Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 11:56, Julian Tenney wrote: Can I change ownership in management.php? 
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...

From reijnders at tor.nl Fri Mar 1 09:44:05 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 10:44:05 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <007401ce165f$4e6a3310$eb3e9930$@co.uk>
Message-ID: <51307865.9090808@tor.nl>

What platform are you on?

Can you send me your version of _debug (in functions.php)

There should be diagnostic info there.

Tom

On 1-3-2013 10:29, Ron Mitchell wrote:
>
> Hi Tom
>
> I changed the debug.log path to write to error_logs and set
> development to true and then tried again but still getting the same
> message without any error log being written.
>
> If I put the svn code back I see all the users and templates.
>
> HTH
>
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 01 March 2013 09:07
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>
> Ron,
>
> It indicates the code is basically working, because you get a reply.
> Something goes wrong with one of the mysql queries though.
>
> Could you please try this one (should be in
> website_code/php/management), turn on debugging and look in
> '/tmp/debug.log' file for 'Query for templates of user' (and the next
> line)?
>
> Any php errors?
>
> Tom
>
> On 1-3-2013 9:49, Ron Mitchell wrote:
>
> Hi Tom
>
> When clicking on users templates I see the drop down list with
> names but if I select a user and then view I get This user has no
> templates at present which isn't correct e.g. if I select my
> account which has lots of LO's I get the same message.
>
> HTH
>
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 01 March 2013 07:19
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>
> This should be it...
>
> On 1-3-2013 0:46, Pat @ Pgogy wrote:
>
> I have no server to test, Ron and Julian would need a patch
>
> On 28 Feb 2013, at 20:54, Tom Reijnders wrote:
>
> I've got it...
>
> This is the result:
>
> Do you want me to check this in, or do you want the files
> first....
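Added example, not code from this thread or from Xerte: a Python/SQLite sketch of the change Tom describes earlier in the thread (queries inside loops replaced by two queries) and of the per-user lookup Julian and Pat propose. The table and column names are hypothetical and the data is constructed; the per-user lookup binds the admin-entered username as a query parameter.

```python
import sqlite3


class CountingDB:
    """Thin wrapper that counts every statement sent to the database."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def query(self, sql, params=()):
        self.queries += 1
        return self.conn.execute(sql, params).fetchall()


def build_db(n_users, n_los):
    """Constructed data: n_los learning objects (LOs) spread evenly over n_users.
    Table and column names are hypothetical, not Xerte's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE);
        CREATE TABLE templates (
            template_id INTEGER PRIMARY KEY,
            owner_id    INTEGER NOT NULL REFERENCES users(user_id),
            name        TEXT NOT NULL);
        CREATE INDEX idx_templates_owner ON templates(owner_id);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, f"user{u}") for u in range(1, n_users + 1)])
    conn.executemany("INSERT INTO templates VALUES (?, ?, ?)",
                     [(t, t % n_users + 1, f"LO {t}") for t in range(1, n_los + 1)])
    return CountingDB(conn)


def listing_with_queries_in_loops(db):
    """Pattern described in the thread: one query per user and one per LO."""
    listing = {}
    for user_id, username in db.query("SELECT user_id, username FROM users"):
        ids = db.query("SELECT template_id FROM templates WHERE owner_id = ?",
                       (user_id,))
        names = []
        for (template_id,) in ids:
            (row,) = db.query("SELECT name FROM templates WHERE template_id = ?",
                              (template_id,))
            names.append(row[0])
        listing[username] = sorted(names)
    return listing


def listing_with_two_queries(db):
    """Same result from two queries, grouped in application code."""
    users = dict(db.query("SELECT user_id, username FROM users"))
    listing = {username: [] for username in users.values()}
    for owner_id, name in db.query("SELECT owner_id, name FROM templates"):
        listing[users[owner_id]].append(name)
    return {username: sorted(names) for username, names in listing.items()}


def templates_for_user(db, username):
    """Per-user lookup: one query, with the username bound as a parameter
    so it is always treated as data and never as SQL text."""
    rows = db.query(
        "SELECT t.name FROM templates t "
        "JOIN users u ON u.user_id = t.owner_id "
        "WHERE u.username = ? ORDER BY t.template_id",
        (username,))
    return [name for (name,) in rows]


if __name__ == "__main__":
    db = build_db(800, 8000)  # the sizes mentioned in the thread
    listing_with_queries_in_loops(db)
    print("queries in loops:", db.queries)
    db.queries = 0
    listing_with_two_queries(db)
    print("two-query rewrite:", db.queries)
    db.queries = 0
    print("user1 owns", len(templates_for_user(db, "user1")), "LOs in", db.queries, "query")
```
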
From reijnders at tor.nl Fri Mar 1 10:13:23 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 11:13:23 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <51307865.9090808@tor.nl>
Message-ID: <51307F43.4010601@tor.nl>

Hmmm.... don't know why it even worked here...

Is this one better?

Tom

On 1-3-2013 10:44, Tom Reijnders wrote:
> What platform are you on?
>
> Can you send me your version of _debug (in functions.php)
>
> There should be diagnostic info there.
>
> Tom
>
> On 1-3-2013 10:29, Ron Mitchell wrote:
>>
>> Hi Tom
>>
>> I changed the debug.log path to write to error_logs and set
>> development to true and then tried again but still getting the same
>> message without any error log being written.
>> >> HTH >> >> Ron >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom >> Reijnders >> *Sent:* 01 March 2013 09:07 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP >> >> Ron, >> >> It indicates the code is basically working, because you get a reply. >> Something goes wrong with one of the mysql queries though. >> >> Could you please try this one (should be in >> website_code/php/management), turn on debugging and look in >> '/tmp/debug.log' file for 'Query for templates of user' (and the next >> line)? >> >> Any php errors? >> >> >> Tom >> >> Op 1-3-2013 9:49, Ron Mitchell schreef: >> >> Hi Tom >> >> When clicking on users templates I see the drop down list with >> names but if I select a user and then view I get This user has no >> templates at present which isn't correct e.g. if I select my >> account which has lots of LO's I get the same message. >> >> HTH >> >> Ron >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of >> *Tom Reijnders >> *Sent:* 01 March 2013 07:19 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP >> >> This should be it... >> >> Op 1-3-2013 0:46, Pat @ Pgogy schreef: >> >> I have no server to test, Ron and Julian would need a patch >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling quality >> >> >> On 28 Feb 2013, at 20:54, Tom Reijnders > > wrote: >> >> I've got it... >> >> This is the result: >> >> >> >> >> >> Do you want me to check this in, or do you want the files >> first.... 
>> >> Tom >> >> Op 28-2-2013 11:44, Pat @ Pgogy schreef: >> >> I will write a how to guide to do it, whilst doing it >> >> *returns to cave* *plots* >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling quality >> >> >> On 28 Feb 2013, at 10:25, Tom Reijnders >> > wrote: >> >> I'll have a look. I am not too familiar with Ajax >> and xot, but... one is never too old to learn ;-) >> >> Tom >> >> Op 28-2-2013 10:49, Julian Tenney schreef: >> >> I think you might be missing the subtle >> manager speak in 'would that be hard to do' >> >> ;-) >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 28 February 2013 09:37 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership >> in Management PHP >> >> Rewrite the query as a list of usernames, >> make the username an Ajax function which >> fires and then returns just the data for that >> user >> >> One new js function, and splitting the >> existing php into two files >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling >> quality >> >> >> On 28 Feb 2013, at 09:08, Julian Tenney >> > > wrote: >> >> It still times out. I think we probably >> need to limit the searching to a >> particular user name, entered by the >> admin user. I think that makes more >> sense, I don't really need to browse all >> users LOs, would that be hard to do? >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Tom Reijnders >> *Sent:* 28 February 2013 08:59 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing >> Ownership in Management PHP >> >> There were a lot of queries inside loops. >> If you have say 8000 LO's and 800 users, >> it would do at least 8800 queries. 
>> >> Try this one (this is a minor rewrite >> just re-arranging queries, it does 2 queries) >> >> Tom >> >> Op 27-2-2013 18:05, Pat @ Pgogy schreef: >> >> Guess that page is timing out. >> >> The page will need rewriting, or a >> new query doing I guess. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a fair to >> middling quality >> >> >> On 27 Feb 2013, at 16:23, Julian >> Tenney >> > > >> wrote: >> >> This is what happens: >> >> >> >> Nothing more. >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 27 February 2013 14:41 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: >> Changing Ownership in Management PHP >> >> Management.php is all ajaxed - so >> the front page should work >> regardless. >> >> You can watch the speed of >> requests in console in firebug or >> chrome to see if that is a problem >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a fair to >> middling quality >> >> >> On 27 Feb 2013, at 13:36, Julian >> Tenney >> > > >> wrote: >> >> I had thought it was due to >> the size of the database, >> because I noticed it really >> starting slow up as the >> number of LOs increased -- we >> have about 8000 now. Does >> management.php work OK on the >> sandpit On? You've got a >> similar number of LOs in >> there haven't you? >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 27 February 2013 12:53 >> *To:* For Xerte technical >> developers >> *Subject:* [Xerte-dev] Re: >> Changing Ownership in >> Management PHP >> >> Yes changing ownership has >> been there for ages. 
>> >> If it freezes it suggests a >> JavaScript problem has occurred >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a >> fair to middling quality >> >> >> On 27 Feb 2013, at 11:56, >> Julian Tenney >> > > >> wrote: >> >> Can I change ownership in >> management.php? When I >> log in, it just appears >> to freeze, clicking any >> of the top menus doesn't >> appear to do anything, >> >> >> >> >> >> >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> >> >> -- >> >> -- >> >> >> >> Tom Reijnders >> >> TOR Informatica >> >> Chopinlaan 27 >> >> 5242HM Rosmalen >> >> Tel: 073 5226191 >> >> Fax: 073 5226196 >> >> >> >> >> >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> -- >> >> -- >> >> >> >> Tom Reijnders >> >> TOR Informatica >> >> Chopinlaan 27 >> >> 5242HM Rosmalen >> >> Tel: 073 5226191 >> >> Fax: 073 5226196 >> >> >> >> >> >> >> 
_______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> -- >> >> -- >> >> >> >> Tom Reijnders >> >> TOR Informatica >> >> Chopinlaan 27 >> >> 5242HM Rosmalen >> >> Tel: 073 5226191 >> >> Fax: 073 5226196 >> >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> >> -- >> >> -- >> >> >> >> Tom Reijnders >> >> TOR Informatica >> >> Chopinlaan 27 >> >> 5242HM Rosmalen >> >> Tel: 073 5226191 >> >> Fax: 073 5226196 >> >> >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> -- >> -- >> >> Tom Reijnders >> TOR Informatica >> Chopinlaan 27 >> 5242HM Rosmalen >> Tel: 073 5226191 >> Fax: 073 5226196 >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR 
Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: get_templates_for_user.php Type: application/x-httpd-php Size: 7103 bytes Desc: not available URL: From reijnders at tor.nl Fri Mar 1 10:13:49 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Fri, 01 Mar 2013 11:13:49 +0100 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <51307865.9090808@tor.nl> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> Message-ID: <51307F5D.40608@tor.nl> Oh, and Ron, thank you for testing... :-) Op 1-3-2013 10:44, Tom Reijnders schreef: > What platform are you on? > > Can you send me your version of _debug (in functions.php) > > There should be diagnostic info there. > > Tom > > > Op 1-3-2013 10:29, Ron Mitchell schreef: >> >> Hi Tom >> >> I changed the debug.log path to write to error_logs and set >> development to true and then tried again but still getting the same >> message without any error log being written. >> >> If I put the svn code back I see all the users and templates. 
>> >> HTH >> >> Ron >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom >> Reijnders >> *Sent:* 01 March 2013 09:07 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP >> >> Ron, >> >> It indicates the code is basically working, because you get a reply. >> Something goes wrong with one of the mysql queries though. >> >> Could you please try this one (should be in >> website_code/php/management), turn on debugging and look in >> '/tmp/debug.log' file for 'Query for templates of user' (and the next >> line)? >> >> Any php errors? >> >> >> Tom >> >> Op 1-3-2013 9:49, Ron Mitchell schreef: >> >> Hi Tom >> >> When clicking on users templates I see the drop down list with >> names but if I select a user and then view I get This user has no >> templates at present which isn't correct e.g. if I select my >> account which has lots of LO's I get the same message. >> >> HTH >> >> Ron >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of >> *Tom Reijnders >> *Sent:* 01 March 2013 07:19 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP >> >> This should be it... >> >> Op 1-3-2013 0:46, Pat @ Pgogy schreef: >> >> I have no server to test, Ron and Julian would need a patch >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling quality >> >> >> On 28 Feb 2013, at 20:54, Tom Reijnders > > wrote: >> >> I've got it... >> >> This is the result: >> >> >> >> >> >> Do you want me to check this in, or do you want the files >> first.... 
>> >> Tom >> >> Op 28-2-2013 11:44, Pat @ Pgogy schreef: >> >> I will write a how to guide to do it, whilst doing it >> >> *returns to cave* *plots* >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling quality >> >> >> On 28 Feb 2013, at 10:25, Tom Reijnders >> > wrote: >> >> I'll have a look. I am not too familiar with Ajax >> and xot, but... one is never too old to learn ;-) >> >> Tom >> >> Op 28-2-2013 10:49, Julian Tenney schreef: >> >> I think you might be missing the subtle >> manager speak in 'would that be hard to do' >> >> ;-) >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 28 February 2013 09:37 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing Ownership >> in Management PHP >> >> Rewrite the query as a list of usernames, >> make the username an Ajax function which >> fires and then returns just the data for that >> user >> >> One new js function, and splitting the >> existing php into two files >> >> Pgogy Webstuff - http://www.pgogywebstuff.com >> >> Makers of web things of a fair to middling >> quality >> >> >> On 28 Feb 2013, at 09:08, Julian Tenney >> > > wrote: >> >> It still times out. I think we probably >> need to limit the searching to a >> particular user name, entered by the >> admin user. I think that makes more >> sense, I don't really need to browse all >> users LOs, would that be hard to do? >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Tom Reijnders >> *Sent:* 28 February 2013 08:59 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Changing >> Ownership in Management PHP >> >> There were a lot of queries inside loops. >> If you have say 8000 LO's and 800 users, >> it would do at least 8800 queries. 
>> >> Try this one (this is a minor rewrite >> just re-arranging queries, it does 2 queries) >> >> Tom >> >> Op 27-2-2013 18:05, Pat @ Pgogy schreef: >> >> Guess that page is timing out. >> >> The page will need rewriting, or a >> new query doing I guess. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a fair to >> middling quality >> >> >> On 27 Feb 2013, at 16:23, Julian >> Tenney >> > > >> wrote: >> >> This is what happens: >> >> >> >> Nothing more. >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 27 February 2013 14:41 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: >> Changing Ownership in Management PHP >> >> Management.php is all ajaxed - so >> the front page should work >> regardless. >> >> You can watch the speed of >> requests in console in firebug or >> chrome to see if that is a problem >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a fair to >> middling quality >> >> >> On 27 Feb 2013, at 13:36, Julian >> Tenney >> > > >> wrote: >> >> I had thought it was due to >> the size of the database, >> because I noticed it really >> starting slow up as the >> number of LOs increased -- we >> have about 8000 now. Does >> management.php work OK on the >> sandpit On? You've got a >> similar number of LOs in >> there haven't you? >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> *On Behalf Of *Pat @ Pgogy >> *Sent:* 27 February 2013 12:53 >> *To:* For Xerte technical >> developers >> *Subject:* [Xerte-dev] Re: >> Changing Ownership in >> Management PHP >> >> Yes changing ownership has >> been there for ages. 
>> >> If it freezes it suggests a >> JavaScript problem has occurred >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com >> >> Makers of web things of a >> fair to middling quality >> >> >> On 27 Feb 2013, at 11:56, >> Julian Tenney >> > > >> wrote: >> >> Can I change ownership in >> management.php? When I >> log in, it just appears >> to freeze, clicking any >> of the top menus doesn't >> appear to do anything, >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR
Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196
From ronm at mitchellmedia.co.uk Fri Mar 1 11:07:11 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Fri, 1 Mar 2013 11:07:11 -0000 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <51307F43.4010601@tor.nl> Message-ID: <00b401ce166c$ed21afd0$c7650f70$@co.uk>
Hi Tom sorry juggling other things and very short of time to get everything done before the end of the day :-( The previous version seemed to work on xampp but not on the Ubuntu server I was testing with. The new version works on the Ubuntu server and I tested changing ownership of a project which worked but... I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management.
It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 10:13 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmmm.... don't know why it even worked here... Is this one better? Tom Op 1-3-2013 10:44, Tom Reijnders schreef: What platform are you on? Can you send me your version of _debug (in functions.php) There should be diagnostic info there. Tom Op 1-3-2013 10:29, Ron Mitchell schreef: Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. 
HTH Ron
From J.J.Smith at gcu.ac.uk Fri Mar 1 11:15:07 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Fri, 1 Mar 2013 11:15:07 +0000 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <00b401ce166c$ed21afd0$c7650f70$@co.uk>
Hi Ron, The ajaxed file 'might' be being cached... Tom, maybe you need to add a timestamp parameter to the ajaxed URL to make it unique?? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University
Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
URL: From ronm at mitchellmedia.co.uk Fri Mar 1 11:24:21 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Fri, 1 Mar 2013 11:24:21 -0000 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd 0$c7650f70$@co.uk> Message-ID: <00d801ce166f$53829210$fa87b630$@co.uk> Hi John if it is it must be server cache rather than client? I logged in to management with a separate browser and still can't see the project under the new owner even though it does show in that new owners workspace. HTH Cheers Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 01 March 2013 11:15 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Ron, The ajaxed file 'might' be being cached. Tom, maybe you need to add a timestamp parameter to the ajaxed URL to make it unique?? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: Friday, March 01, 2013 11:07 AM To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Tom sorry juggling other things and very short of time to get everything done before the end of the day :-( The previous version seemed to work on xampp but not on the Ubuntu server I was testing with. The new version works on the Ubuntu server and I tested changing ownership of a project which worked but... I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 10:13 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmmm.... don't know why it even worked here... Is this one better? Tom Op 1-3-2013 10:44, Tom Reijnders schreef: What platform are you on? Can you send me your version of _debug (in functions.php) There should be diagnostic info there. Tom Op 1-3-2013 10:29, Ron Mitchell schreef: Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. 
HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 07:19 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP This should be it... Op 1-3-2013 0:46, Pat @ Pgogy schreef: I have no server to test, Ron and Julian would need a patch Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 20:54, Tom Reijnders wrote: I've got it... This is the result: Do you want me to check this in, or do you want the files first.... Tom Op 28-2-2013 11:44, Pat @ Pgogy schreef: I will write a how to guide to do it, whilst doing it *returns to cave* *plots* Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 10:25, Tom Reijnders wrote: I'll have a look. I am not too familiar with Ajax and xot, but... 
one is never too old to learn ;-) Tom Op 28-2-2013 10:49, Julian Tenney schreef: I think you might be missing the subtle manager speak in 'would that be hard to do' ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 28 February 2013 09:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user One new js function, and splitting the existing php into two files Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 09:08, Julian Tenney wrote: It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 February 2013 08:59 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP There were a lot of queries inside loops. If you have say 8000 LO's and 800 users, it would do at least 8800 queries. Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries) Tom Op 27-2-2013 18:05, Pat @ Pgogy schreef: Guess that page is timing out. The page will need rewriting, or a new query doing I guess. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 16:23, Julian Tenney wrote: This is what happens: Nothing more. 
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 14:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Management.php is all ajaxed - so the front page should work regardless. You can watch the speed of requests in console in firebug or chrome to see if that is a problem Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 13:36, Julian Tenney wrote: I had thought it was due to the size of the database, because I noticed it really starting slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 12:53 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Yes changing ownership has been there for ages. If it freezes it suggests a JavaScript problem has occurred Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 11:56, Julian Tenney wrote: Can I change ownership in management.php? 
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

Glasgow Caledonian University is a registered Scottish charity, number SC021474
Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From J.J.Smith at gcu.ac.uk Fri Mar 1 11:27:36 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 1 Mar 2013 11:27:36 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <00d801ce166f$53829210$fa87b630$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <00d801ce166f$53829210$fa87b630$@co.uk>
Message-ID:

Just a thought... even if a long one ;-)

You could try comparing the entry in the database to see if the query is just slightly more picky in the new code... not really sure what I'd be looking for though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Friday, March 01, 2013 11:24 AM
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hi John

if it is it must be server cache rather than client?
I logged in to management with a separate browser and still can't see the project under the new owner even though it does show in that new owners workspace. HTH Cheers Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 01 March 2013 11:15 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Ron, The ajaxed file 'might' be being cached... Tom, maybe you need to add a timestamp parameter to the ajaxed URL to make it unique?? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: Friday, March 01, 2013 11:07 AM To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Tom sorry juggling other things and very short of time to get everything done before the end of the day :-( The previous version seemed to work on xampp but not on the Ubuntu server I was testing with. The new version works on the Ubuntu server and I tested changing ownership of a project which worked but... I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 10:13 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmmm.... 
don't know why it even worked here... Is this one better? Tom Op 1-3-2013 10:44, Tom Reijnders schreef: What platform are you on? Can you send me your version of _debug (in functions.php) There should be diagnostic info there. Tom Op 1-3-2013 10:29, Ron Mitchell schreef: Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 07:19 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP This should be it... Op 1-3-2013 0:46, Pat @ Pgogy schreef: I have no server to test, Ron and Julian would need a patch Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 20:54, Tom Reijnders > wrote: I've got it... 
This is the result: Do you want me to check this in, or do you want the files first.... Tom Op 28-2-2013 11:44, Pat @ Pgogy schreef: I will write a how to guide to do it, whilst doing it *returns to cave* *plots* Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 10:25, Tom Reijnders > wrote: I'll have a look. I am not too familiar with Ajax and xot, but... one is never too old to learn ;-) Tom Op 28-2-2013 10:49, Julian Tenney schreef: I think you might be missing the subtle manager speak in 'would that be hard to do' ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 28 February 2013 09:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user One new js function, and splitting the existing php into two files Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 09:08, Julian Tenney > wrote: It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 February 2013 08:59 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP There were a lot of queries inside loops. If you have say 8000 LO's and 800 users, it would do at least 8800 queries. Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries) Tom Op 27-2-2013 18:05, Pat @ Pgogy schreef: Guess that page is timing out. 
The page will need rewriting, or a new query doing I guess. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 16:23, Julian Tenney > wrote: This is what happens: Nothing more. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 14:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Management.php is all ajaxed - so the front page should work regardless. You can watch the speed of requests in console in firebug or chrome to see if that is a problem Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 13:36, Julian Tenney > wrote: I had thought it was due to the size of the database, because I noticed it really starting slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 12:53 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Yes changing ownership has been there for ages. If it freezes it suggests a JavaScript problem has occurred Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 11:56, Julian Tenney > wrote: Can I change ownership in management.php? 
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From J.J.Smith at gcu.ac.uk Fri Mar 1 11:43:19 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 1 Mar 2013 11:43:19 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <00d801ce166f$53829210$fa87b630$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <00d801ce166f$53829210$fa87b630$@co.uk>
Message-ID:

Hi Ron,

There's been a change from joining 2 database tables to joining 4 by the looks of things

$query_templates="select td.*, tr.*, ld.*, od.login_id as owner_id, od.firstname as owner_firstname, od.surname as owner_surname, od.username as owner_username from "
    . $xerte_toolkits_site->database_table_prefix . "templatedetails td,"
    . $xerte_toolkits_site->database_table_prefix . "templaterights tr,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails ld,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails od where tr.user_id = ld.login_id and ld.login_id = " . $login_id
    . " and od.login_id = td.creator_id and tr.template_id = td.template_id";

From this

//$query_templates="select * from " . $xerte_toolkits_site->database_table_prefix . "templatedetails," . $xerte_toolkits_site->database_table_prefix . "templaterights where " . $xerte_toolkits_site->database_table_prefix . "templaterights.user_id =\"" . $row['login_id'] . "\" and " . $xerte_toolkits_site->database_table_prefix . "templaterights.template_id = " . $xerte_toolkits_site->database_table_prefix . "templatedetails.template_id";

So it is probably missing the record completely for some reason... you could check by getting the new fully formed query from the logs and running it in phpmyadmin (and post the final query here)...

But one note - in the new query we have

tr.user_id = ld.login_id

but in the old we had

templaterights.user_id =\"" . $row['login_id'] . "\"

so the templaterights.user_id might be expecting a string but getting a number now...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Friday, March 01, 2013 11:24 AM
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hi John

if it is it must be server cache rather than client? I logged in to management with a separate browser and still can't see the project under the new owner even though it does show in that new owners workspace.

HTH

Cheers
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 01 March 2013 11:15
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hi Ron,

The ajaxed file 'might' be being cached... Tom, maybe you need to add a timestamp parameter to the ajaxed URL to make it unique??
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: Friday, March 01, 2013 11:07 AM To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Tom sorry juggling other things and very short of time to get everything done before the end of the day :-( The previous version seemed to work on xampp but not on the Ubuntu server I was testing with. The new version works on the Ubuntu server and I tested changing ownership of a project which worked but... I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 10:13 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmmm.... don't know why it even worked here... Is this one better? Tom Op 1-3-2013 10:44, Tom Reijnders schreef: What platform are you on? Can you send me your version of _debug (in functions.php) There should be diagnostic info there. Tom Op 1-3-2013 10:29, Ron Mitchell schreef: Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. 
HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 07:19 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP This should be it... Op 1-3-2013 0:46, Pat @ Pgogy schreef: I have no server to test, Ron and Julian would need a patch Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 20:54, Tom Reijnders > wrote: I've got it... This is the result: Do you want me to check this in, or do you want the files first.... Tom Op 28-2-2013 11:44, Pat @ Pgogy schreef: I will write a how to guide to do it, whilst doing it *returns to cave* *plots* Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 10:25, Tom Reijnders > wrote: I'll have a look. I am not too familiar with Ajax and xot, but... 
one is never too old to learn ;-) Tom Op 28-2-2013 10:49, Julian Tenney schreef: I think you might be missing the subtle manager speak in 'would that be hard to do' ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 28 February 2013 09:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user One new js function, and splitting the existing php into two files Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 09:08, Julian Tenney > wrote: It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 February 2013 08:59 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP There were a lot of queries inside loops. If you have say 8000 LO's and 800 users, it would do at least 8800 queries. Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries) Tom Op 27-2-2013 18:05, Pat @ Pgogy schreef: Guess that page is timing out. The page will need rewriting, or a new query doing I guess. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 16:23, Julian Tenney > wrote: This is what happens: Nothing more. 
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 14:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Management.php is all ajaxed - so the front page should work regardless. You can watch the speed of requests in console in firebug or chrome to see if that is a problem Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 13:36, Julian Tenney > wrote: I had thought it was due to the size of the database, because I noticed it really starting slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 12:53 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Yes changing ownership has been there for ages. If it freezes it suggests a JavaScript problem has occurred Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 11:56, Julian Tenney > wrote: Can I change ownership in management.php? 
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,

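The query quoted in the message above concatenates $login_id into the SQL text, which is why the thread ends up asking whether the value should be quoted as a string or left as a number. As an added example (not Xerte's code and not written by anyone on this list), here is the same four-table join with the id validated and bound as a parameter, so the quoting question does not arise and the value cannot change the shape of the query. PDO, the in-memory SQLite database, the x_ prefix, the sample rows and the function name templates_for_user are assumptions made for the illustration.

```php
<?php
// Added example: not Xerte's code. Table and column names come from the query
// quoted in the thread; the prefix, sample rows and helper name are constructed.

/**
 * Return the templates a user has rights to, with the owner's details.
 * $prefix is an identifier and cannot be bound, so it is checked against a
 * strict pattern. $login_id is a value and is bound, never concatenated.
 */
function templates_for_user(PDO $db, string $prefix, $login_id): array
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    // Accept "7" or 7, reject anything that is not a plain non-negative
    // integer, so "2 or 1=1" stops here instead of reaching the database.
    $opts = ['options' => ['min_range' => 0]];
    if (filter_var($login_id, FILTER_VALIDATE_INT, $opts) === false) {
        throw new InvalidArgumentException('login_id must be an integer');
    }

    // Same join conditions as the thread's query, written as explicit JOINs.
    $sql = "SELECT td.template_id, tr.user_id, ld.username,
                   od.login_id  AS owner_id,
                   od.firstname AS owner_firstname,
                   od.surname   AS owner_surname,
                   od.username  AS owner_username
            FROM {$prefix}templaterights tr
            JOIN {$prefix}templatedetails td ON tr.template_id = td.template_id
            JOIN {$prefix}logindetails ld ON tr.user_id = ld.login_id
            JOIN {$prefix}logindetails od ON od.login_id = td.creator_id
            WHERE ld.login_id = :login_id";

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':login_id', (int) $login_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and rows, reduced to the columns the query touches.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE x_logindetails (login_id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT, username TEXT)");
$db->exec("CREATE TABLE x_templatedetails (template_id INTEGER PRIMARY KEY, creator_id INTEGER)");
$db->exec("CREATE TABLE x_templaterights (template_id INTEGER, user_id INTEGER)");
$db->exec("INSERT INTO x_logindetails VALUES (1, 'Ada', 'Admin', 'ada'), (2, 'Bob', 'Builder', 'bob')");
$db->exec("INSERT INTO x_templatedetails VALUES (10, 1), (11, 2)");
$db->exec("INSERT INTO x_templaterights VALUES (10, 1), (11, 2), (11, 1)");

// A string id, an integer id, and a value that is not an id at all.
foreach (['1', 2, '2 or 1=1'] as $input) {
    try {
        $rows = templates_for_user($db, 'x_', $input);
        printf("login_id %s: %d row(s)\n", var_export($input, true), count($rows));
    } catch (InvalidArgumentException $e) {
        printf("login_id %s rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
```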
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From J.J.Smith at gcu.ac.uk Fri Mar 1 11:51:52 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 1 Mar 2013 11:51:52 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <00d801ce166f$53829210$fa87b630$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <3C80447A-12E1-436B-86B7-52094EF1721C@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <00d801ce166f$53829210$fa87b630$@co.uk>
Message-ID:

Sorry scratch that last comment it was this part I was meaning

$query_templates="select td.*, tr.*, ld.*, od.login_id as owner_id, od.firstname as owner_firstname, od.surname as owner_surname, od.username as owner_username from "
    . $xerte_toolkits_site->database_table_prefix . "templatedetails td,"
    . $xerte_toolkits_site->database_table_prefix . "templaterights tr,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails ld,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails od where tr.user_id = ld.login_id and ld.login_id = " . $login_id . " and od.login_id = td.creator_id and tr.template_id = td.template_id";

Should it be this?

$query_templates="select td.*, tr.*, ld.*, od.login_id as owner_id, od.firstname as owner_firstname, od.surname as owner_surname, od.username as owner_username from "
    . $xerte_toolkits_site->database_table_prefix . "templatedetails td,"
    . $xerte_toolkits_site->database_table_prefix . "templaterights tr,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails ld,"
    . $xerte_toolkits_site->database_table_prefix . "logindetails od where tr.user_id = ld.login_id and ld.login_id = \"" . $login_id . "\" and od.login_id = td.creator_id and tr.template_id = td.template_id";

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Friday, March 01, 2013 11:24 AM
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hi John

if it is it must be server cache rather than client? I logged in to management with a separate browser and still can't see the project under the new owner even though it does show in that new owners workspace.

HTH

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 01 March 2013 11:15
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hi Ron,

The ajaxed file 'might' be being cached... Tom, maybe you need to add a timestamp parameter to the ajaxed URL to make it unique??
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: Friday, March 01, 2013 11:07 AM To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hi Tom sorry juggling other things and very short of time to get everything done before the end of the day :-( The previous version seemed to work on xampp but not on the Ubuntu server I was testing with. The new version works on the Ubuntu server and I tested changing ownership of a project which worked but... I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 10:13 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmmm.... don't know why it even worked here... Is this one better? Tom Op 1-3-2013 10:44, Tom Reijnders schreef: What platform are you on? Can you send me your version of _debug (in functions.php) There should be diagnostic info there. Tom Op 1-3-2013 10:29, Ron Mitchell schreef: Hi Tom I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written. If I put the svn code back I see all the users and templates. 
HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 09:07 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Ron, It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though. Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)? Any php errors? Tom Op 1-3-2013 9:49, Ron Mitchell schreef: Hi Tom When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message. HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 01 March 2013 07:19 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP This should be it... Op 1-3-2013 0:46, Pat @ Pgogy schreef: I have no server to test, Ron and Julian would need a patch Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 20:54, Tom Reijnders > wrote: I've got it... This is the result: Do you want me to check this in, or do you want the files first.... Tom Op 28-2-2013 11:44, Pat @ Pgogy schreef: I will write a how to guide to do it, whilst doing it *returns to cave* *plots* Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 10:25, Tom Reijnders > wrote: I'll have a look. I am not too familiar with Ajax and xot, but... 
one is never too old to learn ;-) Tom Op 28-2-2013 10:49, Julian Tenney schreef: I think you might be missing the subtle manager speak in 'would that be hard to do' ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 28 February 2013 09:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user One new js function, and splitting the existing php into two files Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Feb 2013, at 09:08, Julian Tenney > wrote: It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 February 2013 08:59 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP There were a lot of queries inside loops. If you have say 8000 LO's and 800 users, it would do at least 8800 queries. Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries) Tom Op 27-2-2013 18:05, Pat @ Pgogy schreef: Guess that page is timing out. The page will need rewriting, or a new query doing I guess. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 16:23, Julian Tenney > wrote: This is what happens: Nothing more. 
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 14:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Management.php is all ajaxed - so the front page should work regardless. You can watch the speed of requests in console in firebug or chrome to see if that is a problem Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 13:36, Julian Tenney > wrote: I had thought it was due to the size of the database, because I noticed it really starting slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 27 February 2013 12:53 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Yes changing ownership has been there for ages. If it freezes it suggests a JavaScript problem has occurred Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Feb 2013, at 11:56, Julian Tenney > wrote: Can I change ownership in management.php? 
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,
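The two versions of $query_templates in John's message above differ only in whether $login_id is wrapped in quotes inside the SQL string. The code below is an added example, not Xerte code and not from anyone in this thread: it runs the same join with the value validated as an integer and bound as a parameter, so the quoting question does not arise. Assumptions: PDO with an in-memory SQLite database stands in for the project's MySQL connection, and the schema, the rows, the 'xerte_' prefix and the function names build_sample_db and templates_for_user are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Xerte code. The in-memory SQLite schema, the rows and
// both function names are constructed; only the join mirrors the posted query.

function build_sample_db(string $prefix): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE {$prefix}logindetails (
        login_id INTEGER PRIMARY KEY, username TEXT, firstname TEXT, surname TEXT)");
    $db->exec("CREATE TABLE {$prefix}templatedetails (
        template_id INTEGER PRIMARY KEY, creator_id INTEGER, template_name TEXT)");
    $db->exec("CREATE TABLE {$prefix}templaterights (
        template_id INTEGER, user_id INTEGER, role TEXT)");
    $db->exec("INSERT INTO {$prefix}logindetails VALUES
        (1, 'alice', 'Alice', 'Example'), (2, 'bob', 'Bob', 'Example')");
    $db->exec("INSERT INTO {$prefix}templatedetails VALUES
        (10, 1, 'Intro LO'), (11, 2, 'Quiz LO'), (12, 2, 'Lab LO')");
    $db->exec("INSERT INTO {$prefix}templaterights VALUES
        (10, 1, 'creator'), (11, 2, 'creator'), (12, 2, 'creator'), (10, 2, 'editor')");
    return $db;
}

// Returns every template the given login has rights on, with its owner.
// $login_id may arrive as an int or as a string from a request.
function templates_for_user(PDO $db, string $prefix, $login_id): array
{
    // Reject anything that is not a positive integer before touching SQL.
    $id = filter_var($login_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('login_id must be a positive integer');
    }

    // Table names cannot be bound, so the prefix is still concatenated;
    // it must come from site configuration, never from the request.
    $sql = "select td.template_id, td.template_name, tr.role, ld.username, "
         . "od.login_id as owner_id, od.firstname as owner_firstname, "
         . "od.surname as owner_surname, od.username as owner_username from "
         . $prefix . "templatedetails td, "
         . $prefix . "templaterights tr, "
         . $prefix . "logindetails ld, "
         . $prefix . "logindetails od "
         . "where tr.user_id = ld.login_id and ld.login_id = :login_id "
         . "and od.login_id = td.creator_id and tr.template_id = td.template_id";

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':login_id', $id, PDO::PARAM_INT); // value travels apart from the SQL text
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$prefix = 'xerte_'; // constructed stand-in for $xerte_toolkits_site->database_table_prefix
$db = build_sample_db($prefix);

// An int, the same id as a string, and a malformed value (all constructed).
foreach ([2, '2', '2x'] as $candidate) {
    try {
        $rows = templates_for_user($db, $prefix, $candidate);
        printf("%s => %d row(s)\n", var_export($candidate, true), count($rows));
        foreach ($rows as $row) {
            printf("  %s (owner: %s, role: %s)\n",
                $row['template_name'], $row['owner_username'], $row['role']);
        }
    } catch (InvalidArgumentException $e) {
        printf("%s => rejected: %s\n", var_export($candidate, true), $e->getMessage());
    }
}
```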
From reijnders at tor.nl Fri Mar 1 12:27:36 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 13:27:36 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <00b401ce166c$ed21afd0$c7650f70$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCC4F@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk>
Message-ID: <51309EB8.4040509@tor.nl>

I'll check....

On 1-3-2013 12:07, Ron Mitchell wrote:
> Hi Tom
>
> sorry juggling other things and very short of time to get everything
> done before the end of the day :-(
>
> The previous version seemed to work on xampp but not on the Ubuntu
> server I was testing with.
>
> The new version works on the Ubuntu server and I tested changing
> ownership of a project which worked but...
>
> I changed ownership, logged in as the new owner in a separate browser
> and could see and edit the changed project so that bit works and the
> filtering of users works. But when I select the new owner via users
> templates I don't see the new project even after logging out and back
> in again to management. It is gone from the previous owner but isn't
> showing under the new owner in management even though it is available
> to the new owner in their workspace.
>
> HTH
>
> Ron
From reijnders at tor.nl Fri Mar 1 20:22:05 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 01 Mar 2013 21:22:05 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <51309EB8.4040509@tor.nl>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl>
Message-ID: <51310DED.8000309@tor.nl>

Jeee.... that was an interesting stupid mistake. Every other LO was not shown, so if you had 9 LO's, only 5 were shown.

Fixed.

On 1-3-2013 13:27, Tom Reijnders wrote:
> I'll check....
> On 1-3-2013 12:07, Ron Mitchell wrote:
>>
>> Hi Tom
>>
>> sorry juggling other things and very short of time to get everything
>> done before the end of the day :-(
>>
>> The previous version seemed to work on xampp but not on the Ubuntu
>> server I was testing with.
>>
>> The new version works on the Ubuntu server and I tested changing
>> ownership of a project which worked but...
>>
>> I changed ownership, logged in as the new owner in a separate browser
>> and could see and edit the changed project so that bit works and the
>> filtering of users works. But when I select the new owner via users
>> templates I don't see the new project even after logging out and back
>> in again to management.
It is gone from the previous owner but isn't
>> showing under the new owner in management even though it is available
>> to the new owner in their workspace.
>>
>> HTH
>>
>> Ron

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: get_templates_for_user.php
Type: application/x-httpd-php
Size: 7014 bytes
Desc: not available
URL:

From ronm at mitchellmedia.co.uk Sat Mar 2 09:34:53 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Sat, 2 Mar 2013 09:34:53 -0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <51310DED.8000309@tor.nl>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl>
Message-ID: <01ac01ce1729$32da5330$988ef990$@co.uk>

Hi Tom

that seems to work
fine now.

Having said that the main problem here was the Nottingham installation because of the number of users and LO's - it strikes me that drop down menu will be much longer than the installs I've used to test with so presumably Julian will test this now too.

HTH

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Jeee.... that was an interesting stupid mistake.

Every other LO was not shown, so if you had 9 LO's, only 5 were shown.

Fixed.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From reijnders at tor.nl Sat Mar 2 10:17:05 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Sat, 02 Mar 2013 11:17:05 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <01ac01ce1729$32da5330$988ef990$@co.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl> <01ac01ce1729$32da5330$988ef990$@co.uk>
Message-ID: <5131D1A1.8080802@tor.nl>

Yeah, I figured the selection box of users could be an issue, but then, the selection box of users to assign to, will also be an issue. I didn't want to change that right away.

On 2-3-2013 10:34, Ron Mitchell wrote:
>
> Hi Tom
>
> that seems to work fine now.
>
> Having said that the main problem here was the Nottingham installation
> because of the number of users and LO's - it strikes me that drop down
> menu will be much longer than the installs I've used to test with so
> presumably Julian will test this now too.
> > HTH > > Cheers > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom > Reijnders > *Sent:* 01 March 2013 20:22 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Jeee.... that was an interesting stupid mistake. > > Every other LO was not shown, so if you had 9 LO's, only 5 were shown. > > Fixed. > > Op 1-3-2013 13:27, Tom Reijnders schreef: > > I'll check.... > > Op 1-3-2013 12:07, Ron Mitchell schreef: > > Hi Tom > > sorry juggling other things and very short of time to get > everything done before the end of the day :-( > > The previous version seemed to work on xampp but not on the > Ubuntu server I was testing with. > > The new version works on the Ubuntu server and I tested > changing ownership of a project which worked but... > > I changed ownership, logged in as the new owner in a separate > browser and could see and edit the changed project so that bit > works and the filtering of users works. But when I select the > new owner via users templates I don't see the new project even > after logging out and back in again to management. It is gone > from the previous owner but isn't showing under the new owner > in management even though it is available to the new owner in > their workspace. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf > Of *Tom Reijnders > *Sent:* 01 March 2013 10:13 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Hmmm.... don't know why it even worked here... > > Is this one better? > > Tom > > Op 1-3-2013 10:44, Tom Reijnders schreef: > > What platform are you on? > > Can you send me your version of _debug (in functions.php) > > There should be diagnostic info there. 
> > Tom > > > Op 1-3-2013 10:29, Ron Mitchell schreef: > > Hi Tom > > I changed the debug.log path to write to error_logs > and set development to true and then tried again but > still getting the same message without any error log > being written. > > If I put the svn code back I see all the users and > templates. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On > Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 09:07 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in > Management PHP > > Ron, > > It indicates the code is basically working, because > you get a reply. Something goes wrong with one of the > mysql queries though. > > Could you please try this one (should be in > website_code/php/management), turn on debugging and > look in '/tmp/debug.log' file for 'Query for > templates of user' (and the next line)? > > Any php errors? > > > Tom > > Op 1-3-2013 9:49, Ron Mitchell schreef: > > Hi Tom > > When clicking on users templates I see the drop > down list with names but if I select a user and > then view I get This user has no templates at > present which isn't correct e.g. if I select my > account which has lots of LO's I get the same message. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 07:19 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in > Management PHP > > This should be it... > > Op 1-3-2013 0:46, Pat @ Pgogy schreef: > > I have no server to test, Ron and Julian would > need a patch > > Pgogy Webstuff - http://www.pgogywebstuff.com > > Makers of web things of a fair to middling quality > > > On 28 Feb 2013, at 20:54, Tom Reijnders > > > wrote: > > I've got it... 
> > This is the result: > > > > > > Do you want me to check this in, or do you > want the files first.... > > Tom > > Op 28-2-2013 11:44, Pat @ Pgogy schreef: > > I will write a how to guide to do it, > whilst doing it > > *returns to cave* *plots* > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web things of a fair to > middling quality > > > On 28 Feb 2013, at 10:25, Tom > Reijnders > wrote: > > I'll have a look. I am not too > familiar with Ajax and xot, but... > one is never too old to learn ;-) > > Tom > > Op 28-2-2013 10:49, Julian Tenney > schreef: > > I think you might be missing > the subtle manager speak in > 'would that be hard to do' > > ;-) > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Pat @ Pgogy > *Sent:* 28 February 2013 09:37 > *To:* For Xerte technical > developers > *Subject:* [Xerte-dev] Re: > Changing Ownership in > Management PHP > > Rewrite the query as a list of > usernames, make the username > an Ajax function which fires > and then returns just the data > for that user > > One new js function, and > splitting the existing php > into two files > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web things of a fair > to middling quality > > > On 28 Feb 2013, at 09:08, > Julian Tenney > > > wrote: > > It still times out. I > think we probably need to > limit the searching to a > particular user name, > entered by the admin user. > I think that makes more > sense, I don't really need > to browse all users LOs, > would that be hard to do? > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Tom Reijnders > *Sent:* 28 February 2013 08:59 > *To:* For Xerte technical > developers > *Subject:* [Xerte-dev] Re: > Changing Ownership in > Management PHP > > There were a lot of > queries inside loops. 
If > you have say 8000 LO's and > 800 users, it would do at > least 8800 queries. > > Try this one (this is a > minor rewrite just > re-arranging queries, it > does 2 queries) > > Tom > > Op 27-2-2013 18:05, Pat @ > Pgogy schreef: > > Guess that page is > timing out. > > The page will need > rewriting, or a new > query doing I guess. > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > > Makers of web things > of a fair to middling > quality > > > On 27 Feb 2013, at > 16:23, Julian Tenney > > > wrote: > > This is what happens: > > > > Nothing more. > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Pat > @ Pgogy > *Sent:* 27 > February 2013 14:41 > *To:* For Xerte > technical developers > *Subject:* > [Xerte-dev] Re: > Changing Ownership > in Management PHP > > Management.php is > all ajaxed - so > the front page > should work > regardless. > > You can watch the > speed of requests > in console in > firebug or chrome > to see if that is > a problem > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web > things of a fair > to middling quality > > > On 27 Feb 2013, at > 13:36, Julian > Tenney > > > wrote: > > I had thought > it was due to > the size of > the database, > because I > noticed it > really > starting slow > up as the > number of LOs > increased -- > we have about > 8000 now. Does > management.php > work OK on the > sandpit On? > You've got a > similar number > of LOs in > there haven't you? > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of > *Pat @ Pgogy > *Sent:* 27 > February 2013 > 12:53 > *To:* For > Xerte > technical > developers > *Subject:* > [Xerte-dev] > Re: Changing > Ownership in > Management PHP > > Yes changing > ownership has > been there for > ages. 
> > If it freezes > it suggests a > JavaScript > problem has > occurred > > Pgogy Webstuff > - > http://www.pgogywebstuff.com > > Makers of web > things of a > fair to > middling quality > > > On 27 Feb > 2013, at > 11:56, Julian > Tenney > > > wrote: > > Can I > change > ownership > in > management.php? > When I log > in, it > just > appears to > freeze, > clicking > any of the > top menus > doesn't > appear to > do anything, > > > > > > > > > > > _______________________________________________ > Xerte-dev > mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev > mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > 
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > > > > 

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From johnathan.kemp at ntlworld.com Sun Mar 3 10:49:01 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Sun, 3 Mar 2013 10:49:01 +0000
Subject: [Xerte-dev] location of latest rlm files
Message-ID:

I have just updated my copies of the Xerte and XOT svns and then run a comparison of the .rlm files in the following folders

xerte svn\runtime\pages\models\
and
xot svn\modules\xerte\parent_templates\Nottingham\models\

The following pages show differences in the model files in the two locations

accNav.rlm
columnPage.rlm
connectorPlainText.rlm *
cRedirector.rlm *
cTabNav.rlm *
embedDiv.rlm
quiz.rlm
slideshow.rlm

* These connector pages are no longer offered in XOT but the older models remain in XOT to provide support for older XOT projects that may have used them. The newer version of the models in the Xerte svn are for use only in Xerte.

Is the XOT model folder now the definitive location for the latest models?
When changes are made in XOT are they no longer being updated also in the Xerte svn?

Kind regards

Johnathan

From reijnders at tor.nl Sun Mar 3 11:04:13 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Sun, 03 Mar 2013 12:04:13 +0100
Subject: [Xerte-dev] Re: location of latest rlm files
In-Reply-To:
References:
Message-ID: <51332E2D.5060601@tor.nl>

Hai Jonathan,

Good to have you back.

You shouldn't compare them, you should check what the latest are. And yes, they should be synchronised, but that's not always the case.

It is my understanding that the xerte one is leading for the .rlms. I noticed that for HTML5, at this point in time the xot one is leading.

We should really try to make this VERY clear and/or automate the synchronisation...

Tom

On 3-3-2013 11:49, Kemp Johnathan wrote:
> I have just updated my copies of the Xerte and XOT svns and then run a
> comparison of the .rlm files in the following folders
>
> xerte svn\runtime\pages\models\
> and
> xot svn\modules\xerte\parent_templates\Nottingham\models\
>
> The following pages show differences in the model files in the two
> locations
>
> accNav.rlm
> columnPage.rlm
> connectorPlainText.rlm *
> cRedirector.rlm *
> cTabNav.rlm *
> embedDiv.rlm
> quiz.rlm
> slideshow.rlm
>
> * These connector pages are no longer offered in XOT but the older
> models remain in XOT to provide support for older XOT projects that
> may have used them. The newer version of the models in the Xerte svn
> are for use only in Xerte.
>
> Is the XOT model folder now the definitive location for the latest models?
> When changes are made in XOT are they no longer being updated also in
> the Xerte svn?
>
> Kind regards
>
> Johnathan

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Sun Mar 3 12:31:45 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Sun, 3 Mar 2013 12:31:45 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <5131D1A1.8080802@tor.nl>
Message-ID:

Maybe set the select list to be multiple (but only ever take the first value) so this way it will scroll more normally?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 2 Mar 2013, at 10:17, Tom Reijnders wrote:

> Yeah, I figured the selection box of users could be an issue, but then, the selection box of users to assign to, will also be an issue. I didn't want to change that right away.
>
> On 2-3-2013 10:34, Ron Mitchell wrote:
>> Hi Tom
>> that seems to work fine now.
>> Having said that the main problem here was the Nottingham installation because of the number of users and LO's - it strikes me that drop down menu will be much longer than the installs I've used to test with so presumably Julian will test this now too.
>> HTH
>> Cheers
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 01 March 2013 20:22
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>>
>> Jeee.... that was an interesting stupid mistake.
>>
>> Every other LO was not shown, so if you had 9 LO's, only 5 were shown.
>>
>> Fixed.
>>
>> On 1-3-2013 13:27, Tom Reijnders wrote:
>> I'll check....
>> On 1-3-2013 12:07, Ron Mitchell wrote:
>> Hi Tom
>> sorry juggling other things and very short of time to get everything done before the end of the day :-(
>>
>> The previous version seemed to work on xampp but not on the Ubuntu server I was testing with.
>>
>> The new version works on the Ubuntu server and I tested changing ownership of a project which worked but...
>>
>> I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace.
>>
>> HTH
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 01 March 2013 10:13
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>>
>> Hmmm....
>> don't know why it even worked here...
>>
>> Is this one better?
>>
>> Tom
>>
>> On 1-3-2013 10:44, Tom Reijnders wrote:
>> What platform are you on?
>>
>> Can you send me your version of _debug (in functions.php)
>>
>> There should be diagnostic info there.
>>
>> Tom
>>
>> On 1-3-2013 10:29, Ron Mitchell wrote:
>> Hi Tom
>> I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written.
>> If I put the svn code back I see all the users and templates.
>> HTH
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 01 March 2013 09:07
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>>
>> Ron,
>>
>> It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though.
>>
>> Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)?
>>
>> Any php errors?
>>
>> Tom
>>
>> On 1-3-2013 9:49, Ron Mitchell wrote:
>> Hi Tom
>> When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message.
>> HTH
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 01 March 2013 07:19
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
>>
>> This should be it...

From Julian.Tenney at nottingham.ac.uk Mon Mar 4 09:33:17 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 4 Mar 2013 09:33:17 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <51310DED.8000309@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D02@EXCHANGE1.ad.nottingham.ac.uk>

If you've got these files sorted, I'll test them on our server: can you send me (or check in?) the files that work?

Thanks,

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Jeee.... that was an interesting stupid mistake.

Every other LO was not shown, so if you had 9 LO's, only 5 were shown.

Fixed.
URL: From reijnders at tor.nl Mon Mar 4 09:33:10 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Mon, 04 Mar 2013 10:33:10 +0100 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <01ac01ce1729$32da5330$988ef990$@co.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <6B9AF3A8-B53A-40EF-BFB6-893938CA6864@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl> <01ac01ce1729$32da5330$988ef990$@co.uk> Message-ID: <51346A56.2040800@tor.nl> Julian, Do you want to test this as well, on the original problem? Or should I commit this. Tom Op 2-3-2013 10:34, Ron Mitchell schreef: > > Hi Tom > > that seems to work fine now. > > Having said that the main problem here was the Nottingham installation > because of the number of users and LO's - it strikes me that drop down > menu will be much longer than the installs I've used to test with so > presumably Julian will test this now too. > > HTH > > Cheers > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom > Reijnders > *Sent:* 01 March 2013 20:22 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Jeee.... that was an interesting stupid mistake. 
> > Every other LO was not shown, so if you had 9 LO's, only 5 were shown. > > Fixed. > > Op 1-3-2013 13:27, Tom Reijnders schreef: > > I'll check.... > > Op 1-3-2013 12:07, Ron Mitchell schreef: > > Hi Tom > > sorry juggling other things and very short of time to get > everything done before the end of the day :-( > > The previous version seemed to work on xampp but not on the > Ubuntu server I was testing with. > > The new version works on the Ubuntu server and I tested > changing ownership of a project which worked but... > > I changed ownership, logged in as the new owner in a separate > browser and could see and edit the changed project so that bit > works and the filtering of users works. But when I select the > new owner via users templates I don't see the new project even > after logging out and back in again to management. It is gone > from the previous owner but isn't showing under the new owner > in management even though it is available to the new owner in > their workspace. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf > Of *Tom Reijnders > *Sent:* 01 March 2013 10:13 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Hmmm.... don't know why it even worked here... > > Is this one better? > > Tom > > Op 1-3-2013 10:44, Tom Reijnders schreef: > > What platform are you on? > > Can you send me your version of _debug (in functions.php) > > There should be diagnostic info there. > > Tom > > > Op 1-3-2013 10:29, Ron Mitchell schreef: > > Hi Tom > > I changed the debug.log path to write to error_logs > and set development to true and then tried again but > still getting the same message without any error log > being written. > > If I put the svn code back I see all the users and > templates. 
> > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On > Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 09:07 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in > Management PHP > > Ron, > > It indicates the code is basically working, because > you get a reply. Something goes wrong with one of the > mysql queries though. > > Could you please try this one (should be in > website_code/php/management), turn on debugging and > look in '/tmp/debug.log' file for 'Query for > templates of user' (and the next line)? > > Any php errors? > > > Tom > > Op 1-3-2013 9:49, Ron Mitchell schreef: > > Hi Tom > > When clicking on users templates I see the drop > down list with names but if I select a user and > then view I get This user has no templates at > present which isn't correct e.g. if I select my > account which has lots of LO's I get the same message. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 07:19 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in > Management PHP > > This should be it... > > Op 1-3-2013 0:46, Pat @ Pgogy schreef: > > I have no server to test, Ron and Julian would > need a patch > > Pgogy Webstuff - http://www.pgogywebstuff.com > > Makers of web things of a fair to middling quality > > > On 28 Feb 2013, at 20:54, Tom Reijnders > > > wrote: > > I've got it... > > This is the result: > > > > > > Do you want me to check this in, or do you > want the files first.... 
> > Tom > > Op 28-2-2013 11:44, Pat @ Pgogy schreef: > > I will write a how to guide to do it, > whilst doing it > > *returns to cave* *plots* > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web things of a fair to > middling quality > > > On 28 Feb 2013, at 10:25, Tom > Reijnders > wrote: > > I'll have a look. I am not too > familiar with Ajax and xot, but... > one is never too old to learn ;-) > > Tom > > Op 28-2-2013 10:49, Julian Tenney > schreef: > > I think you might be missing > the subtle manager speak in > 'would that be hard to do' > > ;-) > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Pat @ Pgogy > *Sent:* 28 February 2013 09:37 > *To:* For Xerte technical > developers > *Subject:* [Xerte-dev] Re: > Changing Ownership in > Management PHP > > Rewrite the query as a list of > usernames, make the username > an Ajax function which fires > and then returns just the data > for that user > > One new js function, and > splitting the existing php > into two files > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web things of a fair > to middling quality > > > On 28 Feb 2013, at 09:08, > Julian Tenney > > > wrote: > > It still times out. I > think we probably need to > limit the searching to a > particular user name, > entered by the admin user. > I think that makes more > sense, I don't really need > to browse all users LOs, > would that be hard to do? > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Tom Reijnders > *Sent:* 28 February 2013 08:59 > *To:* For Xerte technical > developers > *Subject:* [Xerte-dev] Re: > Changing Ownership in > Management PHP > > There were a lot of > queries inside loops. If > you have say 8000 LO's and > 800 users, it would do at > least 8800 queries. 
> > Try this one (this is a > minor rewrite just > re-arranging queries, it > does 2 queries) > > Tom > > Op 27-2-2013 18:05, Pat @ > Pgogy schreef: > > Guess that page is > timing out. > > The page will need > rewriting, or a new > query doing I guess. > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > > Makers of web things > of a fair to middling > quality > > > On 27 Feb 2013, at > 16:23, Julian Tenney > > > wrote: > > This is what happens: > > > > Nothing more. > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Pat > @ Pgogy > *Sent:* 27 > February 2013 14:41 > *To:* For Xerte > technical developers > *Subject:* > [Xerte-dev] Re: > Changing Ownership > in Management PHP > > Management.php is > all ajaxed - so > the front page > should work > regardless. > > You can watch the > speed of requests > in console in > firebug or chrome > to see if that is > a problem > > Pgogy Webstuff - > http://www.pgogywebstuff.com > > Makers of web > things of a fair > to middling quality > > > On 27 Feb 2013, at > 13:36, Julian > Tenney > > > wrote: > > I had thought > it was due to > the size of > the database, > because I > noticed it > really > starting slow > up as the > number of LOs > increased -- > we have about > 8000 now. Does > management.php > work OK on the > sandpit On? > You've got a > similar number > of LOs in > there haven't you? > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of > *Pat @ Pgogy > *Sent:* 27 > February 2013 > 12:53 > *To:* For > Xerte > technical > developers > *Subject:* > [Xerte-dev] > Re: Changing > Ownership in > Management PHP > > Yes changing > ownership has > been there for > ages. 
> > If it freezes > it suggests a > JavaScript > problem has > occurred > > Pgogy Webstuff > - > http://www.pgogywebstuff.com > > Makers of web > things of a > fair to > middling quality > > > On 27 Feb > 2013, at > 11:56, Julian > Tenney > > > wrote: > > Can I > change > ownership > in > management.php? > When I log > in, it > just > appears to > freeze, > clicking > any of the > top menus > doesn't > appear to > do anything, > > > > > > > > > > > _______________________________________________ > Xerte-dev > mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev > mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > > 

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From Julian.Tenney at nottingham.ac.uk Mon Mar 4 09:34:29 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 4 Mar 2013 09:34:29 +0000
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <51346A56.2040800@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D08@EXCHANGE1.ad.nottingham.ac.uk>

Messages crossed!

Commit it and I'll test it. If it works, and I assume it's an improvement, we'll keep it in the build...

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 04 March 2013 09:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Julian,

Do you want to test this as well, on the original problem? Or should I commit this.

Tom

On 2-3-2013 10:34, Ron Mitchell wrote:

Hi Tom

that seems to work fine now.

Having said that the main problem here was the Nottingham installation because of the number of users and LO's - it strikes me that drop down menu will be much longer than the installs I've used to test with so presumably Julian will test this now too.

HTH

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Jeee.... that was an interesting stupid mistake.

Every other LO was not shown, so if you had 9 LO's, only 5 were shown.

Fixed.

On 1-3-2013 13:27, Tom Reijnders wrote:

I'll check....

On 1-3-2013 12:07, Ron Mitchell wrote:

Hi Tom

sorry juggling other things and very short of time to get everything done before the end of the day :-(

The previous version seemed to work on xampp but not on the Ubuntu server I was testing with.

The new version works on the Ubuntu server and I tested changing ownership of a project which worked but...

I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 10:13
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hmmm.... don't know why it even worked here...

Is this one better?

Tom

On 1-3-2013 10:44, Tom Reijnders wrote:

What platform are you on?

Can you send me your version of _debug (in functions.php)

There should be diagnostic info there.

Tom

On 1-3-2013 10:29, Ron Mitchell wrote:

Hi Tom

I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written.

If I put the svn code back I see all the users and templates.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 09:07
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Ron,

It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though.

Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)?

Any php errors?

Tom

On 1-3-2013 9:49, Ron Mitchell wrote:

Hi Tom

When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 07:19
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

This should be it...

From reijnders at tor.nl Mon Mar 4 09:42:01 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 04 Mar 2013 10:42:01 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D08@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <51346C69.1080404@tor.nl>

Hmm.... again.... ;-)

You want me to commit before you test?

Tom
URL: From Julian.Tenney at nottingham.ac.uk Mon Mar 4 09:44:01 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 4 Mar 2013 09:44:01 +0000 Subject: [Xerte-dev] Re: Changing Ownership in Management PHP In-Reply-To: <51346C69.1080404@tor.nl> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl> <01ac01ce1729$32da5330$988ef990$@co.uk> <51346A56.2040800@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D08@EXCHANGE1.ad.nottingham.ac.uk> <51346C69.1080404@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D29@EXCHANGE1.ad.nottingham.ac.uk> Yes please. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 04 March 2013 09:42 To: For Xerte technical developers Subject: [Xerte-dev] Re: Changing Ownership in Management PHP Hmm.... again.... ;-) You want me to commit before you test? Tom Op 4-3-2013 10:34, Julian Tenney schreef: Messages crossed! Commit it and I'll test it. If it works, and I assume it's an improvement, we'll keep It in the build... 

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 04 March 2013 09:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Julian,

Do you want to test this as well, on the original problem? Or should I commit this.

Tom

On 2-3-2013 10:34, Ron Mitchell wrote:

Hi Tom

that seems to work fine now.

Having said that the main problem here was the Nottingham installation because of the number of users and LO's - it strikes me that drop down menu will be much longer than the installs I've used to test with so presumably Julian will test this now too.

HTH

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Jeee.... that was an interesting stupid mistake.

Every other LO was not shown, so if you had 9 LO's, only 5 were shown.

Fixed.

On 1-3-2013 13:27, Tom Reijnders wrote:

I'll check....

On 1-3-2013 12:07, Ron Mitchell wrote:

Hi Tom

sorry juggling other things and very short of time to get everything done before the end of the day :-(

The previous version seemed to work on xampp but not on the Ubuntu server I was testing with.

The new version works on the Ubuntu server and I tested changing ownership of a project which worked but...

I changed ownership, logged in as the new owner in a separate browser and could see and edit the changed project so that bit works and the filtering of users works. But when I select the new owner via users templates I don't see the new project even after logging out and back in again to management. It is gone from the previous owner but isn't showing under the new owner in management even though it is available to the new owner in their workspace.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 10:13
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Hmmm.... don't know why it even worked here...

Is this one better?

Tom

On 1-3-2013 10:44, Tom Reijnders wrote:

What platform are you on?

Can you send me your version of _debug (in functions.php)

There should be diagnostic info there.

Tom

On 1-3-2013 10:29, Ron Mitchell wrote:

Hi Tom

I changed the debug.log path to write to error_logs and set development to true and then tried again but still getting the same message without any error log being written.

If I put the svn code back I see all the users and templates.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 09:07
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Ron,

It indicates the code is basically working, because you get a reply. Something goes wrong with one of the mysql queries though.

Could you please try this one (should be in website_code/php/management), turn on debugging and look in '/tmp/debug.log' file for 'Query for templates of user' (and the next line)?

Any php errors?

Tom

On 1-3-2013 9:49, Ron Mitchell wrote:

Hi Tom

When clicking on users templates I see the drop down list with names but if I select a user and then view I get This user has no templates at present which isn't correct e.g. if I select my account which has lots of LO's I get the same message.

HTH

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 01 March 2013 07:19
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

This should be it...

On 1-3-2013 0:46, Pat @ Pgogy wrote:

I have no server to test, Ron and Julian would need a patch

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Feb 2013, at 20:54, Tom Reijnders wrote:

I've got it...

This is the result:

Do you want me to check this in, or do you want the files first....

Tom

On 28-2-2013 11:44, Pat @ Pgogy wrote:

I will write a how to guide to do it, whilst doing it

*returns to cave* *plots*

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Feb 2013, at 10:25, Tom Reijnders wrote:

I'll have a look. I am not too familiar with Ajax and xot, but... one is never too old to learn ;-)

Tom

On 28-2-2013 10:49, Julian Tenney wrote:

I think you might be missing the subtle manager speak in 'would that be hard to do'

;-)

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 28 February 2013 09:37
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Rewrite the query as a list of usernames, make the username an Ajax function which fires and then returns just the data for that user

One new js function, and splitting the existing php into two files

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Feb 2013, at 09:08, Julian Tenney wrote:

It still times out. I think we probably need to limit the searching to a particular user name, entered by the admin user. I think that makes more sense, I don't really need to browse all users LOs, would that be hard to do?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 28 February 2013 08:59
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

There were a lot of queries inside loops.
If you have say 8000 LO's and 800 users, it would do at least 8800 queries.

Try this one (this is a minor rewrite just re-arranging queries, it does 2 queries)

Tom

On 27-2-2013 18:05, Pat @ Pgogy wrote:

Guess that page is timing out.

The page will need rewriting, or a new query doing I guess.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Feb 2013, at 16:23, Julian Tenney wrote:

This is what happens:

Nothing more.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 27 February 2013 14:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Management.php is all ajaxed - so the front page should work regardless.

You can watch the speed of requests in console in firebug or chrome to see if that is a problem

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Feb 2013, at 13:36, Julian Tenney wrote:

I had thought it was due to the size of the database, because I noticed it really starting to slow up as the number of LOs increased - we have about 8000 now. Does management.php work OK on the sandpit On? You've got a similar number of LOs in there haven't you?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 27 February 2013 12:53
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP

Yes changing ownership has been there for ages.

If it freezes it suggests a JavaScript problem has occurred

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Feb 2013, at 11:56, Julian Tenney wrote:

Can I change ownership in management.php?
When I log in, it just appears to freeze, clicking any of the top menus doesn't appear to do anything,

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Mon Mar 4 09:41:20 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 04 Mar 2013 10:41:20 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D02@EXCHANGE1.ad.nottingham.ac.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCDAF@EXCHANGE1.ad.nottingham.ac.uk> <512F1C40.2090503@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D02@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <51346C40.8070603@tor.nl>

Messages crossed...

Here is the patch (with corrected files).

On 4-3-2013 10:33, Julian Tenney wrote:
> If you've got these files sorted, I'll test them on our server: can
> you send me (or check in?) the files that work? Thanks,

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: usertemplate_patch.zip
Type: application/zip
Size: 6477 bytes
Desc: not available

From reijnders at tor.nl Mon Mar 4 10:07:04 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 04 Mar 2013 11:07:04 +0100
Subject: [Xerte-dev] Re: Changing Ownership in Management PHP
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D29@EXCHANGE1.ad.nottingham.ac.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCB4E@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCE9F@EXCHANGE1.ad.nottingham.ac.uk> <86FF4588-AEFA-46A5-BE12-81813B078668@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C4CCF08@EXCHANGE1.ad.nottingham.ac.uk> <512F3082.3090703@tor.nl> <512FC401.5050408@tor.nl> <3DA42694-558C-411F-8A4C-03FDB5F9306A@pgogywebstuff.com> <5130566E.5010507@tor.nl> <004d01ce1659$b5b017c0$21104740$@co.uk> <51306FAE.8030502@tor.nl> <007401ce165f$4e6a3310$eb3e9930$@co.uk> <51307865.9090808@tor.nl> <51307F43.4010601@tor.nl> <00b401ce166c$ed21afd0$c7650f70$@co.uk> <51309EB8.4040509@tor.nl> <51310DED.8000309@tor.nl> <01ac01ce1729$32da5330$988ef990$@co.uk> <51346A56.2040800@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D08@EXCHANGE1.ad.nottingham.ac.uk> <51346C69.1080404@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E5D29@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <51347248.5060700@tor.nl>

Done.

On 4-3-2013 10:44, Julian Tenney wrote:
> Yes please.
> > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of > *Tom Reijnders > *Sent:* 04 March 2013 09:33 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Julian, > > Do you want to test this as well, on the original problem? Or > should I commit this. > > Tom > > Op 2-3-2013 10:34, Ron Mitchell schreef: > > Hi Tom > > that seems to work fine now. > > Having said that the main problem here was the Nottingham > installation because of the number of users and LO's - it > strikes me that drop down menu will be much longer than the > installs I've used to test with so presumably Julian will test > this now too. > > HTH > > Cheers > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf > Of *Tom Reijnders > *Sent:* 01 March 2013 20:22 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in Management PHP > > Jeee.... that was an interesting stupid mistake. > > Every other LO was not shown, so if you had 9 LO's, only 5 > were shown. > > Fixed. > > Op 1-3-2013 13:27, Tom Reijnders schreef: > > I'll check.... > > Op 1-3-2013 12:07, Ron Mitchell schreef: > > Hi Tom > > sorry juggling other things and very short of time to > get everything done before the end of the day :-( > > The previous version seemed to work on xampp but not > on the Ubuntu server I was testing with. > > The new version works on the Ubuntu server and I > tested changing ownership of a project which worked but... > > I changed ownership, logged in as the new owner in a > separate browser and could see and edit the changed > project so that bit works and the filtering of users > works. But when I select the new owner via users > templates I don't see the new project even after > logging out and back in again to management. 
It is > gone from the previous owner but isn't showing under > the new owner in management even though it is > available to the new owner in their workspace. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On > Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 10:13 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership in > Management PHP > > Hmmm.... don't know why it even worked here... > > Is this one better? > > Tom > > Op 1-3-2013 10:44, Tom Reijnders schreef: > > What platform are you on? > > Can you send me your version of _debug (in > functions.php) > > There should be diagnostic info there. > > Tom > > > > > Op 1-3-2013 10:29, Ron Mitchell schreef: > > Hi Tom > > I changed the debug.log path to write to > error_logs and set development to true and > then tried again but still getting the same > message without any error log being written. > > If I put the svn code back I see all the users > and templates. > > HTH > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > *On Behalf Of *Tom Reijnders > *Sent:* 01 March 2013 09:07 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Changing Ownership > in Management PHP > > Ron, > > It indicates the code is basically working, > because you get a reply. Something goes wrong > with one of the mysql queries though. > > Could you please try this one (should be in > website_code/php/management), turn on > debugging and look in '/tmp/debug.log' file > for 'Query for templates of user' (and the > next line)? > > Any php errors? > > > Tom > > Op 1-3-2013 9:49, Ron Mitchell schreef: > > Hi Tom > > When clicking on users templates I see the > drop down list with names but if I select > a user and then view I get This user has > no templates at present which isn't > correct e.g. 
> if I select my account which has lots of LO's I get the same message.
>
> HTH
>
> Ron
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From reijnders at tor.nl Mon Mar 4 09:55:22 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 04 Mar 2013 10:55:22 +0100
Subject: [Xerte-dev] Peer review, feedback etc.
Message-ID: <51346F8A.9000508@tor.nl>

I've solved some issues with the peer review module and the feedback module.

1. Sending email from the system depends on some items in site_details that are really explained, and then in the code not used properly.
2.
If not all users are on the same email domain, peer review doesn't work, as the review will be sent to @ email_to_add_to_user>

1. Has to do with headers. You are supposed to add the email headers yourself in site_details. Each line separated by a '*'.

There are three issues with that:
- No user knows what to fill in there. Even I as a network specialist had to look at the code what was expected there. And even then, this field is often used inappropriately. Only in the case of peer reviews, the code assumed it was more than 1 header line separated with '*'
- There is a field 'site_email_account', but it's not used as the 'From' Address.
- You have to know that the email bodies are HTML, so you have to know to add Content-Type: text/html header, otherwise the emails look really weird.

Fix:

Added function get_email_headers() to functions.php (don't know whether that's the best location), that tries to build a proper header string for the php mail function:
1. It adds the site_email_account as the From: header, if there is no From field in the site_details->headers field
2. It adds a Content-Type header if it is not in the site_details->headers field
3. It replaces the '*' with '\n' in the site_details->headers field and adds the result.

2. This is annoying for example in the case of the sand pit or in case of Toll-Net.

Fix:

Added retouremail to the peerreview form. I decided NOT to change the Database schema, but encoded the retouremail address(es) in the additional_sharing->extra field.

Will commit later today,

Tom

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Mon Mar 4 11:23:05 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Mon, 4 Mar 2013 11:23:05 +0000
Subject: [Xerte-dev] Re: Peer review, feedback etc.
In-Reply-To: <51346F8A.9000508@tor.nl>
References: <51346F8A.9000508@tor.nl>
Message-ID: <60E55E81-0024-467E-B17D-F945814197D6@pgogywebstuff.com>

Thanks Tom,

This was always a bit weird. I thought the docs explained this though? Or the installer?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 4 Mar 2013, at 09:55, Tom Reijnders wrote:

> I've solved some issues with the peer review module and the feedback module.
>
> 1. Sending email from the system depends on some items in site_details that are really explained, and then in the code not used properly.
> 2. If not all users are on the same email domain, peer review doesn't work, as the review will be sent to @ email_to_add_to_user>
>
> 1. Has to do with headers. You are supposed to add the email headers yourself in site_details. Each line separated by a '*'.
>
> There are three issues with that:
> - No user knows what to fill in there. Even I as a network specialist had to look at the code what was expected there. And even then, this field is often used inappropriately. Only in the case of peer reviews, the code assumed it was more than 1 header line separated with '*'
> - There is a field 'site_email_account', but it's not used as the 'From' Address.
> - You have to know that the email bodies are HTML, so you have to know to add Content-Type: text/html header, otherwise the emails look really weird.
>
> Fix:
>
> Added function get_email_headers() to functions.php (don't know whether that's the best location), that tries to build a proper header string for the php mail function:
> 1. It adds the site_email_account as the From: header, if there is no From field in the site_details->headers field
> 2. It adds a Content-Type header if it is not in the site_details->headers field
> 3. It replaces the '*' with '\n' in the site_details->headers field and adds the result.
>
> 2. This is annoying for example in the case of the sand pit or in case of Toll-Net.
>
> Fix:
>
> Added retouremail to the peerreview form. I decided NOT to change the Database schema, but encoded the retouremail address(es) in the additional_sharing->extra field.
>
> Will commit later today,
>
> Tom
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

From reijnders at tor.nl Mon Mar 4 11:59:52 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 04 Mar 2013 12:59:52 +0100
Subject: [Xerte-dev] Re: Peer review, feedback etc.
In-Reply-To: <60E55E81-0024-467E-B17D-F945814197D6@pgogywebstuff.com>
References: <51346F8A.9000508@tor.nl> <60E55E81-0024-467E-B17D-F945814197D6@pgogywebstuff.com>
Message-ID: <51348CB8.5030304@tor.nl>

Yeah..., it's just how it works right?

You're asked to add some functionality, and you create it, and then no one uses (or complains about) it for ages, and all of a sudden you ask yourself... what the F...

Been there, done that.... ;-)

On 4-3-2013 12:23, Pat @ Pgogy wrote:
> Thanks Tom,
>
> This was always a bit weird.
> I thought the docs explained this though? Or the installer?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Mon Mar 4 12:44:22 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Mon, 4 Mar 2013 12:44:22 +0000
Subject: [Xerte-dev] Re: Peer review, feedback etc.
In-Reply-To: <51348CB8.5030304@tor.nl>
References: <51346F8A.9000508@tor.nl> <60E55E81-0024-467E-B17D-F945814197D6@pgogywebstuff.com> <51348CB8.5030304@tor.nl>
Message-ID: <4F01CE2F-CE1C-421A-8F88-0A70ED04D228@pgogywebstuff.com>

Yep, made it work for Nottingham, then did just about enough to make it work for someone else :) No one asked about it and never sure how often it is even used. Maybe a case for putting into a workflow as an option?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 4 Mar 2013, at 11:59, Tom Reijnders wrote:

> Yeah..., it's just how it works right?
>
> You're asked to add some functionality, and you create it, and then no one uses (or complains about) it for ages, and all of a sudden you ask yourself... what the F...
>
> Been there, done that.... ;-)

From J.J.Smith at gcu.ac.uk Mon Mar 4 16:02:26 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 4 Mar 2013 16:02:26 +0000
Subject: [Xerte-dev] Plugins code added to trunk
Message-ID:

Hi all,

I've just committed the plugins code that I was working on - feel free to give it a try and let me know of any bugs/improvements/concerns and I'll address them...

This is definitely a developer tool so won't be used by the majority but will allow functionality to be changed without checking in code... we could almost have a repository of plugins to allow people to do things that means they don't need any PHP experience but can customise their setup...
Here is the rather lengthy text I added to the SVN

PLUGINS, ACTIONS & FILTERS:
This code allows you to add a 'plugin' in the /plugins folder which will augment functionality provided by XOT. It allows you to create single file or folder style plugins (similar to Wordpress) which add functionality to various 'hook' points within the page. These hooks are by no means definitive and hopefully we can add lots more, however for filters to work in a better way some code will need re-written in order to pass 'content' through the filter before being used or echo-ed.

The current files should do nothing to an install. The example plugins are commented out - remove the 'REMOVE_THIS' text from the filenames in order to activate.

The 'GCU Plugin' demonstrates some potentially useful functionality:
* It adds a banner at the top of the page (login and editor)
* It changes the text
* It changes the "My Projects" text to "John's Projects"
* It adds text to Pod 1
* It adds a title slide to data.xml on save

The plugin_one plugin simply inserts HTML comments at action hook points throughout the page. Enable this by taking out REMOVE_THIS and then refresh the page and view the source to reveal its result...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130304/dc2e1e12/attachment-0001.html>

From johnathan.kemp at ntlworld.com Mon Mar 4 22:17:56 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Mon, 4 Mar 2013 22:17:56 +0000
Subject: [Xerte-dev] use of info tag in xwd forms
Message-ID: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>

On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag.

The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields.

You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.

This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g.

- Information about what the page is designed to do
- Instructions on what the properties in the form are to help in completing the form created by the xwd file;
- examples of actual uses of that page type in real projects.
- examples of combining this page type with other page types to achieve a particular pedagogical approach
- guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility

However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised.
Is this something that is intended to be addressed before the next release of Xerte / XOT?

Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it.

Kind regards

Johnathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130304/98ef0ab2/attachment.html>

From Julian.Tenney at nottingham.ac.uk Tue Mar 5 09:40:41 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 09:40:41 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>

What's the problem in a nutshell?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 04 March 2013 22:18
To: Xerte Developers Discussion List
Subject: [Xerte-dev] use of info tag in xwd forms

On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag.

The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields.

You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g. * Information about what the page is designed to do * Instructions on what the properties in the form are to help in completing the form created by the xwd file; * examples of actual uses of that page type in real projects. * examples of combining this page type with other page types to achieve a particular pedagogical approach * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised. Is this something that is intended to be addressed before the next release of Xerte / XOT? Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it. Kind regards Johnathan -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/bced1f17/attachment.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 09:58:57 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 09:58:57 +0000 Subject: [Xerte-dev] Re: Plugins code added to trunk In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D196@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D196@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E625E@EXCHANGE1.ad.nottingham.ac.uk> Nice one, this sounds interesting, From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 04 March 2013 16:02 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Plugins code added to trunk Hi all, I've just committed the plugins code that I was working on - feel free to give it a try and let me know of any bugs/improvements/concerns and I'll address them... This is definitely a developer tool so won't be used by the majority but will allow functionality to be changed without checking in code... we could almost have a repository of plugins to allow people to do things that means they don't need any PHP experience but can customise their setup... Here is the rather lengthy text I added to the SVN PLUGINS, ACTIONS & FILTERS: This code allows you to add a 'plugin' in the /plugins folder which will augment functionality provided by XOT. It allows you to create single file or folder style plugins (similar to Wordpress) which add functionality to various 'hook' points within the page. These hooks are by no means definitive and hopefully we can add lots more, however for filters to work in a better way some code will need re-written in order to pass 'content' through the filter before being used or echo-ed.. The current files should do nothing to an install.
The example plugins are commented out - remove the 'REMOVE_THIS' text from the filenames in order to activate. The 'GCU Plugin' demonstrates some potentially useful functionality: * It adds a banner at the top of the page (login and editor) * It changes the <title> text * It changes the "My Projects" text to "John's Projects" * It adds text to Pod 1 * It adds a title slide to data.xml on save The plugin_one plugin simply inserts HTML comments at action hook points throughout the page. Enable this by taking out REMOVE_THIS and then refresh the page and view the source to reveal its result... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/9ee1eef5/attachment-0001.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 10:13:39 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 10:13:39 +0000 Subject: [Xerte-dev] Edit Window Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate? [cid:image001.png at 01CE198A.1B382A50] -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/54412dae/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 68411 bytes Desc: image001.png URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/54412dae/attachment-0001.png> From johnathan.kemp at ntlworld.com Tue Mar 5 10:23:23 2013 From: johnathan.kemp at ntlworld.com (Kemp Johnathan) Date: Tue, 5 Mar 2013 10:23:23 +0000 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> If you include the info tag in an xwd form it can result in the non-display of the last entries in the form. The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed. If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them. The easiest way to explain what is happening is for you to see it for yourself. I have attached a simple demo. The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page. 1. Open this project in Xerte 2. Double click on the Quiz page to open the xwd form 3. Click on the language tab to display the language fields 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom. 5. The language tag is not significant to this issue. 6.
Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file) I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code. I hope this makes the effect clear (if not the cause :-( ) Kind regards Johnathan On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > What's the problem in a nutshell? > > > > *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Kemp Johnathan > *Sent:* 04 March 2013 22:18 > *To:* Xerte Developers Discussion List > *Subject:* [Xerte-dev] use of info tag in xwd forms > > > > On the 4th December I posted to the developer list an issue with the xwd > forms relating to the use of the "info" tag. > > > > The inclusion of an info tag in the xwd form can result in space being > allocated above the info tag for the display of the last few properties in > the xwd form definition, but the properties are not visible in the form. > You can however confirm their "presence" as the mouse pointer responds to > them if moved over the input fields. > > > > You can test this out in Xerte (or XOT) by creating a page using one of > the Connector page types. The info tag has been used in these pages to link > to a pdf help file that is hosted on the Xerte community web site, but the > "language" flagged form properties are no longer all editable, due to the > presence of the info tag. > > > > This is a pity as the info tag could be used to provide a link to an > external document that gives the Author useful additional information to > assist them in making the best use of that page type. e.g. > > * Information about what the page is designed to do > > * Instructions on what the properties in the form are to help in > completing the form created by the xwd file; > > *
examples of actual uses of that page type in real projects. > > * examples of combining this page type with other page types to > achieve a particular pedagogical approach > > * guidance as to how accessible the page is with respect to > particular types of user, or what features the page has as optional > properties to provide additional accessibility > > However at present if the "info" tag is used then the ability to edit the > language flagged elements of the page is compromised. > > > > Is this something that is intended to be addressed before the next release > of Xerte / XOT? > > > > Sorry to be a nuisance, but it seems such a potentially useful feature it > seems a shame not to be able to use it. > > > > Kind regards > > > > Johnathan > > > > > > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/e3586ed7/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed...
Name: infoTagExample.zip Type: application/zip Size: 8832 bytes Desc: not available URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/e3586ed7/attachment.zip> From d_b_burnett at hotmail.com Tue Mar 5 10:43:27 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Tue, 5 Mar 2013 05:43:27 -0500 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> Message-ID: <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> What version of desktop is required? The only language related object I have showing is "Show Language Options" in the bottom bar. (I do see "Here is the help" in blue near the bottom). Date: Tue, 5 Mar 2013 10:23:23 +0000 From: johnathan.kemp at ntlworld.com To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: use of info tag in xwd forms If you include the info tag in an xwd form it can result in the non-display of the last entries in the form. The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed. If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them. The easiest way to explain what is happening is for you to see it for yourself. I have attached a simple demo. The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page.
1. Open this project in Xerte 2. Double click on the Quiz page to open the xwd form 3. Click on the language tab to display the language fields 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom. 5. The language tag is not significant to this issue. 6. Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file) I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code. I hope this makes the effect clear (if not the cause :-( ) Kind regards Johnathan On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: What's the problem in a nutshell? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan Sent: 04 March 2013 22:18 To: Xerte Developers Discussion List Subject: [Xerte-dev] use of info tag in xwd forms On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag. The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields. You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g. * Information about what the page is designed to do * Instructions on what the properties in the form are to help in completing the form created by the xwd file; * examples of actual uses of that page type in real projects. * examples of combining this page type with other page types to achieve a particular pedagogical approach * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised. Is this something that is intended to be addressed before the next release of Xerte / XOT? Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it. Kind regards Johnathan _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/3e0f1bc1/attachment-0001.html> From d_b_burnett at hotmail.com Tue Mar 5 10:53:25 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Tue, 5 Mar 2013 05:53:25 -0500 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> Message-ID: <BLU153-W56B5D4D3A4F28ED2DEAE4EA7FB0@phx.gbl> On Quiz2 page I do have a text entry immediately below the "Single Answer wrong" single line input area. But it is collapsed to a couple pixels high. I can put the cursor in there and see it move when I type. Date: Tue, 5 Mar 2013 10:23:23 +0000 From: johnathan.kemp at ntlworld.com To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: use of info tag in xwd forms If you include the info tag in an xwd form it can result in the non-display of the last entries in the form. The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed. If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them. The easiest way to explain what is happening is for you to see it for yourself. I have attached a simple demo. The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page.
1. Open this project in Xerte 2. Double click on the Quiz page to open the xwd form 3. Click on the language tab to display the language fields 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom. 5. The language tag is not significant to this issue. 6. Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file) I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code. I hope this makes the effect clear (if not the cause :-( ) Kind regards Johnathan On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: What's the problem in a nutshell? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan Sent: 04 March 2013 22:18 To: Xerte Developers Discussion List Subject: [Xerte-dev] use of info tag in xwd forms On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag. The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields. You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g. * Information about what the page is designed to do * Instructions on what the properties in the form are to help in completing the form created by the xwd file; * examples of actual uses of that page type in real projects. * examples of combining this page type with other page types to achieve a particular pedagogical approach * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised. Is this something that is intended to be addressed before the next release of Xerte / XOT? Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it. Kind regards Johnathan _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/b790717f/attachment.html> From xerte at pgogywebstuff.com Tue Mar 5 11:00:13 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Tue, 5 Mar 2013 11:00:13 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate? > > <image001.png> > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/6650607d/attachment.html> From J.J.Smith at gcu.ac.uk Tue Mar 5 11:05:09 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Tue, 5 Mar 2013 11:05:09 +0000 Subject: [Xerte-dev] Re: Plugins code added to trunk In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E625E@EXCHANGE1.ad.nottingham.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D196@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E625E@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F2@ITSEMBXCLUS.enterprise.gcal.ac.uk> I agree - it gives people who are not that familiar with PHP to add functionality.
Someone (might have even been me) at the developer day mentioned the possibility of a 'code snippet' library that allows you to tweak things - this could go 5 steps further by giving packaged plugins... we could even move CORE functionality into plugins... I think we need to treat it as a proof of concept just now though as we need to develop the list of hooks available and decide where we actually do the actions and filters For example, I apply a filter to the 'Pod 1' text in index.php but it could be that this is better in display_library.php - logged_in_page_format_middle function - OR we decide to move the whole {{pod_one}} replace into a CORE plugin - then it could be removed, added to or detached by a higher priority plugin... I think it needs discussing... maybe as part of your structure discussions at CETIS - it's a pity I can't make it... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 9:59 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Plugins code added to trunk Nice one, this sounds interesting, From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 04 March 2013 16:02 To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Subject: [Xerte-dev] Plugins code added to trunk Hi all, I've just committed the plugins code that I was working on - feel free to give it a try and let me know of any bugs/improvements/concerns and I'll address them... This is definitely a developer tool so won't be used by the majority but will allow functionality to be changed without checking in code...
we could almost have a repository of plugins to allow people to do things that means they don't need any PHP experience but can customise their setup... Here is the rather lengthy text I added to the SVN PLUGINS, ACTIONS & FILTERS: This code allows you to add a 'plugin' in the /plugins folder which will augment functionality provided by XOT. It allows you to create single file or folder style plugins (similar to Wordpress) which add functionality to various 'hook' points within the page. These hooks are by no means definitive and hopefully we can add lots more, however for filters to work in a better way some code will need re-written in order to pass 'content' through the filter before being used or echo-ed.. The current files should do nothing to an install. The example plugins are commented out - remove the 'REMOVE_THIS' text from the filenames in order to activate. The 'GCU Plugin' demonstrates some potentially useful functionality: * It adds a banner at the top of the page (login and editor) * It changes the <title> text * It changes the "My Projects" text to "John's Projects" * It adds text to Pod 1 * It adds a title slide to data.xml on save The plugin_one plugin simply inserts HTML comments at action hook points throughout the page. Enable this by taking out REMOVE_THIS and then refresh the page and view the source to reveal its result... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/3a086aa9/attachment-0001.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 11:17:03 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 11:17:03 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It's good that the code all runs out of the svn - we should always try and keep it that way.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/15ec787f/attachment.html> From J.J.Smith at gcu.ac.uk Tue Mar 5 11:20:27 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Tue, 5 Mar 2013 11:20:27 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> Pretty sure it's not something I did... I've been looking through recent js file changes but not seeing anything... how recent do we think this happened?
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 11:17 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It's good that the code all runs out of the svn - we should always try and keep it that way. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/78eb25ad/attachment.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 11:34:59 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 11:34:59 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> I've been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn't have time for any coding last week, so sometime in the week before From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 05 March 2013 11:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Pretty sure it's not something I did... I've been looking through recent js file changes but not seeing anything... how recent do we think this happened? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 11:17 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Where would I look?
I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It?s good that the code all runs out of the svn - we should always try and keep it that way. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/4f670508/attachment-0001.html> From xerte at pgogywebstuff.com Tue Mar 5 12:09:59 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Tue, 5 Mar 2013 12:09:59 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages...... But add the extra parameters to hide toolbars in this code. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > I?ve been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn?t have time for any coding last week, so sometime in the week before > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 05 March 2013 11:20 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Pretty sure it?s not something I did? I?ve been looking through recent js file changes but not seeing anything? how recent do we think this happened? 
> > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Tuesday, March 05, 2013 11:17 AM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. > > It?s good that the code all runs out of the svn - we should always try and keep it that way. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: 05 March 2013 11:00 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Not deliberately > > Look in the js - the string concat might be breaking > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > > After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? > > <image001.png> > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/6c4d18a5/attachment.html> From J.J.Smith at gcu.ac.uk Tue Mar 5 12:26:32 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Tue, 5 Mar 2013 12:26:32 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> I just tried the latest trunk in IE and it opens in a new window without toolbars? but in Firefox and Chrome it opens in a new tab. Does a new tab not always have the toolbars?? Is it a browser thing? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Tuesday, March 05, 2013 12:10 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages...... 
But add the extra parameters to hide toolbars in this code. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: I?ve been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn?t have time for any coding last week, so sometime in the week before From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 05 March 2013 11:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Pretty sure it?s not something I did? I?ve been looking through recent js file changes but not seeing anything? how recent do we think this happened? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 11:17 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It?s good that the code all runs out of the svn - we should always try and keep it that way. 
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/3af6c5b9/attachment-0001.html> From xerte at pgogywebstuff.com Tue Mar 5 13:14:51 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Tue, 5 Mar 2013 13:14:51 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com> Am suspicious we think it did something it maybe doesn't do because of browsers changing Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 12:26, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > I just tried the latest trunk in IE and it opens in a new window without toolbars? but in Firefox and Chrome it opens in a new tab. Does a new tab not always have the toolbars?? Is it a browser thing? 
> > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: Tuesday, March 05, 2013 12:10 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages...... > > But add the extra parameters to hide toolbars in this code. > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > > I?ve been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn?t have time for any coding last week, so sometime in the week before > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 05 March 2013 11:20 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Pretty sure it?s not something I did? I?ve been looking through recent js file changes but not seeing anything? how recent do we think this happened? > > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Tuesday, March 05, 2013 11:17 AM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. 
> > It?s good that the code all runs out of the svn - we should always try and keep it that way. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: 05 March 2013 11:00 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Edit Window > > Not deliberately > > Look in the js - the string concat might be breaking > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > > After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? > > <image001.png> > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/09a988f7/attachment.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 13:33:52 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 13:33:52 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E647C@EXCHANGE1.ad.nottingham.ac.uk> IN my firefox it opens a new window, but with toolbars, resizable. What?s going on? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 05 March 2013 12:27 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window I just tried the latest trunk in IE and it opens in a new window without toolbars? but in Firefox and Chrome it opens in a new tab. 
Does a new tab not always have the toolbars?? Is it a browser thing? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Tuesday, March 05, 2013 12:10 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages...... But add the extra parameters to hide toolbars in this code. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: I?ve been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn?t have time for any coding last week, so sometime in the week before From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 05 March 2013 11:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Pretty sure it?s not something I did? I?ve been looking through recent js file changes but not seeing anything? how recent do we think this happened? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 11:17 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It?s good that the code all runs out of the svn - we should always try and keep it that way. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/edbbcfab/attachment-0001.html> From Julian.Tenney at nottingham.ac.uk Tue Mar 5 13:47:28 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Tue, 5 Mar 2013 13:47:28 +0000 Subject: [Xerte-dev] Re: Edit Window In-Reply-To: <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com> References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E649E@EXCHANGE1.ad.nottingham.ac.uk> If I put an alert as the first line in function edit_window it 
doesn?t fire (i.e. is function edit_window actually used when hitting the edit button in the workspace?), it doesn?t seem to be? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 13:15 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Am suspicious we think it did something it maybe doesn't do because of browsers changing Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 12:26, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: I just tried the latest trunk in IE and it opens in a new window without toolbars? but in Firefox and Chrome it opens in a new tab. Does a new tab not always have the toolbars?? Is it a browser thing? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Tuesday, March 05, 2013 12:10 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages...... But add the extra parameters to hide toolbars in this code. 
Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: I?ve been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn?t have time for any coding last week, so sometime in the week before From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 05 March 2013 11:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Pretty sure it?s not something I did? I?ve been looking through recent js file changes but not seeing anything? how recent do we think this happened? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Tuesday, March 05, 2013 11:17 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should. It?s good that the code all runs out of the svn - we should always try and keep it that way. 
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 05 March 2013 11:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: Edit Window Not deliberately Look in the js - the string concat might be breaking Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: After recent changes, the edit window isn?t opening as it used to do: I get all the toolbars, etc. Was this deliberate? <image001.png> _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/986c3bb3/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Tue Mar 5 13:48:19 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 13:48:19 +0000
Subject: [Xerte-dev] Re: Edit Window
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64A2@EXCHANGE1.ad.nottingham.ac.uk>

Forget that.

From: Tenney Julian
Sent: 05 March 2013 13:47
To: 'For Xerte technical developers'
Subject: RE: [Xerte-dev] Re: Edit Window

If I put an alert as the first line in function edit_window it doesn't fire (i.e. is function edit_window actually used when hitting the edit button in the workspace?), it doesn't seem to be?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 13:15
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Am suspicious we think it did something it maybe doesn't do because of browsers changing

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 12:26, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

I just tried the latest trunk in IE and it opens in a new window without toolbars... but in Firefox and Chrome it opens in a new tab. Does a new tab not always have the toolbars?? Is it a browser thing?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Tuesday, March 05, 2013 12:10 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages......

But add the extra parameters to hide toolbars in this code.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

I've been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn't have time for any coding last week, so sometime in the week before

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 05 March 2013 11:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Pretty sure it's not something I did? I've been looking through recent js file changes but not seeing anything... how recent do we think this happened?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, March 05, 2013 11:17 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should.

It's good that the code all runs out of the svn - we should always try and keep it that way.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 11:00
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Not deliberately

Look in the js - the string concat might be breaking

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate?

<image001.png>
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/63d11ab9/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Tue Mar 5 13:50:37 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 13:50:37 +0000
Subject: [Xerte-dev] Re: Edit Window
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64AC@EXCHANGE1.ad.nottingham.ac.uk>

It opens the window in the if (we have no editor size) logic. Shouldn't it default to 800 x 665 if there is no size defined? I take it this is a modularisation thing?

Should I define a size somewhere?

From: Tenney Julian
Sent: 05 March 2013 13:48
To: Tenney Julian; 'For Xerte technical developers'
Subject: RE: [Xerte-dev] Re: Edit Window

Forget that.

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/bf184040/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Tue Mar 5 13:57:19 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 13:57:19 +0000
Subject: [Xerte-dev] Re: Plugins code added to trunk
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D196@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E625E@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64C8@EXCHANGE1.ad.nottingham.ac.uk>

> I think it needs discussing... maybe as part of your structure discussions at CETIS - it's a pity I can't make it...

When should we get together face to face again? And where? There seems like loads going on at the moment, it's March already and if we wanted to do something, say, end of June, we should maybe plan for that now?

Maybe we should also think about the AGM again, and what we want to do with that,

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 05 March 2013 11:05
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Plugins code added to trunk

I agree - it gives people who are not that familiar with PHP to add functionality. Someone (might have even been me) at the developer day mentioned the possibility of a 'code snippet' library that allows you to tweak things - this could go 5 steps further by giving packaged plugins... we could even move CORE functionality into plugins...

I think we need to treat it as a proof of concept just now though as we need to develop the list of hooks available and decide where we actually do the actions and filters

For example, I apply a filter to the 'Pod 1' text in index.php but it could be that this is better in display_library.php - logged_in_page_format_middle function - OR we decide to move the whole {{pod_one}} replace into a CORE plugin - then it could be removed, added to or detached by a higher priority plugin...

I think it needs discussing... maybe as part of your structure discussions at CETIS - it's a pity I can't make it...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, March 05, 2013 9:59 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Plugins code added to trunk

Nice one, this sounds interesting,

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 04 March 2013 16:02
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Plugins code added to trunk

Hi all,

I've just committed the plugins code that I was working on - feel free to give it a try and let me know of any bugs/improvements/concerns and I'll address them...

This is definitely a developer tool so won't be used by the majority but will allow functionality to be changed without checking in code... we could almost have a repository of plugins to allow people to do things that means they don't need any PHP experience but can customise their setup...

Here is the rather lengthy text I added to the SVN

PLUGINS, ACTIONS & FILTERS:

This code allows you to add a 'plugin' in the /plugins folder which will augment functionality provided by XOT. It allows you to create single file or folder style plugins (similar to Wordpress) which add functionality to various 'hook' points within the page. These hooks are by no means definitive and hopefully we can add lots more, however for filters to work in a better way some code will need re-written in order to pass 'content' through the filter before being used or echo-ed.

The current files should do nothing to an install. The example plugins are commented out - remove the 'REMOVE_THIS' text from the filenames in order to activate.

The 'GCU Plugin' demonstrates some potentially useful functionality:

* It adds a banner at the top of the page (login and editor)
* It changes the <title> text
* It changes the "My Projects" text to "John's Projects"
* It adds text to Pod 1
* It adds a title slide to data.xml on save

The plugin_one plugin simply inserts HTML comments at action hook points throughout the page. Enable this by taking out REMOVE_THIS and then refresh the page and view the source to reveal its result...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/3d2e7bed/attachment.html>

From xerte at pgogywebstuff.com Tue Mar 5 13:56:34 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Tue, 5 Mar 2013 13:56:34 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64AC@EXCHANGE1.ad.nottingham.ac.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64AC@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <04139A6A-985C-4D57-A4CA-214B8C2CB07C@pgogywebstuff.com>

Yes you put a size in the info, but by default it should be xerte size - did I get my logic back to front?

Yes modularisation meant each module could choose its own window size

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 13:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> It opens the window in the if (we have no editor size) logic. Shouldn't it default to 800 x 665 if there is no size defined? I take it this is a modularisation thing?
>
> Should I define a size somewhere?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/d5b33009/attachment-0001.html>

From xerte at pgogywebstuff.com Tue Mar 5 13:57:01 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Tue, 5 Mar 2013 13:57:01 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64AC@EXCHANGE1.ad.nottingham.ac.uk>
References: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6287@EXCHANGE1.ad.nottingham.ac.uk> <17480C22-F8BB-48B2-94A6-DF0157E5F5BA@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E6339@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E636C@EXCHANGE1.ad.nottingham.ac.uk> <D4D60869-99C8-4958-84BE-827D10B33DF6@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D220@ITSEMBXCLUS.enterprise.gcal.ac.uk> <AD10ABB4-1232-4322-BCBC-A096D5AB8803@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64AC@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <689FE84F-88DE-4A75-ABDB-76CC42940FB5@pgogywebstuff.com>

But that doesn't explain the toolbar code, as that appears to be absent in the svn?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 13:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> It opens the window in the if (we have no editor size) logic. Shouldn't it default to 800 x 665 if there is no size defined? I take it this is a modularisation thing?
>
> Should I define a size somewhere?

-------------- next part --------------
An HTML attachment was scrubbed...
From Julian.Tenney at nottingham.ac.uk Tue Mar 5 14:01:55 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 14:01:55 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <689FE84F-88DE-4A75-ABDB-76CC42940FB5@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64D9@EXCHANGE1.ad.nottingham.ac.uk>

I know I'm a bit perplexed myself.

But no matter, an easy enough fix: but the problem is that this is launching from the undefined size option in the code. I want to make sure the window is the right size, so does no size defined mean default to 800x665?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 13:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

But that doesn't explain the toolbar code, as that appears to be absent in the svn?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 5 Mar 2013, at 13:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

It opens the window in the if (we have no editor size) logic. Shouldn't it default to 800 x 665 if there is no size defined? I take it this is a modularisation thing?

Should I define a size somewhere?

From: Tenney Julian
Sent: 05 March 2013 13:48
To: Tenney Julian; 'For Xerte technical developers'
Subject: RE: [Xerte-dev] Re: Edit Window

Forget that.

From: Tenney Julian
Sent: 05 March 2013 13:47
To: 'For Xerte technical developers'
Subject: RE: [Xerte-dev] Re: Edit Window

If I put an alert as the first line in function edit_window it doesn't fire (i.e. is function edit_window actually used when hitting the edit button in the workspace?), it doesn't seem to be?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 13:15
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Am suspicious we think it did something it maybe doesn't do because of browsers changing

On 5 Mar 2013, at 12:26, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

I just tried the latest trunk in IE and it opens in a new window without toolbars... but in Firefox and Chrome it opens in a new tab. Does a new tab not always have the toolbars...? Is it a browser thing?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Tuesday, March 05, 2013 12:10 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Hmmmm, in editor window in template_management.js none of the recent changes show a removal of the toolbars so I am a bit confused - I didn't remove with my changes - but it seems like it hasn't been there for ages......

But add the extra parameters to hide toolbars in this code.

On 5 Mar 2013, at 11:34, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

I've been checking out the svn and developing in it on localhost: I last checked it out sometime the week before last, and it was OK, I didn't have time for any coding last week, so sometime in the week before

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 05 March 2013 11:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Pretty sure it's not something I did... I've been looking through recent js file changes but not seeing anything... how recent do we think this happened?

Regards,

John Smith

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, March 05, 2013 11:17 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Where would I look? I want to demo some new stuff tomorrow, and it would be good if it looks as it should.

It's good that the code all runs out of the svn - we should always try and keep it that way.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 11:00
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Not deliberately

Look in the js - the string concat might be breaking

On 5 Mar 2013, at 10:13, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

After recent changes, the edit window isn't opening as it used to do: I get all the toolbars, etc. Was this deliberate?

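The default-size question raised in the message above, as an added example that is not code from the Xerte repository: one way to build the `window.open` features string so that a module with no size defined falls back to 800x665 and the toolbar flags are always present. The function names, the injected `win` object and the "WIDTHxHEIGHT" size format are assumptions made for the illustration.

```javascript
// Added illustration. Names and the "WxH" size format are assumptions,
// not Xerte's own code or configuration format.
const DEFAULT_EDITOR_SIZE = Object.freeze({ width: 800, height: 665 });

// Parse a module-supplied size such as "1024x768" or "1024, 768".
// Anything missing or malformed falls back to the default, so the text
// "undefined" or "NaN" can never end up inside the features string.
function parseEditorSize(raw) {
  if (typeof raw !== "string") return { ...DEFAULT_EDITOR_SIZE };
  const match = /^\s*(\d{2,5})\s*[x,]\s*(\d{2,5})\s*$/i.exec(raw);
  if (!match) return { ...DEFAULT_EDITOR_SIZE };
  return { width: Number(match[1]), height: Number(match[2]) };
}

// Build the third argument of window.open(): an explicit size plus the
// flags that request a window without toolbars. Browsers treat these as
// requests: some open a tab regardless, and current browsers keep the
// address bar visible in popups.
function buildEditorFeatures(rawSize) {
  const { width, height } = parseEditorSize(rawSize);
  return [
    `width=${width}`,
    `height=${height}`,
    "toolbar=no",
    "menubar=no",
    "location=no",
    "status=no",
    "scrollbars=yes",
    "resizable=yes",
  ].join(",");
}

// What plain string concatenation produces when no size was defined:
// the kind of breakage to look for when a popup stops honouring its size.
function naiveEditorFeatures(size) {
  return "width=" + (size && size.width) + ",height=" + (size && size.height);
}

// Open the editor through an injected window-like object (pass `window`
// in a browser); returns the handle and the features string that was used.
function openEditor(win, url, windowName, rawSize) {
  const features = buildEditorFeatures(rawSize);
  return { handle: win.open(url, windowName, features), features };
}
```
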
From Julian.Tenney at nottingham.ac.uk Tue Mar 5 14:09:15 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 14:09:15 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <04139A6A-985C-4D57-A4CA-214B8C2CB07C@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64ED@EXCHANGE1.ad.nottingham.ac.uk>

OK. Bit pushed for time today, but will fix it.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 05 March 2013 13:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Edit Window

Yes you put a size in the info, but by default it should be xerte size - did I get my logic back to front

Yes modularisation meant each module could choose its own window size

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

From xerte at pgogywebstuff.com Tue Mar 5 14:20:56 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Tue, 5 Mar 2013 14:20:56 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64D9@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <866BF3AC-4578-497C-A493-E21414A1DFAD@pgogywebstuff.com>

Yes, let me check it later and commit some changes

So xerte windows no toolbars and stuff?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

From Julian.Tenney at nottingham.ac.uk Tue Mar 5 14:21:24 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Tue, 5 Mar 2013 14:21:24 +0000
Subject: [Xerte-dev] Re: Edit Window
In-Reply-To: <866BF3AC-4578-497C-A493-E21414A1DFAD@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E650E@EXCHANGE1.ad.nottingham.ac.uk>

please

http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/4765db49/attachment-0001.html> From johnathan.kemp at ntlworld.com Tue Mar 5 17:53:29 2013 From: johnathan.kemp at ntlworld.com (Kemp Johnathan) Date: Tue, 5 Mar 2013 17:53:29 +0000 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> Message-ID: <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com> The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue. 
The "here is the help" text is the text contained in the info tag.

If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.

If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.

If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed. You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.

If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.

Kind regards

Johnathan

On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:

> What version of desktop is required?
> The only language related object I have showing is "Show Language Options"
> in the bottom bar.
>
> (I do see "Here is the help" in blue near the bottom).
>
> ------------------------------
> Date: Tue, 5 Mar 2013 10:23:23 +0000
> From: johnathan.kemp at ntlworld.com
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> If you include the info tag in an xwd form it can result in the
> non-display of the last entries in the form.
>
> The info tag displays at the bottom of the form with a blank area of form
> above it where the missing fields and field labels should be displayed.
>
> If you move the mouse pointer over the blank area of the form then the
> mouse pointer will change indicating that the fields are there - you just
> can't see them.
>
> The easiest way to explain what is happening is for you to see it for
> yourself.
>
> I have attached a simple demo. The demo is a standard Xerte project (not a
> "Pages" type project - I have manually set up the xwd links for the pages)
> in which I have set up two copies of the Quiz page.
>
> 1. Open this project in Xerte
> 2. Double click on the Quiz page to open the xwd form
> 3. Click on the language tab to display the language fields
> 4. Scroll down the form - you will see the blank area where the hidden
>    language fields should appear and the blue info comment at the bottom.
> 5. The language tag is not significant to this issue.
> 6. Double click on the Quiz2 page, you will see the same effect
>    without the use of the language tag (I deleted them from this page's xwd
>    file)
>
> I don't know if the cause is to do with layers or visibility settings. I
> don't know what happens when the info tag is actioned in the code.
>
> I hope this makes the effect clear (if not the cause :-( )
>
> Kind regards
>
> Johnathan
>
> On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> What's the problem in a nutshell?
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:
> xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Kemp Johnathan
> *Sent:* 04 March 2013 22:18
> *To:* Xerte Developers Discussion List
> *Subject:* [Xerte-dev] use of info tag in xwd forms
>
> On the 4th December I posted to the developer list an issue with the xwd
> forms relating to the use of the "info" tag.
>
> The inclusion of an info tag in the xwd form can result in space being
> allocated above the info tag for the display of the last few properties in
> the xwd form definition, but the properties are not visible in the form.
> You can however confirm their "presence" as the mouse pointer responds to
> them if moved over the input fields.
>
> You can test this out in Xerte (or XOT) by creating a page using one of
> the Connector page types. The info tag has been used in these pages to link
> to a pdf help file that is hosted on the Xerte community web site, but the
> "language" flagged form properties are no longer all editable, due to the
> presence of the info tag.
>
> This is a pity as the info tag could be used to provide a link to an
> external document that gives the Author useful additional information to
> assist them in making the best use of that page type. e.g.
>
> * Information about what the page is designed to do
>
> * Instructions on what the properties in the form are to help in
>   completing the form created by the xwd file;
>
> * examples of actual uses of that page type in real projects.
>
> * examples of combining this page type with other page types to
>   achieve a particular pedagogical approach
>
> * guidance as to how accessible the page is with respect to
>   particular types of user, or what features the page has as optional
>   properties to provide additional accessibility
>
> However at present if the "info" tag is used then the ability to edit the
> language flagged elements of the page is compromised.
>
> Is this something that is intended to be addressed before the next release
> of Xerte / XOT?
>
> Sorry to be a nuisance, but it seems such a potentially useful feature it
> seems a shame not to be able to use it.
>
> Kind regards
>
> Johnathan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130305/324d731f/attachment.html>

From Julian.Tenney at nottingham.ac.uk Wed Mar 6 07:50:38 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Wed, 6 Mar 2013 07:50:38 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>
 <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>
 <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>

Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/94e3836e/attachment-0001.html>

From johnathan.kemp at ntlworld.com Wed Mar 6 10:01:35 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Wed, 6 Mar 2013 10:01:35 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>
 <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>
 <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>

Hi Folks,

What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use
of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.

How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.

By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files. Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension. This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.

Kind regards

Johnathan

On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> Maybe we should tackle this differently: rather than trying to display the
> <info> on the form, why not pop it up in a message or show it somewhere
> else?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/2e450216/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Wed Mar 6 10:38:26 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Wed, 6 Mar 2013 10:38:26 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>
 <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>
 <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>

What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?

The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/c8314a74/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Wed Mar 6 10:55:45 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Wed, 6 Mar 2013 10:55:45 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Wednesday, March 06, 2013 10:38 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?

The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 10:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Hi Folks,

What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.

How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.

By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.

Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.

This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.

Kind regards

Johnathan

On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 05 March 2013 17:53
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue.

The "here is the help" text is the text contained in the info tag.

If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.

If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.

If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed. You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.
If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.

Kind regards

Johnathan

On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:

What version of desktop is required?
The only language related object I have showing is "Show Language Options" in the bottom bar.

(I do see "Here is the help" in blue near the bottom).

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/d8d46512/attachment-0001.html>

From reijnders at tor.nl Wed Mar 6 11:05:21 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Wed, 06 Mar 2013 12:05:21 +0100
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <20130306120521.59815leiwct5zlyp@server.tor.nl>

It's not too much work to fall back to English if we need to, so have a help/<language code> for the help folder location like we have wizard/<language code> now.

The thing I have against mod_rewrites is that it's webserver specific.

So, now we only have to agree on the help file format. .pdf is fine with me...

Tom

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From Fay.Cross at nottingham.ac.uk Wed Mar 6 11:18:48 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Wed, 6 Mar 2013 11:18:48 +0000
Subject: [Xerte-dev] Re: location of latest rlm files
In-Reply-To: <51332E2D.5060601@tor.nl>
References: <CABtG3=XOrwFTgEbuTj7C+iK1evtQyKbV7Eh3pNsTDLG12L8tAg@mail.gmail.com> <51332E2D.5060601@tor.nl>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C358762DC@EXCHANGE1.ad.nottingham.ac.uk>

As far as I know none of the html5 stuff is in the xerte svn - it's all in the toolkits one. The only thing I update in the xerte svn now are changes to the xwds or additions to the language files.

Should all the html5 stuff be there too? What folder?
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 03 March 2013 11:04
To: For Xerte technical developers
Subject: [Xerte-dev] Re: location of latest rlm files

Hai Jonathan,

Good to have you back.

You shouldn't compare them, you should check what the latest are. And yes, they should be synchronised, but that's not always the case. It is my understanding that the xerte one is leading for the .rlms. I noticed that for HTML5, at this point in time the xot one is leading.

We should really try to make this VERY clear and or automate the synchronisation...

Tom

On 3-3-2013 11:49, Kemp Johnathan wrote:

I have just updated my copies of the Xerte and XOT svns and then run a comparison of the .rlm files in the following folders

xerte svn\runtime\pages\models\
and
xot svn\modules\xerte\parent_templates\Nottingham\models\

The following pages show differences in the model files in the two locations

accNav.rlm
columnPage.rlm
connectorPlainText.rlm *
cRedirector.rlm *
cTabNav.rlm *
embedDiv.rlm
quiz.rlm
slideshow.rlm

* These connector pages are no longer offered in XOT but the older models remain in XOT to provide support for older XOT projects that may have used them. The newer version of the models in the Xerte svn are for use only in Xerte.

Is the XOT model folder now the definitive location for the latest models? When changes are made in XOT are they no longer being updated also in the Xerte svn?

Kind regards

Johnathan

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/08ec1ac7/attachment.html>

From J.J.Smith at gcu.ac.uk Wed Mar 6 12:09:21 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Wed, 6 Mar 2013 12:09:21 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <20130306120521.59815leiwct5zlyp@server.tor.nl>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <20130306120521.59815leiwct5zlyp@server.tor.nl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up... I'm having to do similar with the api...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
> The only language related object I have showing is "Show Language > Options" in the bottom bar. > > (I do see "Here is the help" in blue near the bottom). > > > ________________________________ > Date: Tue, 5 Mar 2013 10:23:23 +0000 > From: johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com> > To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > If you include the info tag in an xwd form it can result in the none > display of the last entries in the form. > > The info tag displays at the bottom of the form with a blank area of > form above it where the missing fields and field labels should be > displayed. > > If you move the mouse pointer over the blank area of the form then > the mouse pointer will change indicating that the fields are there - > you just can't see them. > > The easiest way to explain what is happening is for you to see it > for yourself. > > I have attached a simple demo. The demo is a standard Xerte project > (not a "Pages" type project - I have manually set up the xwd links > for the pages) in which I have set up two copies of the Quiz page. > > 1. Open this project in Xerte > 2. Double click on the Quiz page to open the xwd form > 3. Click on the language tab to display the language fields > 4. Scroll down the form - you will see the blank area where the > hidden language fields should appear and the blue info comment at > the bottom. > 5. The language tag is not significant to this issue. > 6. Double click on the Quiz2 page, you will see the same effect > without the use of the language tag (I deleted them from this pages > xwd file) > I don't know if the cause is to do with layers or visibility > settings. I don't know what happens when the info tag is actioned in > the code. 
> > I hope this makes the effect clear (if not the cause :-( ) > > Kind regards > > Johnathan > > > > On 5 March 2013 09:40, Julian Tenney > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> > wrote: > > What's the problem in a nutshell? > > > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > Johnathan > Sent: 04 March 2013 22:18 > To: Xerte Developers Discussion List > Subject: [Xerte-dev] use of info tag in xwd forms > > > > On the 4th December I posted to the developer list an issue with the > xwd forms relating to the use of the "info" tag. > > > > The inclusion of an info tag in the xwd form can result in space > being allocated above the info tag for the display of the last few > properties in the xwd form definition, but the properties are not > visible in the form. You can however confirm their "presence" as the > mouse pointer responds to them if moved over the input fields. > > > > You can test this out in Xerte (or XOT) by creating a page using one > of the Connector page types. The info tag has been used in these > pages to link to a pdf help file that is hosted on the Xerte > community web site, but the "language" flagged form properties are > no longer all editable, due to the presence of the info tag. > > > > This is a pity as the info tag could be used to provide a link to an > external document that gives the Author useful additional > information to assist them in making the best use of that page type. > e.g. > > * Information about what the page is designed to do > > * Instructions on what the properties in the form are to > help in completing the form created by the xwd file; > > * examples of actual uses of that page type in real projects. 
>
> * examples of combining this page type with other page types
> to achieve a particular pedagogical approach
>
> * guidance as to how accessible the page is with respect to
> particular types of user, or what features the page has as optional
> properties to provide additional accessibility
>
> However at present if the "info" tag is used then the ability to
> edit the language flagged elements of the page is compromised.
>
> Is this something that is intended to be addressed before the next
> release of Xerte / XOT?
>
> Sorry to be a nuisance, but it seems such a potentially useful
> feature it seems a shame not to be able to use it.
>
> Kind regards
>
> Johnathan
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity,
> number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative
> of the Year 2009 and Herald Society's Education Initiative of the
> Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early
> Career Researchers of the Year 2010, GCU as a lead with Universities
> Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
> This message and any attachment are intended solely for the
> addressee and may contain confidential information. If you have
> received this message in error, please send it back to me, and
> immediately delete it. Please do not use, copy or disclose the
> information contained in this message or in any attachment. Any
> views or opinions expressed by the author of this email do not
> necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From d_b_burnett at hotmail.com Wed Mar 6 12:35:38 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Wed, 6 Mar 2013 07:35:38 -0500
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>, <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>, <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>, <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>, <20130306120521.59815leiwct5zlyp@server.tor.nl>, <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl>

Advantage of pdf?
I would bet we get a lot more contribution if it's dynamic.
Maybe something editable in a Xerte app?
Folks with svn access can edit?
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/9e72269d/attachment-0001.html> From xerte at pgogywebstuff.com Wed Mar 6 15:10:40 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Wed, 6 Mar 2013 15:10:40 +0000 Subject: [Xerte-dev] Re: Plugins code added to trunk In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64C8@EXCHANGE1.ad.nottingham.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D196@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E625E@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D1F2@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E64C8@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <7D5C5494-6CDF-4287-9FE4-C733F953720E@pgogywebstuff.com> I think a Skype might make sense I have told cetis that there is a xerte pub camp on the Tuesday. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 5 Mar 2013, at 13:57, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > > I think it needs discussing? maybe as part of your structure discussions at CETIS ? it?s a pity I can?t make it? > > When should we get together face to face again? And where? There seems like loads going on at the moment, it?s March already and if we wanted to do something, say, end of June, we should maybe plan for that now? 
Maybe we should also think about the AGM again, and what we want to do with that, > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 05 March 2013 11:05 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Plugins code added to trunk > > I agree ? it gives people who are not that familiar with PHP to add functionality. Someone (might have even been me) at the developer day mentioned the possibility of a ?code snippet? library that allow you to tweak things ? this could go 5 steps further by giving packaged plugins? we could even move CORE functionality into plugins? > > I think we need to treat it as a proof of concept just now though as we need to develop the list of hooks available and decide where we actually do the actions and filters > > For example, I apply a filter to the ?Pod 1? text in index.php but it could be that this is better in display_library.php ? logged_in_page_format_middle function ? OR we decide to move the whole {{pod_one}} replace into a CORE plugin ? then it could be removed, added to or detached by a higher priority plugin? > > I think it needs discussing? maybe as part of your structure discussions at CETIS ? it?s a pity I can?t make it? 
> > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Tuesday, March 05, 2013 9:59 AM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: Plugins code added to trunk > > Nice one, this sounds interesting, > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 04 March 2013 16:02 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Plugins code added to trunk > > Hi all, > > I've just committed the plugins code that I was working on - feel free to give it a try and let me know of any bugs/improvements/concerns and I'll address them... > > This is definitely a developer tool so won't be used by the majority but will allow functionality to be changed without checking in code... we could almost have a repository of plugins to allow people to do things that means they don't need any PHP experience but can customise their setup... Here is the rather lengthy text I added to the SVN > > > PLUGINS, ACTIONS & FILTERS: This code allows you to add a 'plugin' in the > /plugins folder which will augment functionality provided by XOT. It allows you > to create single file or folder style plugins (similar to Wordpress) which add > functionality to various 'hook' points within the page. These hooks are by no > means definitive and hopefully we can add lots more, however for filters to work > in a better way some code will need re-written in order to pass 'content' > through the filter before being used or echo-ed.. > > The current files should do nothing to an install. The example plugins are > commented out - remove the 'REMOVE_THIS' text from the filenames in order to > activate. The 'GCU Plugin' demonstrates some potentially useful functionality: > >
> * It adds a banner at the top of the page (login and editor) > * It changes the <title> text > * It changes the "My Projects" text to "John's Projects" > * It adds text to Pod 1 > * It adds a title slide to data.xml on save > > The plugin_one plugin simply inserts HTML comments at action hook points > throughout the page. Enable this by taking out REMOVE_THIS and then refresh the > page and view the source to reveal its result... > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/1993456a/attachment-0001.html> From johnathan.kemp at ntlworld.com Wed Mar 6 18:20:51 2013 From: johnathan.kemp at ntlworld.com (Kemp Johnathan) Date: Wed, 6 Mar 2013 18:20:51 +0000 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com> <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl> <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <20130306120521.59815leiwct5zlyp@server.tor.nl> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk> <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl> Message-ID: <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com> Advantage of pdf? A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out). My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage. So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages. I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. 
Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication. I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free? The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed. Just my take on things Johnathan On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote: > > Advantage of pdf? > > I would bet we get a lot more contribution if it's dynamic. > Maybe something editable in a Xerte app? > Folks with svn access can edit? > > > > From: J.J.Smith at gcu.ac.uk > > To: xerte-dev at lists.nottingham.ac.uk > > Date: Wed, 6 Mar 2013 12:09:21 +0000 > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > Sure Tom, I suppose an alternative would be to funnel everything through > help/index.php?language=XX&file=YYY and let it decide which to serve up... > > > > I'm having to do similar with the api... > > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > > Sent: Wednesday, March 06, 2013 11:05 AM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > It's not too much work to fall back to English if we need to, > > > > So have a help/<language code> for the help folder location like we > have wizard/<language code> now.
> > > > > > The thing I have against mod_rewrites is that it's webserver specific. > > > > So, now we only have to agree on the help file format. .pdf is fine with > me... > > > > Tom > > > > Citeren "Smith, John" <J.J.Smith at gcu.ac.uk>: > > > > > Why not just append the language code to the URL (new website) and mod > > > rewrite the url. If there is a language file that matches send that, > > > otherwise send the English one... > > > > > > > > > Regards, > > > > > > John Smith > > > Learning Technologist > > > School of Health & Life Sciences > > > Glasgow Caledonian University > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > > > Julian Tenney > > > Sent: Wednesday, March 06, 2013 10:38 AM > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > What about languages? You might want help in several languages. But > > > we can cope with multi lingual wizards, so why not multi lingual help? > > > > > > The form is a bit of a pain because now we have advanced / language > > > options, redrawing the form is a bit of a pain, so thinking > > > differently might be a good idea. > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp > > > Johnathan > > > Sent: 06 March 2013 10:02 > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > Hi Folks, > > > > > > What I would like to be able to achieve is a means of providing a > > > link to a pdf file that the author can access to provide additional > > > information to support the use of the page type. 
My original need > > > was to support the connector pages and the inventory page with more > > > information about how the page worked and how, in the case of > > > connector pages they could be used in conjunction with other pages. > > > However the help file could provide other stuff such as examples of > > > use or pedagogical information. > > > > > > How that link is made available to the author I don't have a strong > > > view on. It just seemed that the <info> tag already provided the > > > functionality (except for this frustrating glitch). If resolving the > > > glitch was a simple matter then the <info> tag might be a convenient > > > way of doing this without involving much time input. If however the > > > glitch is difficult to pin down then a different approach might be > > > appropriate. > > > > > > By putting the link in the xwd file it keeps everything about the > > > page in one place. However it does have the disadvantage of making > > > it difficult to change the location of the help files. > > > > > > Perhaps an approach that assumed the help file would use the same > > > stem as the model file but have a pdf extension (e.g. quiz.rlm and > > > quiz.pdf), would allow a Xerte or XOT project to define a single > > > folder location for all the help files. The specific help file for a > > > page type would then be accessed by combining the single folder > > > address with the model name and a pdf extension. > > > > > > This would allow help files to be either located on a remote server > > > or on a local server, or even in a desktop Xerte installation folder > > > e.g. Xerte\pages\help\. It would also make it easier to change the > > > locations of the help files as there would be only one path to change. 
> > > > > > Kind regards > > > > > > Johnathan > > > > > > On 6 March 2013 07:50, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk > >> > > > wrote: > > > Maybe we should tackle this differently: rather than trying to > > > display the <info> on the form, why not pop it up in a message or > > > show it somewhere else? > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > > > Johnathan > > > Sent: 05 March 2013 17:53 > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > The most recent version of the desktop would ensure you have the > > > latest version of wizard.swf, but if you can see the Show Language > > > Options I think that should be enough to demonstrate the issue. > > > > > > The "here is the help" text is the text contained in the info tag. > > > > > > If you click in the Show Language Options check box you will see > > > that some additional fields are displayed in the form but that there > > > is an expanse of blank grey form before the "here is the help" text > > > is displayed. > > > > > > If you mouse over the grey area above the "here is the help" text > > > you will see the mouse pointer change as it hovers over where the > > > text entry boxes for the hidden language options are positioned. > > > > > > If you click on the Quiz2 page to open its xwd form the effect is > > > clear as none of the fields are flagged as language options so as > > > soon as the form opens you see that the display of labels and fields > > > ends abruptly and then there is again the grey expanse of blank form > > > before the "here is the help" text is displayed. 
You have noticed, > > > in your second post that the entry below "single answer wrong" is > > > cut short vertically. There are also more fields below this which > > > are not displaying at all. > > > > > > If you edit the quiz.xwd file in the page002 folder to remove the > > > "info" tag then all the fields defined in the form are displayed > > > correctly. So it is the "info" tag that is causing the display issue. > > > > > > Kind regards > > > > > > Johnathan > > > > > > On 5 March 2013 10:43, Dave Burnett > > > <d_b_burnett at hotmail.com<mailto:d_b_burnett at hotmail.com>> wrote: > > > What version of desktop is required? > > > The only language related object I have showing is "Show Language > > > Options" in the bottom bar. > > > > > > (I do see "Here is the help" in blue near the bottom). > > > > > > > > > ________________________________ > > > Date: Tue, 5 Mar 2013 10:23:23 +0000 > > > From: johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com> > > > To: xerte-dev at lists.nottingham.ac.uk<mailto: > xerte-dev at lists.nottingham.ac.uk> > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > If you include the info tag in an xwd form it can result in the non-display > > > of the last entries in the form. > > > > > > The info tag displays at the bottom of the form with a blank area of > > > form above it where the missing fields and field labels should be > > > displayed. > > > > > > If you move the mouse pointer over the blank area of the form then > > > the mouse pointer will change indicating that the fields are there - > > > you just can't see them. > > > > > > The easiest way to explain what is happening is for you to see it > > > for yourself. > > > > > > I have attached a simple demo. The demo is a standard Xerte project > > > (not a "Pages" type project - I have manually set up the xwd links > > > for the pages) in which I have set up two copies of the Quiz page. > > > > > > 1. Open this project in Xerte > > > 2.
Double click on the Quiz page to open the xwd form > > > 3. Click on the language tab to display the language fields > > > 4. Scroll down the form - you will see the blank area where the > > > hidden language fields should appear and the blue info comment at > > > the bottom. > > > 5. The language tag is not significant to this issue. > > > 6. Double click on the Quiz2 page, you will see the same effect > > > without the use of the language tag (I deleted them from this page's > > > xwd file) > > > I don't know if the cause is to do with layers or visibility > > > settings. I don't know what happens when the info tag is actioned in > > > the code. > > > > > > I hope this makes the effect clear (if not the cause :-( ) > > > > > > Kind regards > > > > > > Johnathan > > > > > > > > > > > > On 5 March 2013 09:40, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk > >> > > > wrote: > > > > > > What's the problem in a nutshell? > > > > > > > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > > > Johnathan > > > Sent: 04 March 2013 22:18 > > > To: Xerte Developers Discussion List > > > Subject: [Xerte-dev] use of info tag in xwd forms > > > > > > > > > > > > On the 4th December I posted to the developer list an issue with the > > > xwd forms relating to the use of the "info" tag.
> > > > > > > > > > > > You can test this out in Xerte (or XOT) by creating a page using one > > > of the Connector page types. The info tag has been used in these > > > pages to link to a pdf help file that is hosted on the Xerte > > > community web site, but the "language" flagged form properties are > > > no longer all editable, due to the presence of the info tag. > > > > > > > > > > > > This is a pity as the info tag could be used to provide a link to an > > > external document that gives the Author useful additional > > > information to assist them in making the best use of that page type. > > > e.g. > > > > > > * Information about what the page is designed to do > > > > > > * Instructions on what the properties in the form are to > > > help in completing the form created by the xwd file; > > > > > > * examples of actual uses of that page type in real projects. > > > > > > * examples of combining this page type with other page types > > > to achieve a particular pedagogical approach > > > > > > * guidance as to how accessible the page is with respect to > > > particular types of user, or what features the page has as optional > > > properties to provide additional accessibility > > > > > > However at present if the "info" tag is used then the ability to > > > edit the language flagged elements of the page is compromised. > > > > > > > > > > > > Is this something that is intended to be addressed before the next > > > release of Xerte / XOT? > > > > > > > > > > > > Sorry to be a nuisance, but it seems such a potentially useful > > > feature it seems a shame not to be able to use it. 
> > > Kind regards > > > > > > Johnathan > > > > > > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > > > > > This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130306/9ee72f0d/attachment-0001.html> From d_b_burnett at hotmail.com Wed Mar 6 18:25:49 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Wed, 6 Mar 2013 13:25:49 -0500 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com> References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>, <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>, <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>, <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>, <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>, <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>, <20130306120521.59815leiwct5zlyp@server.tor.nl>, <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>, <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl>,
<CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com> Message-ID: <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl> Just my personal preference. Static documents usually lead to version control nightmares. I still believe in the Java "write once, deliver everywhere" fantasy. ;-) Date: Wed, 6 Mar 2013 18:20:51 +0000 From: johnathan.kemp at ntlworld.com To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: use of info tag in xwd forms Advantage of pdf? A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out). My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage. So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages. I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication. I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free? The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed. Just my take on things Johnathan On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote: Advantage of pdf?
I would bet we get a lot more contribution if it's dynamic. Maybe something editable in a Xerte app? Folks with svn access can edit? > From: J.J.Smith at gcu.ac.uk > To: xerte-dev at lists.nottingham.ac.uk > Date: Wed, 6 Mar 2013 12:09:21 +0000 > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up... > > I'm having to do similar with the api... > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > Sent: Wednesday, March 06, 2013 11:05 AM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > It's not too much work to fall back to English if we need to, > > So have a help/<language code> for the help folder location like we have wizard/<language code> now. > > > The thing I have against mod_rewrites is that it's webserver specific. > > So, now we only have to agree on the help file format. .pdf is fine with me... > > Tom > > Citeren "Smith, John" <J.J.Smith at gcu.ac.uk>: > > > Why not just append the language code to the URL (new website) and mod > > rewrite the url. If there is a language file that matches send that, > > otherwise send the English one... > > > > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > > Julian Tenney > > Sent: Wednesday, March 06, 2013 10:38 AM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > What about languages? You might want help in several languages.
But > > we can cope with multi lingual wizards, so why not multi lingual help? > > > > The form is a bit of a pain because now we have advanced / language > > options, redrawing the form is a bit of a pain, so thinking > > differently might be a good idea. > > > > From: > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp > > Johnathan > > Sent: 06 March 2013 10:02 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > Hi Folks, > > > > What I would like to be able to achieve is a means of providing a > > link to a pdf file that the author can access to provide additional > > information to support the use of the page type. My original need > > was to support the connector pages and the inventory page with more > > information about how the page worked and how, in the case of > > connector pages they could be used in conjunction with other pages. > > However the help file could provide other stuff such as examples of > > use or pedagogical information. > > > > How that link is made available to the author I don't have a strong > > view on. It just seemed that the <info> tag already provided the > > functionality (except for this frustrating glitch). If resolving the > > glitch was a simple matter then the <info> tag might be a convenient > > way of doing this without involving much time input. If however the > > glitch is difficult to pin down then a different approach might be > > appropriate. > > > > By putting the link in the xwd file it keeps everything about the > > page in one place. However it does have the disadvantage of making > > it difficult to change the location of the help files. > > > > Perhaps an approach that assumed the help file would use the same > > stem as the model file but have a pdf extension (e.g. 
quiz.rlm and > > quiz.pdf), would allow a Xerte or XOT project to define a single > > folder location for all the help files. The specific help file for a > > page type would then be accessed by combining the single folder > > address with the model name and a pdf extension. > > > > This would allow help files to be either located on a remote server > > or on a local server, or even in a desktop Xerte installation folder > > e.g. Xerte\pages\help\. It would also make it easier to change the > > locations of the help files as there would be only one path to change. > > > > Kind regards > > > > Johnathan > > > > On 6 March 2013 07:50, Julian Tenney > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> > > wrote: > > Maybe we should tackle this differently: rather than trying to > > display the <info> on the form, why not pop it up in a message or > > show it somewhere else? > > > > From: > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > > Johnathan > > Sent: 05 March 2013 17:53 > > To: For Xerte technical developers > > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > The most recent version of the desktop would ensure you have the > > latest version of wizard.swf, but if you can see the Show Language > > Options I think that should be enough to demonstrate the issue. > > > > The "here is the help" text is the text contained in the info tag. > > > > If you click in the Show Language Options check box you will see > > that some additional fields are displayed in the form but that there > > is an expanse of blank grey form before the "here is the help" text > > is displayed. 
> > > > If you mouse over the grey area above the "here is the help" text > > you will see the mouse pointer change as it hovers over where the > > text entry boxes for the hidden language options are positioned. > > > > If you click on the Quiz2 page to open its xwd form the effect is > > clear as none of the fields are flagged as language options so as > > soon as the form opens you see that the display of labels and fields > > ends abruptly and then there is again the grey expanse of blank form > > before the "here is the help" text is displayed. You have noticed, > > in your second post that the entry below "single answer wrong" is > > cut short vertically. There are also more fields below this which > > are not displaying at all. > > > > If you edit the quiz.xwd file in the page002 folder to remove the > > "info" tag then all the fields defined in the form are displayed > > correctly. So it is the "info" tag that is causing the display issue. > > > > Kind regards > > > > Johnathan > > > > On 5 March 2013 10:43, Dave Burnett > > <d_b_burnett at hotmail.com<mailto:d_b_burnett at hotmail.com>> wrote: > > What version of desktop is required? > > The only language related object I have showing is "Show Language > > Options" in the bottom bar. > > > > (I do see "Here is the help" in blue near the bottom). > > > > > > ________________________________ > > Date: Tue, 5 Mar 2013 10:23:23 +0000 > > From: johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com> > > To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > If you include the info tag in an xwd form it can result in the non-display > > of the last entries in the form. > > > > The info tag displays at the bottom of the form with a blank area of > > form above it where the missing fields and field labels should be > > displayed.
> > > > If you move the mouse pointer over the blank area of the form then > > the mouse pointer will change indicating that the fields are there - > > you just can't see them. > > > > The easiest way to explain what is happening is for you to see it > > for yourself. > > > > I have attached a simple demo. The demo is a standard Xerte project > > (not a "Pages" type project - I have manually set up the xwd links > > for the pages) in which I have set up two copies of the Quiz page. > > > > 1. Open this project in Xerte > > 2. Double click on the Quiz page to open the xwd form > > 3. Click on the language tab to display the language fields > > 4. Scroll down the form - you will see the blank area where the > > hidden language fields should appear and the blue info comment at > > the bottom. > > 5. The language tag is not significant to this issue. > > 6. Double click on the Quiz2 page, you will see the same effect > > without the use of the language tag (I deleted them from this pages > > xwd file) > > I don't know if the cause is to do with layers or visibility > > settings. I don't know what happens when the info tag is actioned in > > the code. > > > > I hope this makes the effect clear (if not the cause :-( ) > > > > Kind regards > > > > Johnathan > > > > > > > > On 5 March 2013 09:40, Julian Tenney > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> > > wrote: > > > > What's the problem in a nutshell? > > > > > > > > From: > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > > Johnathan > > Sent: 04 March 2013 22:18 > > To: Xerte Developers Discussion List > > Subject: [Xerte-dev] use of info tag in xwd forms > > > > > > > > On the 4th December I posted to the developer list an issue with the > > xwd forms relating to the use of the "info" tag. 
> > > > > > > > The inclusion of an info tag in the xwd form can result in space > > being allocated above the info tag for the display of the last few > > properties in the xwd form definition, but the properties are not > > visible in the form. You can however confirm their "presence" as the > > mouse pointer responds to them if moved over the input fields. > > > > > > > > You can test this out in Xerte (or XOT) by creating a page using one > > of the Connector page types. The info tag has been used in these > > pages to link to a pdf help file that is hosted on the Xerte > > community web site, but the "language" flagged form properties are > > no longer all editable, due to the presence of the info tag. > > > > > > > > This is a pity as the info tag could be used to provide a link to an > > external document that gives the Author useful additional > > information to assist them in making the best use of that page type. > > e.g. > > > > * Information about what the page is designed to do > > > > * Instructions on what the properties in the form are to > > help in completing the form created by the xwd file; > > > > * examples of actual uses of that page type in real projects. > > > > * examples of combining this page type with other page types > > to achieve a particular pedagogical approach > > > > * guidance as to how accessible the page is with respect to > > particular types of user, or what features the page has as optional > > properties to provide additional accessibility > > > > However at present if the "info" tag is used then the ability to > > edit the language flagged elements of the page is compromised. > > > > > > > > Is this something that is intended to be addressed before the next > > release of Xerte / XOT? > > > > > > > > Sorry to be a nuisance, but it seems such a potentially useful > > feature it seems a shame not to be able to use it. 
> >
> > Kind regards
> >
> > Johnathan

From johnathan.kemp at ntlworld.com Wed Mar 6 18:25:44 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Wed, 6 Mar 2013 18:25:44 +0000
Subject: [Xerte-dev] Re: location of latest rlm files
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C358762DC@EXCHANGE1.ad.nottingham.ac.uk>
References: <CABtG3=XOrwFTgEbuTj7C+iK1evtQyKbV7Eh3pNsTDLG12L8tAg@mail.gmail.com> <51332E2D.5060601@tor.nl> <A44245E8C549494D9561A9727B89EEC80C358762DC@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <CABtG3=VpDcyGkQuZasn4thGkCk1JE_NDD8k7h4xX50T6vKaikg@mail.gmail.com>

The files I compared were the .rlm model files.

I just expected that there should not be different versions of the .rlm files in Xerte and XOT svns.

Is there any support for HTML5 model usage in desktop Xerte? If Xerte is not going to support HTML5 then presumably the HTML5 models would just be in the XOT svn?

Kind regards

Johnathan

On 6 March 2013 11:18, Fay Cross <Fay.Cross at nottingham.ac.uk> wrote:

> As far as I know none of the html5 stuff is in the xerte svn - it's all in
> the toolkits one. The only thing I update in the xerte svn now are changes
> to the xwds or additions to the language files. Should all the html5 stuff
> be there too? What folder?
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 03 March 2013 11:04
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: location of latest rlm files
>
> Hai Jonathan,
>
> Good to have you back. You shouldn't compare them, you should check what
> the latest are. And yes, they should be synchronised, but that's not always
> the case.
>
> It is my understanding that the xerte one is leading for the .rlms. I
> noticed that for HTML5, at this point in time the xot one is leading.
>
> We should really try to make this VERY clear and or automate the
> synchronisation...
>
> Tom
>
> On 3-3-2013 11:49, Kemp Johnathan wrote:
>
> I have just updated my copies of the Xerte and XOT svns and then run a
> comparison of the .rlm files in the following folders
>
> xerte svn\runtime\pages\models\
>
> and
>
> xot svn\modules\xerte\parent_templates\Nottingham\models\
>
> The following pages show differences in the model files in the two
> locations
>
> accNav.rlm
> columnPage.rlm
> connectorPlainText.rlm *
> cRedirector.rlm *
> cTabNav.rlm *
> embedDiv.rlm
> quiz.rlm
> slideshow.rlm
>
> * These connector pages are no longer offered in XOT but the older models
> remain in XOT to provide support for older XOT projects that may have used
> them. The newer version of the models in the Xerte svn are for use only in
> Xerte.
>
> Is the XOT model folder now the definitive location for the latest models?
>
> When changes are made in XOT are they no longer being updated also in the
> Xerte svn?
>
> Kind regards
>
> Johnathan
>
> --
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

From johnathan.kemp at ntlworld.com Wed Mar 6 18:57:20 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Wed, 6 Mar 2013 18:57:20 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl>
Message-ID: <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.

I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

> Just my personal preference.
> Static documents usually lead to version control nightmares.
> I still believe in the Java "write once, deliver everywhere" fantasy.
> ;-)
>
> ------------------------------
> Date: Wed, 6 Mar 2013 18:20:51 +0000
> From: johnathan.kemp at ntlworld.com
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Advantage of pdf?
>
> A single file that contains text and graphics and will maintain its format
> when printed out (some people still like to print things out).
>
> My approach so far has been to author the files in Open Office which will
> export to pdf. This provides a master file (the Open Office odt) file that
> is editable, and the pdf export of the odt file that can be published for
> Author usage.
>
> So whilst at present the file the Author uses is pdf, this is generated
> from a single, easily edited odt file. Open Office is free, open source,
> and available in many languages.
>
> I agree with the idea of allowing those with svn access to edit the help
> files. The current approach fully facilitates that.
> Folks with svn access can edit (or make a copy and translate) the odt file
> and then generate a new pdf file for publication.
>
> I am not sure of the benefit of trying to edit the help documents in a
> Xerte app. Why try to create a cut down word processor in Xerte, if there
> is already a fully featured one available for free?
>
> The only downside I see is that each help file consists of two files
> (rather than one) - the odt source file and the published public accessed
> pdf file. But this has upsides as well. The odt help file can be edited
> without affecting the published pdf file, which can be re-published once
> the editing / updating is completed.
>
> Just my take on things
>
> Johnathan
>
> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Advantage of pdf?
>
> I would bet we get a lot more contribution if it's dynamic.
> Maybe something editable in a Xerte app?
> Folks with svn access can edit?
>
> > From: J.J.Smith at gcu.ac.uk
> > To: xerte-dev at lists.nottingham.ac.uk
> > Date: Wed, 6 Mar 2013 12:09:21 +0000
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Sure Tom, I suppose an alternative would be to funnel everything through
> > help/index.php?language=XX&file=YYY and let it decide which to serve up...
> >
> > I'm having to do similar with the api...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> > Sent: Wednesday, March 06, 2013 11:05 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > It's not too much work to fall back to English if we need to,
> >
> > So have a help/<language code> for the help folder location like we
> > have wizard/<language code> now.
> >
> > The thing I have against mod_rewrites is that it's webserver specific.
> >
> > So, now we only have to agree on the help file format. .pdf is fine with
> > me...
> >
> > Tom
> >
> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
> >
> > > Why not just append the language code to the URL (new website) and mod
> > > rewrite the url. If there is a language file that matches send that,
> > > otherwise send the English one...
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of
> > > Julian Tenney
> > > Sent: Wednesday, March 06, 2013 10:38 AM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > What about languages? You might want help in several languages. But
> > > we can cope with multi lingual wizards, so why not multi lingual help?
> > >
> > > The form is a bit of a pain because now we have advanced / language
> > > options, redrawing the form is a bit of a pain, so thinking
> > > differently might be a good idea.
From Julian.Tenney at nottingham.ac.uk Wed Mar 6 20:19:51 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Wed, 6 Mar 2013 20:19:51 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D8CFB17@EXCHANGE1.ad.nottingham.ac.uk>

what about the new site template?

________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan [johnathan.kemp at ntlworld.com]
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.

I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference.
Static documents usually lead to version control nightmares.
I still believe in the Java "write once, deliver everywhere" fantasy. ;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf?

A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.

So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file.
Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that.
Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?

The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.

Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf?

I would bet we get a lot more contribution if it's dynamic.
Maybe something editable in a Xerte app?
Folks with svn access can edit?

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and mod
> > rewrite the url. If there is a language file that matches send that,
> > otherwise send the English one...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But
> > we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language
> > options, redrawing the form is a bit of a pain, so thinking
> > differently might be a good idea.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a
> > link to a pdf file that the author can access to provide additional
> > information to support the use of the page type. My original need
> > was to support the connector pages and the inventory page with more
> > information about how the page worked and how, in the case of
> > connector pages they could be used in conjunction with other pages.
> > However the help file could provide other stuff such as examples of
> > use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong
> > view on. It just seemed that the <info> tag already provided the
> > functionality (except for this frustrating glitch). If resolving the
> > glitch was a simple matter then the <info> tag might be a convenient
> > way of doing this without involving much time input. If however the
> > glitch is difficult to pin down then a different approach might be
> > appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the
> > page in one place. However it does have the disadvantage of making
> > it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same
> > stem as the model file but have a pdf extension (e.g. quiz.rlm and
> > quiz.pdf), would allow a Xerte or XOT project to define a single
> > folder location for all the help files.
> > The specific help file for a page type would then be accessed by
> > combining the single folder address with the model name and a pdf
> > extension.
> >
> > This would allow help files to be either located on a remote server
> > or on a local server, or even in a desktop Xerte installation folder
> > e.g. Xerte\pages\help\. It would also make it easier to change the
> > locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > Maybe we should tackle this differently: rather than trying to
> > display the <info> on the form, why not pop it up in a message or
> > show it somewhere else?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the
> > latest version of wizard.swf, but if you can see the Show Language
> > Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see
> > that some additional fields are displayed in the form but that there
> > is an expanse of blank grey form before the "here is the help" text
> > is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text
> > you will see the mouse pointer change as it hovers over where the
> > text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is
> > clear as none of the fields are flagged as language options so as
> > soon as the form opens you see that the display of labels and fields
> > ends abruptly and then there is again the grey expanse of blank form
> > before the "here is the help" text is displayed. You have noticed,
> > in your second post that the entry below "single answer wrong" is
> > cut short vertically. There are also more fields below this which
> > are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the
> > "info" tag then all the fields defined in the form are displayed
> > correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language
> > Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the
> > non-display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of
> > form above it where the missing fields and field labels should be
> > displayed.
> >
> > If you move the mouse pointer over the blank area of the form then
> > the mouse pointer will change indicating that the fields are there -
> > you just can't see them.
> >
> > The easiest way to explain what is happening is for you to see it
> > for yourself.
> >
> > I have attached a simple demo. The demo is a standard Xerte project
> > (not a "Pages" type project - I have manually set up the xwd links
> > for the pages) in which I have set up two copies of the Quiz page.
> >
> > 1. Open this project in Xerte
> > 2. Double click on the Quiz page to open the xwd form
> > 3. Click on the language tab to display the language fields
> > 4. Scroll down the form - you will see the blank area where the
> >    hidden language fields should appear and the blue info comment at
> >    the bottom.
> > 5. The language tag is not significant to this issue.
> > 6. Double click on the Quiz2 page, you will see the same effect
> >    without the use of the language tag (I deleted them from this
> >    page's xwd file)
> >
> > I don't know if the cause is to do with layers or visibility
> > settings. I don't know what happens when the info tag is actioned in
> > the code.
> >
> > I hope this makes the effect clear (if not the cause :-( )
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> >
> > What's the problem in a nutshell?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 04 March 2013 22:18
> > To: Xerte Developers Discussion List
> > Subject: [Xerte-dev] use of info tag in xwd forms
> >
> > On the 4th December I posted to the developer list an issue with the
> > xwd forms relating to the use of the "info" tag.
> >
> > The inclusion of an info tag in the xwd form can result in space
> > being allocated above the info tag for the display of the last few
> > properties in the xwd form definition, but the properties are not
> > visible in the form. You can however confirm their "presence" as the
> > mouse pointer responds to them if moved over the input fields.
> >
> > You can test this out in Xerte (or XOT) by creating a page using one
> > of the Connector page types. The info tag has been used in these
> > pages to link to a pdf help file that is hosted on the Xerte
> > community web site, but the "language" flagged form properties are
> > no longer all editable, due to the presence of the info tag.
> >
> > This is a pity as the info tag could be used to provide a link to an
> > external document that gives the Author useful additional
> > information to assist them in making the best use of that page type.
> > e.g.
> >
> > * Information about what the page is designed to do
> > * Instructions on what the properties in the form are to
> >   help in completing the form created by the xwd file;
> > * examples of actual uses of that page type in real projects.
> > * examples of combining this page type with other page types
> >   to achieve a particular pedagogical approach
> > * guidance as to how accessible the page is with respect to
> >   particular types of user, or what features the page has as optional
> >   properties to provide additional accessibility
> >
> > However at present if the "info" tag is used then the ability to
> > edit the language flagged elements of the page is compromised.
> >
> > Is this something that is intended to be addressed before the next
> > release of Xerte / XOT?
> >
> > Sorry to be a nuisance, but it seems such a potentially useful
> > feature it seems a shame not to be able to use it.
> >
> > Kind regards
> >
> > Johnathan
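
The help/<language code> layout and the help/index.php?language=XX&file=YYY funnel discussed in this thread both take a language and a file name from the request, so the lookup has to treat both as untrusted and stay inside the help folder. The following is an added example, not code from Xerte or from any poster in this thread; the function names, the en-GB fallback code and the one-PDF-per-model-stem layout are assumptions based on the suggestions above.

```php
<?php
declare(strict_types=1);

// Added example, not Xerte code. Assumed layout: <helpRoot>/<language>/<stem>.pdf,
// e.g. help/en-GB/quiz.pdf next to help/nl-NL/quiz.pdf.

/**
 * Map untrusted (language, file) request values to a PDF under $helpRoot.
 * Returns the absolute path, or null when nothing safe can be served.
 */
function resolve_help_file(string $helpRoot, string $language, string $file,
                           string $fallback = 'en-GB'): ?string
{
    // Language must look like "nl" or "nl-NL"; anything else uses the fallback.
    if (preg_match('/^[a-z]{2,3}(-[A-Z]{2})?$/', $language) !== 1) {
        $language = $fallback;
    }
    // File is a bare model stem such as "quiz": no dots, slashes or backslashes.
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $file) !== 1) {
        return null;
    }
    $root = realpath($helpRoot);
    if ($root === false) {
        return null;
    }
    // Try the requested language first, then the English fallback.
    foreach (array_unique([$language, $fallback]) as $lang) {
        // realpath() resolves symlinks and returns false for missing files.
        $path = realpath($root . DIRECTORY_SEPARATOR . $lang . DIRECTORY_SEPARATOR . $file . '.pdf');
        // The resolved path must still sit below the help root.
        $inside = $path !== false
            && strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
        if ($inside && is_file($path)) {
            return $path;
        }
    }
    return null;
}

/** What a help/index.php front controller could do with $_GET (hypothetical). */
function serve_help(string $helpRoot, array $query): void
{
    // Array-valued parameters (file[]=x) are treated as missing.
    $language = is_string($query['language'] ?? null) ? $query['language'] : '';
    $file     = is_string($query['file'] ?? null) ? $query['file'] : '';
    $path = resolve_help_file($helpRoot, $language, $file);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/pdf');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Demo on a constructed directory tree; run from the command line.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'help_demo_' . bin2hex(random_bytes(4));
    mkdir($root . '/en-GB', 0700, true);
    mkdir($root . '/nl-NL', 0700, true);
    foreach (['en-GB/quiz.pdf', 'en-GB/connectorPlainText.pdf', 'nl-NL/quiz.pdf'] as $rel) {
        file_put_contents("$root/$rel", "%PDF-1.4 constructed sample\n");
    }
    $cases = [
        ['nl-NL', 'quiz'],               // translated file exists
        ['nl-NL', 'connectorPlainText'], // no translation: English fallback
        ['de-DE', 'quiz'],               // no such language folder: English fallback
        ['NL/..', 'quiz'],               // malformed language code: English fallback
        ['nl-NL', '../en-GB/quiz'],      // not a bare stem: refused
        ['en-GB', 'slideshow'],          // no help file written yet: refused
    ];
    foreach ($cases as [$lang, $file]) {
        $hit = resolve_help_file($root, $lang, $file);
        printf("%-6s %-20s -> %s\n", $lang, $file,
            $hit === null ? 'not served' : substr($hit, strlen(realpath($root)) + 1));
    }
    // Remove the constructed tree again.
    array_map('unlink', glob("$root/*/*.pdf"));
    array_map('rmdir', glob("$root/*"));
    rmdir($root);
}
```
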
From Fay.Cross at nottingham.ac.uk Thu Mar 7 09:01:29 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Thu, 7 Mar 2013 09:01:29 +0000
Subject: [Xerte-dev] Re: location of latest rlm files
In-Reply-To: <CABtG3=VpDcyGkQuZasn4thGkCk1JE_NDD8k7h4xX50T6vKaikg@mail.gmail.com>
References: <CABtG3=XOrwFTgEbuTj7C+iK1evtQyKbV7Eh3pNsTDLG12L8tAg@mail.gmail.com>
 <51332E2D.5060601@tor.nl>
 <A44245E8C549494D9561A9727B89EEC80C358762DC@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=VpDcyGkQuZasn4thGkCk1JE_NDD8k7h4xX50T6vKaikg@mail.gmail.com>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C358765FC@EXCHANGE1.ad.nottingham.ac.uk>

Yes, that's what I thought - the HTML5 stuff is only going to apply to xot isn't it? It's just Tom mentioned the HTML files below because they're only in xot svn. I assumed this was because he thought they should be in both.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: location of latest rlm files

The files I compared were the .rlm model files. I just expected that there should not be different versions of the .rlm files in Xerte and XOT svns.

Is there any support for HTML5 model usage in desktop Xerte? If Xerte is not going to support HTML5 then presumably the HTML5 models would just be in the XOT svn?

Kind regards

Johnathan

On 6 March 2013 11:18, Fay Cross <Fay.Cross at nottingham.ac.uk> wrote:

As far as I know none of the html5 stuff is in the xerte svn - it's all in the toolkits one. The only thing I update in the xerte svn now are changes to the xwds or additions to the language files. Should all the html5 stuff be there too? What folder?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 03 March 2013 11:04
To: For Xerte technical developers
Subject: [Xerte-dev] Re: location of latest rlm files

Hi Jonathan,

Good to have you back.

You shouldn't compare them, you should check what the latest are. And yes, they should be synchronised, but that's not always the case.

It is my understanding that the xerte one is leading for the .rlms. I noticed that for HTML5, at this point in time the xot one is leading.

We should really try to make this VERY clear and or automate the synchronisation...

Tom

On 3-3-2013 11:49, Kemp Johnathan wrote:

I have just updated my copies of the Xerte and XOT svns and then run a comparison of the .rlm files in the following folders

xerte svn\runtime\pages\models\
and
xot svn\modules\xerte\parent_templates\Nottingham\models\

The following pages show differences in the model files in the two locations

accNav.rlm
columnPage.rlm
connectorPlainText.rlm *
cRedirector.rlm *
cTabNav.rlm *
embedDiv.rlm
quiz.rlm
slideshow.rlm

* These connector pages are no longer offered in XOT but the older models remain in XOT to provide support for older XOT projects that may have used them. The newer version of the models in the Xerte svn are for use only in Xerte.

Is the XOT model folder now the definitive location for the latest models? When changes are made in XOT are they no longer being updated also in the Xerte svn?

Kind regards

Johnathan

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From johnathan.kemp at ntlworld.com Thu Mar 7 12:21:42 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Thu, 7 Mar 2013 12:21:42 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D8CFB17@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <CABtG3=VoC9JXZojkZr8hLnYzReibv6a5QeC2EVeDzz6fCRT4ZA@mail.gmail.com>

I don't know anything about it yet so can't really comment.

I did a bit of playing around with sigil last night. It appears that to read an epub file in a web browser you need a plugin and I am not sure they all have one (e.g. Opera) so perhaps not a good idea after all.

Kind regards

Johnathan

On 6 March 2013 20:19, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> what about the new site template?
> > > > > > > > > Regards, > > > > > > John Smith > > > Learning Technologist > > > School of Health & Life Sciences > > > Glasgow Caledonian University > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk> > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of > > > Julian Tenney > > > Sent: Wednesday, March 06, 2013 10:38 AM > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > What about languages? You might want help in several languages. But > > > we can cope with multi lingual wizards, so why not multi lingual help? > > > > > > The form is a bit of a pain because now we have advanced / language > > > options, redrawing the form is a bit of a pain, so thinking > > > differently might be a good idea. > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk><mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp > > > Johnathan > > > Sent: 06 March 2013 10:02 > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > Hi Folks, > > > > > > What I would like to be able to achieve is a means of providing a > > > link to a pdf file that the author can access to provide additional > > > information to support the use of the page type. My original need > > > was to support the connector pages and the inventory page with more > > > information about how the page worked and how, in the case of > > > connector pages they could be used in conjunction with other pages. > > > However the help file could provide other stuff such as examples of > > > use or pedagogical information. 
> > > > > > How that link is made available to the author I don't have a strong > > > view on. It just seemed that the <info> tag already provided the > > > functionality (except for this frustrating glitch). If resolving the > > > glitch was a simple matter then the <info> tag might be a convenient > > > way of doing this without involving much time input. If however the > > > glitch is difficult to pin down then a different approach might be > > > appropriate. > > > > > > By putting the link in the xwd file it keeps everything about the > > > page in one place. However it does have the disadvantage of making > > > it difficult to change the location of the help files. > > > > > > Perhaps an approach that assumed the help file would use the same > > > stem as the model file but have a pdf extension (e.g. quiz.rlm and > > > quiz.pdf), would allow a Xerte or XOT project to define a single > > > folder location for all the help files. The specific help file for a > > > page type would then be accessed by combining the single folder > > > address with the model name and a pdf extension. > > > > > > This would allow help files to be either located on a remote server > > > or on a local server, or even in a desktop Xerte installation folder > > > e.g. Xerte\pages\help\. It would also make it easier to change the > > > locations of the help files as there would be only one path to change. > > > > > > Kind regards > > > > > > Johnathan > > > > > > On 6 March 2013 07:50, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk > ><mailto:Julian.Tenney at nottingham.ac.uk<mailto: > Julian.Tenney at nottingham.ac.uk>>> > > > wrote: > > > Maybe we should tackle this differently: rather than trying to > > > display the <info> on the form, why not pop it up in a message or > > > show it somewhere else? 
> > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk><mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk><mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>>] On Behalf Of Kemp > > > Johnathan > > > Sent: 05 March 2013 17:53 > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > The most recent version of the desktop would ensure you have the > > > latest version of wizard.swf, but if you can see the Show Language > > > Options I think that should be enough to demonstrate the issue. > > > > > > The "here is the help" text is the text contained in the info tag. > > > > > > If you click in the Show Language Options check box you will see > > > that some additional fields are displayed in the form but that there > > > is an expanse of blank grey form before the "here is the help" text > > > is displayed. > > > > > > If you mouse over the grey area above the "here is the help" text > > > you will see the mouse pointer change as it hovers over where the > > > text entry boxes for the hidden language options are positioned. > > > > > > If you click on the Quiz2 page to open its xwd form the effect is > > > clear as none of the fields are flagged as language options so as > > > soon as the form opens you see that the display of labels and fields > > > ends abruptly and then there is again the grey expanse of blank form > > > before the "here is the help" text is displayed. You have noticed, > > > in your second post that the entry below "single answer wrong" is > > > cut short vertically. There are also more fields below this which > > > are not displaying at all. 
> > > > > > If you edit the quiz.xwd file in the page002 folder to remove the > > > "info" tag then all the fields defined in the form are displayed > > > correctly. So it is the "info" tag that is causing the display issue. > > > > > > Kind regards > > > > > > Johnathan > > > > > > On 5 March 2013 10:43, Dave Burnett > > > <d_b_burnett at hotmail.com<mailto:d_b_burnett at hotmail.com><mailto: > d_b_burnett at hotmail.com<mailto:d_b_burnett at hotmail.com>>> wrote: > > > What version of desktop is required? > > > The only language related object I have showing is "Show Language > > > Options" in the bottom bar. > > > > > > (I do see "Here is the help" in blue near the bottom). > > > > > > > > > ________________________________ > > > Date: Tue, 5 Mar 2013 10:23:23 +0000 > > > From: johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com > ><mailto:johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com>> > > > To: xerte-dev at lists.nottingham.ac.uk<mailto: > xerte-dev at lists.nottingham.ac.uk><mailto:xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk>> > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > If you include the info tag in an xwd form it can result in the none > > > display of the last entries in the form. > > > > > > The info tag displays at the bottom of the form with a blank area of > > > form above it where the missing fields and field labels should be > > > displayed. > > > > > > If you move the mouse pointer over the blank area of the form then > > > the mouse pointer will change indicating that the fields are there - > > > you just can't see them. > > > > > > The easiest way to explain what is happening is for you to see it > > > for yourself. > > > > > > I have attached a simple demo. The demo is a standard Xerte project > > > (not a "Pages" type project - I have manually set up the xwd links > > > for the pages) in which I have set up two copies of the Quiz page. 
> > > > > > 1. Open this project in Xerte > > > 2. Double click on the Quiz page to open the xwd form > > > 3. Click on the language tab to display the language fields > > > 4. Scroll down the form - you will see the blank area where the > > > hidden language fields should appear and the blue info comment at > > > the bottom. > > > 5. The language tag is not significant to this issue. > > > 6. Double click on the Quiz2 page, you will see the same effect > > > without the use of the language tag (I deleted them from this pages > > > xwd file) > > > I don't know if the cause is to do with layers or visibility > > > settings. I don't know what happens when the info tag is actioned in > > > the code. > > > > > > I hope this makes the effect clear (if not the cause :-( ) > > > > > > Kind regards > > > > > > Johnathan > > > > > > > > > > > > On 5 March 2013 09:40, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk > ><mailto:Julian.Tenney at nottingham.ac.uk<mailto: > Julian.Tenney at nottingham.ac.uk>>> > > > wrote: > > > > > > What's the problem in a nutshell? > > > > > > > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk><mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>> [mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk><mailto: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto: > xerte-dev-bounces at lists.nottingham.ac.uk>>] On Behalf Of Kemp > > > Johnathan > > > Sent: 04 March 2013 22:18 > > > To: Xerte Developers Discussion List > > > Subject: [Xerte-dev] use of info tag in xwd forms > > > > > > > > > > > > On the 4th December I posted to the developer list an issue with the > > > xwd forms relating to the use of the "info" tag. 
> > > > > > > > > > > > The inclusion of an info tag in the xwd form can result in space > > > being allocated above the info tag for the display of the last few > > > properties in the xwd form definition, but the properties are not > > > visible in the form. You can however confirm their "presence" as the > > > mouse pointer responds to them if moved over the input fields. > > > > > > > > > > > > You can test this out in Xerte (or XOT) by creating a page using one > > > of the Connector page types. The info tag has been used in these > > > pages to link to a pdf help file that is hosted on the Xerte > > > community web site, but the "language" flagged form properties are > > > no longer all editable, due to the presence of the info tag. > > > > > > > > > > > > This is a pity as the info tag could be used to provide a link to an > > > external document that gives the Author useful additional > > > information to assist them in making the best use of that page type. > > > e.g. > > > > > > * Information about what the page is designed to do > > > > > > * Instructions on what the properties in the form are to > > > help in completing the form created by the xwd file; > > > > > > * examples of actual uses of that page type in real projects. > > > > > > * examples of combining this page type with other page types > > > to achieve a particular pedagogical approach > > > > > > * guidance as to how accessible the page is with respect to > > > particular types of user, or what features the page has as optional > > > properties to provide additional accessibility > > > > > > However at present if the "info" tag is used then the ability to > > > edit the language flagged elements of the page is compromised. > > > > > > > > > > > > Is this something that is intended to be addressed before the next > > > release of Xerte / XOT? > > > > > > > > > > > > Sorry to be a nuisance, but it seems such a potentially useful > > > feature it seems a shame not to be able to use it. 
> > > Kind regards
> > >
> > > Johnathan
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks.
Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130307/0aad257e/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Thu Mar 7 13:01:55 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 7 Mar 2013 13:01:55 +0000
Subject: [Xerte-dev] SECURITY PATCH for upload.php
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.

Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130307/6ec0be06/attachment.html>

From xerte at pgogywebstuff.com Thu Mar 7 14:53:31 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 7 Mar 2013 14:53:31 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>

Hello,

I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).

My reg exp is a bit flaky as well, if you copied that over.

There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130307/121363c4/attachment.html>

From J.J.Smith at gcu.ac.uk Thu Mar 7 15:32:38 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 7 Mar 2013 15:32:38 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Pat,

I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?

I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-------------- next part --------------
An HTML attachment was scrubbed...
From xerte at pgogywebstuff.com Thu Mar 7 17:14:24 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 7 Mar 2013 17:14:24 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>

Hello,

Problem is getting a list of types the models support.

I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?

I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality
From J.J.Smith at gcu.ac.uk Fri Mar 8 09:59:36 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 09:59:36 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Could we add a comment type header block to the start of the models? Similar to a Wordpress style header and parse these comments once in a while, via cron or just on user login or something? I suppose we could hook 'user_login' and do the damage in a plugin?

Do you think that a comment header would break the parsing of the model?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From Fay.Cross at nottingham.ac.uk Fri Mar 8 10:14:57 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Fri, 8 Mar 2013 10:14:57 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>

If we added something to the xwds would that help? e.g. adding an extra attribute...

<url label="Image" type="media" fileType="jpeg,gif,png"/>
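The checks discussed in this thread, sketched as an added example (not Xerte's code and not written by any poster): a per-model allowlist read from the `fileType` attribute proposed above, an extension check, a content-sniffed MIME check, and a login guard that actually exits. The sample .xwd, the extension-to-MIME map and the `user_id` session key are assumptions.

```php
<?php
// Added example, not Xerte's code. Hypothetical: the fileType attribute on
// .xwd nodes (as proposed in the thread), MIME_BY_EXT, and the session key.

// Constructed sample .xwd fragment; each top-level element is one model.
const SAMPLE_XWD = <<<'XML'
<wizard>
  <imagePage><url label="Image" type="media" fileType="jpeg,gif,png"/></imagePage>
  <audioPage><url label="Sound" type="media" fileType="mp3"/></audioPage>
</wizard>
XML;

// Extension => MIME types the sniffed content may have (assumed, server-side only).
const MIME_BY_EXT = [
    'jpeg' => ['image/jpeg'], 'jpg' => ['image/jpeg'],
    'gif'  => ['image/gif'],  'png' => ['image/png'],
    'mp3'  => ['audio/mpeg'],
];

/** Build a per-model allowlist: model name => list of lowercase extensions. */
function allowed_extensions_by_model(string $xwd): array
{
    $xml = simplexml_load_string($xwd);
    if ($xml === false) {
        throw new RuntimeException('xwd is not well-formed XML');
    }
    $byModel = [];
    foreach ($xml->children() as $model) {
        $exts = [];
        foreach ($model->xpath('.//*[@fileType]') ?: [] as $node) {
            foreach (explode(',', strtolower((string) $node['fileType'])) as $ext) {
                $ext = trim($ext);
                // Keep only extensions whose content we are able to verify.
                if (array_key_exists($ext, MIME_BY_EXT)) {
                    $exts[$ext] = true;
                }
            }
        }
        $byModel[$model->getName()] = array_keys($exts);
    }
    return $byModel;
}

/** Returns [true, generatedStoredName] or [false, reason]. */
function validate_upload(string $clientName, string $tmpPath, array $allowedExts): array
{
    // Only the final extension counts; the client's name is never reused on disk.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExts, true)) {
        return [false, "extension '$ext' not allowed for this model"];
    }
    // Sniff the bytes; the browser-supplied Content-Type is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_BY_EXT[$ext] ?? [], true)) {
        return [false, "content is '$mime', which does not match .$ext"];
    }
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

/** The guard has to end the request: a check without exit protects nothing. */
function require_login(array $session): void
{
    if (empty($session['user_id'])) {   // hypothetical session key
        http_response_code(403);
        exit('Not logged in');
    }
}

// Demo on constructed files, runnable from the command line.
if (PHP_SAPI === 'cli') {
    require_login(['user_id' => 42]);   // constructed session
    $allow = allowed_extensions_by_model(SAMPLE_XWD);

    // PNG signature plus an IHDR chunk header: enough for content sniffing.
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
        . pack('NNC5', 1, 1, 8, 6, 0, 0, 0));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'constructed test file';\n");

    $cases = [
        ['photo.png', $png, 'imagePage'],   // image, allowed by this model
        ['photo.php', $php, 'imagePage'],   // extension not on the list
        ['photo.png', $php, 'imagePage'],   // script renamed to .png
        ['photo.png', $png, 'audioPage'],   // valid image, wrong model
    ];
    foreach ($cases as [$name, $path, $model]) {
        [$ok, $info] = validate_upload($name, $path, $allow[$model] ?? []);
        printf("%-10s %-10s %s %s\n", $name, $model, $ok ? 'ACCEPT' : 'REJECT', $info);
    }
    unlink($png);
    unlink($php);
}
```

Only the first case is accepted; the last one shows the per-model list rejecting a file that an aggregated list of all models' extensions would let through.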
From J.J.Smith at gcu.ac.uk Fri Mar 8 10:26:41 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 10:26:41 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D41A@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Fay,

Sure, I could work with that if that's not going to cause any problems with the system. I think we need to check mime types too as the server can ignore extensions if it recognizes the format but if we have the extensions allowed then I suppose we can look up the mime types allowed for that extension and make sure the uploaded file type matches?

These parameters won't be posted with the file will they, if they are added there?

The only issue I see is that we would simply have an aggregated list of extensions that ALL models use, and so any model could upload any file in that list, not just the ones allowed by that model, which is kind of counter intuitive?

Regards,

John

From Fay.Cross at nottingham.ac.uk Fri Mar 8 11:09:11 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Fri, 8 Mar 2013 11:09:11 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D41A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D41A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C35876C45@EXCHANGE1.ad.nottingham.ac.uk>

I don't know how all this side of things works tbh.
If it makes more sense from your side of things to have the info in the model files rather than xwd then let me know what you need and I can put it in From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 10:27 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Fay, Sure, I could work with that if that?s not going to cause any problems with the system. I think we need to check mime types too as the server can ignore extensions if it recognizes the format but if we have the extensions allowed then I suppose we can look up the mime types allowed for that extension and make sure the uploaded file type matches? These parameters won?t be posted with the file will they, if they are added there? The only issue I see is that we would simply have an aggregated list of extensions that ALL models use, and so any model could upload any file in that list, not just the ones allowed by that model, which is kind of counter intuitive? Regards, John From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: Friday, March 08, 2013 10:15 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If we added something to the xwds would that help? e.g. adding an extra attribute... <url label="Image" type="media" fileType=?jpeg,gif,png?/> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 10:00 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Could we add a comment type header block to the start of the models? 
Similar to a Wordpress style header and parse these comments once in a while, via cron or just on user login or something? I suppose we could hook ?user_login? and do the damage in a plugin? Do you think that a comment header would that break the parsing of the model? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Thursday, March 07, 2013 5:14 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi Pat, I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? 
I?ll have a go at adding in some code to deal with content headers and mimetypes Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Thursday, March 07, 2013 2:54 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over. There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi, I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow? There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Fri Mar 8 11:18:41 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 08 Mar 2013 12:18:41 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C35876C45@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <5139C911.8080300@tor.nl>

If we are going down this road, it will make more sense to me to have them in the .xwd (because the .xwd will present the browse button and the upload action)

Tom

On 8-3-2013 12:09, Fay Cross wrote:
> I don't know how all this side of things works tbh.
> If it makes more sense from your side of things to have the info in the model files rather than xwd then let me know what you need and I can put it in
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 10:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Fay,
>
> Sure, I could work with that if that's not going to cause any problems with the system. I think we need to check mime types too as the server can ignore extensions if it recognizes the format but if we have the extensions allowed then I suppose we can look up the mime types allowed for that extension and make sure the uploaded file type matches...
>
> These parameters won't be posted with the file will they, if they are added there? The only issue I see is that we would simply have an aggregated list of extensions that ALL models use, and so any model could upload any file in that list, not just the ones allowed by that model, which is kind of counter intuitive...
>
> Regards,
>
> John
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
> Sent: Friday, March 08, 2013 10:15 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If we added something to the xwds would that help?
>
> e.g. adding an extra attribute...
>
> <url label="Image" type="media" fileType="jpeg,gif,png"/>
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 10:00
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Could we add a comment type header block to the start of the models? Similar to a Wordpress style header and parse these comments once in a while, via cron or just on user login or something? I suppose we could hook 'user_login' and do the damage in a plugin?
>
> Do you think that a comment header would break the parsing of the model?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Fri Mar 8 12:01:29 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 12:01:29 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <F724D217-216F-4D5B-A2EA-C58183773EEF@pgogywebstuff.com>

That's what I would do, then modify the wizard to post that array to the php upload which can then check it

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 10:14, Fay Cross <Fay.Cross at nottingham.ac.uk> wrote:

> If we added something to the xwds would that help?
>
> e.g. adding an extra attribute...
> <url label="Image" type="media" fileType="jpeg,gif,png"/>

From J.J.Smith at gcu.ac.uk Fri Mar 8 12:08:27 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 12:08:27 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5139C911.8080300@tor.nl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D437@ITSEMBXCLUS.enterprise.gcal.ac.uk>

If we are going down this route then should we also post the allowed extensions with the file so that upload can check it meets the criteria for the individual model? Although it would be trivial to overcome this using an exploit, we'd still have the complete whitelist superset to prevent injection of potentially malicious file types...
I suppose with the html5 files Easter deadline coming up we have javascript XSS to think about too... if for example sake you could get them a js file onto the Nottingham install you could ajax anything in the same domain as if the user running the LO had actioned it... if that was Fay or Julian then what could you get access to?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: Friday, March 08, 2013 11:19 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we are going down this road, it will make more sense to me to have them in the .xwd (because the .xwd will present the browse button and the upload action)

Tom
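The layered check this thread converges on (a session check that actually ends the request, a server-side superset whitelist, a posted per-model `fileType` list that can only narrow it, and a content check against the extension), sketched in PHP as an added example. It is not Xerte's upload.php or any poster's code; the session key, form field names, storage directory and whitelist contents are assumptions.

```php
<?php
// Added example with hypothetical names; not Xerte's upload.php.
declare(strict_types=1);

// Server-side superset of everything any model may upload: extension => accepted
// MIME types. Constructed sample list, not the real XOT list.
const UPLOAD_SUPERSET = [
    'jpeg' => ['image/jpeg'],
    'jpg'  => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
    'mp3'  => ['audio/mpeg'],
];

// Narrow the superset with the comma-separated list the wizard posts (the xwd
// fileType value). A posted list can only remove entries, never add one, so a
// forged list gains nothing beyond the superset.
function effective_whitelist(array $superset, ?string $posted): array
{
    if ($posted === null || trim($posted) === '') {
        return $superset;
    }
    $wanted = array_filter(array_map(
        static fn(string $e): string => strtolower(trim($e)),
        explode(',', $posted)
    ), static fn(string $e): bool => $e !== '');
    return array_intersect_key($superset, array_flip($wanted));
}

// Returns the normalised extension when both the name and the sniffed content
// are acceptable, or null when the upload must be rejected.
function check_upload(string $clientName, string $tmpPath, array $whitelist): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !isset($whitelist[$ext])) {
        return null;                       // extension is not on the list
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $whitelist[$ext], true)) {
        return null;                       // content does not match the extension
    }
    return $ext;
}

function handle_upload(array $session, array $post, array $files, string $dir): array
{
    // The session check has to end the request. With exit() commented out the
    // script carries on and stores the file for anyone who posts to it.
    if (empty($session['user_id'])) {             // hypothetical session key
        return [403, 'login required'];
    }
    $file = $files['upload'] ?? null;             // hypothetical form field
    if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [400, 'no upload'];
    }
    $posted = is_string($post['fileType'] ?? null) ? $post['fileType'] : null;
    $ext = check_upload($file['name'], $file['tmp_name'],
                        effective_whitelist(UPLOAD_SUPERSET, $posted));
    if ($ext === null) {
        return [415, 'file type not allowed'];
    }
    // Store under a server-generated name so nothing from the client name survives.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$dir/$name")
        ? [200, $name] : [500, 'could not store file'];
}

if (PHP_SAPI === 'cli') {
    // Offline demo on constructed files: a GIF header, and PHP source renamed to .gif.
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'constructed sample'; ?>\n");
    $imageOnly = effective_whitelist(UPLOAD_SUPERSET, 'jpeg,gif,png');
    $cases = [
        ['photo.gif', $gif, $imageOnly],
        ['photo.php', $gif, $imageOnly],      // extension not listed
        ['renamed.gif', $php, $imageOnly],    // content is not a GIF
        // forged posted list: 'php' is not in the superset, 'gif' is not in this list
        ['photo.gif', $gif, effective_whitelist(UPLOAD_SUPERSET, 'php,mp3')],
    ];
    foreach ($cases as [$name, $path, $list]) {
        $verdict = check_upload($name, $path, $list) === null ? 'rejected' : 'accepted';
        printf("%-12s %s\n", $name, $verdict);
    }
    unlink($gif);
    unlink($php);
} else {
    session_start();
    [$status, $body] = handle_upload($_SESSION, $_POST, $_FILES, __DIR__ . '/media');
    http_response_code($status);
    echo $body;
}
```

Run from the command line it exercises only the whitelist and content checks on the constructed files; behind a web server the same functions sit after the session check.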
From xerte at pgogywebstuff.com Fri Mar 8 12:09:27 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 12:09:27 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5139C911.8080300@tor.nl>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D41A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876C45@EXCHANGE1.ad.nottingham.ac.uk>
 <5139C911.8080300@tor.nl>
Message-ID: <C5EFF859-F919-4411-B3A0-73358716F763@pgogywebstuff.com>

If the problem is making an allowed type for a page then it might be a bit of code, but the xwd drives the page layout so it must be possible to do?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 11:18, Tom Reijnders <reijnders at tor.nl> wrote:

> If we are going down this road, it will make more sense to me to have them in the .xwd (because the .xwd will present the browse button and the upload action)
>
> Tom
>
> On 8-3-2013 12:09, Fay Cross wrote:
>> I don't know how all this side of things works tbh. If it makes more sense from your side of things to have the info in the model files rather than xwd then let me know what you need and I can put it in
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 10:27
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Fay,
>>
>> Sure, I could work with that if that's not going to cause any problems with the system. I think we need to check mime types too as the server can ignore extensions if it recognizes the format but if we have the extensions allowed then I suppose we can look up the mime types allowed for that extension and make sure the uploaded file type matches...
>>
>> These parameters won't be posted with the file will they, if they are added there? The only issue I see is that we would simply have an aggregated list of extensions that ALL models use, and so any model could upload any file in that list, not just the ones allowed by that model, which is kind of counter intuitive...
>>
>> Regards,
>>
>> John
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
>> Sent: Friday, March 08, 2013 10:15 AM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we added something to the xwds would that help?
>>
>> e.g. adding an extra attribute...
>> <url label="Image" type="media" fileType="jpeg,gif,png"/>
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 10:00
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Could we add a comment type header block to the start of the models? Similar to a Wordpress style header and parse these comments once in a while, via cron or just on user login or something? I suppose we could hook 'user_login' and do the damage in a plugin?
>>
>> Do you think that a comment header would break the parsing of the model?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 5:14 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required...
>>
>> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work...
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 13:13:03 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 13:13:03 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 07 March 2013 17:14
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?

I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 13:14:05 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 13:14:05 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5139C911.8080300@tor.nl>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D407@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876BE2@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D41A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <A44245E8C549494D9561A9727B89EEC80C35876C45@EXCHANGE1.ad.nottingham.ac.uk>
 <5139C911.8080300@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40E@EXCHANGE1.ad.nottingham.ac.uk>

Hmm, I can also see some advantage in this approach.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 08 March 2013 11:19
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we are going down this road, it will make more sense to me to have them in the .xwd (because the .xwd will present the browse button and the upload action)

Tom

From J.J.Smith at gcu.ac.uk Fri Mar 8 13:25:51 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 13:25:51 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk>

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:13 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

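The three checks John lists in the message above (session, extension, then MIME type looked up from the extension), together with the single generic failure reply he asks about, sketched in PHP as an added example. This is not the code committed to upload.php; the function name, the `user_id` session key and the allowlist contents are assumptions, and it needs PHP 7.1+ with the bundled fileinfo extension.

```php
<?php
// Added example, not Xerte's upload.php. All names here are hypothetical.

// Assumed allowlist: extension => MIME types accepted for that extension.
// In the thread this would come from a management setting or the .xwd files.
const ALLOWED_UPLOADS = [
    'jpeg' => ['image/jpeg'],
    'jpg'  => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
];

/**
 * Decide whether an uploaded file may be stored.
 *
 * @param array  $session  Session data ($_SESSION in a real handler).
 * @param string $origName File name sent by the client (untrusted).
 * @param string $tmpPath  Path of the uploaded temporary file.
 * @return array [bool accepted, string reason]; the reason is for the server log only.
 */
function check_upload(array $session, string $origName, string $tmpPath): array
{
    // 1. Session check. The caller must stop on a false result; the problem
    //    described in the thread was a check whose exit() was commented out.
    if (empty($session['user_id'])) {           // hypothetical session key
        return [false, 'no authenticated session'];
    }

    // 2. Extension check: last extension only, compared case-insensitively.
    $ext = strtolower(pathinfo(basename($origName), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return [false, 'extension not on the allowlist'];
    }

    // 3. MIME check: sniff the file content instead of trusting the
    //    Content-Type the client sent, then require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        return [false, 'content type does not match extension'];
    }

    return [true, 'ok'];
}

// Constructed sample inputs, written to temp files so the example runs offline.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'hello';\n");

$cases = [
    [['user_id' => 7], 'photo.gif', $gif],      // session, allowed extension, GIF content
    [[],               'photo.gif', $gif],      // no session
    [['user_id' => 7], 'page.php',  $script],   // extension not on the list
    [['user_id' => 7], 'page.gif',  $script],   // allowed extension, PHP source inside
];

foreach ($cases as [$session, $name, $path]) {
    [$accepted, $reason] = check_upload($session, $name, $path);
    error_log("upload '$name': $reason");       // detail stays in the server log
    echo $accepted ? "ok\n" : "failed\n";       // the client gets one generic reply
}

unlink($gif);
unlink($script);
```

Keeping the reason in the server log and sending only a generic reply is one way to answer the error-message question; whether the Flash editor depends on the detailed text is not settled in the thread.
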
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/54eff790/attachment-0001.html> From Julian.Tenney at nottingham.ac.uk Fri Mar 8 13:46:49 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Fri, 8 Mar 2013 13:46:49 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> I?m not sure I?m close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we?re not in a position where exporting the svn creates an install that won?t upload anything? 

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:13 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 07 March 2013 17:14
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

Problem is getting a list of types the models support.
I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?

I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi Pat,

I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types.

I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?

I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think?

I'll have a go at adding in some code to deal with content headers and mimetypes

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Thursday, March 07, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over.

There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/97668671/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 13:47:39 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 13:47:39 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>
 <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>
 <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <20130306120521.59815leiwct5zlyp@server.tor.nl>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl>
 <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com>
 <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl>
 <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A463@EXCHANGE1.ad.nottingham.ac.uk>

I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document. I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference.

Static documents usually lead to version control nightmares. I still believe in the Java "write once, deliver everywhere" fantasy. ;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf? A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage. So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file.
Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?

The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.

Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf? I would bet we get a lot more contribution if it's dynamic. Maybe something editable in a Xerte app? Folks with svn access can edit?

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and mod
> > rewrite the url. If there is a language file that matches send that,
> > otherwise send the English one...
> >
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of
> > Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But
> > we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language
> > options, redrawing the form is a bit of a pain, so thinking
> > differently might be a good idea.
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a
> > link to a pdf file that the author can access to provide additional
> > information to support the use of the page type. My original need
> > was to support the connector pages and the inventory page with more
> > information about how the page worked and how, in the case of
> > connector pages they could be used in conjunction with other pages.
> > However the help file could provide other stuff such as examples of
> > use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong
> > view on. It just seemed that the <info> tag already provided the
> > functionality (except for this frustrating glitch). If resolving the
> > glitch was a simple matter then the <info> tag might be a convenient
> > way of doing this without involving much time input. If however the
> > glitch is difficult to pin down then a different approach might be
> > appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the
> > page in one place. However it does have the disadvantage of making
> > it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same
> > stem as the model file but have a pdf extension (e.g. quiz.rlm and
> > quiz.pdf), would allow a Xerte or XOT project to define a single
> > folder location for all the help files.
> > The specific help file for a
> > page type would then be accessed by combining the single folder
> > address with the model name and a pdf extension.
> >
> > This would allow help files to be either located on a remote server
> > or on a local server, or even in a desktop Xerte installation folder
> > e.g. Xerte\pages\help\. It would also make it easier to change the
> > locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney
> > <Julian.Tenney at nottingham.ac.uk>
> > wrote:
> > Maybe we should tackle this differently: rather than trying to
> > display the <info> on the form, why not pop it up in a message or
> > show it somewhere else?
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> >
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the
> > latest version of wizard.swf, but if you can see the Show Language
> > Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see
> > that some additional fields are displayed in the form but that there
> > is an expanse of blank grey form before the "here is the help" text
> > is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text
> > you will see the mouse pointer change as it hovers over where the
> > text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is
> > clear as none of the fields are flagged as language options so as
> > soon as the form opens you see that the display of labels and fields
> > ends abruptly and then there is again the grey expanse of blank form
> > before the "here is the help" text is displayed. You have noticed,
> > in your second post that the entry below "single answer wrong" is
> > cut short vertically. There are also more fields below this which
> > are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the
> > "info" tag then all the fields defined in the form are displayed
> > correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett
> > <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language
> > Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the none
> > display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of
> > form above it where the missing fields and field labels should be
> > displayed.
> >
> > If you move the mouse pointer over the blank area of the form then
> > the mouse pointer will change indicating that the fields are there -
> > you just can't see them.
> >
> > The easiest way to explain what is happening is for you to see it
> > for yourself.
> >
> > I have attached a simple demo. The demo is a standard Xerte project
> > (not a "Pages" type project - I have manually set up the xwd links
> > for the pages) in which I have set up two copies of the Quiz page.
> >
> > 1. Open this project in Xerte
> > 2. Double click on the Quiz page to open the xwd form
> > 3. Click on the language tab to display the language fields
> > 4. Scroll down the form - you will see the blank area where the
> > hidden language fields should appear and the blue info comment at
> > the bottom.
> > 5. The language tag is not significant to this issue.
> > 6. Double click on the Quiz2 page, you will see the same effect
> > without the use of the language tag (I deleted them from this page's
> > xwd file)
> > I don't know if the cause is to do with layers or visibility
> > settings. I don't know what happens when the info tag is actioned in
> > the code.
> >
> > I hope this makes the effect clear (if not the cause :-( )
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 09:40, Julian Tenney
> > <Julian.Tenney at nottingham.ac.uk>
> > wrote:
> >
> > What's the problem in a nutshell?
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 04 March 2013 22:18
> > To: Xerte Developers Discussion List
> > Subject: [Xerte-dev] use of info tag in xwd forms
> >
> > On the 4th December I posted to the developer list an issue with the
> > xwd forms relating to the use of the "info" tag.
> >
> > The inclusion of an info tag in the xwd form can result in space
> > being allocated above the info tag for the display of the last few
> > properties in the xwd form definition, but the properties are not
> > visible in the form. You can however confirm their "presence" as the
> > mouse pointer responds to them if moved over the input fields.
> >
> > You can test this out in Xerte (or XOT) by creating a page using one
> > of the Connector page types. The info tag has been used in these
> > pages to link to a pdf help file that is hosted on the Xerte
> > community web site, but the "language" flagged form properties are
> > no longer all editable, due to the presence of the info tag.
> >
> > This is a pity as the info tag could be used to provide a link to an
> > external document that gives the Author useful additional
> > information to assist them in making the best use of that page type.
> > e.g.
> >
> > * Information about what the page is designed to do
> >
> > * Instructions on what the properties in the form are to
> > help in completing the form created by the xwd file;
> >
> > * examples of actual uses of that page type in real projects.
> >
> > * examples of combining this page type with other page types
> > to achieve a particular pedagogical approach
> >
> > * guidance as to how accessible the page is with respect to
> > particular types of user, or what features the page has as optional
> > properties to provide additional accessibility
> >
> > However at present if the "info" tag is used then the ability to
> > edit the language flagged elements of the page is compromised.
> >
> > Is this something that is intended to be addressed before the next
> > release of Xerte / XOT?
> >
> > Sorry to be a nuisance, but it seems such a potentially useful
> > feature it seems a shame not to be able to use it.
> >
> > Kind regards
> >
> > Johnathan
> >
> > _______________________________________________
> > Xerte-dev mailing list
> > Xerte-dev at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> >
> > This message and any attachment are intended solely for the
> > addressee and may contain confidential information. If you have
> > received this message in error, please send it back to me, and
> > immediately delete it. Please do not use, copy or disclose the
> > information contained in this message or in any attachment. Any
> > views or opinions expressed by the author of this email do not
> > necessarily reflect the views of the University of Nottingham.
> >
> > This message has been checked for viruses but the contents of an attachment
> > may still contain software viruses which could damage your computer system:
> > you are advised to perform your own checks. Email communications with the
> > University of Nottingham may be monitored as permitted by UK legislation.
> >
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/561d8bf4/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Fri Mar 8 13:54:38 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 13:54:38 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk>

If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 13:26 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 1:13 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 07 March 2013 17:14 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, Problem is getting a list of types the models support. 
I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi Pat, I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I?ll have a go at adding in some code to deal with content headers and mimetypes Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Thursday, March 07, 2013 2:54 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over. There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. 
Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi, I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow? There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... 
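
The checks listed in the thread above (session, extension against a comma separated whitelist, MIME type allowed for that extension, and a single 'failed' reply with the detail kept in the server log), shown in PHP as an added example that is not the code committed to upload.php. The function names, the `user_id` session key, the extension list and the extension-to-MIME map are assumptions, and the fileinfo extension is assumed to be available.

```php
<?php
// Added illustration; not Xerte's upload.php. Names and lists are assumptions.

// Stand-in for the proposed global setting: comma separated allowed extensions.
const ALLOWED_EXTENSIONS_SETTING = 'jpg, jpeg, png, gif, mp3, pdf';

// Constructed map: MIME types accepted for each whitelisted extension.
const MIME_TYPES_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

// Turn the comma separated setting into a clean, lower-case list.
function parse_extension_setting(string $setting): array
{
    $items = array_map('trim', explode(',', strtolower($setting)));
    return array_values(array_filter($items, fn($item) => $item !== ''));
}

// Returns null when the upload passes every check, otherwise a short reason
// that is meant for the server log only.
function upload_rejection_reason(array $session, string $clientName, string $tmpPath, string $setting): ?string
{
    // 1. Session check ('user_id' is a hypothetical key).
    if (empty($session['user_id'])) {
        return 'no session';
    }

    // 2. Extension check: the last extension of the client name must be whitelisted.
    $extension = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($extension === '' || !in_array($extension, parse_extension_setting($setting), true)) {
        return 'extension not allowed';
    }

    // 3. MIME check: sniff the file content and ignore the browser-supplied type.
    //    An extension with no entry in the map is rejected (fail closed).
    $allowedMimes = MIME_TYPES_FOR_EXTENSION[$extension] ?? [];
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, $allowedMimes, true)) {
        return 'content type does not match extension';
    }

    return null;
}

// The caller only ever sees 'ok' or 'failed'; the reason stays on the server.
function handle_upload(array $session, string $clientName, string $tmpPath, string $setting): string
{
    $reason = upload_rejection_reason($session, $clientName, $tmpPath, $setting);
    if ($reason !== null) {
        error_log('upload rejected: ' . $reason);
        return 'failed';
    }
    return 'ok';
}

// Constructed sample inputs: a 1x1 PNG and a harmless PHP script.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'hello'; ?>\n");

$cases = [
    ['logged in, real PNG',          ['user_id' => 7], 'diagram.png', $png],
    ['no session, real PNG',         [],               'diagram.png', $png],
    ['logged in, .php extension',    ['user_id' => 7], 'page.php',    $script],
    ['logged in, script named .png', ['user_id' => 7], 'page.png',    $script],
];
foreach ($cases as [$label, $session, $name, $path]) {
    printf("%-30s => %s\n", $label, handle_upload($session, $name, $path, ALLOWED_EXTENSIONS_SETTING));
}

unlink($png);
unlink($script);
```

In a real handler the temporary path would come from `$_FILES` and be confirmed with `is_uploaded_file()` before these checks run.
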
From J.J.Smith at gcu.ac.uk Fri Mar 8 13:55:17 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 13:55:17 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A463@EXCHANGE1.ad.nottingham.ac.uk>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4C5E622B@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=WwvPwjJ9br6u6AADOoDSy8KpFQZp+g1NA5g6n=Ze3qBA@mail.gmail.com>
 <BLU153-W57942FC6EA78A20F3826B0A7FB0@phx.gbl>
 <CABtG3=XL7YU0XZou1awcUXYY3ZQKZsss=-e58rTrUV_vnSR_Jg@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <20130306120521.59815leiwct5zlyp@server.tor.nl>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl>
 <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com>
 <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl>
 <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A463@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D456@ITSEMBXCLUS.enterprise.gcal.ac.uk>

A wiki...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document. I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-( What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference.
Static documents usually lead to version control nightmares.
I still believe in the Java "write once, deliver everywhere" fantasy. ;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf? A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage. So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?

The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.

Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf?
I would bet we get a lot more contribution if it's dynamic.
Maybe something editable in a Xerte app?
Folks with svn access can edit?

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and mod
> > rewrite the url. If there is a language file that matches send that,
> > otherwise send the English one...
> >
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of
> > Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But
> > we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language
> > options, redrawing the form is a bit of a pain, so thinking
> > differently might be a good idea.
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a
> > link to a pdf file that the author can access to provide additional
> > information to support the use of the page type. My original need
> > was to support the connector pages and the inventory page with more
> > information about how the page worked and how, in the case of
> > connector pages they could be used in conjunction with other pages.
> > However the help file could provide other stuff such as examples of
> > use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong
> > view on. It just seemed that the <info> tag already provided the
> > functionality (except for this frustrating glitch). If resolving the
> > glitch was a simple matter then the <info> tag might be a convenient
> > way of doing this without involving much time input. If however the
> > glitch is difficult to pin down then a different approach might be
> > appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the
> > page in one place. However it does have the disadvantage of making
> > it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same
> > stem as the model file but have a pdf extension (e.g. quiz.rlm and
> > quiz.pdf), would allow a Xerte or XOT project to define a single
> > folder location for all the help files. The specific help file for a
> > page type would then be accessed by combining the single folder
> > address with the model name and a pdf extension.
> >
> > This would allow help files to be either located on a remote server
> > or on a local server, or even in a desktop Xerte installation folder
> > e.g. Xerte\pages\help\. It would also make it easier to change the
> > locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney
> > <Julian.Tenney at nottingham.ac.uk>
> > wrote:
> > Maybe we should tackle this differently: rather than trying to
> > display the <info> on the form, why not pop it up in a message or
> > show it somewhere else?
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> >
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the
> > latest version of wizard.swf, but if you can see the Show Language
> > Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see
> > that some additional fields are displayed in the form but that there
> > is an expanse of blank grey form before the "here is the help" text
> > is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text
> > you will see the mouse pointer change as it hovers over where the
> > text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is
> > clear as none of the fields are flagged as language options so as
> > soon as the form opens you see that the display of labels and fields
> > ends abruptly and then there is again the grey expanse of blank form
> > before the "here is the help" text is displayed. You have noticed,
> > in your second post that the entry below "single answer wrong" is
> > cut short vertically. There are also more fields below this which
> > are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the
> > "info" tag then all the fields defined in the form are displayed
> > correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett
> > <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language
> > Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the none
> > display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of
> > form above it where the missing fields and field labels should be
> > displayed.
> >
> > If you move the mouse pointer over the blank area of the form then
> > the mouse pointer will change indicating that the fields are there -
> > you just can't see them.
> >
> > The easiest way to explain what is happening is for you to see it
> > for yourself.
> >
> > I have attached a simple demo. The demo is a standard Xerte project
> > (not a "Pages" type project - I have manually set up the xwd links
> > for the pages) in which I have set up two copies of the Quiz page.
> >
> > 1. Open this project in Xerte
> > 2. Double click on the Quiz page to open the xwd form
> > 3. Click on the language tab to display the language fields
> > 4. Scroll down the form - you will see the blank area where the
> > hidden language fields should appear and the blue info comment at
> > the bottom.
> > 5. The language tag is not significant to this issue.
> > 6. Double click on the Quiz2 page, you will see the same effect
> > without the use of the language tag (I deleted them from this pages
> > xwd file)
> > I don't know if the cause is to do with layers or visibility
> > settings. I don't know what happens when the info tag is actioned in
> > the code.
> >
> > I hope this makes the effect clear (if not the cause :-( )
> >
> > Kind regards
> >
> > Johnathan
> >
> >
> >
> > On 5 March 2013 09:40, Julian Tenney
> > <Julian.Tenney at nottingham.ac.uk>
> > wrote:
> >
> > What's the problem in a nutshell?
> >
> >
> >
> > From:
> > xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp
> > Johnathan
> > Sent: 04 March 2013 22:18
> > To: Xerte Developers Discussion List
> > Subject: [Xerte-dev] use of info tag in xwd forms
> >
> >
> >
> > On the 4th December I posted to the developer list an issue with the
> > xwd forms relating to the use of the "info" tag.
> >
> >
> >
> > The inclusion of an info tag in the xwd form can result in space
> > being allocated above the info tag for the display of the last few
> > properties in the xwd form definition, but the properties are not
> > visible in the form. You can however confirm their "presence" as the
> > mouse pointer responds to them if moved over the input fields.
> >
> >
> >
> > You can test this out in Xerte (or XOT) by creating a page using one
> > of the Connector page types. The info tag has been used in these
> > pages to link to a pdf help file that is hosted on the Xerte
> > community web site, but the "language" flagged form properties are
> > no longer all editable, due to the presence of the info tag.
> >
> >
> >
> > This is a pity as the info tag could be used to provide a link to an
> > external document that gives the Author useful additional
> > information to assist them in making the best use of that page type.
> > e.g.
> >
> > * Information about what the page is designed to do
> >
> > * Instructions on what the properties in the form are to
> > help in completing the form created by the xwd file;
> >
> > * examples of actual uses of that page type in real projects.
> >
> > * examples of combining this page type with other page types
> > to achieve a particular pedagogical approach
> >
> > * guidance as to how accessible the page is with respect to
> > particular types of user, or what features the page has as optional
> > properties to provide additional accessibility
> >
> > However at present if the "info" tag is used then the ability to
> > edit the language flagged elements of the page is compromised.
> >
> >
> >
> > Is this something that is intended to be addressed before the next
> > release of Xerte / XOT?
> >
> >
> >
> > Sorry to be a nuisance, but it seems such a potentially useful
> > feature it seems a shame not to be able to use it.
> > > > > > > > Kind regards > > > > > > > > Johnathan > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > _______________________________________________ Xerte-dev mailing > > list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > Glasgow Caledonian University is a registered Scottish charity, > > number SC021474 > > > > Winner: Times Higher Education's Widening Participation Initiative > > of the Year 2009 and Herald Society's Education Initiative of the > > Year 2009. > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name%2c6219%2cen.html> > > > > Winner: Times Higher Education's Outstanding Support for Early > > Career Researchers of the Year 2010, GCU as a lead with Universities > > Scotland partners. 
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name%2c15691%2cen.html> > > > > This message and any attachment are intended solely for the > > addressee and may contain confidential information. If you have > > received this message in error, please send it back to me, and > > immediately delete it. Please do not use, copy or disclose the > > information contained in this message or in any attachment. Any > > views or opinions expressed by the author of this email do not > > necessarily reflect the views of the University of Nottingham. > > > > > > > > This message has been checked for viruses but the contents of an attachment > > > > may still contain software viruses which could damage your computer system: > > > > you are advised to perform your own checks. Email communications with the > > > > University of Nottingham may be monitored as permitted by UK legislation. > > > > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. 
> > This message has been checked for viruses but the contents of an attachment > may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. Email communications with the > University of Nottingham may be monitored as permitted by UK legislation. > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name%2c6219%2cen.html> > > Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name%2c15691%2cen.html> > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's 
Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/f755e930/attachment-0001.html> From Julian.Tenney at nottingham.ac.uk Fri Mar 8 14:05:08 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Fri, 8 Mar 2013 14:05:08 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> I commented it out because it didn?t work in firefox. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 13:55 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If we get pushed for time and we need to then we can just comment out the code I added for now. 
All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:13 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 07 March 2013 17:14
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

Problem is getting a list of types the models support.

I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?

I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi Pat,

I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types.

I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?

I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think?

I'll have a go at adding in some code to deal with content headers and mimetypes

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Thursday, March 07, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).

My reg exp is a bit flaky as well, if you copied that over.

There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/e59fcabf/attachment-0001.html>

From david at palepurple.co.uk Fri Mar 8 14:05:56 2013
From: david at palepurple.co.uk (David Goodwin)
Date: Fri, 8 Mar 2013 14:05:56 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <DA01755F-44E2-4F57-9DCF-63E1D3062579@palepurple.co.uk>

On 8 Mar 2013, at 13:54, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>
> Regards,

See the commit message etc at:
https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/modules/xerte/engine/upload.php?r=654

David.

Pale Purple Ltd. (Company No: 5580814)
'Web and Mobile Application Development for Business'
http://www.palepurple.co.uk
Office: 0845 0046746 Mobile: 07792380669
Follow us on Twitter: @PalePurpleLtd
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/0d60b7a4/attachment.html>

From J.J.Smith at gcu.ac.uk Fri Mar 8 14:11:38 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 14:11:38 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Ok I'll look at that and see why?
maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/8fbaa25c/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 14:14:31 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 14:14:31 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk>

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
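
The checks proposed in this thread (session, extension whitelist held as a comma-separated setting, MIME type allowed for that extension, and a bare "failed" reply) written out in PHP as an added example. It is not part of any message here and is not Xerte's upload.php; the session key, form field name, whitelist values, MIME map and target directory are assumptions, and it presumes the client sends the session cookie, which the thread reports Flash in Firefox did not.

```php
<?php
// Added example (PHP 7.1+, fileinfo extension), not Xerte's upload.php.
// Assumed names: the 'toolkits_logon_id' session key, the 'Filedata' form
// field, the whitelist values, the MIME map and the media/ target directory.

// Comma-separated extension whitelist, as a site-wide setting would hold it.
const ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,mp3,pdf';

// MIME types accepted for each whitelisted extension (constructed values).
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload passes every check, otherwise a fixed reason
 * string meant for the server log only (never echoed to the client).
 */
function upload_rejection_reason(array $session, array $file, string $allowedCsv, array $mimeMap): ?string
{
    // 1. Session: no logged-in user, no upload.
    if (empty($session['toolkits_logon_id'])) {
        return 'no authenticated session';
    }

    // 2. The file must be a completed HTTP upload handled by PHP itself.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return 'not a completed HTTP upload';
    }

    // 3. Extension: only the final extension counts, compared in lower case.
    $ext = strtolower(pathinfo(basename($file['name'] ?? ''), PATHINFO_EXTENSION));
    $allowed = array_filter(array_map('trim', explode(',', strtolower($allowedCsv))));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return 'extension not on whitelist';
    }

    // 4. MIME type: sniffed from the bytes, not taken from $file['type'],
    //    and it must be one of the types allowed for this extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $mimeMap[$ext] ?? [], true)) {
        return 'content type not allowed for extension';
    }

    return null;
}

// Request handling: every failure gets the same one-word answer, and the
// reason is written to the server log instead of the response.
if (PHP_SAPI !== 'cli' && isset($_FILES['Filedata'])) {
    session_start();
    $file = $_FILES['Filedata'];
    $reason = upload_rejection_reason($_SESSION, $file, ALLOWED_EXTENSIONS, MIME_BY_EXTENSION);

    if ($reason === null) {
        $target = __DIR__ . '/media/' . basename($file['name']);
        if (!move_uploaded_file($file['tmp_name'], $target)) {
            $reason = 'could not store file';
        }
    }

    if ($reason !== null) {
        error_log('upload rejected: ' . $reason);
        http_response_code(403);
        exit('failed');
    }
    echo 'ok';
}
```

The reason strings are fixed text with no client-supplied values in them, so the log line cannot be shaped by the uploaded file name.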
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 14:12 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Ok I?ll look at that and see why? maybe config isn?t being included properly? sessions work elsewhere in Firefox so why not here? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 2:05 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I commented it out because it didn?t work in firefox. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 13:55 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 1:47 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I?m not sure I?m close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we?re not in a position where exporting the svn creates an install that won?t upload anything? From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 13:26 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 1:13 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 07 March 2013 17:14 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi Pat, I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? 
I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I?ll have a go at adding in some code to deal with content headers and mimetypes Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Thursday, March 07, 2013 2:54 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over. There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi, I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow? There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... 

From J.J.Smith at gcu.ac.uk Fri Mar 8 14:20:45 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 14:20:45 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hmm perhaps we can ajax via the browser? now I see why nobody was wanting to touch this!!

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:15 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:12
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:05 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I commented it out because it didn't work in firefox.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:13 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 07 March 2013 17:14
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?

I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi Pat,

I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Thursday, March 07, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over.

There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From J.J.Smith at gcu.ac.uk Fri Mar 8 14:34:10 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 14:34:10 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45E@ITSEMBXCLUS.enterprise.gcal.ac.uk>

What's the user_sessions table used for in database? We could store the session and a nonce, and check the nonce in the database on the upload side?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
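
The checks discussed in this thread, put together as an added example that is not Xerte's upload.php: a single-use nonce stored in the database so the Flash uploader does not need the session cookie, an extension whitelist with a MIME type check keyed by extension, and one generic failure reply. The `upload_nonces` table (the thread names `user_sessions` but not its schema), the `nonce` and `Filedata` field names, the whitelist contents and all function names are assumptions; it assumes PHP 7.1+ with the pdo_sqlite and fileinfo extensions.

```php
<?php
// Added example, not Xerte's upload.php. The upload_nonces table, the "nonce"
// and "Filedata" field names and every function name here are hypothetical.

// Extension => MIME types accepted for it (constructed sample whitelist).
const ALLOWED_UPLOADS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

function open_nonce_store(string $dsn): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS upload_nonces (
        nonce_hash TEXT PRIMARY KEY, session_id TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Runs in the editor page, where the browser session is available, e.g. with
// session_id() as $sessionId. The returned value is handed to the uploader.
function issue_upload_nonce(PDO $db, string $sessionId, int $ttl = 600): string
{
    $nonce = bin2hex(random_bytes(32));
    // Only a hash is stored, so a read of the table does not yield usable nonces.
    $db->prepare('INSERT INTO upload_nonces VALUES (?, ?, ?)')
       ->execute([hash('sha256', $nonce), $sessionId, time() + $ttl]);
    return $nonce;
}

// Returns the session the nonce was issued to, or null. The DELETE row count
// decides the winner, so parallel requests cannot both use the same nonce.
function consume_upload_nonce(PDO $db, string $nonce): ?string
{
    $hash = hash('sha256', $nonce);
    $find = $db->prepare(
        'SELECT session_id FROM upload_nonces WHERE nonce_hash = ? AND expires_at >= ?'
    );
    $find->execute([$hash, time()]);
    $sessionId = $find->fetchColumn();
    $drop = $db->prepare('DELETE FROM upload_nonces WHERE nonce_hash = ?');
    $drop->execute([$hash]);
    return ($sessionId !== false && $drop->rowCount() === 1) ? (string) $sessionId : null;
}

// Returns a server-chosen file name for an acceptable upload, or null.
function checked_target_name(array $file): ?string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    $allowedTypes = ALLOWED_UPLOADS[$ext] ?? null;
    if ($allowedTypes === null) {
        return null;
    }
    // Type detected from the file's bytes; $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, $allowedTypes, true)) {
        return null;
    }
    // Only the whitelisted extension survives from the client-supplied name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(PDO $db, array $post, array $files, string $mediaDir): bool
{
    $nonce = is_string($post['nonce'] ?? null) ? $post['nonce'] : '';
    // The returned session id identifies the user the upload belongs to.
    $sessionId = consume_upload_nonce($db, $nonce);
    if ($sessionId === null) {
        error_log('upload rejected: missing, expired or reused nonce');
        return false;
    }
    $file = $files['Filedata'] ?? [];
    $name = checked_target_name($file);
    if ($name === null) {
        error_log('upload rejected: extension or detected type not allowed');
        return false;
    }
    return move_uploaded_file($file['tmp_name'], rtrim($mediaDir, '/') . '/' . $name);
}

// Upload endpoint: the reason for a refusal goes to the server log only.
// A real install would use the application's own database instead of SQLite.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = open_nonce_store('sqlite:' . sys_get_temp_dir() . '/upload_nonces.sqlite');
    if (!handle_upload($db, $_POST, $_FILES, __DIR__ . '/media')) {
        http_response_code(400);
        exit('failed');
    }
    echo 'ok';
}
```
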

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 14:48:12 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 14:48:12 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45E@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4E4@EXCHANGE1.ad.nottingham.ac.uk>

That was one approach we discussed, but I don't know enough about sessions to try stuff out really.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:34
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

What's the user_sessions table used for in database? We could store the session and a nonce, and check the nonce in the database on the upload side?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Friday, March 08, 2013 2:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm perhaps we can ajax via the browser? now I see why nobody was wanting to touch this!!

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:15 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:12
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:05 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I commented it out because it didn't work in firefox.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 1:13 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: 07 March 2013 17:14 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? 
I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi Pat, I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I?ll have a go at adding in some code to deal with content headers and mimetypes Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy Sent: Thursday, March 07, 2013 2:54 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hello, I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). My reg exp is a bit flaky as well, if you copied that over. There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. 
Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: Hi, I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. Can someone test this and advise if there are any other media types that we want/need to allow? There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/056fbe03/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 14:54:20 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 14:54:20 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4F7@EXCHANGE1.ad.nottingham.ac.uk>

Maybe that's not a bad idea, but is it the case that you can't get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?)

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:21
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm perhaps we can ajax via the browser... now I see why nobody was wanting to touch this!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/22ed03f8/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Fri Mar 8 15:13:29 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 15:13:29 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4F7@EXCHANGE1.ad.nottingham.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4F7@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D464@ITSEMBXCLUS.enterprise.gcal.ac.uk>

I "think" we have 2 possible solutions:

I'm sure if we delegate jquery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll... there are jquery uploaders that do?

I think though we can also do it with session and nonce though, but it is how we deal with multiple uploads without refresh - alternatively we just

- Store the session id in the database, with a timestamp every time a php file loads, in config or something?
- send the session id as a parameter upload.php?sess=<%php echo(session_id())%> into flash or as a flashvar
- flash posts the session_id to upload and we interrogate the database to see if it's valid (present and not expired - older than 20 mins

I'll play around with it over the weekend?

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Maybe that's not a bad idea, but is it the case that you can't get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?)

From Julian.Tenney at nottingham.ac.uk Fri Mar 8 15:18:53 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 8 Mar 2013 15:18:53 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D464@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4F7@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D464@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A548@EXCHANGE1.ad.nottingham.ac.uk>

You can call functions in flash from JavaScript, so I don't think you'd have to poll

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 15:13
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I "think" we have 2 possible solutions:

I'm sure if we delegate jquery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll… there are jquery uploaders that do…

I think though we can also do it with session and nonce though, but it is how we deal with multiple uploads without refresh - alternatively we just

- Store the session id in the database, with a timestamp every time a php file loads, in config or something?
- send the session id as a parameter upload.php?sess=<%php echo(session_id())%> into flash or as a flashvar
- flash posts the session_id to upload and we interrogate the database to see if it's valid (present and not expired - older than 20 mins

I'll play around with it over the weekend…

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Maybe that's not a bad idea, but is it the case that you can't get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?)

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:21
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm perhaps we can ajax via the browser… now I see why nobody was wanting to touch this!!

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:15 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:12
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Ok I'll look at that and see why… maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:05 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I commented it out because it didn't work in firefox.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything…

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable… would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?

Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/91455cdc/attachment-0001.html> From xerte at pgogywebstuff.com Fri Mar 8 16:15:32 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Fri, 8 Mar 2013 16:15:32 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D464@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D45B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A4F7@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D464@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <E37E1BEE-163D-4485-BAB9-6B81F2CF7D83@pgogywebstuff.com> Argh stupid webmail not working You can't rely on user_sessions as some installs don't use it - it is optional whether you use it and it is turned off by default. I wrote it in for toolkits 1.6 but then some server settings changed at Nottingham so I commented it out. The session id won't make it safer as a malevolent person could still do stuff. Logically you move user-files so sit outside the web root, but that is a problem as flash is shite with relative paths. 
The safest thing is to move userfiles outside web root You could also add a .htaccess to prevent any php access and so on Then you need a white list, given that models can only be added by admin then then allowing models to set the whitelist isn't a million miles from letting the models so it. Once you've got the upload working then your next problem is that when upload fails no code exists to display an error, and it sounds like you need that to happen The Wordpress plugin saves the XML using Ajax and uses a new upload URL to work Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 8 Mar 2013, at 15:13, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > I ?think? we have 2 possible solutions: > > I?m sure if we delegate jquery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll? there are jquery uploaders that do? > > I think though we can also do it with session and nonce though, but it is how we deal with multiple uploads without refresh ? alternatively we just > > ? Store the session id in the database, with a timestamp every time a php file loads, in config or something? > ? send the session id as a parameter upload.php?sess=<%php echo(session_id())%> into flash or as a flashvar > ? flash posts the session_id to upload and we interrogate the database to see if it?s valid (present and not expired ? older than 20 mins > > I?ll play around with it over the weekend? 
> > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 2:54 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Maybe that?s not a bad idea, but is the case that you can?t get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?) > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 08 March 2013 14:21 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hmm perhaps we can ajax via the browser? now I see why nobody was wanting to touch this!! > > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 2:15 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > It?s because upload.php is being hit from flash, which isn?t passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 08 March 2013 14:12 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Ok I?ll look at that and see why? maybe config isn?t being included properly? sessions work elsewhere in Firefox so why not here? 
> > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 2:05 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I commented it out because it didn?t work in firefox. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 08 March 2013 13:55 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue? > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 1:47 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I?m not sure I?m close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we?re not in a position where exporting the svn creates an install that won?t upload anything? 
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 08 March 2013 13:26 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? > > Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). > > One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 1:13 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: 07 March 2013 17:14 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hello, > > Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. 
This way the model could post the allowed types and the list is generated on the fly? > > I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > > Hi Pat, > > I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? > > I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? > > I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I?ll have a go at adding in some code to deal with content headers and mimetypes > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: Thursday, March 07, 2013 2:54 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hello, > > I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). > > My reg exp is a bit flaky as well, if you copied that over. > > There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. 
> > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > > Hi, > > I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. > > Can someone test this and advise if there are any other media types that we want/need to allow? > > There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
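An added example, not part of the original thread and not Xerte's own code, of the checks discussed in the messages above: the session check, a comma-separated extension whitelist, and a content-sniffed MIME type that must match the extension. The function names, the extension-to-MIME map, the generic "failed" response and the sample files are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. The function names, the
// extension-to-MIME map and the sample files are assumptions.

// Global whitelist held as a comma-separated list of extensions.
const ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,mp3,pdf';

// MIME types accepted for each whitelisted extension (assumed values).
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

// Returns null when the upload passes every check, otherwise a reason
// string intended for the server log only.
function upload_rejection_reason(bool $loggedIn, string $clientName, string $tmpPath): ?string
{
    if (!$loggedIn) {
        return 'no valid session';
    }
    // Keep only the last path component of the client-supplied name.
    $name = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!preg_match('/^[a-z0-9]+$/', $ext)) {
        return 'missing or malformed extension';
    }
    $allowed = array_map('trim', explode(',', ALLOWED_EXTENSIONS));
    if (!in_array($ext, $allowed, true)) {
        return "extension .$ext is not whitelisted";
    }
    // Sniff the stored bytes; the Content-Type header is client-controlled.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, MIME_BY_EXTENSION[$ext] ?? [], true)) {
        return "content type $mime does not match .$ext";
    }
    return null;
}

// The client only ever sees "ok" or "failed"; the reason goes to the log.
function handle_upload(bool $loggedIn, string $clientName, string $tmpPath): string
{
    $reason = upload_rejection_reason($loggedIn, $clientName, $tmpPath);
    if ($reason !== null) {
        error_log('upload rejected: ' . $reason);
        return 'failed';
    }
    return 'ok';
}

// Constructed sample uploads: a 1x1 PNG and a short PHP script.
$pngFile = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($pngFile, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$phpFile = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($phpFile, "<?php echo 'constructed sample';\n");

$cases = [
    [true,  'photo.png',   $pngFile],  // whitelisted and content matches
    [true,  'shell.php',   $phpFile],  // extension not whitelisted
    [true,  'picture.png', $phpFile],  // PHP content behind an image name
    [false, 'photo.png',   $pngFile],  // no session
];
foreach ($cases as [$loggedIn, $name, $path]) {
    printf("%-12s %s\n", $name, handle_upload($loggedIn, $name, $path));
}
unlink($pngFile);
unlink($phpFile);
```

It needs the PHP CLI with the fileinfo extension enabled; rejection reasons go to the error log rather than to the caller.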
From xerte at pgogywebstuff.com Fri Mar 8 17:59:31 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 17:59:31 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <8C796242-69E8-47C0-AA65-F4217DFE35A2@pgogywebstuff.com>

Pass session Id in as a flashvar?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 14:12
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 08, 2013 2:05 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I commented it out because it didn't work in firefox.
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 13:55
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 08, 2013 1:47 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 13:26
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>
> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>
> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 08, 2013 1:13 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
> Sent: 07 March 2013 17:14
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hello,
>
> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it.
This way the model could post the allowed types and the list is generated on the fly?
>
> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
> Hi Pat,
>
> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>
> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>
> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
> Sent: Thursday, March 07, 2013 2:54 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hello,
>
> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>
> My reg exp is a bit flaky as well, if you copied that over.
>
> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
From J.J.Smith at gcu.ac.uk Fri Mar 8 19:47:50 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 19:47:50 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <8C796242-69E8-47C0-AA65-F4217DFE35A2@pgogywebstuff.com>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EF84745@ITSEMBXCLUS.enterprise.gcal.ac.uk>

So... I have session working in Firefox too, with a hardcoded value in update.php... but...
trying to pass in session id is acting a bit strange...

I've changed the upload_path code to

    so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");

which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path=" but when the Flash posts, the URL (as viewed in the Network console) is munged to

    http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4

and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable??

I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...

Any clues what's destroying the URL??

This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?

    if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
    session_start();

Regards,

John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
Cowcaddens Road | Glasgow | G4 0BA
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
Sent: 08 March 2013 17:59
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Pass session Id in as a flashvar?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
From J.J.Smith at gcu.ac.uk Fri Mar 8 20:32:10 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 20:32:10 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <7dqjlhy59lvtpoc8w4qlgi0b.1362774729103@email.android.com>

Which installs don't use sessions? Edit.php bounces you if session id isn't set...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Argh stupid webmail not working

You can't rely on user_sessions as some installs don't use it - it is optional whether you use it and it is turned off by default. I wrote it in for toolkits 1.6 but then some server settings changed at Nottingham so I commented it out.

The session id won't make it safer as a malevolent person could still do stuff.

Logically you move user-files to sit outside the web root, but that is a problem as flash is shite with relative paths.

The safest thing is to move userfiles outside web root

You could also add a .htaccess to prevent any php access and so on

Then you need a white list, given that models can only be added by admin then allowing models to set the whitelist isn't a million miles from letting the models do it.
Once you've got the upload working then your next problem is that when upload fails no code exists to display an error, and it sounds like you need that to happen The Wordpress plugin saves the XML using Ajax and uses a new upload URL to work Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 8 Mar 2013, at 15:13, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: I ?think? we have 2 possible solutions: I?m sure if we delegate jquery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll? there are jquery uploaders that do? I think though we can also do it with session and nonce though, but it is how we deal with multiple uploads without refresh ? alternatively we just ? Store the session id in the database, with a timestamp every time a php file loads, in config or something? ? send the session id as a parameter upload.php?sess=<%php echo(session_id())%> into flash or as a flashvar ? flash posts the session_id to upload and we interrogate the database to see if it?s valid (present and not expired ? older than 20 mins I?ll play around with it over the weekend? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 08, 2013 2:54 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Maybe that?s not a bad idea, but is the case that you can?t get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?) 
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:21
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm perhaps we can ajax via the browser? now I see why nobody was wanting to touch this!!

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:15 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 14:12
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Ok I'll look at that and see why... maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 2:05 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I commented it out because it didn't work in firefox.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything...

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 13:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).

One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:13 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 07 March 2013 17:14
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi Pat,

I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required...

I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work...

I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Thursday, March 07, 2013 2:54 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hello,

I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).

My reg exp is a bit flaky as well, if you copied that over.

There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Hi,

I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.

Can someone test this and advise if there are any other media types that we want/need to allow?

There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
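The checks this thread converges on (session check, a comma separated extension whitelist, a MIME check per extension, storage outside the web root, and a single "failed" response), as an added PHP example. It is not Xerte's upload.php and not code from any poster; the function names, the extension/MIME map, the `user_id` session key, the `Filedata` field name and the storage path are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. All names below are hypothetical.

// Global, admin-editable setting: comma separated list of allowed extensions.
const ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,mp3,mp4,pdf';

// MIME types accepted for each extension (constructed sample map).
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'mp4'  => ['video/mp4'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns the lower-cased extension when the client file name is on the
 * whitelist and the sniffed content type is one allowed for that extension;
 * returns null otherwise.
 */
function validate_upload(string $clientName, string $tmpPath): ?string
{
    $allowed = array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS)));

    // Only the last suffix matters: the file is stored under a server-chosen
    // name, so "x.php.jpg" can only ever be saved as "<random>.jpg".
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)
        || !array_key_exists($ext, MIME_BY_EXTENSION)) {
        return null;
    }

    // Sniff the bytes on disk. $_FILES[...]['type'] is sent by the client
    // and proves nothing.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_BY_EXTENSION[$ext], true)) {
        return null;
    }
    return $ext;
}

/**
 * Handles one upload. Every rejection returns the same string, so the
 * response does not reveal which check stopped the request.
 */
function handle_upload(array $session, array $file, string $storageDir): string
{
    // 1. Session check: requests without a logged-in session stop here.
    if (empty($session['user_id'])) {
        return 'failed';
    }

    // 2. Accept only a file PHP itself received in this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return 'failed';
    }

    // 3. Extension whitelist plus content sniffing.
    $ext = validate_upload($file['name'], $file['tmp_name']);
    if ($ext === null) {
        // The reason stays in the server log, not in the response.
        error_log('upload rejected for user ' . $session['user_id']);
        return 'failed';
    }

    // 4. Server-chosen name. A sniffed image can still carry embedded PHP,
    //    so $storageDir should sit outside the web root or in a directory
    //    where the web server never executes scripts.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? 'ok' : 'failed';
}

// Usage inside an upload endpoint (field name and path are assumptions):
// session_start();
// echo handle_upload($_SESSION, $_FILES['Filedata'] ?? [], '/srv/userfiles');
```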
From xerte at pgogywebstuff.com Fri Mar 8 20:49:08 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 20:49:08 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EF84745@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D394@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CD6BED07-A688-425D-AAA7-EE046DED274B@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D3B7@ITSEMBXCLUS.enterprise.gcal.ac.uk> <1B93C61A-4A8D-4E60-AFBE-8DB41E80396F@pgogywebstuff.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A40D@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D44E@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A461@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D455@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A486@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D458@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A49A@EXCHANGE1.ad.nottingham.ac.uk> <8C796242-69E8-47C0-AA65-F4217DFE35A2@pgogywebstuff.com> <EE0B2AFFDB88B34AA864E00CE98914C2247EF84745@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <483B0826-51B1-487F-9E8D-77C5DBF5C6EE@pgogywebstuff.com>

Assuming you know the fixed session if won't work?

I think the wizard alters the URL - but might you need to URL encode the string?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> So...
> I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>
> I've changed the upload_path code to
>
> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>
> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>
> but when the Flash Post's the URL (as viewed in the Network console) is munged to
>
> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>
> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>
> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>
> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
> session_start();
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
> Sent: 08 March 2013 17:59
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Pass session Id in as a flashvar?
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

From xerte at pgogywebstuff.com Fri Mar 8 20:42:46 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 20:42:46 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <7dqjlhy59lvtpoc8w4qlgi0b.1362774729103@email.android.com>
References: <7dqjlhy59lvtpoc8w4qlgi0b.1362774729103@email.android.com>
Message-ID: <FB0A3029-D82E-4038-B6BD-A1ACCC713505@pgogywebstuff.com>

Sorry

You can't rely on the user sessions table or whatever it is called

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 20:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Which installs don't use sessions? Edit.php bounces you if session id isn't set...
> > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: Friday, March 08, 2013 1:13 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: 07 March 2013 17:14 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hello, > > Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? > > I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: > Hi Pat, > > I didn?t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required? > > I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work? 
> > I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I?ll have a go at adding in some code to deal with content headers and mimetypes > > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy > Sent: Thursday, March 07, 2013 2:54 PM > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hello, > > I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). > > My reg exp is a bit flaky as well, if you copied that over. > > There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: > Hi, > > I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. > > Can someone test this and advise if there are any other media types that we want/need to allow? > > There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? 
> > Regards, > > John Smith > Learning Technologist > School of Health & Life Sciences > Glasgow Caledonian University > > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > Glasgow Caledonian University is a registered Sco From J.J.Smith at gcu.ac.uk Fri Mar 8 21:05:19 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Fri, 8 Mar 2013 21:05:19 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Message-ID: <vpl87u1wj3s7b65f0u22kv74.1362776719548@email.android.com> Its bizarre. If i modify the parameter in any way by adding x=y& before path then the querystring is mangled I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which cant handle extra params I can make it work by wrapping everything in a way i can parse but i'd rather know its not going to break down the line if someone changes upload_path in management or we get an unexpected char... Its weird... Can't get my head around what its doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript... 

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Assuming you know the fixed session it won't work?

I think the wizard alters the URL - but might you need to URL encode the string?

Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/>
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>
> I've changed the upload_path code to
>
> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>
> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>
> but when the Flash POSTs the URL (as viewed in the Network console) is munged to
>
> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>
> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>
> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>
> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
> session_start();
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
> Sent: 08 March 2013 17:59
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Pass session Id in as a flashvar?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/>
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
>
> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 14:12
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Ok I'll look at that and see why... maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University

From J.J.Smith at gcu.ac.uk Fri Mar 8 21:07:10 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 21:07:10 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <axruo0r4ef7uxvbuo6pehgf7.1362776828035@email.android.com>

Ah right I get it now... I realised that would be overkill...

Passing the session id as a param and resetting the session id seems to work across all 3 main browsers...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Sorry

You can't rely on the user sessions table or whatever it is called

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 20:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Which installs don't use sessions? Edit.php bounces you if session id isn't set...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From xerte at pgogywebstuff.com Fri Mar 8 22:54:37 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 22:54:37 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <vpl87u1wj3s7b65f0u22kv74.1362776719548@email.android.com>
References: <vpl87u1wj3s7b65f0u22kv74.1362776719548@email.android.com>
Message-ID: <FB4E3D08-ED10-4FF7-BE44-A5762D282570@pgogywebstuff.com>

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session it won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Posts the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now.
>> All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University

From xerte at pgogywebstuff.com Fri Mar 8 22:53:23 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 8 Mar 2013 22:53:23 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <axruo0r4ef7uxvbuo6pehgf7.1362776828035@email.android.com>
References: <axruo0r4ef7uxvbuo6pehgf7.1362776828035@email.android.com>
Message-ID: <04E59464-31AD-4116-81F3-625A0ADFA169@pgogywebstuff.com>

Not overkill, just not something to use safely

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:07, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Ah right I get it now... I realised that would be overkill... Passing the session id as a param and resetting the session id seems to work across all 3 main browsers...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Sorry
>
> You can't rely on the user sessions table or whatever it is called
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 20:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Which installs don't use sessions? Edit.php bounces you if session id isn't set...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Argh stupid webmail not working
>>
>> You can't rely on user_sessions as some installs don't use it - it is optional whether you use it and it is turned off by default. I wrote it in for toolkits 1.6 but then some server settings changed at Nottingham so I commented it out.
>>
>> The session id won't make it safer as a malevolent person could still do stuff. Logically you move user-files to sit outside the web root, but that is a problem as flash is shite with relative paths.
>>
>> The safest thing is to move userfiles outside web root
>>
>> You could also add a .htaccess to prevent any php access and so on
>>
>> Then you need a white list, given that models can only be added by admin then allowing models to set the whitelist isn't a million miles from letting the models do it.
>>
>> Once you've got the upload working then your next problem is that when upload fails no code exists to display an error, and it sounds like you need that to happen
>>
>> The Wordpress plugin saves the XML using Ajax and uses a new upload URL to work
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 15:13, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>> I "think" we have 2 possible solutions:
>>
>> I'm sure if we delegate jquery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll... there are jquery uploaders that do...
>>
>> I think though we can also do it with session and nonce though, but it is how we deal with multiple uploads without refresh - alternatively we just
>>
>> * Store the session id in the database, with a timestamp every time a php file loads, in config or something...
>>
>> * send the session id as a parameter upload.php?sess=<%php echo(session_id())%> into flash or as a flashvar
>>
>> * flash posts the session_id to upload and we interrogate the database to see if it's valid (present and not expired - older than 20 mins
>>
>> I'll play around with it over the weekend...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Maybe that's not a bad idea, but is the case that you can't get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?)
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:21
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hmm perhaps we can ajax via the browser... now I see why nobody was wanting to touch this!!
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:15 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
From J.J.Smith at gcu.ac.uk Fri Mar 8 23:50:55 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 8 Mar 2013 23:50:55 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>

Forget it, I've figured it out and got it working... Only now with the code commented out Firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
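
The checks discussed in the thread above (session, an extension allowlist held as a comma separated setting, and a content type matched to the extension), combined in one function with a single generic refusal. This is an added example, not the code committed to Xerte's upload.php; the function names, the extension list and the MIME map are assumptions made for illustration, and it needs PHP 7.1 or later with the fileinfo extension.

```php
<?php
// Added illustration; not Xerte's upload.php. Every name below is hypothetical.

// Site-wide setting held as a comma separated list (constructed value).
const ALLOWED_EXTENSIONS_CSV = 'jpg, jpeg, png, gif, mp3, txt';

// Content types accepted for each extension (constructed, deliberately short).
const MIME_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'txt'  => ['text/plain'],
];

/** Turn the comma separated setting into a list of lower-case extensions. */
function parse_extension_list(string $csv): array
{
    $out = [];
    foreach (explode(',', $csv) as $item) {
        $ext = strtolower(trim($item, " \t\r\n."));
        if ($ext !== '') {
            $out[] = $ext;
        }
    }
    return array_values(array_unique($out));
}

/**
 * Decide whether an upload may be stored.
 * Returns the file name to store it under, or null to refuse.
 * The stored name is generated here, so nothing from the client-supplied
 * name except its allowlisted extension reaches the file system.
 */
function check_upload(bool $loggedIn, string $clientName, string $tmpPath): ?string
{
    // 1. Session check first: a failure stops processing, it is not just noted.
    if (!$loggedIn) {
        return null;
    }
    // 2. Extension allowlist, applied to the last extension of the client name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, parse_extension_list(ALLOWED_EXTENSIONS_CSV), true)) {
        return null;
    }
    // 3. Content check: the type detected from the bytes must be one allowed
    //    for this extension. The browser-supplied type is never consulted.
    //    In a real handler $tmpPath is $_FILES[...]['tmp_name'], confirmed with
    //    is_uploaded_file() and later moved with move_uploaded_file().
    if (!is_file($tmpPath)) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_FOR_EXTENSION[$ext] ?? [], true)) {
        return null;
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

/** Run the check over constructed sample uploads written to temporary files. */
function demo(): array
{
    $gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00";   // constructed minimal GIF header
    $php = "<?php echo 'hello';\n";                // constructed script body
    $samples = [
        // label => [logged in?, client file name, file contents]
        'gif, logged in'        => [true,  'diagram.gif', $gif],
        'gif, no session'       => [false, 'diagram.gif', $gif],
        'php script'            => [true,  'page.php',    $php],
        'script renamed to gif' => [true,  'page.gif',    $php],
        'no extension'          => [true,  'README',      "plain text\n"],
    ];
    $results = [];
    foreach ($samples as $label => [$loggedIn, $name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        $stored = check_upload($loggedIn, $name, $tmp);
        unlink($tmp);
        // One wording for every refusal, so the response does not reveal
        // which of the three checks turned the upload away.
        $results[$label] = $stored === null ? 'failed' : 'stored as ' . $stored;
    }
    return $results;
}

foreach (demo() as $label => $outcome) {
    echo str_pad($label, 24), $outcome, PHP_EOL;
}
```

These checks narrow what is accepted; keeping script execution disabled in the directory that receives uploads is still worthwhile alongside them.
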
From johnathan.kemp at ntlworld.com Sun Mar 10 17:10:25 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Sun, 10 Mar 2013 17:10:25 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D456@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <CABtG3=WQuEiHmJUfCPyxh-qz0gEaP4yfzug-xtAQ9bk5RrOL_A@mail.gmail.com>

It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page. This is in contrast to just having a generic link to the wiki home page.

Kind regards

Johnathan

On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:

> A wiki?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Julian Tenney
> *Sent:* Friday, March 08, 2013 1:48 PM
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>
> I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Kemp Johnathan
> *Sent:* 06 March 2013 18:57
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>
> I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.
>
> One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?
>
> I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.
>
> I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?
>
> I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(
>
> What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.
>
> JK
>
> On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just my personal preference.
> Static documents usually lead to version control nightmares.
> I still believe in the Java "write once, deliver everywhere" fantasy.
> ;-)
>
> ------------------------------
> Date: Wed, 6 Mar 2013 18:20:51 +0000
> From: johnathan.kemp at ntlworld.com
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Advantage of pdf?
>
> A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).
>
> My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.
>
> So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.
>
> I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that.
>
> Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.
>
> I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?
>
> The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.
>
> Just my take on things
>
> Johnathan
>
> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Advantage of pdf?
>
> I would bet we get a lot more contribution if it's dynamic.
> Maybe something editable in a Xerte app?
> Folks with svn access can edit?
>
> > From: J.J.Smith at gcu.ac.uk
> > To: xerte-dev at lists.nottingham.ac.uk
> > Date: Wed, 6 Mar 2013 12:09:21 +0000
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
> >
> > I'm having to do similar with the api...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> > Sent: Wednesday, March 06, 2013 11:05 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > It's not too much work to fall back to English if we need to,
> >
> > So have a help/<language code> for the help folder location like we have wizard/<language code> now.
> >
> > The thing I have against mod_rewrites is that it's webserver specific.
> >
> > So, now we only have to agree on the help file format. .pdf is fine with me...
> >
> > Tom
> >
> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
> >
> > > Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > > Sent: Wednesday, March 06, 2013 10:38 AM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?
> > >
> > > The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 06 March 2013 10:02
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > Hi Folks,
> > >
> > > What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.
> > >
> > > How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.
> > >
> > > By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.
> > >
> > > Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.
> > >
> > > This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > > Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 05 March 2013 17:53
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue.
> > >
> > > The "here is the help" text is the text contained in the info tag.
> > >
> > > If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.
> > >
> > > If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.
> > >
> > > If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed. You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.
> > >
> > > If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
> > > What version of desktop is required?
> > > The only language related object I have showing is "Show Language
> > > Options" in the bottom bar.
> > >
> > > (I do see "Here is the help" in blue near the bottom).
> > >
> > > ________________________________
> > > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > > From: johnathan.kemp at ntlworld.com
> > > To: xerte-dev at lists.nottingham.ac.uk
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > If you include the info tag in an xwd form it can result in the
> > > non-display of the last entries in the form.
> > >
> > > The info tag displays at the bottom of the form with a blank area of
> > > form above it where the missing fields and field labels should be
> > > displayed.
> > >
> > > If you move the mouse pointer over the blank area of the form then
> > > the mouse pointer will change indicating that the fields are there -
> > > you just can't see them.
> > >
> > > The easiest way to explain what is happening is for you to see it
> > > for yourself.
> > >
> > > I have attached a simple demo. The demo is a standard Xerte project
> > > (not a "Pages" type project - I have manually set up the xwd links
> > > for the pages) in which I have set up two copies of the Quiz page.
> > >
> > > 1. Open this project in Xerte
> > > 2. Double click on the Quiz page to open the xwd form
> > > 3. Click on the language tab to display the language fields
> > > 4. Scroll down the form - you will see the blank area where the
> > > hidden language fields should appear and the blue info comment at
> > > the bottom.
> > > 5. The language tag is not significant to this issue.
> > > 6. Double click on the Quiz2 page, you will see the same effect
> > > without the use of the language tag (I deleted them from this page's
> > > xwd file)
> > > I don't know if the cause is to do with layers or visibility
> > > settings. I don't know what happens when the info tag is actioned in
> > > the code.
> > >
> > > I hope this makes the effect clear (if not the cause :-( )
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > >
> > > What's the problem in a nutshell?
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 04 March 2013 22:18
> > > To: Xerte Developers Discussion List
> > > Subject: [Xerte-dev] use of info tag in xwd forms
> > >
> > > On the 4th December I posted to the developer list an issue with the
> > > xwd forms relating to the use of the "info" tag.
> > >
> > > The inclusion of an info tag in the xwd form can result in space
> > > being allocated above the info tag for the display of the last few
> > > properties in the xwd form definition, but the properties are not
> > > visible in the form. You can however confirm their "presence" as the
> > > mouse pointer responds to them if moved over the input fields.
> > >
> > > You can test this out in Xerte (or XOT) by creating a page using one
> > > of the Connector page types. The info tag has been used in these
> > > pages to link to a pdf help file that is hosted on the Xerte
> > > community web site, but the "language" flagged form properties are
> > > no longer all editable, due to the presence of the info tag.
> > >
> > > This is a pity as the info tag could be used to provide a link to an
> > > external document that gives the Author useful additional
> > > information to assist them in making the best use of that page type.
> > > e.g.
> > >
> > > * Information about what the page is designed to do
> > >
> > > * Instructions on what the properties in the form are to
> > > help in completing the form created by the xwd file;
> > >
> > > * examples of actual uses of that page type in real projects.
> > >
> > > * examples of combining this page type with other page types
> > > to achieve a particular pedagogical approach
> > >
> > > * guidance as to how accessible the page is with respect to
> > > particular types of user, or what features the page has as optional
> > > properties to provide additional accessibility
> > >
> > > However at present if the "info" tag is used then the ability to
> > > edit the language flagged elements of the page is compromised.
> > >
> > > Is this something that is intended to be addressed before the next
> > > release of Xerte / XOT?
> > >
> > > Sorry to be a nuisance, but it seems such a potentially useful
> > > feature it seems a shame not to be able to use it.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > _______________________________________________
> > > Xerte-dev mailing list
> > > Xerte-dev at lists.nottingham.ac.uk
> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> > >
> > > Glasgow Caledonian University is a registered Scottish charity,
> > > number SC021474
> > >
> > > Winner: Times Higher Education's Widening Participation Initiative
> > > of the Year 2009 and Herald Society's Education Initiative of the
> > > Year 2009.
> > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> > >
> > > Winner: Times Higher Education's Outstanding Support for Early
> > > Career Researchers of the Year 2010, GCU as a lead with Universities
> > > Scotland partners.
> > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> > >
> > > This message and any attachment are intended solely for the
> > > addressee and may contain confidential information. If you have
> > > received this message in error, please send it back to me, and
> > > immediately delete it. Please do not use, copy or disclose the
> > > information contained in this message or in any attachment. Any
> > > views or opinions expressed by the author of this email do not
> > > necessarily reflect the views of the University of Nottingham.
> > >
> > > This message has been checked for viruses but the contents of an attachment
> > > may still contain software viruses which could damage your computer system:
> > > you are advised to perform your own checks. Email communications with the
> > > University of Nottingham may be monitored as permitted by UK legislation.
> >
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130310/2fbfa6dd/attachment-0001.html>

From reijnders at tor.nl Sun Mar 10 17:47:08 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Sun, 10 Mar 2013 18:47:08 +0100
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <CABtG3=WQuEiHmJUfCPyxh-qz0gEaP4yfzug-xtAQ9bk5RrOL_A@mail.gmail.com>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk>
 <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <20130306120521.59815leiwct5zlyp@server.tor.nl>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl>
 <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com>
 <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl>
 <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4D64A463@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D456@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <CABtG3=WQuEiHmJUfCPyxh-qz0gEaP4yfzug-xtAQ9bk5RrOL_A@mail.gmail.com>
Message-ID: <513CC71C.1030300@tor.nl>

You can, that's no problem at all:
http://www.xerte.org.uk/wiki/index.php/Template_walkthrough

Tom

On 10-3-2013 18:10, Kemp Johnathan wrote:
> It would be nice if there was a way of accessing the wiki page about a
> specific Xerte / XOT page type, perhaps before having added that page
> type to your project. This could then help both with selecting the
> page type to use as well as assisting the author in the using of that
> page.
>
> This is in contrast to just having a generic link to the wiki home page.
>
> Kind regards
>
> Johnathan
>
> On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:
>
> A wiki...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Julian Tenney
> *Sent:* Friday, March 08, 2013 1:48 PM
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>
> I don't much like the idea of separate files (pdfs / docs etc) I
> think it would be better as a central resource on a web site,
> maybe the community site?
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Kemp Johnathan
> *Sent:* 06 March 2013 18:57
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>
> I suppose one alternative would be to set up a wiki, but I am not
> sure this is the best approach for help documents.
>
> One thought that has just sprung to mind - what about using an
> ebook editor? I know next to nothing about them but it would seem
> a possibly logical platform to publish to. I am not sure if this
> would be the right approach if we only want to create a set of
> individual files that are each a single publication?
>
> I did a quick google and found an open source wysiwyg editor
> called sigil. It looks quite powerful, but it appears designed to
> pull together large numbers of separate files into a single document.
>
> I don't know if there is anyone on the list who is familiar with
> this stuff and could pass a more informed opinion?
>
> I have to admit, the one thing that concerns me with using Open
> Office is that someone will go and open up the file in Word and
> bugger up its formatting :-(
>
> What concerns me about not using Open Office is the possible lack
> of a familiar, versatile, and easy to use interface for creating
> the documents.
>
> JK
>
> On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just my personal preference.
>
> Static documents usually lead to version control nightmares.
>
> I still believe in the Java "write once, deliver everywhere" fantasy.
>
> ;-)
>
> ------------------------------------------------------------------------
>
> Date: Wed, 6 Mar 2013 18:20:51 +0000
> From: johnathan.kemp at ntlworld.com
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Advantage of pdf?
>
> A single file that contains text and graphics and will maintain
> its format when printed out (some people still like to print
> things out).
>
> My approach so far has been to author the files in Open Office
> which will export to pdf. This provides a master file (the Open
> Office odt) file that is editable, and the pdf export of the odt
> file that can be published for Author usage.
>
> So whilst at present the file the Author uses is pdf, this is
> generated from a single, easily edited odt file. Open Office is
> free, open source, and available in many languages.
>
> I agree with the idea of allowing those with svn access to edit
> the help files. The current approach fully facilitates that.
>
> Folks with svn access can edit (or make a copy and translate) the
> odt file and then generate a new pdf file for publication.
>
> I am not sure of the benefit of trying to edit the help documents
> in a Xerte app. Why try to create a cut down word processor in
> Xerte, if there is already a fully featured one available for free?
>
> The only downside I see is that each help file consists of two
> files (rather than one) - the odt source file and the published
> public accessed pdf file. But this has upsides as well. The odt
> help file can be edited without affecting the published pdf file,
> which can be re-published once the editing / updating is completed.
>
> Just my take on things
>
> Johnathan
>
> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Advantage of pdf?
>
> I would bet we get a lot more contribution if it's dynamic.
>
> Maybe something editable in a Xerte app?
>
> Folks with svn access can edit?
>
> > From: J.J.Smith at gcu.ac.uk
> > To: xerte-dev at lists.nottingham.ac.uk
> > Date: Wed, 6 Mar 2013 12:09:21 +0000
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Sure Tom, I suppose an alternative would be to funnel everything
> > through help/index.php?language=XX&file=YYY and let it decide
> > which to serve up...
> >
> > I'm having to do similar with the api...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> > Sent: Wednesday, March 06, 2013 11:05 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > It's not too much work to fall back to English if we need to,
> >
> > So have a help/<language code> for the help folder location
> > like we have wizard/<language code> now.
> >
> > The thing I have against mod_rewrites is that it's webserver specific.
> >
> > So, now we only have to agree on the help file format. .pdf is fine with me...
> >
> > Tom
> >
> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
> >
> > > Why not just append the language code to the URL (new website) and mod
> > > rewrite the url. If there is a language file that matches send that,
> > > otherwise send the English one...
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > > Sent: Wednesday, March 06, 2013 10:38 AM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > What about languages? You might want help in several languages. But
> > > we can cope with multi lingual wizards, so why not multi lingual help?
> > >
> > > The form is a bit of a pain because now we have advanced / language
> > > options, redrawing the form is a bit of a pain, so thinking
> > > differently might be a good idea.
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 06 March 2013 10:02
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > Hi Folks,
> > >
> > > What I would like to be able to achieve is a means of providing a
> > > link to a pdf file that the author can access to provide additional
> > > information to support the use of the page type. My original need
> > > was to support the connector pages and the inventory page with more
> > > information about how the page worked and how, in the case of
> > > connector pages they could be used in conjunction with other pages.
> > > However the help file could provide other stuff such as examples of
> > > use or pedagogical information.
> > >
> > > How that link is made available to the author I don't have a strong
> > > view on. It just seemed that the <info> tag already provided the
> > > functionality (except for this frustrating glitch). If resolving the
> > > glitch was a simple matter then the <info> tag might be a convenient
> > > way of doing this without involving much time input. If however the
> > > glitch is difficult to pin down then a different approach might be
> > > appropriate.
> > >
> > > By putting the link in the xwd file it keeps everything about the
> > > page in one place. However it does have the disadvantage of making
> > > it difficult to change the location of the help files.
> > >
> > > Perhaps an approach that assumed the help file would use the same
> > > stem as the model file but have a pdf extension (e.g.
quiz.rlm and > > > quiz.pdf), would allow a Xerte or XOT project to define a single > > > folder location for all the help files. The specific help file > for a > > > page type would then be accessed by combining the single folder > > > address with the model name and a pdf extension. > > > > > > This would allow help files to be either located on a remote > server > > > or on a local server, or even in a desktop Xerte installation > folder > > > e.g. Xerte\pages\help\. It would also make it easier to change the > > > locations of the help files as there would be only one path to > change. > > > > > > Kind regards > > > > > > Johnathan > > > > > > On 6 March 2013 07:50, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk><mailto:Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk>>> > > > wrote: > > > Maybe we should tackle this differently: rather than trying to > > > display the <info> on the form, why not pop it up in a message or > > > show it somewhere else? > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>>] On Behalf Of Kemp > > > Johnathan > > > Sent: 05 March 2013 17:53 > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > The most recent version of the desktop would ensure you have the > > > latest version of wizard.swf, but if you can see the Show Language > > > Options I think that should be enough to demonstrate the issue. > > > > > > The "here is the help" text is the text contained in the info tag. 
> > > > > > If you click in the Show Language Options check box you will see > > > that some additional fields are displayed in the form but that > there > > > is an expanse of blank grey form before the "here is the help" > text > > > is displayed. > > > > > > If you mouse over the grey area above the "here is the help" text > > > you will see the mouse pointer change as it hovers over where the > > > text entry boxes for the hidden language options are positioned. > > > > > > If you click on the Quiz2 page to open its xwd form the effect is > > > clear as none of the fields are flagged as language options so as > > > soon as the form opens you see that the display of labels and > fields > > > ends abruptly and then there is again the grey expanse of > blank form > > > before the "here is the help" text is displayed. You have noticed, > > > in your second post that the entry below "single answer wrong" is > > > cut short vertically. There are also more fields below this which > > > are not displaying at all. > > > > > > If you edit the quiz.xwd file in the page002 folder to remove the > > > "info" tag then all the fields defined in the form are displayed > > > correctly. So it is the "info" tag that is causing the display > issue. > > > > > > Kind regards > > > > > > Johnathan > > > > > > On 5 March 2013 10:43, Dave Burnett > > > <d_b_burnett at hotmail.com > <mailto:d_b_burnett at hotmail.com><mailto:d_b_burnett at hotmail.com > <mailto:d_b_burnett at hotmail.com>>> wrote: > > > What version of desktop is required? > > > The only language related object I have showing is "Show Language > > > Options" in the bottom bar. > > > > > > (I do see "Here is the help" in blue near the bottom). 
> > > > > > > > > ________________________________ > > > Date: Tue, 5 Mar 2013 10:23:23 +0000 > > > From: johnathan.kemp at ntlworld.com > <mailto:johnathan.kemp at ntlworld.com><mailto:johnathan.kemp at ntlworld.com > <mailto:johnathan.kemp at ntlworld.com>> > > > To: xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk><mailto:xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk>> > > > Subject: [Xerte-dev] Re: use of info tag in xwd forms > > > > > > If you include the info tag in an xwd form it can result in > the none > > > display of the last entries in the form. > > > > > > The info tag displays at the bottom of the form with a blank > area of > > > form above it where the missing fields and field labels should be > > > displayed. > > > > > > If you move the mouse pointer over the blank area of the form then > > > the mouse pointer will change indicating that the fields are > there - > > > you just can't see them. > > > > > > The easiest way to explain what is happening is for you to see it > > > for yourself. > > > > > > I have attached a simple demo. The demo is a standard Xerte > project > > > (not a "Pages" type project - I have manually set up the xwd links > > > for the pages) in which I have set up two copies of the Quiz page. > > > > > > 1. Open this project in Xerte > > > 2. Double click on the Quiz page to open the xwd form > > > 3. Click on the language tab to display the language fields > > > 4. Scroll down the form - you will see the blank area where the > > > hidden language fields should appear and the blue info comment at > > > the bottom. > > > 5. The language tag is not significant to this issue. > > > 6. Double click on the Quiz2 page, you will see the same effect > > > without the use of the language tag (I deleted them from this > pages > > > xwd file) > > > I don't know if the cause is to do with layers or visibility > > > settings. 
I don't know what happens when the info tag is > actioned in > > > the code. > > > > > > I hope this makes the effect clear (if not the cause :-( ) > > > > > > Kind regards > > > > > > Johnathan > > > > > > > > > > > > On 5 March 2013 09:40, Julian Tenney > > > <Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk><mailto:Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk>>> > > > wrote: > > > > > > What's the problem in a nutshell? > > > > > > > > > > > > From: > > > xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>>] On Behalf Of Kemp > > > Johnathan > > > Sent: 04 March 2013 22:18 > > > To: Xerte Developers Discussion List > > > Subject: [Xerte-dev] use of info tag in xwd forms > > > > > > > > > > > > On the 4th December I posted to the developer list an issue > with the > > > xwd forms relating to the use of the "info" tag. > > > > > > > > > > > > The inclusion of an info tag in the xwd form can result in space > > > being allocated above the info tag for the display of the last few > > > properties in the xwd form definition, but the properties are not > > > visible in the form. You can however confirm their "presence" > as the > > > mouse pointer responds to them if moved over the input fields. > > > > > > > > > > > > You can test this out in Xerte (or XOT) by creating a page > using one > > > of the Connector page types. 
The info tag has been used in these > > > pages to link to a pdf help file that is hosted on the Xerte > > > community web site, but the "language" flagged form properties are > > > no longer all editable, due to the presence of the info tag. > > > > > > > > > > > > This is a pity as the info tag could be used to provide a link > to an > > > external document that gives the Author useful additional > > > information to assist them in making the best use of that page > type. > > > e.g. > > > > > > * Information about what the page is designed to do > > > > > > * Instructions on what the properties in the form are to > > > help in completing the form created by the xwd file; > > > > > > * examples of actual uses of that page type in real projects. > > > > > > * examples of combining this page type with other page types > > > to achieve a particular pedagogical approach > > > > > > * guidance as to how accessible the page is with respect to > > > particular types of user, or what features the page has as > optional > > > properties to provide additional accessibility > > > > > > However at present if the "info" tag is used then the ability to > > > edit the language flagged elements of the page is compromised. > > > > > > > > > > > > Is this something that is intended to be addressed before the next > > > release of Xerte / XOT? > > > > > > > > > > > > Sorry to be a nuisance, but it seems such a potentially useful > > > feature it seems a shame not to be able to use it. 
> > >
> > > Kind regards
> > >
> > > Johnathan

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130310/4656db73/attachment-0001.html>

From johnathan.kemp at ntlworld.com Sun Mar 10 19:46:47 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Sun, 10 Mar 2013 19:46:47 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <513CC71C.1030300@tor.nl>
References: <CABtG3=WCoocObQt4jqO29uHgzQS=BFz_9R4pHYTf46ohWktOQQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4CE58138@EXCHANGE1.ad.nottingham.ac.uk> <CABtG3=V5450hnHb0BGXeJWb+zfcNX2oSZeRDpBdmk6TiBpj7QQ@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D649813@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2B9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <20130306120521.59815leiwct5zlyp@server.tor.nl> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D2D2@ITSEMBXCLUS.enterprise.gcal.ac.uk> <BLU153-W9A990EF26D2C7CA920D1AA7E40@phx.gbl> <CABtG3=UW=zY=TWtL4apF0ttMsUHp-L8bqqFWrShBCt0O9cBP_Q@mail.gmail.com> <BLU153-W13FAFF7ADE5D1BAF6C234DA7E40@phx.gbl> <CABtG3=UCuq3i_sBMA1cMRYqNS5ssLPjJw1TKjj3__Pa8A1xH5Q@mail.gmail.com> <12C67A1EEC419342AF5E59DA31562C3F0C4D64A463@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D456@ITSEMBXCLUS.enterprise.gcal.ac.uk> <CABtG3=WQuEiHmJUfCPyxh-qz0gEaP4yfzug-xtAQ9bk5RrOL_A@mail.gmail.com>
 <513CC71C.1030300@tor.nl>
Message-ID: <CABtG3=V3oNRwbqqq=yOk7fn2S8fEj5EcE-ap6K26vUJYMsfR9Q@mail.gmail.com>

What I was thinking requires two things to be available

1. A url within the wiki that takes you to a specific page (which appears possible from the link you have provided)
2. A means in Xerte / XOT to link to that specific page (e.g. in the way I was using the info tag to link to a specific page)

There are two issues at present with using the info tag
a) It can result in some of the xwd fields failing to be displayed
b) It is only available to the Author after they have added the page type, since the link is from the xwd form.

I was thinking that as the wiki expands any contents page that listed all the pages could get very long. So for an author a way of going directly from Xerte / XOT to a specific page type's wiki entry could be very user friendly and helpful.

At present I think we may have a generic help link that could take you to the wiki home page, or we can use the info tag with its current drawbacks.

Kind regards

Johnathan

On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:

> You can, that's no problem at all:
>
> http://www.xerte.org.uk/wiki/index.php/Template_walkthrough
>
> Tom
>
> On 10-3-2013 18:10, Kemp Johnathan wrote:
>
> It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page.
>
> This is in contrast to just having a generic link to the wiki home page.
>
> Kind regards
>
> Johnathan
>
> On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:
>
>> A wiki?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Julian Tenney
>> *Sent:* Friday, March 08, 2013 1:48 PM
>> *To:* For Xerte technical developers
>> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>>
>> I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?
>>
>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<xerte-dev-bounces at lists.nottingham.ac.uk>] *On Behalf Of *Kemp Johnathan
>> *Sent:* 06 March 2013 18:57
>> *To:* For Xerte technical developers
>> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>>
>> I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.
>>
>> One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?
>>
>> I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.
>>
>> I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?
>>
>> I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(
>>
>> What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.
>>
>> JK
>>
>> On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>>
>> Just my personal preference.
>>
>> Static documents usually lead to version control nightmares.
>>
>> I still believe in the Java "write once, deliver everywhere" fantasy.
>>
>> ;-)
>>
>> ------------------------------
>>
>> Date: Wed, 6 Mar 2013 18:20:51 +0000
>> From: johnathan.kemp at ntlworld.com
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>
>> Advantage of pdf?
>>
>> A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).
>>
>> My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.
>>
>> So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.
>>
>> I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that.
>>
>> Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.
>>
>> I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?
>>
>> The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.
>>
>> Just my take on things
>>
>> Johnathan
>>
>> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>>
>> Advantage of pdf?
>>
>> I would bet we get a lot more contribution if it's dynamic.
>>
>> Maybe something editable in a Xerte app?
>>
>> Folks with svn access can edit?
>>
>> > From: J.J.Smith at gcu.ac.uk
>> > To: xerte-dev at lists.nottingham.ac.uk
>> > Date: Wed, 6 Mar 2013 12:09:21 +0000
>> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> >
>> > Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>> >
>> > I'm having to do similar with the api...
>> >
>> > Regards,
>> >
>> > John Smith
>> > Learning Technologist
>> > School of Health & Life Sciences
>> > Glasgow Caledonian University
>> >
>> > -----Original Message-----
>> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> > Sent: Wednesday, March 06, 2013 11:05 AM
>> > To: For Xerte technical developers
>> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> >
>> > It's not too much work to fall back to English if we need to,
>> >
>> > So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>> >
>> > The thing I have against mod_rewrites is that it's webserver specific.
>> >
>> > So, now we only have to agree on the help file format. .pdf is fine with me...
>> >
>> > Tom
>> >
>> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>> >
>> > > Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...
>> > >
>> > > Regards,
>> > >
>> > > John Smith
>> > > Learning Technologist
>> > > School of Health & Life Sciences
>> > > Glasgow Caledonian University
>> > >
>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> > > Sent: Wednesday, March 06, 2013 10:38 AM
>> > > To: For Xerte technical developers
>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> > >
>> > > What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?
>> > >
>> > > The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.
>> > >
>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
>> > > Sent: 06 March 2013 10:02
>> > > To: For Xerte technical developers
>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> > >
>> > > Hi Folks,
>> > >
>> > > What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages.
>> > > However the help file could provide other stuff such as examples of use or pedagogical information.
>> > >
>> > > How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.
>> > >
>> > > By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.
>> > >
>> > > Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.
>> > >
>> > > This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.
>> > >
>> > > Kind regards
>> > >
>> > > Johnathan
>> > >
>> > > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
>> > > Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?
>> > >
>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp Johnathan
>> > > Sent: 05 March 2013 17:53
>> > > To: For Xerte technical developers
>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> > >
>> > > The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue.
>> > >
>> > > The "here is the help" text is the text contained in the info tag.
>> > >
>> > > If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.
>> > >
>> > > If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.
>> > >
>> > > If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed. You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.
>> > >
>> > > If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.
>> > >
>> > > Kind regards
>> > >
>> > > Johnathan
>> > >
>> > > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com<mailto:d_b_burnett at hotmail.com>> wrote:
>> > > What version of desktop is required?
>> > > The only language related object I have showing is "Show Language Options" in the bottom bar.
>> > >
>> > > (I do see "Here is the help" in blue near the bottom).
>> > >
>> > > ________________________________
>> > > Date: Tue, 5 Mar 2013 10:23:23 +0000
>> > > From: johnathan.kemp at ntlworld.com<mailto:johnathan.kemp at ntlworld.com>
>> > > To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk>
>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>> > >
>> > > If you include the info tag in an xwd form it can result in the non-display of the last entries in the form.
>> > >
>> > > The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed.
>> > >
>> > > If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them.
>> > >
>> > > The easiest way to explain what is happening is for you to see it for yourself.
>> > >
>> > > I have attached a simple demo. The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page.
>> > >
>> > > 1. Open this project in Xerte
>> > > 2. Double click on the Quiz page to open the xwd form
>> > > 3. Click on the language tab to display the language fields
>> > > 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom.
>> > > 5. The language tag is not significant to this issue.
>> > > 6. Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file)
>> > >
>> > > I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code.
>> > >
>> > > I hope this makes the effect clear (if not the cause :-( )
>> > >
>> > > Kind regards
>> > >
>> > > Johnathan
>> > >
>> > > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
>> > >
>> > > What's the problem in a nutshell?
>> > >
>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of Kemp Johnathan
>> > > Sent: 04 March 2013 22:18
>> > > To: Xerte Developers Discussion List
>> > > Subject: [Xerte-dev] use of info tag in xwd forms
>> > >
>> > > On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag.
>> > >
>> > > The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields.
>> > >
>> > > You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
>> > >
>> > > This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g.
>> > >
>> > > * Information about what the page is designed to do
>> > > * Instructions on what the properties in the form are to help in completing the form created by the xwd file;
>> > > * examples of actual uses of that page type in real projects.
>> > > * examples of combining this page type with other page types to achieve a particular pedagogical approach
>> > > * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility
>> > >
>> > > However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised.
>> > >
>> > > Is this something that is intended to be addressed before the next release of Xerte / XOT?
>> > >
>> > > Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it.
>> > >
>> > > Kind regards
>> > >
>> > > Johnathan
>> >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html >> >> >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> > > > _______________________________________________ > Xerte-dev mailing listXerte-dev at lists.nottingham.ac.ukhttp://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130310/f38f8b16/attachment-0001.html> From reijnders at tor.nl Sun Mar 10 19:55:19 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Sun, 10 Mar 2013 20:55:19 +0100 Subject: [Xerte-dev] Re: use of info tag in xwd forms In-Reply-To: <CABtG3=V3oNRwbqqq=yOk7fn2S8fEj5EcE-ap6K26vUJYMsfR9Q@mail.gmail.com> References: <CABtG3=V3oNRwbqqq=yOk7fn2S8fEj5EcE-ap6K26vUJYMsfR9Q@mail.gmail.com> Message-ID: <671bff9c-7f8a-4590-acfc-59c514b9483e@email.android.com> We could use the info tag to provide a one line help, including a link to a wiki page AND we could provide for the same link to the wiki page from the thumbnail area. We could even automate it. We have a fixed wiki. (Community website), and a fixed link (page name). Tom Kemp Johnathan <johnathan.kemp at ntlworld.com> schreef: >What I was thinking requires to things to be available > >1. A url within the wiki that takes you to a specific page (which >appears >possible from the link you have provided) >2. A means in Xerte / XOT to link to that specific page (e.g. 
> in the way I was using the info tag to link to a specific page)
>
> There are two issues at present with using the info tag
> a) It can result in some of the xwd fields failing to be displayed
> b) It is only available to the Author after they have added the page type, since the link is from the xwd form.
>
> I was thinking that as the wiki expands any contents page that listed all the pages could get very long. So for an author a way of going directly from Xerte / XOT to a specific page type's wiki entry could be very user friendly and helpful.
>
> At present I think we may have a generic help link that could take you to the wiki home page, or we can use the info tag with its current drawbacks.
>
> Kind regards
>
> Johnathan
>
> On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:
>
>> You can, that's no problem at all:
>>
>> http://www.xerte.org.uk/wiki/index.php/Template_walkthrough
>>
>> Tom
>>
>> On 10-3-2013 18:10, Kemp Johnathan wrote:
>>
>> It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page.
>>
>> This is in contrast to just having a generic link to the wiki home page.
>>
>> Kind regards
>>
>> Johnathan
>>
>> On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:
>>
>>> A wiki?
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk *On Behalf Of* Julian Tenney
>>> *Sent:* Friday, March 08, 2013 1:48 PM
>>> *To:* For Xerte technical developers
>>> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>>>
>>> I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?
>>>
>>> *From:* xerte-dev-bounces at lists.nottingham.ac.uk *On Behalf Of* Kemp Johnathan
>>> *Sent:* 06 March 2013 18:57
>>> *To:* For Xerte technical developers
>>> *Subject:* [Xerte-dev] Re: use of info tag in xwd forms
>>>
>>> I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.
>>>
>>> One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?
>>>
>>> I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.
>>>
>>> I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?
>>>
>>> I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(
>>>
>>> What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.
>>>
>>> JK
>>>
>>> On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>>>
>>> Just my personal preference.
>>> Static documents usually lead to version control nightmares.
>>> I still believe in the Java "write once, deliver everywhere" fantasy.
>>> ;-)
>>>
>>> ------------------------------
>>> Date: Wed, 6 Mar 2013 18:20:51 +0000
>>> From: johnathan.kemp at ntlworld.com
>>> To: xerte-dev at lists.nottingham.ac.uk
>>> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>>
>>> Advantage of pdf?
>>>
>>> A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).
>>>
>>> My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.
>>>
>>> So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.
>>>
>>> I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that.
>>> Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.
>>>
>>> I am not sure of the benefit of trying to edit the help documents in a Xerte app.
>>> Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?
>>>
>>> The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.
>>>
>>> Just my take on things
>>>
>>> Johnathan
>>>
>>> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>>>
>>> Advantage of pdf?
>>>
>>> I would bet we get a lot more contribution if it's dynamic.
>>> Maybe something editable in a Xerte app?
>>> Folks with svn access can edit?
>>>
>>> > From: J.J.Smith at gcu.ac.uk
>>> > To: xerte-dev at lists.nottingham.ac.uk
>>> > Date: Wed, 6 Mar 2013 12:09:21 +0000
>>> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> >
>>> > Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>>> >
>>> > I'm having to do similar with the api...
>>> >
>>> > Regards,
>>> >
>>> > John Smith
>>> > Learning Technologist
>>> > School of Health & Life Sciences
>>> > Glasgow Caledonian University
>>> >
>>> > -----Original Message-----
>>> > From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Tom Reijnders
>>> > Sent: Wednesday, March 06, 2013 11:05 AM
>>> > To: For Xerte technical developers
>>> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> >
>>> > It's not too much work to fall back to English if we need to,
>>> >
>>> > So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>>> >
>>> > The thing I have against mod_rewrites is that it's webserver specific.
>>> >
>>> > So, now we only have to agree on the help file format. .pdf is fine with me...
>>> >
>>> > Tom
>>> >
>>> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>>> >
>>> > > Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...
>>> > >
>>> > > Regards,
>>> > >
>>> > > John Smith
>>> > > Learning Technologist
>>> > > School of Health & Life Sciences
>>> > > Glasgow Caledonian University
>>> > >
>>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
>>> > > Sent: Wednesday, March 06, 2013 10:38 AM
>>> > > To: For Xerte technical developers
>>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> > >
>>> > > What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?
>>> > >
>>> > > The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.
>>> > >
>>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Kemp Johnathan
>>> > > Sent: 06 March 2013 10:02
>>> > > To: For Xerte technical developers
>>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> > >
>>> > > Hi Folks,
>>> > >
>>> > > What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type.
>>> > > My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.
>>> > >
>>> > > How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.
>>> > >
>>> > > By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.
>>> > >
>>> > > Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.
>>> > >
>>> > > This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.
>>> > >
>>> > > Kind regards
>>> > >
>>> > > Johnathan
>>> > >
>>> > > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>> > > Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?
>>> > >
>>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Kemp Johnathan
>>> > > Sent: 05 March 2013 17:53
>>> > > To: For Xerte technical developers
>>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> > >
>>> > > The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue.
>>> > >
>>> > > The "here is the help" text is the text contained in the info tag.
>>> > >
>>> > > If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.
>>> > >
>>> > > If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.
>>> > >
>>> > > If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed.
>>> > > You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.
>>> > >
>>> > > If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.
>>> > >
>>> > > Kind regards
>>> > >
>>> > > Johnathan
>>> > >
>>> > > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>>> > > What version of desktop is required?
>>> > > The only language related object I have showing is "Show Language Options" in the bottom bar.
>>> > >
>>> > > (I do see "Here is the help" in blue near the bottom).
>>> > >
>>> > > ________________________________
>>> > > Date: Tue, 5 Mar 2013 10:23:23 +0000
>>> > > From: johnathan.kemp at ntlworld.com
>>> > > To: xerte-dev at lists.nottingham.ac.uk
>>> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
>>> > >
>>> > > If you include the info tag in an xwd form it can result in the non-display of the last entries in the form.
>>> > >
>>> > > The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed.
>>> > >
>>> > > If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them.
>>> > >
>>> > > The easiest way to explain what is happening is for you to see it for yourself.
>>> > >
>>> > > I have attached a simple demo.
>>> > > The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page.
>>> > >
>>> > > 1. Open this project in Xerte
>>> > > 2. Double click on the Quiz page to open the xwd form
>>> > > 3. Click on the language tab to display the language fields
>>> > > 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom.
>>> > > 5. The language tag is not significant to this issue.
>>> > > 6. Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file)
>>> > >
>>> > > I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code.
>>> > >
>>> > > I hope this makes the effect clear (if not the cause :-( )
>>> > >
>>> > > Kind regards
>>> > >
>>> > > Johnathan
>>> > >
>>> > > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>> > >
>>> > > What's the problem in a nutshell?
>>> > >
>>> > > From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Kemp Johnathan
>>> > > Sent: 04 March 2013 22:18
>>> > > To: Xerte Developers Discussion List
>>> > > Subject: [Xerte-dev] use of info tag in xwd forms
>>> > >
>>> > > On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag.
>>> > >
>>> > > The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form. You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields.
>>> > >
>>> > > You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
>>> > >
>>> > > This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g.
>>> > >
>>> > > * Information about what the page is designed to do
>>> > > * Instructions on what the properties in the form are to help in completing the form created by the xwd file;
>>> > > * examples of actual uses of that page type in real projects.
>>> > > * examples of combining this page type with other page types to achieve a particular pedagogical approach
>>> > > * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility
>>> > >
>>> > > However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised.
>>> > >
>>> > > Is this something that is intended to be addressed before the next release of Xerte / XOT?
>>> > >
>>> > > Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it.
>>> > >
>>> > > Kind regards
>>> > >
>>> > > Johnathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130310/624fe7cb/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Sun Mar 10 20:19:51 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Sun, 10 Mar 2013 20:19:51 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
Message-ID: <rt6oy559dl0ww5nuk5h6a9m6.1362946603096@email.android.com>

How about just an icon (?) in the menu, after the name... Click on it and it ajaxes some help in a js popover.

The menu xml could then just have a new field added (help_url) for example... If it's present add the (?) icon, if it's not don't...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Tom Reijnders <reijnders at tor.nl> wrote:

We could use the info tag to provide a one line help, including a link to a wiki page AND we could provide for the same link to the wiki page from the thumbnail area.

We could even automate it. We have a fixed wiki (community website), and a fixed link (page name).

Tom

Kemp Johnathan <johnathan.kemp at ntlworld.com> wrote:

What I was thinking requires two things to be available

1. A url within the wiki that takes you to a specific page (which appears possible from the link you have provided)
2. A means in Xerte / XOT to link to that specific page (e.g. in the way I was using the info tag to link to a specific page)

There are two issues at present with using the info tag
a) It can result in some of the xwd fields failing to be displayed
b) It is only available to the Author after they have added the page type, since the link is from the xwd form.

I was thinking that as the wiki expands any contents page that listed all the pages could get very long. So for an author a way of going directly from Xerte / XOT to a specific page type's wiki entry could be very user friendly and helpful.

At present I think we may have a generic help link that could take you to the wiki home page, or we can use the info tag with its current drawbacks.

Kind regards

Johnathan

On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:

You can, that's no problem at all:

http://www.xerte.org.uk/wiki/index.php/Template_walkthrough

Tom

On 10-3-2013 18:10, Kemp Johnathan wrote:

It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page.

This is in contrast to just having a generic link to the wiki home page.

Kind regards

Johnathan

On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:

A wiki?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?

From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.

I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference.
Static documents usually lead to version control nightmares.
I still believe in the Java "write once, deliver everywhere" fantasy.
;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf?

A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.

So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that.
Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?

The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.

Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf?

I would bet we get a lot more contribution if it's dynamic.
Maybe something editable in a Xerte app?
Folks with svn access can edit?
> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong view on.
> > It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.
> >
> > This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the latest version of wizard.swf, but if you can see the Show Language Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see that some additional fields are displayed in the form but that there is an expanse of blank grey form before the "here is the help" text is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text you will see the mouse pointer change as it hovers over where the text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is clear as none of the fields are flagged as language options so as soon as the form opens you see that the display of labels and fields ends abruptly and then there is again the grey expanse of blank form before the "here is the help" text is displayed. You have noticed, in your second post that the entry below "single answer wrong" is cut short vertically. There are also more fields below this which are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the "info" tag then all the fields defined in the form are displayed correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the non-display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of form above it where the missing fields and field labels should be displayed.
> >
> > If you move the mouse pointer over the blank area of the form then the mouse pointer will change indicating that the fields are there - you just can't see them.
> >
> > The easiest way to explain what is happening is for you to see it for yourself.
> >
> > I have attached a simple demo. The demo is a standard Xerte project (not a "Pages" type project - I have manually set up the xwd links for the pages) in which I have set up two copies of the Quiz page.
> >
> > 1. Open this project in Xerte
> > 2. Double click on the Quiz page to open the xwd form
> > 3. Click on the language tab to display the language fields
> > 4. Scroll down the form - you will see the blank area where the hidden language fields should appear and the blue info comment at the bottom.
> > 5. The language tag is not significant to this issue.
> > 6. Double click on the Quiz2 page, you will see the same effect without the use of the language tag (I deleted them from this page's xwd file)
> >
> > I don't know if the cause is to do with layers or visibility settings. I don't know what happens when the info tag is actioned in the code.
> >
> > I hope this makes the effect clear (if not the cause :-( )
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> >
> > What's the problem in a nutshell?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 04 March 2013 22:18
> > To: Xerte Developers Discussion List
> > Subject: [Xerte-dev] use of info tag in xwd forms
> >
> > On the 4th December I posted to the developer list an issue with the xwd forms relating to the use of the "info" tag.
> >
> > The inclusion of an info tag in the xwd form can result in space being allocated above the info tag for the display of the last few properties in the xwd form definition, but the properties are not visible in the form.
> > You can however confirm their "presence" as the mouse pointer responds to them if moved over the input fields.
> >
> > You can test this out in Xerte (or XOT) by creating a page using one of the Connector page types. The info tag has been used in these pages to link to a pdf help file that is hosted on the Xerte community web site, but the "language" flagged form properties are no longer all editable, due to the presence of the info tag.
> >
> > This is a pity as the info tag could be used to provide a link to an external document that gives the Author useful additional information to assist them in making the best use of that page type. e.g.
> >
> > * Information about what the page is designed to do
> > * Instructions on what the properties in the form are to help in completing the form created by the xwd file;
> > * examples of actual uses of that page type in real projects.
> > * examples of combining this page type with other page types to achieve a particular pedagogical approach
> > * guidance as to how accessible the page is with respect to particular types of user, or what features the page has as optional properties to provide additional accessibility
> >
> > However at present if the "info" tag is used then the ability to edit the language flagged elements of the page is compromised.
> >
> > Is this something that is intended to be addressed before the next release of Xerte / XOT?
> >
> > Sorry to be a nuisance, but it seems such a potentially useful feature it seems a shame not to be able to use it.
> >
> > Kind regards
> >
> > Johnathan

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From Julian.Tenney at nottingham.ac.uk Mon Mar 11 09:28:32 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 09:28:32 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <rt6oy559dl0ww5nuk5h6a9m6.1362946603096@email.android.com>
References: <rt6oy559dl0ww5nuk5h6a9m6.1362946603096@email.android.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69911@EXCHANGE1.ad.nottingham.ac.uk>

I'm going to do something like this: pop the help up in a window somewhere. I think it's better that the help stays in the xwd, then it can be translated etc,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 10 March 2013 20:20
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

How about just an icon (?) in the menu, after the name... Click on it and it ajaxes some help in a js popover.

The menu xml could then just have a new field added (help_url) for example... If it's present add the (?) icon, if it's not don't...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Tom Reijnders <reijnders at tor.nl> wrote:

We could use the info tag to provide a one line help, including a link to a wiki page AND we could provide for the same link to the wiki page from the thumbnail area. We could even automate it. We have a fixed wiki. (Community website), and a fixed link (page name).

Tom

Kemp Johnathan <johnathan.kemp at ntlworld.com> wrote:

What I was thinking requires two things to be available

1. A url within the wiki that takes you to a specific page (which appears possible from the link you have provided)
2. A means in Xerte / XOT to link to that specific page (e.g. in the way I was using the info tag to link to a specific page)

There are two issues at present with using the info tag

a) It can result in some of the xwd fields failing to be displayed
b) It is only available to the Author after they have added the page type, since the link is from the xwd form.

I was thinking that as the wiki expands any contents page that listed all the pages could get very long. So for an author a way of going directly from Xerte / XOT to a specific page type's wiki entry could be very user friendly and helpful.

At present I think we may have a generic help link that could take you to the wiki home page, or we can use the info tag with its current drawbacks.

Kind regards

Johnathan

On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:

You can, that's no problem at all:

http://www.xerte.org.uk/wiki/index.php/Template_walkthrough

Tom

On 10-3-2013 18:10, Kemp Johnathan wrote:

It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page. This is in contrast to just having a generic link to the wiki home page.

Kind regards

Johnathan

On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:

A wiki?
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I don't much like the idea of separate files (pdfs / docs etc) I think it would be better as a central resource on a web site, maybe the community site?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document.

I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?

I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.
JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference. Static documents usually lead to version control nightmares. I still believe in the Java "write once, deliver everywhere" fantasy. ;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf?

A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage. So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?

The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.
Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf? I would bet we get a lot more contribution if it's dynamic. Maybe something editable in a Xerte app? Folks with svn access can edit?

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and mod rewrite the url. If there is a language file that matches send that, otherwise send the English one...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language options, redrawing the form is a bit of a pain, so thinking differently might be a good idea.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a link to a pdf file that the author can access to provide additional information to support the use of the page type. My original need was to support the connector pages and the inventory page with more information about how the page worked and how, in the case of connector pages they could be used in conjunction with other pages. However the help file could provide other stuff such as examples of use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong view on. It just seemed that the <info> tag already provided the functionality (except for this frustrating glitch). If resolving the glitch was a simple matter then the <info> tag might be a convenient way of doing this without involving much time input. If however the glitch is difficult to pin down then a different approach might be appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the page in one place. However it does have the disadvantage of making it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same stem as the model file but have a pdf extension (e.g. quiz.rlm and quiz.pdf), would allow a Xerte or XOT project to define a single folder location for all the help files. The specific help file for a page type would then be accessed by combining the single folder address with the model name and a pdf extension.
> >
> > This would allow help files to be either located on a remote server or on a local server, or even in a desktop Xerte installation folder e.g. Xerte\pages\help\. It would also make it easier to change the locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > Maybe we should tackle this differently: rather than trying to display the <info> on the form, why not pop it up in a message or show it somewhere else?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the
> > latest version of wizard.swf, but if you can see the Show Language
> > Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see
> > that some additional fields are displayed in the form but that there
> > is an expanse of blank grey form before the "here is the help" text
> > is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text
> > you will see the mouse pointer change as it hovers over where the
> > text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is
> > clear as none of the fields are flagged as language options so as
> > soon as the form opens you see that the display of labels and fields
> > ends abruptly and then there is again the grey expanse of blank form
> > before the "here is the help" text is displayed. You have noticed,
> > in your second post that the entry below "single answer wrong" is
> > cut short vertically. There are also more fields below this which
> > are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the
> > "info" tag then all the fields defined in the form are displayed
> > correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language
> > Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the
> > non-display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of
> > form above it where the missing fields and field labels should be
> > displayed.
> >
> > If you move the mouse pointer over the blank area of the form then
> > the mouse pointer will change indicating that the fields are there -
> > you just can't see them.
> >
> > The easiest way to explain what is happening is for you to see it
> > for yourself.
> >
> > I have attached a simple demo. The demo is a standard Xerte project
> > (not a "Pages" type project - I have manually set up the xwd links
> > for the pages) in which I have set up two copies of the Quiz page.
> >
> > 1. Open this project in Xerte
> > 2. Double click on the Quiz page to open the xwd form
> > 3. Click on the language tab to display the language fields
> > 4. Scroll down the form - you will see the blank area where the
> > hidden language fields should appear and the blue info comment at
> > the bottom.
> > 5. The language tag is not significant to this issue.
> > 6. Double click on the Quiz2 page, you will see the same effect
> > without the use of the language tag (I deleted them from this page's
> > xwd file)
> >
> > I don't know if the cause is to do with layers or
> > visibility settings. I don't know what happens when the info tag is
> > actioned in the code.
> >
> > I hope this makes the effect clear (if not the cause :-( )
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 09:40, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> >
> > What's the problem in a nutshell?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 04 March 2013 22:18
> > To: Xerte Developers Discussion List
> > Subject: [Xerte-dev] use of info tag in xwd forms
> >
> > On the 4th December I posted to the developer list an issue with the
> > xwd forms relating to the use of the "info" tag.
> >
> > The inclusion of an info tag in the xwd form can result in space
> > being allocated above the info tag for the display of the last few
> > properties in the xwd form definition, but the properties are not
> > visible in the form. You can however confirm their "presence" as the
> > mouse pointer responds to them if moved over the input fields.
> >
> > You can test this out in Xerte (or XOT) by creating a page using one
> > of the Connector page types. The info tag has been used in these
> > pages to link to a pdf help file that is hosted on the Xerte
> > community web site, but the "language" flagged form properties are
> > no longer all editable, due to the presence of the info tag.
> >
> > This is a pity as the info tag could be used to provide a link to an
> > external document that gives the Author useful additional
> > information to assist them in making the best use of that page type.
> > e.g.
> >
> > * Information about what the page is designed to do
> >
> > * Instructions on what the properties in the form are to help in
> > completing the form created by the xwd file;
> >
> > * examples of actual uses of that page type in real projects.
> >
> > * examples of combining this page type with other page types to
> > achieve a particular pedagogical approach
> >
> > * guidance as to how accessible the page is with respect to
> > particular types of user, or what features the page has as optional
> > properties to provide additional accessibility
> >
> > However at present if the "info" tag is used then the ability to
> > edit the language flagged elements of the page is compromised.
> >
> > Is this something that is intended to be addressed before the next
> > release of Xerte / XOT?
> >
> > Sorry to be a nuisance, but it seems such a potentially useful
> > feature it seems a shame not to be able to use it.
> >
> > Kind regards
> >
> > Johnathan
> >
> > _______________________________________________
> > Xerte-dev mailing list
> > Xerte-dev at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> >
> > Glasgow Caledonian University is a registered Scottish charity,
> > number SC021474
> >
> > Winner: Times Higher Education's Widening Participation Initiative
> > of the Year 2009 and Herald Society's Education Initiative of the
> > Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education's Outstanding Support for Early
> > Career Researchers of the Year 2010, GCU as a lead with Universities
> > Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> >
> > This message and any attachment are intended solely for the
> > addressee and may contain confidential information. If you have
> > received this message in error, please send it back to me, and
> > immediately delete it. Please do not use, copy or disclose the
> > information contained in this message or in any attachment. Any
> > views or opinions expressed by the author of this email do not
> > necessarily reflect the views of the University of Nottingham.
> >
> > This message has been checked for viruses but the contents of an
> > attachment may still contain software viruses which could damage
> > your computer system: you are advised to perform your own checks.
> > Email communications with the University of Nottingham may be
> > monitored as permitted by UK legislation.
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From Julian.Tenney at nottingham.ac.uk Mon Mar 11 09:50:49 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 09:50:49 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69911@EXCHANGE1.ad.nottingham.ac.uk>
References: <rt6oy559dl0ww5nuk5h6a9m6.1362946603096@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69911@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB6994F@EXCHANGE1.ad.nottingham.ac.uk>

...but possibly Tom's idea of a help system built into the community site is a good idea as well, using the model filenames to generate the URLs. You could also auto-generate a stub for the help page based on the properties defined in the xwd?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 09:29
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I'm going to do something like this: pop the help up in a window somewhere. I think it's better that the help stays in the xwd, then it can be translated etc.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 10 March 2013 20:20
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

How about just an icon (?) in the menu, after the name... Click on it and it ajaxes some help in a js popover. The menu xml could then just have a new field added (help_url) for example... If it's present add the (?) icon, if it's not don't...
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Tom Reijnders <reijnders at tor.nl> wrote:

We could use the info tag to provide a one line help, including a link to a wiki page AND we could provide for the same link to the wiki page from the thumbnail area.

We could even automate it. We have a fixed wiki (Community website), and a fixed link (page name).

Tom

Kemp Johnathan <johnathan.kemp at ntlworld.com> wrote:

What I was thinking requires two things to be available

1. A url within the wiki that takes you to a specific page (which appears possible from the link you have provided)
2. A means in Xerte / XOT to link to that specific page (e.g. in the way I was using the info tag to link to a specific page)

There are two issues at present with using the info tag

a) It can result in some of the xwd fields failing to be displayed
b) It is only available to the Author after they have added the page type, since the link is from the xwd form.

I was thinking that as the wiki expands any contents page that listed all the pages could get very long. So for an author a way of going directly from Xerte / XOT to a specific page type's wiki entry could be very user friendly and helpful.

At present I think we may have a generic help link that could take you to the wiki home page, or we can use the info tag with its current drawbacks.

Kind regards

Johnathan

On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:

You can, that's no problem at all: http://www.xerte.org.uk/wiki/index.php/Template_walkthrough

Tom

On 10-3-2013 18:10, Kemp Johnathan wrote:

It would be nice if there was a way of accessing the wiki page about a specific Xerte / XOT page type, perhaps before having added that page type to your project. This could then help both with selecting the page type to use as well as assisting the author in the using of that page.
This is in contrast to just having a generic link to the wiki home page.

Kind regards

Johnathan

On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:

A wiki?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 08, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I don't much like the idea of separate files (pdfs / docs etc). I think it would be better as a central resource on a web site, maybe the community site?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
Sent: 06 March 2013 18:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: use of info tag in xwd forms

I suppose one alternative would be to set up a wiki, but I am not sure this is the best approach for help documents.

One thought that has just sprung to mind - what about using an ebook editor? I know next to nothing about them but it would seem a possibly logical platform to publish to. I am not sure if this would be the right approach if we only want to create a set of individual files that are each a single publication?

I did a quick google and found an open source wysiwyg editor called sigil. It looks quite powerful, but it appears designed to pull together large numbers of separate files into a single document. I don't know if there is anyone on the list who is familiar with this stuff and could pass a more informed opinion?
I have to admit, the one thing that concerns me with using Open Office is that someone will go and open up the file in Word and bugger up its formatting :-(

What concerns me about not using Open Office is the possible lack of a familiar, versatile, and easy to use interface for creating the documents.

JK

On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just my personal preference. Static documents usually lead to version control nightmares.

I still believe in the Java "write once, deliver everywhere" fantasy. ;-)

________________________________
Date: Wed, 6 Mar 2013 18:20:51 +0000
From: johnathan.kemp at ntlworld.com
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: use of info tag in xwd forms

Advantage of pdf?

A single file that contains text and graphics and will maintain its format when printed out (some people still like to print things out).

My approach so far has been to author the files in Open Office which will export to pdf. This provides a master file (the Open Office odt) file that is editable, and the pdf export of the odt file that can be published for Author usage.

So whilst at present the file the Author uses is pdf, this is generated from a single, easily edited odt file. Open Office is free, open source, and available in many languages.

I agree with the idea of allowing those with svn access to edit the help files. The current approach fully facilitates that. Folks with svn access can edit (or make a copy and translate) the odt file and then generate a new pdf file for publication.

I am not sure of the benefit of trying to edit the help documents in a Xerte app. Why try to create a cut down word processor in Xerte, if there is already a fully featured one available for free?
The only downside I see is that each help file consists of two files (rather than one) - the odt source file and the published public accessed pdf file. But this has upsides as well. The odt help file can be edited without affecting the published pdf file, which can be re-published once the editing / updating is completed.

Just my take on things

Johnathan

On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Advantage of pdf?

I would bet we get a lot more contribution if it's dynamic. Maybe something editable in a Xerte app? Folks with svn access can edit?

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Wed, 6 Mar 2013 12:09:21 +0000
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Sure Tom, I suppose an alternative would be to funnel everything through help/index.php?language=XX&file=YYY and let it decide which to serve up...
>
> I'm having to do similar with the api...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Wednesday, March 06, 2013 11:05 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> It's not too much work to fall back to English if we need to,
>
> So have a help/<language code> for the help folder location like we have wizard/<language code> now.
>
> The thing I have against mod_rewrites is that it's webserver specific.
>
> So, now we only have to agree on the help file format. .pdf is fine with me...
>
> Tom
>
> Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
>
> > Why not just append the language code to the URL (new website) and
> > mod rewrite the url. If there is a language file that matches send
> > that, otherwise send the English one...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: Wednesday, March 06, 2013 10:38 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > What about languages? You might want help in several languages. But
> > we can cope with multi lingual wizards, so why not multi lingual help?
> >
> > The form is a bit of a pain because now we have advanced / language
> > options, redrawing the form is a bit of a pain, so thinking
> > differently might be a good idea.
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 06 March 2013 10:02
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Hi Folks,
> >
> > What I would like to be able to achieve is a means of providing a
> > link to a pdf file that the author can access to provide additional
> > information to support the use of the page type. My original need
> > was to support the connector pages and the inventory page with more
> > information about how the page worked and how, in the case of
> > connector pages they could be used in conjunction with other pages.
> > However the help file could provide other stuff such as examples of
> > use or pedagogical information.
> >
> > How that link is made available to the author I don't have a strong
> > view on. It just seemed that the <info> tag already provided the
> > functionality (except for this frustrating glitch). If resolving the
> > glitch was a simple matter then the <info> tag might be a convenient
> > way of doing this without involving much time input. If however the
> > glitch is difficult to pin down then a different approach might be
> > appropriate.
> >
> > By putting the link in the xwd file it keeps everything about the
> > page in one place. However it does have the disadvantage of making
> > it difficult to change the location of the help files.
> >
> > Perhaps an approach that assumed the help file would use the same
> > stem as the model file but have a pdf extension (e.g. quiz.rlm and
> > quiz.pdf), would allow a Xerte or XOT project to define a single
> > folder location for all the help files. The specific help file for a
> > page type would then be accessed by combining the single folder
> > address with the model name and a pdf extension.
> >
> > This would allow help files to be either located on a remote server
> > or on a local server, or even in a desktop Xerte installation folder
> > e.g. Xerte\pages\help\. It would also make it easier to change the
> > locations of the help files as there would be only one path to change.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 6 March 2013 07:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
> > Maybe we should tackle this differently: rather than trying to
> > display the <info> on the form, why not pop it up in a message or
> > show it somewhere else?
> >
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > Sent: 05 March 2013 17:53
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > The most recent version of the desktop would ensure you have the
> > latest version of wizard.swf, but if you can see the Show Language
> > Options I think that should be enough to demonstrate the issue.
> >
> > The "here is the help" text is the text contained in the info tag.
> >
> > If you click in the Show Language Options check box you will see
> > that some additional fields are displayed in the form but that there
> > is an expanse of blank grey form before the "here is the help" text
> > is displayed.
> >
> > If you mouse over the grey area above the "here is the help" text
> > you will see the mouse pointer change as it hovers over where the
> > text entry boxes for the hidden language options are positioned.
> >
> > If you click on the Quiz2 page to open its xwd form the effect is
> > clear as none of the fields are flagged as language options so as
> > soon as the form opens you see that the display of labels and fields
> > ends abruptly and then there is again the grey expanse of blank form
> > before the "here is the help" text is displayed. You have noticed,
> > in your second post that the entry below "single answer wrong" is
> > cut short vertically. There are also more fields below this which
> > are not displaying at all.
> >
> > If you edit the quiz.xwd file in the page002 folder to remove the
> > "info" tag then all the fields defined in the form are displayed
> > correctly. So it is the "info" tag that is causing the display issue.
> >
> > Kind regards
> >
> > Johnathan
> >
> > On 5 March 2013 10:43, Dave Burnett <d_b_burnett at hotmail.com> wrote:
> > What version of desktop is required?
> > The only language related object I have showing is "Show Language
> > Options" in the bottom bar.
> >
> > (I do see "Here is the help" in blue near the bottom).
> >
> > ________________________________
> > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > From: johnathan.kemp at ntlworld.com
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > If you include the info tag in an xwd form it can result in the
> > non-display of the last entries in the form.
> >
> > The info tag displays at the bottom of the form with a blank area of
> > form above it where the missing fields and field labels should be
> > displayed.
> > > > If you move the mouse pointer over the blank area of the form then > > the mouse pointer will change indicating that the fields are there - > > you just can't see them. > > > > The easiest way to explain what is happening is for you to see it > > for yourself. > > > > I have attached a simple demo. The demo is a standard Xerte project > > (not a "Pages" type project - I have manually set up the xwd links > > for the pages) in which I have set up two copies of the Quiz page. > > > > 1. Open this project in Xerte > > 2. Double click on the Quiz page to open the xwd form 3. Click on > > the language tab to display the language fields 4. Scroll down the > > form - you will see the blank area where the hidden language fields > > should appear and the blue info comment at the bottom. > > 5. The language tag is not significant to this issue. > > 6. Double click on the Quiz2 page, you will see the same effect > > without the use of the language tag (I deleted them from this pages > > xwd file) I don't know if the cause is to do with layers or > > visibility settings. I don't know what happens when the info tag is > > actioned in the code. > > > > I hope this makes the effect clear (if not the cause :-( ) > > > > Kind regards > > > > Johnathan > > > > > > > > On 5 March 2013 09:40, Julian Tenney > > <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.u > > k><mailto:Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottin > > gham.ac.uk>>> > > wrote: > > > > What's the problem in a nutshell? 
> > > > > > > > From: > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li > > sts.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.nottingham.ac.u > > k<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bo > > unces at lists.nottingham.ac.uk><mailto:xerte-dev-bounces at lists.notting > > ham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>>] On > > Behalf Of Kemp Johnathan > > Sent: 04 March 2013 22:18 > > To: Xerte Developers Discussion List > > Subject: [Xerte-dev] use of info tag in xwd forms > > > > > > > > On the 4th December I posted to the developer list an issue with the > > xwd forms relating to the use of the "info" tag. > > > > > > > > The inclusion of an info tag in the xwd form can result in space > > being allocated above the info tag for the display of the last few > > properties in the xwd form definition, but the properties are not > > visible in the form. You can however confirm their "presence" as the > > mouse pointer responds to them if moved over the input fields. > > > > > > > > You can test this out in Xerte (or XOT) by creating a page using one > > of the Connector page types. The info tag has been used in these > > pages to link to a pdf help file that is hosted on the Xerte > > community web site, but the "language" flagged form properties are > > no longer all editable, due to the presence of the info tag. > > > > > > > > This is a pity as the info tag could be used to provide a link to an > > external document that gives the Author useful additional > > information to assist them in making the best use of that page type. > > e.g. > > > > * Information about what the page is designed to do > > > > * Instructions on what the properties in the form are to help in > > completing the form created by the xwd file; > > > > * examples of actual uses of that page type in real projects. 
> > > > * examples of combining this page type with other page types to > > achieve a particular pedagogical approach > > > > * guidance as to how accessible the page is with respect to > > particular types of user, or what features the page has as optional > > properties to provide additional accessibility > > > > However at present if the "info" tag is used then the ability to > > edit the language flagged elements of the page is compromised. > > > > > > > > Is this something that is intended to be addressed before the next > > release of Xerte / XOT? > > > > > > > > Sorry to be a nuisance, but it seems such a potentially useful > > feature it seems a shame not to be able to use it. > > > > > > > > Kind regards > > > > > > > > Johnathan > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.a > > c.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists > > .nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > _______________________________________________ Xerte-dev mailing > > list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.a > > c.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists > > .nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.a > > c.uk><mailto:Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists > > .nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.a > > c.uk><mailto:Xerte-dev at 
lists.nottingham.ac.uk<mailto:Xerte-dev at lists > > .nottingham.ac.uk>> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > > > Glasgow Caledonian University is a registered Scottish charity, > > number SC021474 > > > > Winner: Times Higher Education's Widening Participation Initiative > > of the Year 2009 and Herald Society's Education Initiative of the > > Year 2009. > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name > > ,6219,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theuni > > versity/1/name%2c6219%2cen.html> > > > > Winner: Times Higher Education's Outstanding Support for Early > > Career Researchers of the Year 2010, GCU as a lead with Universities > > Scotland partners. > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name > > ,15691,en.html<http://www.gcu.ac.uk/newsevents/news/bycategory/theun > > iversity/1/name%2c15691%2cen.html> > > > > This message and any attachment are intended solely for the > > addressee and may contain confidential information. If you have > > received this message in error, please send it back to me, and > > immediately delete it. Please do not use, copy or disclose the > > information contained in this message or in any attachment. Any > > views or opinions expressed by the author of this email do not > > necessarily reflect the views of the University of Nottingham. > > > > > > > > This message has been checked for viruses but the contents of an > > attachment > > > > may still contain software viruses which could damage your computer system: > > > > you are advised to perform your own checks. Email communications > > with the > > > > University of Nottingham may be monitored as permitted by UK legislation. > > > > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. 
-- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 09:54:05 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 09:54:05 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out Firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre.
> If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash posts the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable??
>> I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in Firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think?
>> I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
From J.J.Smith at gcu.ac.uk Mon Mar 11 10:18:59 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 10:18:59 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4BA@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Will commit some changes later... It seems to be working fine in Firefox now - the session id was already being passed by Flash, just not being used...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out Firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Posts the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now.
>> All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed -
>> should it just be 'failed'
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
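
The checks discussed in the thread above (a session check that actually stops the request, an extension whitelist, a MIME check tied to each extension, and a single 'failed' reply), as an added example that is not Xerte's upload.php or any poster's code. The `user_id` session key, the `Filedata` field name, the `media/` directory and the type map are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. Assumed names: the 'user_id' session
// key, the 'Filedata' form field, the media/ directory and the type map below.
// Needs PHP 7.1+ with the fileinfo extension.

// Constructed whitelist: extension => MIME types acceptable for that extension.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

/**
 * Returns the file name to store under, or null if any check fails.
 * The caller is never told which check failed.
 */
function check_upload(array $session, array $file, array $allowed = ALLOWED_TYPES): ?string
{
    // 1. Session check: an anonymous request stops here.
    if (empty($session['user_id'])) {
        return null;
    }
    // 2. PHP must report a single, complete upload.
    if (!isset($file['name'], $file['tmp_name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // 3. Exactly one extension, and it must be whitelisted. Requiring a single
    //    dot rejects names such as "x.php.gif"; path separators never match.
    if (!preg_match('/^[A-Za-z0-9 _-]+\.([A-Za-z0-9]+)$/D', $file['name'], $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 4. The content, as sniffed on the server, must agree with the extension.
    //    The Content-Type sent by the client is not consulted at all.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return null;
    }
    return $file['name'];
}

if (PHP_SAPI !== 'cli') {
    // Flash may not send the browser's cookie, so the id can arrive in the
    // URL. Use it only when no cookie came and it is shaped like a session id;
    // an id the server never issued opens an empty session, which
    // check_upload() rejects.
    $sid = $_GET[session_name()] ?? '';
    if (!isset($_COOKIE[session_name()]) && is_string($sid)
        && preg_match('/^[A-Za-z0-9,-]{22,128}$/D', $sid)) {
        session_id($sid);
    }
    session_start();

    $file = $_FILES['Filedata'] ?? [];
    $name = check_upload($_SESSION, $file);
    if ($name === null
        || !move_uploaded_file($file['tmp_name'], __DIR__ . '/media/' . $name)) {
        http_response_code(400);
        exit('failed'); // same reply for every failure
    }
    exit('ok');
}

// Offline demonstration on constructed files: php example.php
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;"); // minimal GIF header
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello'; ?>\n");            // script content
$user = ['user_id' => 7];
$cases = [
    'logged in, real gif'       => [$user, 'logo.gif', $gif],
    'no session'                => [[], 'logo.gif', $gif],
    'extension not whitelisted' => [$user, 'page.php', $php],
    'script renamed to .gif'    => [$user, 'page.gif', $php],
    'double extension'          => [$user, 'page.php.gif', $gif],
];
foreach ($cases as $label => [$session, $name, $tmp]) {
    $file = ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    $stored = check_upload($session, $file);
    printf("%-27s %s\n", $label, $stored === null ? 'failed' : 'stored as ' . $stored);
}
unlink($gif);
unlink($php);
```

A session id carried in the URL also lands in server access logs, so the cookie is preferred whenever the browser sends it.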

From Julian.Tenney at nottingham.ac.uk Mon Mar 11 10:22:03 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 10:22:03 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4BA@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4BA@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB699B6@EXCHANGE1.ad.nottingham.ac.uk>

OK, thanks,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 10:19
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Will commit some changes later... It seems to be working fine in Firefox now - the session id was already being passed by Flash, just not being used...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working...
Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: I haven't got flash on the laptop, but I don't recall it doing anything. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Its bizarre. If i modify the parameter in any way by adding x=y& > before path then the querystring is mangled > > I just assumed that the flash took the upload_path parameter (which > ends path=) and appended the path but it must be doing some strange > parsing which cant handle extra params > > I can make it work by wrapping everything in a way i can parse but i'd rather know its not going to break down the line if someone changes upload_path in management or we get an unexpected char... > > Its weird... Can't get my head around what its doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: > > > Assuming you know the fixed session if wont work? > > I think the wizard alters the URL - but might you need to URL encode the string? > > Pgogy Webstuff - > http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> > Makers of web things of a fair to middling quality > > On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > >> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange... 
>> >> I've changed the upload_path code to >> >> so.addVariable("upload_path", "upload.php?nonce=123456789&" + >> document.cookie + "&path="); >> >> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path=" >> >> but when the Flash Post's the URL (as viewed in the Network console) >> is munged to >> >> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=1234 >> 56789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4 >> >> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable... >> >> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups? >> >> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5'); >> session_start(); >> >> Regards, >> >> John Smith | Learning Technologist >> Room A251, Govan Mbeki Building | School of Health & Life Sciences | >> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA >> ________________________________________ >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy >> [xerte at pgogywebstuff.com] >> Sent: 08 March 2013 17:59 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Pass session Id in as a flashvar? 
>> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: >> >> It?s because upload.php is being hit from flash, which isn?t passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 14:12 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Ok I?ll look at that and see why? maybe config isn?t being included properly? sessions work elsewhere in Firefox so why not here? >> >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 2:05 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I commented it out because it didn?t work in firefox. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:55 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> If we get pushed for time and we need to then we can just comment out >> the code I added for now. 
All it would do then is the session check, >> although even that check was commented out in the svn and probably >> the 1.9 release, no idea why though or by who and whether adding that >> back in will be causing an issue? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:47 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I?m not sure I?m close enough to the detail to recommend a way >> forward here, so happy to go with a recommendation, but would like to >> see it all implemented at once in the svn so we?re not in a position >> where exporting the svn creates an install that won?t upload >> anything? >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:26 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? >> >> Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). >> >> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? 
should it just be ?failed? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:13 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: 07 March 2013 17:14 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? >> >> I agree preventing php is a good thing, but I think the problem is >> not knowing what types are acceptable is a real curveball >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi Pat, >> >> I didn?t copy your regexp or your select list directly but translated >> the select code into a comma separated list so that it can be moved >> elsewhere if required? >> >> I noticed the list in the sitedetails table but it is of Mime Types. 
>> I think it would be best practice to use extensions, content headers, >> mimetypes and any other method available to whitelist the allowable >> files but I think that might take a bit more work? >> >> I think it is leaving a load of sites out there very vulnerable so we >> should try to find a good way to shore this up before the next >> release. What do you think? I?ll have a go at adding in some code to >> deal with content headers and mimetypes >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: Thursday, March 07, 2013 2:54 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). >> >> My reg exp is a bit flaky as well, if you copied that over. >> >> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi, >> >> I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. >> >> Can someone test this and advise if there are any other media types that we want/need to allow? 
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Mon Mar 11 10:23:19 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 11 Mar 2013 11:23:19 +0100
Subject: [Xerte-dev] Encoding issues
Message-ID: <513DB097.3010209@tor.nl>

I think we need to get the encoding of XOT fixed properly. It is not working at the moment.

I'll give you an example:
- The create button in the list of templates, text of that button is in 'DISPLAY_CREATE' (from display_library.inc)
1. At first it's generated through php in iso encoding (all's fine here)
2. After creating a new template the list is recreated through an ajax call (to website_code/php/templates/general_templates.php). As Ajax uses the default encoding of the webserver, it uses utf8, and I have to utf8_encode(DISPLAY_CREATE) to display it correctly.

Instead of utf8_encoding all appropriate strings in Ajax calls, wouldn't it be better to move to utf8? Or am I missing something completely.

Tom

--
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From J.J.Smith at gcu.ac.uk Mon Mar 11 10:18:59 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 10:18:59 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4BA@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Will commit some changes later... It seems to be working fine in Firefox now - the session id was already being passed by Flash, just not being used...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think? I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
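
The checks this thread settles on (session first, extension whitelist, MIME type matched to the extension, and one generic failure message for the client), as an added example. It is not Xerte's upload.php; check_upload(), ALLOWED_UPLOADS, the 'user_id' session key and the allowed list are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Xerte's upload.php. ALLOWED_UPLOADS, check_upload()
// and the 'user_id' session key are hypothetical names.

// Extension => MIME types accepted for it. Constructed sample list; a real
// install would load it from a site setting, as suggested in the thread.
const ALLOWED_UPLOADS = [
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'txt' => ['text/plain'],
];

/**
 * Decide whether an uploaded file may be stored.
 * Returns ['ok' => bool, 'client' => string, 'log' => string, 'name' => ?string].
 * 'client' never says why a request failed; the reason goes to 'log' only.
 * In a real handler $tmpPath is $_FILES[...]['tmp_name'] and an accepted
 * file is moved into place with move_uploaded_file().
 */
function check_upload(array $session, string $clientName, string $tmpPath): array
{
    $deny = function (string $reason): array {
        return ['ok' => false, 'client' => 'failed', 'log' => $reason, 'name' => null];
    };

    // 1. Session check that actually stops the request. With exit()
    //    commented out, as described in the thread, nothing was stopped.
    if (empty($session['user_id'])) {
        return $deny('no authenticated session');
    }

    // 2. Extension whitelist, case-insensitive, using the part after the last dot.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return $deny("extension not allowed: '$ext'");
    }

    // 3. MIME type sniffed from the file content (not the client-supplied
    //    Content-Type), and it must be one allowed for this extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $shown = $mime === false ? 'unknown' : $mime;
    if ($mime === false || !in_array($mime, ALLOWED_UPLOADS[$ext], true)) {
        return $deny("content type $shown does not match .$ext");
    }

    // 4. Store under a server-chosen name so the client's file name never
    //    reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'client' => 'ok', 'log' => "accepted as $mime", 'name' => $name];
}

// --- Constructed sample input, written to temp files so this runs offline ---
function sample_file(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

$gif = sample_file("GIF89a\x01\x00\x01\x00\x00\x00\x00;"); // minimal GIF header
$php = sample_file("<?php echo 'hello'; ?>\n");             // script content

$loggedIn = ['user_id' => 42];
$cases = [
    'no session'          => [[],        'logo.gif', $gif],
    'script extension'    => [$loggedIn, 'page.php', $php],
    'script named .gif'   => [$loggedIn, 'page.gif', $php],
    'no extension'        => [$loggedIn, 'README',   $gif],
    'valid image'         => [$loggedIn, 'Logo.GIF', $gif],
];

foreach ($cases as $label => [$session, $name, $path]) {
    $r = check_upload($session, $name, $path);
    printf("%-18s client=%-6s log=%s\n", $label, $r['client'], $r['log']);
}

unlink($gif);
unlink($php);
```

Only the last case is accepted; every rejected case returns the same "failed" to the client while the specific reason stays in the server-side log field.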

From david at palepurple.co.uk Mon Mar 11 10:30:50 2013
From: david at palepurple.co.uk (David Goodwin)
Date: Mon, 11 Mar 2013 10:30:50 +0000
Subject: [Xerte-dev] Re: Encoding issues
In-Reply-To: <513DB097.3010209@tor.nl>
References: <513DB097.3010209@tor.nl>
Message-ID: <B1F28647-996C-47B6-BF3F-88C43B794004@palepurple.co.uk>

On 11 Mar 2013, at 10:23, Tom Reijnders <reijnders at tor.nl> wrote:

> I think we need to get the encoding of XOT fixed properly. It is not working at the moment.
>
> I'll give you an example:
> - The create button in the list of templates, text of that button is in 'DISPLAY_CREATE' (from display_library.inc)
> 1. At first it's generated through php in iso encoding (all's fine here)
> 2. After creating a new template the list is recreated through an ajax call (to website_code/php/templates/general_templates.php). As Ajax uses the default encoding of the webserver, it uses utf8, and I have to utf8_encode(DISPLAY_CREATE) to display it correctly.
>
> Instead of utf8_encoding all appropriate strings in Ajax calls, wouldn't it be better to move to utf8? Or am I missing something completely.
>

Yes. Especially given PHP 5.4's default of utf-8 for the default charset - http://php.net/releases/5_4_0.php (which presumably would fix the issue you're seeing anyway?)

David.

Pale Purple Ltd. (Company No: 5580814)
'Web and Mobile Application Development for Business'
http://www.palepurple.co.uk
Office: 0845 0046746
Mobile: 07792380669
Follow us on Twitter: @PalePurpleLtd

From johnathan.kemp at ntlworld.com Mon Mar 11 12:09:11 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Mon, 11 Mar 2013 12:09:11 +0000
Subject: [Xerte-dev] Re: use of info tag in xwd forms
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB6994F@EXCHANGE1.ad.nottingham.ac.uk>
References: <rt6oy559dl0ww5nuk5h6a9m6.1362946603096@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69911@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB6994F@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <CABtG3=X4uYnZoE6XAzgZsud8c8NYfUb0D5T51c_GTtJu8OANFA@mail.gmail.com>

I am quite happy to go along with what people prefer. I just want to be able to provide help files for the pages I have created. I can convert the pdf files I have supplied so far to wiki pages or whatever, once I know where to put them and can figure out the editing features of the wiki.

If we are using a filename to provide an automated reference for a page then we need to use the model name and not the xwd name. The xwd files that are used to build the templates.xwd file are not always the same xwd that is used in Xerte (think connector pages here, where Xerte cannot offer the drop down list of pages when selecting a connection, but XOT can).

If we are using a wiki, will this automatically name the pages created, forcing us to use the name created by the wiki, rather than one related to the model file?

Kind regards

Johnathan

On 11 March 2013 09:50, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> ...but possibly Tom's idea of a help system built into the community site
> is a good idea as well, using the model filenames to generate the URLs. You
> could also auto-generate a stub for the help page based on the properties
> defined in the xwd?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 09:29
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> I'm going to do something like this: pop the help up in a window
> somewhere. I think it's better that the help stays in the xwd, then it can
> be translated etc,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 10 March 2013 20:20
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> How about just an icon (?) in the menu, after the name... Click on it and
> it ajaxes some help in a js popover. The menu xml could then just have a
> new field added (help_url) for example... If it's present add the (?) icon,
> if it's not don't...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Tom Reijnders <reijnders at tor.nl> wrote:
>
> We could use the info tag to provide a one line help, including a link to
> a wiki page AND we could provide for the same link to the wiki page from
> the thumbnail area.
>
> We could even automate it. We have a fixed wiki. (Community website), and
> a fixed link (page name).
>
> Tom
>
> Kemp Johnathan <johnathan.kemp at ntlworld.com> wrote:
> What I was thinking requires two things to be available
>
> 1. A url within the wiki that takes you to a specific page (which appears
> possible from the link you have provided)
> 2. A means in Xerte / XOT to link
> to that specific page (e.g. in the way I was using the info tag to link to
> a specific page)
>
> There are two issues at present with using the info tag
> a) It can result in some of the xwd fields failing to be displayed
> b) It is only available to the Author after they have added the page type,
> since the link is from the xwd form.
>
> I was thinking that as the wiki expands any contents page that listed all
> the pages could get very long. So for an author a way of going directly
> from Xerte / XOT to a specific page type's wiki entry could be very user
> friendly and helpful.
>
> At present I think we may have a generic help link that could take you to
> the wiki home page, or we can use the info tag with its current drawbacks.
>
> Kind regards
>
> Johnathan
>
> On 10 March 2013 17:47, Tom Reijnders <reijnders at tor.nl> wrote:
> You can, that's no problem at all:
>
> http://www.xerte.org.uk/wiki/index.php/Template_walkthrough
>
> Tom
>
> On 10-3-2013 18:10, Kemp Johnathan wrote:
> It would be nice if there was a way of accessing the wiki page about a
> specific Xerte / XOT page type, perhaps before having added that page type
> to your project. This could then help both with selecting the page type to
> use as well as assisting the author in the using of that page.
>
> This is in contrast to just having a generic link to the wiki home page.
>
> Kind regards
>
> Johnathan
>
> On 8 March 2013 13:55, Smith, John <J.J.Smith at gcu.ac.uk> wrote:
> A wiki?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 08, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> I don't much like the idea of separate files (pdfs / docs etc) I think it
> would be better as a central resource on a web site, maybe the community
> site?
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> Sent: 06 March 2013 18:57
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> I suppose one alternative would be to set up a wiki, but I am not sure
> this is the best approach for help documents.
>
> One thought that has just sprung to mind - what about using an ebook
> editor? I know next to nothing about them but it would seem a possibly
> logical platform to publish to. I am not sure if this would be the right
> approach if we only want to create a set of individual files that are each
> a single publication?
>
> I did a quick google and found an open source wysiwyg editor called sigil.
> It looks quite powerful, but it appears designed to pull together large
> numbers of separate files into a single document.
>
> I don't know if there is anyone on the list who is familiar with this
> stuff and could pass a more informed opinion?
>
> I have to admit, the one thing that concerns me with using Open Office is
> that someone will go and open up the file in Word and bugger up its
> formatting :-(
>
> What concerns me about not using Open Office is the possible lack of a
> familiar, versatile, and easy to use interface for creating the documents.
>
> JK
>
> On 6 March 2013 18:25, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just my personal preference.
> Static documents usually lead to version control nightmares.
> I still believe in the Java "write once, deliver everywhere" fantasy.
> ;-)
>
> ________________________________
> Date: Wed, 6 Mar 2013 18:20:51 +0000
> From: johnathan.kemp at ntlworld.com
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: use of info tag in xwd forms
>
> Advantage of pdf?
>
> A single file that contains text and graphics and will maintain its format
> when printed out (some people still like to print things out).
>
> My approach so far has been to author the files in Open Office which will
> export to pdf. This provides a master file (the Open Office odt) file that
> is editable, and the pdf export of the odt file that can be published for
> Author usage.
>
> So whilst at present the file the Author uses is pdf, this is generated
> from a single, easily edited odt file. Open Office is free, open source,
> and available in many languages.
>
> I agree with the idea of allowing those with svn access to edit the help
> files. The current approach fully facilitates that.
> Folks with svn access can edit (or make a copy and translate) the odt file
> and then generate a new pdf file for publication.
>
> I am not sure of the benefit of trying to edit the help documents in a
> Xerte app. Why try to create a cut down word processor in Xerte, if there
> is already a fully featured one available for free?
>
> The only downside I see is that each help file consists of two files
> (rather than one) - the odt source file and the published public accessed
> pdf file. But this has upsides as well. The odt help file can be edited
> without affecting the published pdf file, which can be re-published once
> the editing / updating is completed.
>
> Just my take on things
>
> Johnathan
>
> On 6 March 2013 12:35, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Advantage of pdf?
>
> I would bet we get a lot more contribution if it's dynamic.
> Maybe something editable in a Xerte app?
> Folks with svn access can edit?
>
> > From: J.J.Smith at gcu.ac.uk
> > To: xerte-dev at lists.nottingham.ac.uk
> > Date: Wed, 6 Mar 2013 12:09:21 +0000
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > Sure Tom, I suppose an alternative would be to funnel everything through
> > help/index.php?language=XX&file=YYY and let it decide which to serve up...
> >
> > I'm having to do similar with the api...
> >
> > Regards,
> >
> > John Smith
> > Learning Technologist
> > School of Health & Life Sciences
> > Glasgow Caledonian University
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> > Sent: Wednesday, March 06, 2013 11:05 AM
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> >
> > It's not too much work to fall back to English if we need to,
> >
> > So have a help/<language code> for the help folder location like we
> > have wizard/<language code> now.
> >
> > The thing I have against mod_rewrites is that it's webserver specific.
> >
> > So, now we only have to agree on the help file format. .pdf is fine with
> > me...
> >
> > Tom
> >
> > Quoting "Smith, John" <J.J.Smith at gcu.ac.uk>:
> >
> > > Why not just append the language code to the URL (new website) and
> > > mod rewrite the url. If there is a language file that matches send
> > > that, otherwise send the English one...
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > > Sent: Wednesday, March 06, 2013 10:38 AM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > What about languages? You might want help in several languages. But
> > > we can cope with multi lingual wizards, so why not multi lingual help?
> > >
> > > The form is a bit of a pain because now we have advanced / language
> > > options, redrawing the form is a bit of a pain, so thinking
> > > differently might be a good idea.
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 06 March 2013 10:02
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > Hi Folks,
> > >
> > > What I would like to be able to achieve is a means of providing a
> > > link to a pdf file that the author can access to provide additional
> > > information to support the use of the page type. My original need
> > > was to support the connector pages and the inventory page with more
> > > information about how the page worked and how, in the case of
> > > connector pages they could be used in conjunction with other pages.
> > > However the help file could provide other stuff such as examples of
> > > use or pedagogical information.
> > >
> > > How that link is made available to the author I don't have a strong
> > > view on. It just seemed that the <info> tag already provided the
> > > functionality (except for this frustrating glitch). If resolving the
> > > glitch was a simple matter then the <info> tag might be a convenient
> > > way of doing this without involving much time input. If however the
> > > glitch is difficult to pin down then a different approach might be
> > > appropriate.
> > >
> > > By putting the link in the xwd file it keeps everything about the
> > > page in one place. However it does have the disadvantage of making
> > > it difficult to change the location of the help files.
> > >
> > > Perhaps an approach that assumed the help file would use the same
> > > stem as the model file but have a pdf extension (e.g. quiz.rlm and
> > > quiz.pdf), would allow a Xerte or XOT project to define a single
> > > folder location for all the help files. The specific help file for a
> > > page type would then be accessed by combining the single folder
> > > address with the model name and a pdf extension.
> > >
> > > This would allow help files to be either located on a remote server
> > > or on a local server, or even in a desktop Xerte installation folder
> > > e.g. Xerte\pages\help\. It would also make it easier to change the
> > > locations of the help files as there would be only one path to change.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 6 March 2013 07:50, Julian Tenney
> > > <Julian.Tenney at nottingham.ac.uk> wrote:
> > > Maybe we should tackle this differently: rather than trying to
> > > display the <info> on the form, why not pop it up in a message or
> > > show it somewhere else?
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 05 March 2013 17:53
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > The most recent version of the desktop would ensure you have the
> > > latest version of wizard.swf, but if you can see the Show Language
> > > Options I think that should be enough to demonstrate the issue.
> > >
> > > The "here is the help" text is the text contained in the info tag.
> > >
> > > If you click in the Show Language Options check box you will see
> > > that some additional fields are displayed in the form but that there
> > > is an expanse of blank grey form before the "here is the help" text
> > > is displayed.
> > >
> > > If you mouse over the grey area above the "here is the help" text
> > > you will see the mouse pointer change as it hovers over where the
> > > text entry boxes for the hidden language options are positioned.
> > >
> > > If you click on the Quiz2 page to open its xwd form the effect is
> > > clear as none of the fields are flagged as language options so as
> > > soon as the form opens you see that the display of labels and fields
> > > ends abruptly and then there is again the grey expanse of blank form
> > > before the "here is the help" text is displayed. You have noticed,
> > > in your second post that the entry below "single answer wrong" is
> > > cut short vertically. There are also more fields below this which
> > > are not displaying at all.
> > >
> > > If you edit the quiz.xwd file in the page002 folder to remove the
> > > "info" tag then all the fields defined in the form are displayed
> > > correctly. So it is the "info" tag that is causing the display issue.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 5 March 2013 10:43, Dave Burnett
> > > <d_b_burnett at hotmail.com> wrote:
> > > What version of desktop is required?
> > > The only language related object I have showing is "Show Language
> > > Options" in the bottom bar.
> > >
> > > (I do see "Here is the help" in blue near the bottom).
> > >
> > > ________________________________
> > > Date: Tue, 5 Mar 2013 10:23:23 +0000
> > > From: johnathan.kemp at ntlworld.com
> > > To: xerte-dev at lists.nottingham.ac.uk
> > > Subject: [Xerte-dev] Re: use of info tag in xwd forms
> > >
> > > If you include the info tag in an xwd form it can result in the
> > > non-display of the last entries in the form.
> > >
> > > The info tag displays at the bottom of the form with a blank area of
> > > form above it where the missing fields and field labels should be
> > > displayed.
> > >
> > > If you move the mouse pointer over the blank area of the form then
> > > the mouse pointer will change indicating that the fields are there -
> > > you just can't see them.
> > >
> > > The easiest way to explain what is happening is for you to see it
> > > for yourself.
> > >
> > > I have attached a simple demo. The demo is a standard Xerte project
> > > (not a "Pages" type project - I have manually set up the xwd links
> > > for the pages) in which I have set up two copies of the Quiz page.
> > >
> > > 1. Open this project in Xerte
> > > 2. Double click on the Quiz page to open the xwd form
> > > 3. Click on the language tab to display the language fields
> > > 4. Scroll down the form - you will see the blank area where the
> > > hidden language fields should appear and the blue info comment at
> > > the bottom.
> > > 5. The language tag is not significant to this issue.
> > > 6. Double click on the Quiz2 page, you will see the same effect
> > > without the use of the language tag (I deleted them from this page's
> > > xwd file)
> > >
> > > I don't know if the cause is to do with layers or
> > > visibility settings. I don't know what happens when the info tag is
> > > actioned in the code.
> > >
> > > I hope this makes the effect clear (if not the cause :-( )
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > On 5 March 2013 09:40, Julian Tenney
> > > <Julian.Tenney at nottingham.ac.uk> wrote:
> > >
> > > What's the problem in a nutshell?
> > >
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Kemp Johnathan
> > > Sent: 04 March 2013 22:18
> > > To: Xerte Developers Discussion List
> > > Subject: [Xerte-dev] use of info tag in xwd forms
> > >
> > > On the 4th December I posted to the developer list an issue with the
> > > xwd forms relating to the use of the "info" tag.
> > >
> > > The inclusion of an info tag in the xwd form can result in space
> > > being allocated above the info tag for the display of the last few
> > > properties in the xwd form definition, but the properties are not
> > > visible in the form. You can however confirm their "presence" as the
> > > mouse pointer responds to them if moved over the input fields.
> > >
> > > You can test this out in Xerte (or XOT) by creating a page using one
> > > of the Connector page types. The info tag has been used in these
> > > pages to link to a pdf help file that is hosted on the Xerte
> > > community web site, but the "language" flagged form properties are
> > > no longer all editable, due to the presence of the info tag.
> > >
> > > This is a pity as the info tag could be used to provide a link to an
> > > external document that gives the Author useful additional
> > > information to assist them in making the best use of that page type.
> > > e.g.
> > >
> > > * Information about what the page is designed to do
> > >
> > > * Instructions on what the properties in the form are to help in
> > > completing the form created by the xwd file;
> > >
> > > * examples of actual uses of that page type in real projects.
> > >
> > > * examples of combining this page type with other page types to
> > > achieve a particular pedagogical approach
> > >
> > > * guidance as to how accessible the page is with respect to
> > > particular types of user, or what features the page has as optional
> > > properties to provide additional accessibility
> > >
> > > However at present if the "info" tag is used then the ability to
> > > edit the language flagged elements of the page is compromised.
> > >
> > > Is this something that is intended to be addressed before the next
> > > release of Xerte / XOT?
> > >
> > > Sorry to be a nuisance, but it seems such a potentially useful
> > > feature it seems a shame not to be able to use it.
> > >
> > > Kind regards
> > >
> > > Johnathan
> > >
> > > _______________________________________________
> > > Xerte-dev mailing list
> > > Xerte-dev at lists.nottingham.ac.uk
> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> > >
> > > Glasgow Caledonian University is a registered Scottish charity,
> > > number SC021474
> > >
> > > Winner: Times Higher Education's Widening Participation Initiative
> > > of the Year 2009 and Herald Society's Education Initiative of the
> > > Year 2009.
> > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> > >
> > > Winner: Times Higher Education's Outstanding Support for Early
> > > Career Researchers of the Year 2010, GCU as a lead with Universities
> > > Scotland partners.
> > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> > >
> > > This message and any attachment are intended solely for the
> > > addressee and may contain confidential information. If you have
> > > received this message in error, please send it back to me, and
> > > immediately delete it. Please do not use, copy or disclose the
> > > information contained in this message or in any attachment. Any
> > > views or opinions expressed by the author of this email do not
> > > necessarily reflect the views of the University of Nottingham.
> > >
> > > This message has been checked for viruses but the contents of an
> > > attachment may still contain software viruses which could damage
> > > your computer system: you are advised to perform your own checks.
> > > Email communications with the University of Nottingham may be
> > > monitored as permitted by UK legislation.
>
> --
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> --
> Sent from my Android phone with K-9 Mail.

From J.J.Smith at gcu.ac.uk Mon Mar 11 12:44:52 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 12:44:52 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Julian, give that a try...

Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed? should it just be "failed"?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff -
>> http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think?
>> I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff -
>> http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From Julian.Tenney at nottingham.ac.uk Mon Mar 11 13:21:08 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 13:21:08 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try...
Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre.
If i modify the parameter in any way by adding x=y& > before path then the querystring is mangled > > I just assumed that the flash took the upload_path parameter (which > ends path=) and appended the path but it must be doing some strange > parsing which cant handle extra params > > I can make it work by wrapping everything in a way i can parse but i'd rather know its not going to break down the line if someone changes upload_path in management or we get an unexpected char... > > Its weird... Can't get my head around what its doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: > > > Assuming you know the fixed session if wont work? > > I think the wizard alters the URL - but might you need to URL encode the string? > > Pgogy Webstuff - > http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> > Makers of web things of a fair to middling quality > > On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > >> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange... >> >> I've changed the upload_path code to >> >> so.addVariable("upload_path", "upload.php?nonce=123456789&" + >> document.cookie + "&path="); >> >> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path=" >> >> but when the Flash Post's the URL (as viewed in the Network console) >> is munged to >> >> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=1234 >> 56789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4 >> >> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? 
I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable... >> >> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups? >> >> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5'); >> session_start(); >> >> Regards, >> >> John Smith | Learning Technologist >> Room A251, Govan Mbeki Building | School of Health & Life Sciences | >> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA >> ________________________________________ >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy >> [xerte at pgogywebstuff.com] >> Sent: 08 March 2013 17:59 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Pass session Id in as a flashvar? >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: >> >> It?s because upload.php is being hit from flash, which isn?t passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 14:12 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Ok I?ll look at that and see why? maybe config isn?t being included properly? sessions work elsewhere in Firefox so why not here? 
>> >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 2:05 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I commented it out because it didn?t work in firefox. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:55 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> If we get pushed for time and we need to then we can just comment out >> the code I added for now. All it would do then is the session check, >> although even that check was commented out in the svn and probably >> the 1.9 release, no idea why though or by who and whether adding that >> back in will be causing an issue? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:47 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I?m not sure I?m close enough to the detail to recommend a way >> forward here, so happy to go with a recommendation, but would like to >> see it all implemented at once in the svn so we?re not in a position >> where exporting the svn creates an install that won?t upload >> anything? 
>> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:26 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? >> >> Well I?ll work on the basis that I?ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). >> >> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:13 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I think my preference would be for a global setting: comma seperated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to. 
>> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: 07 March 2013 17:14 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? >> >> I agree preventing php is a good thing, but I think the problem is >> not knowing what types are acceptable is a real curveball >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi Pat, >> >> I didn?t copy your regexp or your select list directly but translated >> the select code into a comma separated list so that it can be moved >> elsewhere if required? >> >> I noticed the list in the sitedetails table but it is of Mime Types. >> I think it would be best practice to use extensions, content headers, >> mimetypes and any other method available to whitelist the allowable >> files but I think that might take a bit more work? >> >> I think it is leaving a load of sites out there very vulnerable so we >> should try to find a good way to shore this up before the next >> release. What do you think? 
I?ll have a go at adding in some code to >> deal with content headers and mimetypes >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: Thursday, March 07, 2013 2:54 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). >> >> My reg exp is a bit flaky as well, if you copied that over. >> >> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi, >> >> I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. >> >> Can someone test this and advise if there are any other media types that we want/need to allow? >> >> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? 
>> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/ne<http://www.gcu.ac.uk/newsevents/ne >> ws/bycategory/theuniversity/1/name,15691,en.html> > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
From J.J.Smith at gcu.ac.uk Mon Mar 11 13:32:38 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 13:32:38 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session it won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>>     so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash posts, the URL (as viewed in the Network console) is munged to
>>
>>     http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?
>>
>>     if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>>     session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now.
>> All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed -
>> should it just be "failed"
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
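
The checks discussed in the message above (a session check that really stops the request, an extension whitelist read from a comma separated setting, a MIME type matched to the extension, and one "failed" reply for every refusal) can be combined as in this added example. It is not code from the thread or from Xerte's upload.php: the setting name, the MIME map, the function names and the sample files are assumptions made for illustration, and it needs PHP's fileinfo extension.

```php
<?php
// Added example, not Xerte's upload.php. All names below are hypothetical.

// Hypothetical global setting: comma separated list of allowed extensions.
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, mp3, mp4, pdf';

// MIME types accepted for each extension (constructed, deliberately short).
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'mp4'  => ['video/mp4'],
    'pdf'  => ['application/pdf'],
];

/** Parse the comma separated setting into a lower-case list. */
function allowed_extensions(string $setting): array
{
    $parts = array_map('trim', explode(',', strtolower($setting)));
    return array_values(array_filter($parts, 'strlen'));
}

/**
 * Return null when the upload is acceptable, otherwise a reason string
 * intended for the server log only.
 */
function reject_reason(bool $loggedIn, string $clientName, string $tmpPath, string $setting): ?string
{
    // 1. Session check: no authenticated session, no upload.
    if (!$loggedIn) {
        return 'no authenticated session';
    }
    // 2. Extension whitelist: only the final extension counts and a name
    //    without an extension is refused.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, allowed_extensions($setting), true)) {
        return "extension '$ext' not in whitelist";
    }
    // 3. MIME check: sniff the type from the file's bytes, not from the
    //    Content-Type header the client sent, and match it to the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_BY_EXTENSION[$ext] ?? [], true)) {
        return "content type '$mime' does not match .$ext";
    }
    return null;
}

/** One reply for every refusal: the detail goes to the log, not the client. */
function respond_to_upload(?string $reason): string
{
    if ($reason !== null) {
        error_log('upload refused: ' . $reason);
        return 'failed';
    }
    return 'ok';
}

// Constructed sample uploads, written to temp files so the script runs offline.
// In a real handler $loggedIn would come from the session and $tmpPath from
// the 'tmp_name' entry of the uploaded file in $_FILES.
$gif = "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
$php = "<?php echo 'x'; ?>";
$samples = [
    ['picture.gif', $gif, true],   // allowed extension, matching content
    ['page.php',    $php, true],   // extension not in the whitelist
    ['page.gif',    $php, true],   // allowed extension, content is not a GIF
    ['picture.gif', $gif, false],  // valid file but no session
];
foreach ($samples as [$name, $bytes, $loggedIn]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $reply = respond_to_upload(reject_reason($loggedIn, $name, $tmp, ALLOWED_EXTENSIONS));
    printf("%-12s session=%-3s -> %s\n", $name, $loggedIn ? 'yes' : 'no', $reply);
    unlink($tmp);
}
```
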
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 13:48:13 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 13:48:13 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>

I'm not sure you can do much with that class, it's just a black box.
I?ll have a go at adding in some code to >> deal with content headers and mimetypes >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: Thursday, March 07, 2013 2:54 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). >> >> My reg exp is a bit flaky as well, if you copied that over. >> >> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi, >> >> I?ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I?ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. >> >> Can someone test this and advise if there are any other media types that we want/need to allow? >> >> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I?ve uncommented this now but does anyone know why it was commented out in the first place? 
>> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From J.J.Smith at gcu.ac.uk Mon Mar 11 13:56:57 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 13:56:57 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Posts the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
From xerte at pgogywebstuff.com Mon Mar 11 14:01:07 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Mon, 11 Mar 2013 14:01:07 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
	<12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
	<EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
	<12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
	<EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
	<12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>
	<EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <DCBC1420-77D4-4442-BF7B-D9B8E83D6CF4@pgogywebstuff.com>

The file object can handle a response from the php as it did early on.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 11 Mar 2013, at 13:56, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 9:54 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 08 March 2013 23:51
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Forget it I've figured it out and got it working... Only now with the code commented out Firefox is sending session from Flash... Need to get some sleep.
>
> Anyway cheers for listening to my rants...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> I haven't got flash on the laptop, but I don't recall it doing anything.
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>>
>> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>>
>> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>>
>> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Assuming you know the fixed session if won't work?
>>
>> I think the wizard alters the URL - but might you need to URL encode the string?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>>
>>> I've changed the upload_path code to
>>>
>>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>>> document.cookie + "&path=");
>>>
>>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>>
>>> but when the Flash Posts the URL (as viewed in the Network console) is munged to
>>>
>>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>>
>>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>>
>>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>>
>>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>>> session_start();
>>>
>>> Regards,
>>>
>>> John Smith | Learning Technologist
>>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>>> ________________________________________
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>>> Sent: 08 March 2013 17:59
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Pass session Id in as a flashvar?
>>>
>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>> Makers of web things of a fair to middling quality
>>>
>>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>>
>>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 08 March 2013 14:12
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Friday, March 08, 2013 2:05 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> I commented it out because it didn't work in Firefox.
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 08 March 2013 13:55
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Friday, March 08, 2013 1:47 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything...
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 08 March 2013 13:26
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>>
>>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>>
>>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Friday, March 08, 2013 1:13 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>>> Sent: 07 March 2013 17:14
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hello,
>>>
>>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>>
>>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>>
>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>> Makers of web things of a fair to middling quality
>>>
>>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>> Hi Pat,
>>>
>>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required...
>>>
>>> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work...
>>>
>>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>>> Sent: Thursday, March 07, 2013 2:54 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hello,
>>>
>>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>>
>>> My reg exp is a bit flaky as well, if you copied that over.
>>>
>>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>>
>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>> Makers of web things of a fair to middling quality
>>>
>>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>> Hi,
>>>
>>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>>
>>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>>
>>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
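The checks discussed in this thread (a session check that actually stops the request, an extension allowlist read from a comma-separated setting, a MIME check tied to the extension, and one generic failure reply with the reason kept in the server log), as an added example that is not Xerte's upload.php or any list member's code. The session key, function names and the extension/MIME lists are assumptions made for illustration.

```php
<?php
// Added illustration. Not the project's code; all names below are hypothetical.

// Comma-separated allowlist, as an admin might type it into a settings field.
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, mp3, pdf';

// MIME types accepted for each extension, compared against the file's bytes.
const MIME_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload may be stored, otherwise a reason string
 * meant for the server log only. In a real handler $clientName would be
 * $_FILES[...]['name'] and $tmpPath would be $_FILES[...]['tmp_name'].
 */
function check_upload(array $session, string $clientName, string $tmpPath): ?string
{
    // 1. Session check: an unauthenticated request is rejected outright.
    if (empty($session['user_id'])) {            // hypothetical session key
        return 'no authenticated session';
    }

    // 2. Extension allowlist, case-insensitive, on the final extension.
    $allowed = array_filter(array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS))));
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return "extension '$ext' not allowed";
    }

    // 3. Content check: sniff the type from the bytes (never from the
    //    client-supplied Content-Type) and require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_FOR_EXTENSION[$ext] ?? [], true)) {
        return "content type '$mime' does not match .$ext";
    }
    return null;
}

/** The client sees one fixed word on failure; the reason goes to the log. */
function respond(?string $reason): string
{
    if ($reason !== null) {
        error_log('upload rejected: ' . $reason);
        return 'failed';
    }
    return 'ok';
}

// --- Constructed sample inputs (not captured traffic) ---
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'); // 1x1 GIF
$php = "<?php echo 'hello'; ?>\n";
$cases = [
    ['logged in, real GIF',       ['user_id' => 7], 'logo.GIF',     $gif],
    ['logged in, script as .php', ['user_id' => 7], 'page.php',     $php],
    ['logged in, script as .jpg', ['user_id' => 7], 'page.php.jpg', $php],
    ['no session, real GIF',      [],               'logo.gif',     $gif],
];
foreach ($cases as [$label, $session, $name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-27s %-13s -> %s\n", $label, $name, respond(check_upload($session, $name, $tmp)));
    unlink($tmp);
}
```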
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From Julian.Tenney at nottingham.ac.uk Mon Mar 11 14:01:44 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 11 Mar 2013 14:01:44 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> 
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B6F@EXCHANGE1.ad.nottingham.ac.uk> Oh, yes, it broadcasts events, for various things, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:57 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No way to receive whether the upload was successful or not? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:48 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm not sure you can do much with that class, it's just a black box. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:33 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Perhaps it should just feedback error codes, and the flash class translates them... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:21 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl. 
-----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 12:45 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 9:54 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Thanks for looking at this: did you get it finished and committed? I can test it if it's in there, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 23:51 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: I haven't got flash on the laptop, but I don't recall it doing anything. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Its bizarre. 
If i modify the parameter in any way by adding x=y& > before path then the querystring is mangled > > I just assumed that the flash took the upload_path parameter (which > ends path=) and appended the path but it must be doing some strange > parsing which cant handle extra params > > I can make it work by wrapping everything in a way i can parse but i'd rather know its not going to break down the line if someone changes upload_path in management or we get an unexpected char... > > Its weird... Can't get my head around what its doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: > > > Assuming you know the fixed session if wont work? > > I think the wizard alters the URL - but might you need to URL encode the string? > > Pgogy Webstuff - > http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> > Makers of web things of a fair to middling quality > > On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > >> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange... >> >> I've changed the upload_path code to >> >> so.addVariable("upload_path", "upload.php?nonce=123456789&" + >> document.cookie + "&path="); >> >> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path=" >> >> but when the Flash Post's the URL (as viewed in the Network console) >> is munged to >> >> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=1234 >> 56789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4 >> >> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? 
I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable... >> >> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups? >> >> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5'); >> session_start(); >> >> Regards, >> >> John Smith | Learning Technologist >> Room A251, Govan Mbeki Building | School of Health & Life Sciences | >> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA >> ________________________________________ >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy >> [xerte at pgogywebstuff.com] >> Sent: 08 March 2013 17:59 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Pass session Id in as a flashvar? >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: >> >> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 14:12 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>> >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 2:05 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I commented it out because it didn't work in firefox. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:55 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> If we get pushed for time and we need to then we can just comment out >> the code I added for now. All it would do then is the session check, >> although even that check was commented out in the svn and probably >> the 1.9 release, no idea why though or by who and whether adding that >> back in will be causing an issue? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:47 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I'm not sure I'm close enough to the detail to recommend a way >> forward here, so happy to go with a recommendation, but would like to >> see it all implemented at once in the svn so we're not in a position >> where exporting the svn creates an install that won't upload >> anything?
>> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:26 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? >> >> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). >> >> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:13 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: 07 March 2013 17:14 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly? >> >> I agree preventing php is a good thing, but I think the problem is >> not knowing what types are acceptable is a real curveball >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi Pat, >> >> I didn't copy your regexp or your select list directly but translated >> the select code into a comma separated list so that it can be moved >> elsewhere if required? >> >> I noticed the list in the sitedetails table but it is of Mime Types. >> I think it would be best practice to use extensions, content headers, >> mimetypes and any other method available to whitelist the allowable >> files but I think that might take a bit more work? >> >> I think it is leaving a load of sites out there very vulnerable so we >> should try to find a good way to shore this up before the next >> release. What do you think?
I'll have a go at adding in some code to >> deal with content headers and mimetypes >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ >> Pgogy >> Sent: Thursday, March 07, 2013 2:54 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hello, >> >> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem). >> >> My reg exp is a bit flaky as well, if you copied that over. >> >> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list. >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: >> Hi, >> >> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins. >> >> Can someone test this and advise if there are any other media types that we want/need to allow? >> >> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
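Added example, not part of the original thread and not Xerte's upload.php: a PHP illustration of the check order discussed above (session first, then an extension allowlist read from a comma-separated setting, then a MIME type accepted for that extension), with only a generic "failed" returned to the client. The function names, the `user_id` session key and the extension and MIME lists are assumptions.

```php
<?php
// Added example; every name here is hypothetical and none of it is Xerte code.

// Assumed site-wide setting: comma-separated extensions (constructed sample value).
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, mp3, pdf';

// Assumed map of the MIME types accepted for each allowed extension.
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload passes, otherwise a reason code intended
 * for the server log only. In a real handler $session would be $_SESSION
 * and $tmpPath the upload's tmp_name, confirmed with is_uploaded_file().
 */
function check_upload(array $session, string $clientName, string $tmpPath): ?string
{
    // 1. Session check first: an anonymous request stops here.
    if (empty($session['user_id'])) {            // 'user_id' is a hypothetical key
        return 'no-session';
    }

    // 2. Extension allowlist on the final extension, case-insensitive.
    $allowed = array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS)));
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return 'extension';
    }

    // 3. Sniff the content: the detected type must be one accepted for that
    //    extension, so a script renamed to .gif is still refused.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_BY_EXTENSION[$ext] ?? [], true)) {
        return 'mime';
    }
    return null;
}

/** Log the real reason server-side; the client only ever sees ok or failed. */
function client_response(?string $reason, string $clientName): string
{
    if ($reason === null) {
        return 'ok';
    }
    // Strip anything that could break the log line before recording the name.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName));
    error_log("upload refused ($reason): $safeName");
    return 'failed';
}

// Constructed sample inputs, written to temporary files so this runs from the CLI.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'constructed sample';\n");

$loggedIn = ['user_id' => 42];
$cases = [
    [[],        'picture.gif', $gif],     // no session
    [$loggedIn, 'blah.php',    $script],  // extension not on the list
    [$loggedIn, 'picture.gif', $script],  // allowed extension, script content
    [$loggedIn, 'picture.gif', $gif],     // allowed extension, matching content
];
foreach ($cases as [$session, $name, $path]) {
    echo str_pad($name, 14), client_response(check_upload($session, $name, $path), $name), "\n";
}
unlink($gif);
unlink($script);
```

The reason codes go to the PHP error log, which keeps the detail available to administrators while the uploader receives the same response for every refusal.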
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 14:06:24 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 11 Mar 2013 14:06:24 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B6F@EXCHANGE1.ad.nottingham.ac.uk> References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
<12C67A1EEC419342AF5E59DA31562C3F0C4DB69B6F@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B78@EXCHANGE1.ad.nottingham.ac.uk> It looks like it works well. I guess what your recent messages are alluding to is getting some sort of error to the flash user if their file didn't upload? I get an error if I upload blah.php from media and quota, but if I upload it from flash, it appears to upload - but doesn't, and I'm not told that. So, the file object thing could put an error up? I don't think we'd need to do anything other than handle the event? -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 14:02 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Oh, yes, it broadcasts events, for various things, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:57 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No way to receive whether the upload was successful or not? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:48 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm not sure you can do much with that class, it's just a black box.
-----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:33 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Perhaps it should just feedback error codes, and the flash class translates them... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:21 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 12:45 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 9:54 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Thanks for looking at this: did you get it finished and committed? 
I can test it if it's in there, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 08 March 2013 23:51 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: I haven't got flash on the laptop, but I don't recall it doing anything. Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Its bizarre. If i modify the parameter in any way by adding x=y& > before path then the querystring is mangled > > I just assumed that the flash took the upload_path parameter (which > ends path=) and appended the path but it must be doing some strange > parsing which cant handle extra params > > I can make it work by wrapping everything in a way i can parse but i'd rather know its not going to break down the line if someone changes upload_path in management or we get an unexpected char... > > Its weird... Can't get my head around what its doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: > > > Assuming you know the fixed session if wont work? > > I think the wizard alters the URL - but might you need to URL encode the string? 
> > Pgogy Webstuff - > http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> > Makers of web things of a fair to middling quality > > On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > >> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange... >> >> I've changed the upload_path code to >> >> so.addVariable("upload_path", "upload.php?nonce=123456789&" + >> document.cookie + "&path="); >> >> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path=" >> >> but when the Flash Post's the URL (as viewed in the Network console) >> is munged to >> >> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=1234 >> 56789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4 >> >> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable... >> >> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups? 
>> >> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5'); >> session_start(); >> >> Regards, >> >> John Smith | Learning Technologist >> Room A251, Govan Mbeki Building | School of Health & Life Sciences | >> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA >> ________________________________________ >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy >> [xerte at pgogywebstuff.com] >> Sent: 08 March 2013 17:59 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Pass session Id in as a flashvar? >> >> Pgogy Webstuff - >> http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> >> Makers of web things of a fair to middling quality >> >> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: >> >> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 14:12 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>> >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 2:05 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I commented it out because it didn't work in firefox. >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:55 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> If we get pushed for time and we need to then we can just comment out >> the code I added for now. All it would do then is the session check, >> although even that check was commented out in the svn and probably >> the 1.9 release, no idea why though or by who and whether adding that >> back in will be causing an issue? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:47 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I'm not sure I'm close enough to the detail to recommend a way >> forward here, so happy to go with a recommendation, but would like to >> see it all implemented at once in the svn so we're not in a position >> where exporting the svn creates an install that won't upload >> anything?
>> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 08 March 2013 13:26 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too? >> >> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension). >> >> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ? should it just be ?failed? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lis >> ts.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian >> Tenney >> Sent: Friday, March 08, 2013 1:13 PM >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think?
>> I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From J.J.Smith at gcu.ac.uk Mon Mar 11 14:19:42 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 14:19:42 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
<12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 14:27:29 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 14:27:29 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk>

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now.
>> All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed ?
>> should it just be "failed"
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
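
The three checks John Smith lists in the thread above (session, extension whitelist, MIME type allowed for that extension), with the rejection detail kept in the server log and one generic answer returned to the client, sketched as an added PHP example that is not part of the original messages and is not Xerte's upload.php. The session key `user_id`, the whitelist contents, the extension-to-MIME map and all function names are assumptions; it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not Xerte's upload.php. The session key, whitelist contents,
// extension-to-MIME map and function names are assumptions for illustration.

// Comma-separated whitelist, as a site-wide setting might store it (constructed).
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, pdf';

// MIME types accepted for each whitelisted extension (constructed, not complete).
const MIME_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload passes all checks, otherwise a reason string
 * meant for the server log only.
 */
function upload_rejection_reason(array $session, array $file): ?string
{
    // 1. Session: only an authenticated user may upload ('user_id' is hypothetical).
    if (empty($session['user_id'])) {
        return 'no authenticated session';
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    }

    // 2. Extension: compare the final extension, lower-cased, with the whitelist.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    $allowed = array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS)));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return "extension '$ext' is not whitelisted";
    }

    // 3. MIME type: sniff the stored bytes; the client-supplied type is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, MIME_FOR_EXTENSION[$ext] ?? [], true)) {
        return "content type '$mime' is not allowed for .$ext";
    }
    return null;
}

/**
 * Stores an accepted upload. The client only ever sees 'ok' or 'failed';
 * the reason for a rejection goes to the server log.
 */
function handle_upload(array $session, array $file, string $targetDir): string
{
    $reason = upload_rejection_reason($session, $file);
    if ($reason === null) {
        $dest = rtrim($targetDir, '/') . '/' . basename($file['name']);
        if (move_uploaded_file($file['tmp_name'], $dest)) {
            return 'ok';
        }
        $reason = 'could not move file into place';
    }
    error_log('upload rejected: ' . $reason);
    return 'failed';
}

// --- Constructed demonstration for the command line ---
// Writes sample bytes to a temp file and shapes them like one $_FILES entry.
function sample_upload(string $name, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
}

if (PHP_SAPI === 'cli') {
    $loggedIn = ['user_id' => 42];                    // constructed session
    $gifBytes = 'GIF89a' . str_repeat("\0", 32);      // constructed GIF header
    $phpBytes = '<?php echo "hello"; ?>';             // constructed script body
    $cases = [
        [$loggedIn, sample_upload('diagram.gif', $gifBytes)], // passes all checks
        [$loggedIn, sample_upload('page.php', $phpBytes)],    // fails check 2
        [$loggedIn, sample_upload('page.gif', $phpBytes)],    // fails check 3
        [[],        sample_upload('diagram.gif', $gifBytes)], // fails check 1
    ];
    foreach ($cases as [$session, $file]) {
        $reason = upload_rejection_reason($session, $file);
        printf("%-12s %s\n", $file['name'], $reason ?? 'accepted');
        unlink($file['tmp_name']);
    }
}
```

The command-line part exercises only `upload_rejection_reason()`, because `move_uploaded_file()` refuses files that did not arrive through an HTTP upload.
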
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 14:32:16 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 14:32:16 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feed back error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed?
I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session it won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash posts the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think?
>> I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
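The checks discussed in the thread above (a session check that really stops the request, an extension whitelist read from a comma-separated setting, a MIME type allowed for that extension, and a response that gives no reason), as an added PHP example that is not Xerte's upload.php or any list member's patch. The session key `user_id`, the `Filedata` field name, the whitelist value, the MIME map and the media directory are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. The session key, form field name,
// whitelist value, MIME map and media directory are assumptions.

const REASON_OK            = 0;
const REASON_NO_SESSION    = 1;
const REASON_UPLOAD_ERROR  = 2;
const REASON_BAD_EXTENSION = 3;
const REASON_BAD_MIME      = 4;

// Constructed map: extension => MIME types acceptable for that extension.
const MIME_MAP = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'], 'png' => ['image/png'],
    'gif' => ['image/gif'],  'mp3'  => ['audio/mpeg'], 'pdf' => ['application/pdf'],
];

/** Turn the comma-separated site setting into a clean, lowercase list. */
function parse_extension_whitelist(string $csv): array
{
    $out = [];
    foreach (explode(',', $csv) as $item) {
        $ext = strtolower(trim($item, " \t\r\n."));
        if ($ext !== '') {
            $out[] = $ext;
        }
    }
    return array_values(array_unique($out));
}

/** MIME type sniffed from the file content (not the client's claim), or null. */
function sniff_mime(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? null : $mime;
}

/**
 * Decide whether an upload is acceptable; returns [reason, extension].
 * $mimeOf is injected so the decision can be exercised without real files.
 */
function check_upload(array $session, array $file, array $whitelist, array $mimeMap, callable $mimeOf): array
{
    if (empty($session['user_id'])) {            // hypothetical session key
        return [REASON_NO_SESSION, null];
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [REASON_UPLOAD_ERROR, null];
    }
    // Only the final extension counts; the stored name is rebuilt from it below.
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $whitelist, true) || !isset($mimeMap[$ext])) {
        return [REASON_BAD_EXTENSION, null];
    }
    $mime = $mimeOf((string) ($file['tmp_name'] ?? ''));
    if ($mime === null || !in_array($mime, $mimeMap[$ext], true)) {
        return [REASON_BAD_MIME, null];
    }
    return [REASON_OK, $ext];
}

/** Web entry point: the reason goes to the server log, the client only sees "failed". */
function handle_upload(string $mediaDir, string $whitelistSetting): void
{
    session_start();
    $file = $_FILES['Filedata'] ?? [];           // hypothetical form field name
    $allowed = parse_extension_whitelist($whitelistSetting);
    [$reason, $ext] = check_upload($_SESSION, $file, $allowed, MIME_MAP, 'sniff_mime');
    if ($reason === REASON_OK) {
        // Server-chosen name: nothing from the client's file name reaches the disk.
        $target = rtrim($mediaDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (move_uploaded_file($file['tmp_name'], $target)) {
            echo 'ok';
            return;
        }
        $reason = REASON_UPLOAD_ERROR;
    }
    error_log('upload rejected, reason=' . $reason);
    // A non-2xx status separates rejection from a completed upload without saying why.
    http_response_code($reason === REASON_NO_SESSION ? 403 : 400);
    exit('failed');
}

if (PHP_SAPI === 'cli') {
    // Constructed cases for the decision logic; run with the PHP command-line binary.
    $allowed = parse_extension_whitelist(' JPG, .png ,gif,,pdf ');
    $asPhp   = function ($path) { return 'text/x-php'; };
    $asJpeg  = function ($path) { return 'image/jpeg'; };
    $user    = ['user_id' => 7];
    $cases   = [
        'no session'           => [[],    'photo.jpg',      $asJpeg],
        'php script'           => [$user, 'script.php',     $asPhp],
        'script renamed .jpg'  => [$user, 'script.jpg',     $asPhp],
        'double extension'     => [$user, 'script.php.jpg', $asPhp],
        'genuine jpeg'         => [$user, 'photo.JPG',      $asJpeg],
    ];
    foreach ($cases as $label => [$session, $name, $mimeOf]) {
        $file = ['name' => $name, 'tmp_name' => '/nonexistent', 'error' => UPLOAD_ERR_OK];
        [$reason] = check_upload($session, $file, $allowed, MIME_MAP, $mimeOf);
        printf("%-20s reason=%d\n", $label, $reason);
    }
} else {
    handle_upload(__DIR__ . '/media', 'jpg,jpeg,png,gif,mp3,pdf');
}
```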
From J.J.Smith at gcu.ac.uk Mon Mar 11 15:18:43 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 15:18:43 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D52F@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work...
I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feed back error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird...
> Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session it won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash posts the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on XAMPP - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why... maybe config isn't being included properly... sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything...
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable... would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required...
>>
>> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work...
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think?
>> I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>> _______________________________________________
>> Xerte-dev mailing list
>> Xerte-dev at lists.nottingham.ac.uk
>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
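The checks this thread converges on for upload.php (a session check, an extension list held in a comma separated setting, a MIME type matched against the extension, and a bare "failed" back to the client with the reason kept in the server log), shown as an added example that is not Xerte's code. The function names, the `user_id` session key and the extension and MIME lists are assumptions, and the MIME check relies on PHP's fileinfo extension.

```php
<?php
// Added illustration; every name below is hypothetical, not Xerte's upload.php.

const UPLOAD_OK      = 0;
const ERR_NO_SESSION = 1;
const ERR_EXTENSION  = 2;
const ERR_MIME       = 3;

// Assumed global setting: comma separated list of allowed extensions.
$allowedCsv = 'gif, jpg, jpeg, png, mp3';

// Assumed map of acceptable MIME types for each allowed extension.
$mimeByExt = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'mp3'  => ['audio/mpeg'],
];

/** Turn the comma separated setting into a clean lowercase list. */
function parse_allowed_extensions(string $csv): array
{
    $parts = array_map('trim', explode(',', strtolower($csv)));
    return array_values(array_filter($parts, 'strlen'));
}

/**
 * Run the three checks in order and return a numeric code.
 * $session stands in for $_SESSION, $tmpPath for $_FILES[...]['tmp_name'].
 * A real handler would call move_uploaded_file() only after UPLOAD_OK.
 */
function validate_upload(array $session, string $clientName, string $tmpPath,
                         string $allowedCsv, array $mimeByExt): int
{
    // 1. Session check: no logged-in user, no upload.
    if (empty($session['user_id'])) {          // hypothetical session key
        return ERR_NO_SESSION;
    }

    // 2. Extension allowlist, applied to the last extension of the name
    //    the client supplied ("x.php" stops here, "x.gif" continues).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, parse_allowed_extensions($allowedCsv), true)) {
        return ERR_EXTENSION;
    }

    // 3. MIME type detected from the bytes on disk must be one of the
    //    types allowed for that extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $mimeByExt[$ext] ?? [], true)) {
        return ERR_MIME;
    }

    return UPLOAD_OK;
}

/** The reason goes to the server log; the client gets one generic word. */
function client_response(int $code): string
{
    if ($code !== UPLOAD_OK) {
        error_log("upload rejected, reason code $code");
    }
    return $code === UPLOAD_OK ? 'ok' : 'failed';
}

// ---- Demo with constructed sample files (run with: php example.php) ----
function make_sample(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

$gifFile  = make_sample('GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00;");
$phpFile  = make_sample("<?php echo 'hello';");
$loggedIn = ['user_id' => 42];

$cases = [
    ['no session',           [],        'photo.gif', $gifFile],
    ['php extension',        $loggedIn, 'notes.php', $phpFile],
    ['php bytes named .gif', $loggedIn, 'photo.gif', $phpFile],
    ['gif bytes named .gif', $loggedIn, 'photo.gif', $gifFile],
];

foreach ($cases as [$label, $session, $name, $path]) {
    $code = validate_upload($session, $name, $path, $allowedCsv, $mimeByExt);
    printf("%-22s -> %s\n", $label, client_response($code));
}

unlink($gifFile);
unlink($phpFile);
```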
From J.J.Smith at gcu.ac.uk Mon Mar 11 15:41:45 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 11 Mar 2013 15:41:45 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D52F@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D52F@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D53A@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with

    var strData:String = StringUtil.trim(evt.data);

    private function init():void {
        // fileRef and urlReq are fields of the enclosing class
        fileRef = new FileReference();
        fileRef.addEventListener(Event.SELECT, fileRef_select);
        fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
        fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
        fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
        urlReq = new URLRequest();
        urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
    }

    private function fileRef_uploadCompleteData(evt:DataEvent):void {
        // evt.data is the text the server script returned for this upload
        var strData:String = StringUtil.trim(evt.data);
        var vars:URLVariables = new URLVariables(strData);
        Alert.show(vars.fileName, "fileName");
    }

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird...
> Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> Glasgow Caledonian University is a registered Scottish charity,
>> number SC021474
>>
>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>
>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
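
The checks John Smith lists in the thread above (session, extension allowlist, MIME type tied to the extension), with one generic "failed" reply and the detail kept in the server log, written out as an added PHP example. It is not Xerte's upload.php: the allowlist values, the MIME map, the `Filedata` field name and the `user_id` session key are assumptions.

```php
<?php
// Added illustration, not Xerte's upload.php. Every name here is hypothetical.

// Stand-in for the site-wide, comma-separated setting proposed in the thread
// (constructed values).
const ALLOWED_EXTENSIONS = 'jpg, jpeg, png, gif, mp3, pdf';

// MIME types accepted for each extension (constructed sample map).
const MIME_BY_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload passes every check, otherwise the reason
 * for the rejection. The reason is meant for the server log only.
 */
function upload_rejection_reason(bool $authenticated, string $clientName, string $tmpPath,
                                 string $allowedCsv, array $mimeMap): ?string
{
    // 1. Session check: no logged-in user, no upload.
    if (!$authenticated) {
        return 'no authenticated session';
    }

    // 2. Extension check against the allowlist. basename() drops any path
    //    the client put in front of the file name.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    $allowed = array_filter(array_map('trim', explode(',', strtolower($allowedCsv))));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return "extension '$ext' is not on the allowlist";
    }

    // 3. Content check: sniff the type from the bytes on disk and compare it
    //    with the types allowed for that extension. The Content-Type sent by
    //    the client is ignored because the sender controls it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $mimeMap[$ext] ?? [], true)) {
        return "content type '$mime' does not match .$ext";
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Web request. How the session id reaches the server (cookie or the
    // flashvar discussed in the thread) is outside this example.
    session_start();
    $file = $_FILES['Filedata'] ?? null;               // assumed field name
    $reason = ($file === null || $file['error'] !== UPLOAD_ERR_OK
               || !is_uploaded_file($file['tmp_name']))
        ? 'missing or failed upload'
        : upload_rejection_reason(!empty($_SESSION['user_id']),   // assumed key
                                  $file['name'], $file['tmp_name'],
                                  ALLOWED_EXTENSIONS, MIME_BY_EXTENSION);
    if ($reason !== null) {
        error_log('upload rejected: ' . $reason);      // detail stays on the server
        http_response_code(403);
        exit('failed');                                // same reply for every rejection
    }
    // Storing the accepted file is outside this example.
} else {
    // Offline run over constructed sample files.
    $samples = [
        'photo.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",  // GIF header bytes
        'script.php' => "<?php echo 'hello';",                    // PHP source, .php name
        'fake.gif'   => "<?php echo 'hello';",                    // PHP source, .gif name
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        $reason = upload_rejection_reason(true, $name, $tmp,
                                          ALLOWED_EXTENSIONS, MIME_BY_EXTENSION);
        echo $name, ': ', $reason ?? 'accepted', PHP_EOL;
        unlink($tmp);
    }
    echo 'photo.gif without a session: ',
        upload_rejection_reason(false, 'photo.gif', '',
                                ALLOWED_EXTENSIONS, MIME_BY_EXTENSION), PHP_EOL;
}
```

Run from the command line, the script exercises the three checks on the sample files; served by a web server, the same function gates the request and the client only ever sees "failed".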
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 16:08:33 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 16:08:33 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69CA7@EXCHANGE1.ad.nottingham.ac.uk>

I'll have a look at the detail later in the week, I'm running out of day now...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:32
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but i'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xammp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think? I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I've uncommented this now but does anyone know why it was commented out in the first place?
>> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
From Julian.Tenney at nottingham.ac.uk Mon Mar 11 16:18:27 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 11 Mar 2013 16:18:27 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D53A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <we1lod39nc9shi442ggfu59v.1362786650279@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69957@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D4FC@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B21@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D50B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69B51@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D513@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D51B@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BB6@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DB69BC3@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D52F@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D53A@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69CD3@EXCHANGE1.ad.nottingham.ac.uk>

There's no more detail: here's a screenshot showing the code and the relevant events to the left.
onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,

    listener.onComplete = function(file:FileReference):Void {
        Alert.show("Upload successful");
        // --etc--
    }

    listener.onHTTPError = function(file:FileReference):Void {
        Alert.show("Upload failed: HTTPError");
        // --etc--
    }

    listener.onIOError = function(file:FileReference):Void {
        Alert.show("Upload failed: IOError");
        // --etc--
    }

    listener.onSecurityError = function(file:FileReference, errorString:String):Void {
        Alert.show("Upload failed: Security Error");
        // --etc--
    }

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with

    var strData:String = StringUtil.trim(evt.data);

    private function init():void {
        fileRef = new FileReference();
        fileRef.addEventListener(Event.SELECT, fileRef_select);
        fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
        fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
        fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
        urlReq = new URLRequest();
        urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
    }

    private function fileRef_uploadCompleteData(evt:DataEvent):void {
        var strData:String = StringUtil.trim(evt.data);
        var vars:URLVariables = new URLVariables(strData);
        Alert.show(vars.fileName, "fileName");
    }

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text?
I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed? I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre.
> If I modify the parameter in any way by adding x=y& before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which ends path=) and appended the path but it must be doing some strange parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Assuming you know the fixed session if wont work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>>     so.addVariable("upload_path", "upload.php?nonce=123456789&" + document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Posts the URL (as viewed in the Network console) is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=123456789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?
>>
>>     if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>>     session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by who and whether adding that back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the svn so we're not in a position where exporting the svn creates an install that won't upload anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be 'failed'
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think?
>> I'll have a go at adding in some code to deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server.
>> I've uncommented this now but does anyone know why it was commented out in the first place?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... 
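The checks this thread converges on for upload.php, as an added example that is not Xerte's code and not from any poster here: a session check that really ends the request, a comma-separated extension allow-list, a MIME check tied to the extension, and one uninformative failure response. The session key `user_id`, the `Filedata` field name, the allow-list contents and the MIME map are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. The session key, form field name,
// allow-list contents and extension-to-MIME map are assumptions.

// Global setting in the form proposed in the thread: comma-separated extensions.
const ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,mp3';

// MIME types accepted for each extension (constructed for this example).
const MIME_FOR_EXTENSION = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

// Record the reason server-side only; the client never sees it.
function reject(string $reason): bool
{
    error_log('upload rejected: ' . $reason);
    return false;
}

// True only if the session, the extension and the sniffed content all pass.
function upload_is_acceptable(array $session, string $clientName, string $tmpPath): bool
{
    // 1. Session check. It has to end the request on failure; a check whose
    //    exit() is commented out protects nothing.
    if (empty($session['user_id'])) {   // 'user_id' is a hypothetical key
        return reject('no authenticated session');
    }

    // 2. Extension allow-list, taken from the last extension of the base name.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    $allowed = array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS)));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return reject("extension '$ext' is not on the allow-list");
    }

    // 3. MIME check tied to the extension. The type is sniffed from the file
    //    bytes; the Content-Type sent by the client is never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, MIME_FOR_EXTENSION[$ext] ?? [], true)) {
        return reject("content type '$mime' does not match .$ext");
    }
    return true;
}

// Request handler: one uninformative answer for every failure.
function handle_upload(): void
{
    session_start();
    $file = $_FILES['Filedata'] ?? null;   // field name is an assumption
    if ($file === null
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || !upload_is_acceptable($_SESSION, $file['name'], $file['tmp_name'])) {
        http_response_code(403);           // non-2xx so the client can tell it failed
        exit('failed');
    }
    // move_uploaded_file() to a server-chosen destination would follow here.
    echo 'ok';
}

if (PHP_SAPI !== 'cli') {
    handle_upload();
    exit;
}

// Command-line demonstration on constructed files.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");   // minimal GIF
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'constructed sample'; ?>\n");

$user = ['user_id' => 42];
var_dump(upload_is_acceptable([], 'photo.gif', $gif));       // no session
var_dump(upload_is_acceptable($user, 'page.php', $php));     // extension not listed
var_dump(upload_is_acceptable($user, 'photo.gif', $php));    // PHP source renamed to .gif
var_dump(upload_is_acceptable($user, 'photo.gif', $gif));    // real GIF, valid session
unlink($gif);
unlink($php);
```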
From ronm at mitchellmedia.co.uk Tue Mar 12 19:02:32 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Tue, 12 Mar 2013 19:02:32 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DB69CD3@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <004e01ce1f54$27ac4bc0$7704e340$@co.uk>

Hi sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,

listener.onComplete = function(file:FileReference):Void {
    Alert.show("Upload successful");
    --etc--
}
listener.onHTTPError = function(file:FileReference):Void {
    Alert.show("Upload failed: HTTPError");
    --etc--
}
listener.onIOError = function(file:FileReference):Void {
    Alert.show("Upload failed: IOError");
    --etc--
}
listener.onSecurityError = function(file:FileReference, errorString:String):Void {
    Alert.show("Upload failed: Security Error");
    --etc--
}

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);

private function init():void {
    fileRef = new FileReference();
    fileRef.addEventListener(Event.SELECT, fileRef_select);
    fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
    fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
    fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
    urlReq = new URLRequest();
    urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
}

private function fileRef_uploadCompleteData(evt:DataEvent):void {
    var strData:String = StringUtil.trim(evt.data);
    var vars:URLVariables = new URLVariables(strData);
    Alert.show(vars.fileName, "fileName");
}

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 9:54 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks for looking at this: did you get it finished and committed?
I can test it if it's in there,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 08 March 2013 23:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Forget it I've figured it out and got it working... Only now with the code commented out firefox is sending session from Flash... Need to get some sleep. Anyway cheers for listening to my rants...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

I haven't got flash on the laptop, but I don't recall it doing anything.

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 8 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> It's bizarre. If I modify the parameter in any way by adding x=y&
> before path then the querystring is mangled
>
> I just assumed that the flash took the upload_path parameter (which
> ends path=) and appended the path but it must be doing some strange
> parsing which can't handle extra params
>
> I can make it work by wrapping everything in a way I can parse but I'd rather know it's not going to break down the line if someone changes upload_path in management or we get an unexpected char...
>
> It's weird... Can't get my head around what it's doing - maybe Julian is best placed to know, short of my downloading a Flash trial and sifting through the actionscript...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Assuming you know the fixed session if won't work?
>
> I think the wizard alters the URL - but might you need to URL encode the string?
>
> Pgogy Webstuff -
> http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 8 Mar 2013, at 19:47, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> So... I have session working in Firefox too, with a hardcoded value in update.php... but... trying to pass in session id is acting a bit strange...
>>
>> I've changed the upload_path code to
>>
>> so.addVariable("upload_path", "upload.php?nonce=123456789&" +
>> document.cookie + "&path=");
>>
>> which results in upload_path being set to "upload.php?nonce=123456789&PHPSESSID=5ib4fqev4foikttj4hfogsivr5&path="
>>
>> but when the Flash Post's the URL (as viewed in the Network console)
>> is munged to
>>
>> http://localhost/XOT_TRUNK/modules/xerte/engine/upload.php?nonce=1234
>> 56789USER-FILES/2-guest2-Nottingham/media/&kvv8f9ri086mg8nq9hfa66fdg4
>>
>> and you can't access $_GET['path'] any more... is the Flash file parsing the upload_path variable?? I can get it working by wrapping it in characters and string parsing but I'd rather use $_GET['PHPSESSID'] directly... I know I don't need the nonce anymore, it's just in there to add another variable...
>>
>> Any clues what's destroying the URL?? This seems to be solving the problems in Firefox by the way, on xampp - any reason why it wouldn't work on other server setups?
>>
>> if (session_id() == '') session_id('5ib4fqev4foikttj4hfogsivr5');
>> session_start();
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> [xerte at pgogywebstuff.com]
>> Sent: 08 March 2013 17:59
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Pass session Id in as a flashvar?
>>
>> Pgogy Webstuff -
>> http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 8 Mar 2013, at 14:14, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> It's because upload.php is being hit from flash, which isn't passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up in the end.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 14:12
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Ok I'll look at that and see why? maybe config isn't being included properly? sessions work elsewhere in Firefox so why not here?
>>
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 2:05 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I commented it out because it didn't work in firefox.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:55
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If we get pushed for time and we need to then we can just comment out
>> the code I added for now. All it would do then is the session check,
>> although even that check was commented out in the svn and probably
>> the 1.9 release, no idea why though or by who and whether adding that
>> back in will be causing an issue?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:47 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure I'm close enough to the detail to recommend a way
>> forward here, so happy to go with a recommendation, but would like to
>> see it all implemented at once in the svn so we're not in a position
>> where exporting the svn creates an install that won't upload
>> anything?
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 08 March 2013 13:26
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model fully usable? would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?
>>
>> Well I'll work on the basis that I'll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).
>>
>> One more question, do the error messages (before exit(); ) get fed back to the flash?
Should we even include them then as they give a hacker some hint as to why an exploit failed - should it just be "failed"
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Friday, March 08, 2013 1:13 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: 07 March 2013 17:14
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?
>>
>> I agree preventing php is a good thing, but I think the problem is
>> not knowing what types are acceptable is a real curveball
>>
>> Pgogy Webstuff -
>> http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi Pat,
>>
>> I didn't copy your regexp or your select list directly but translated
>> the select code into a comma separated list so that it can be moved
>> elsewhere if required?
>>
>> I noticed the list in the sitedetails table but it is of Mime Types.
>> I think it would be best practice to use extensions, content headers,
>> mimetypes and any other method available to whitelist the allowable
>> files but I think that might take a bit more work?
>>
>> I think it is leaving a load of sites out there very vulnerable so we
>> should try to find a good way to shore this up before the next
>> release. What do you think?
I'll have a go at adding in some code to
>> deal with content headers and mimetypes
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
>> Sent: Thursday, March 07, 2013 2:54 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hello,
>>
>> I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).
>>
>> My reg exp is a bit flaky as well, if you copied that over.
>>
>> There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.
>>
>> Pgogy Webstuff -
>> http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>> Hi,
>>
>> I've just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I've added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.
>>
>> Can someone test this and advise if there are any other media types that we want/need to allow?
>>
>> There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server.
I?ve uncommented this now but does anyone know why it was commented out in the first place? >> >> Regards, >> >> John Smith >> Learning Technologist >> School of Health & Life Sciences >> Glasgow Caledonian University >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> <mailto:Xerte-dev at lists.nottingham.ac.uk%3cmailto:Xerte-dev at lists.nottingham.ac> Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac >> .uk> <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130312/d8e51e93/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Tue Mar 12 19:56:02 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Tue, 12 Mar 2013 19:56:02 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com>

Hi Ron

Do you know if this is using Firefox or one of the other browsers?
I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...

I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi

sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload.

Any ideas?

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.

I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,

    listener.onComplete = function(file:FileReference):Void {
        Alert.show("Upload successful");
        --etc--
    }

    listener.onHTTPError = function(file:FileReference):Void {
        Alert.show("Upload failed: HTTPError");
        --etc--
    }

    listener.onIOError = function(file:FileReference):Void {
        Alert.show("Upload failed: IOError");
        --etc--
    }

    listener.onSecurityError = function(file:FileReference, errorString:String):Void {
        Alert.show("Upload failed: Security Error");
        --etc--
    }

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Are you using FileReference class?

This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);

    private function init():void {
        fileRef = new FileReference();
        fileRef.addEventListener(Event.SELECT, fileRef_select);
        fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
        fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
        fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
        urlReq = new URLRequest();
        urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
    }

    private function fileRef_uploadCompleteData(evt:DataEvent):void {
        var strData:String = StringUtil.trim(evt.data);
        var vars:URLVariables = new URLVariables(strData);
        Alert.show(vars.fileName, "fileName");
    }

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...

At least the session bit seems to work...

I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try...

Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
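The server-side checks discussed in this thread (a session check that really stops the request, an extension whitelist, type detection from the file's content, and numeric result codes instead of descriptive text), as an added example that is not Xerte's upload.php and not code from any poster. The function names, code values, session key, target directory and allowed list are assumptions; 'Filedata' is the default field name used by Flash's FileReference.upload().

```php
<?php
// Added example, not Xerte's upload.php. Needs PHP 7.1+ with the fileinfo
// extension. Function names, result codes, the session key and the allowed
// list are assumptions made for this illustration.

const UP_OK         = 0; // file stored
const UP_NO_SESSION = 1; // caller is not logged in
const UP_TRANSFER   = 2; // PHP did not receive this file as an HTTP upload
const UP_EXTENSION  = 3; // extension is not on the whitelist
const UP_MIME       = 4; // content does not match the extension
const UP_STORE      = 5; // file could not be moved into place

// Extension => MIME types accepted for it (constructed list; the thread
// notes that no agreed list of media types exists).
const ALLOWED = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png' => ['image/png'],  'gif'  => ['image/gif'],
    'mp3' => ['audio/mpeg'], 'mp4'  => ['video/mp4'],
];

// HTTP status sent with each code. A rejected upload must not answer 200,
// otherwise the client cannot tell it from a stored one.
const HTTP_STATUS = [
    UP_OK => 200, UP_NO_SESSION => 403, UP_TRANSFER => 400,
    UP_EXTENSION => 415, UP_MIME => 415, UP_STORE => 500,
];

/** Check the client-supplied name against the bytes actually received. */
function check_file(string $clientName, string $path): int
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return UP_EXTENSION;
    }
    // Detect the type from the content. $_FILES[...]['type'] is supplied by
    // the client and proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return UP_MIME;
    }
    return UP_OK;
}

/** Whole request: session, transfer, type checks, then storage. */
function handle_upload(array $session, array $file, string $dir): int
{
    if (empty($session['user_id'])) {   // assumed session key
        return UP_NO_SESSION;           // return early: nothing below runs
    }
    // Accept only a file PHP itself received in this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return UP_TRANSFER;
    }
    $code = check_file($file['name'] ?? '', $file['tmp_name']);
    if ($code !== UP_OK) {
        return $code;
    }
    // Store under a server-chosen name that keeps only the validated
    // extension, so the client's file name never reaches the disk.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? UP_OK : UP_STORE;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point. The body is the bare code, with no explanation.
    session_start();
    $code = handle_upload($_SESSION, $_FILES['Filedata'] ?? [], __DIR__ . '/media');
    http_response_code(HTTP_STATUS[$code]);
    echo $code;
    exit;
}

// Command-line demo on constructed samples: the name as a client would send
// it, and the bytes received. $gif is a 1x1 GIF image.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
     . "\x02\x02D\x01\x00;";
$samples = [
    ['dot.gif',   $gif],
    ['notes.php', "<?php echo 'hello';\n"],
    ['photo.jpg', "<?php echo 'hello';\n"], // allowed name, script content
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-12s => code %d\n", $name, check_file($name, $tmp));
    unlink($tmp);
}
// A request without a session is refused before the file is looked at.
printf("%-12s => code %d\n", 'no session', handle_upload([], [], sys_get_temp_dir()));
```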
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html From ronm at mitchellmedia.co.uk Tue Mar 12 20:17:13 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Tue, 12 Mar 2013 20:17:13 -0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com> References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com> Message-ID: <006001ce1f5e$964208e0$c2c61aa0$@co.uk> Hi John Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... I'm almost hesitant to mention this... I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. Cheers Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 12 March 2013 19:56 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Ron Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... 
I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 16:18 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. 
I've added some alerts for now so you can see what gets tripped, we can take these out later, and I?ve commited the wizard with these in , listener.onComplete = function(file:FileReference):Void { Alert.show("Upload successful"); --etc-- } listener.onHTTPError = function(file:FileReference):Void { Alert.show("Upload failed: HTTPError"); --etc-- } listener.onIOError = function(file:FileReference):Void { Alert.show("Upload failed: IOError"); --etc-- } listener.onSecurityError = function(file:FileReference, errorString:String):Void { Alert.show("Upload failed: Security Error"); --etc-- } -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 15:42 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data); private function init():void { fileRef = new FileReference(); fileRef.addEventListener(Event.SELECT, fileRef_select); fileRef.addEventListener(Event.COMPLETE, fileRef_complete); fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError); fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData); urlReq = new URLRequest(); urlReq.url = "http://localhost:8300/fileref/uploader.cfm"; } private function fileRef_uploadCompleteData(evt:DataEvent):void { var strData:String = StringUtil.trim(evt.data); var vars:URLVariables = new URLVariables(strData); Alert.show(vars.fileName, "fileName"); } Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at 
lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Monday, March 11, 2013 3:19 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 2:32 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If I try and upload php files, onComplete still fires... -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 14:27 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hold on, I'll see if I can get the events to trip, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 14:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yeah, it?s the Flash end... 
didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Monday, March 11, 2013 1:57 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No way to receive whether the upload was successful or not? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:48 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm not sure you can do much with that class, it's just a black box. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:33 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Perhaps it should just feedback error codes, and the flash class translates them... 
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From ronm at mitchellmedia.co.uk Tue Mar 12 20:31:45 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Tue, 12 Mar 2013 20:31:45 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <006001ce1f5e$964208e0$c2c61aa0$@co.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com> <006001ce1f5e$964208e0$c2c61aa0$@co.uk>
Message-ID: <006101ce1f60$9f6b3d90$de41b8b0$@co.uk>

Hi John

I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication. So I guess this is either session related or a js clash? Have you added any session start code that's perhaps killing the Moodle session?

You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.

I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.

Cheers
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 12 March 2013 20:17
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi John

Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... I'm almost hesitant to mention this...
I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related.

I'm only online until about 9pm tonight but will test further and again in the morning.

Cheers
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 19:56
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Ron

Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...

Regards
John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work.
Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload.

Any ideas?

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,

    listener.onComplete = function(file:FileReference):Void {
        Alert.show("Upload successful");
        --etc--
    }

    listener.onHTTPError = function(file:FileReference):Void {
        Alert.show("Upload failed: HTTPError");
        --etc--
    }

    listener.onIOError = function(file:FileReference):Void {
        Alert.show("Upload failed: IOError");
        --etc--
    }

    listener.onSecurityError = function(file:FileReference, errorString:String):Void {
        Alert.show("Upload failed: Security Error");
        --etc--
    }

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with

    var strData:String = StringUtil.trim(evt.data);

    private function init():void {
        fileRef = new FileReference();
        fileRef.addEventListener(Event.SELECT, fileRef_select);
        fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
        fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
        // Dispatched once the server's response to the upload has been received
        fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
        urlReq = new URLRequest();
        urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
    }

    private function fileRef_uploadCompleteData(evt:DataEvent):void {
        // evt.data is the raw text returned by the upload script
        var strData:String = StringUtil.trim(evt.data);
        // Parse it as URL-encoded name=value pairs
        var vars:URLVariables = new URLVariables(strData);
        Alert.show(vars.fileName, "fileName");
    }

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From J.J.Smith at gcu.ac.uk Tue Mar 12 21:03:58 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Tue, 12 Mar 2013 21:03:58 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <006001ce1f5e$964208e0$c2c61aa0$@co.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com>, <006001ce1f5e$964208e0$c2c61aa0$@co.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EF84759@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Thanks Ron, I've now reverted my test setup (Xampp) back to R708, before I added the plugins related code and it's still not working now... the upload.php file is as it was too, ie no session check and yet it still won't upload anything above about 4Mb in a page model... Needs further investigation, but it seems not related to the changes to upload.php... incidentally the Media and quota section won't allow me to upload .mp4 files... I thought they would be ok there but I get Invalid file type...
Regards,
John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
Cowcaddens Road | Glasgow | G4 0BA

From J.J.Smith at gcu.ac.uk Tue Mar 12 21:20:57 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Tue, 12 Mar 2013 21:20:57 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <006101ce1f60$9f6b3d90$de41b8b0$@co.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com> <006001ce1f5e$964208e0$c2c61aa0$@co.uk>, <006101ce1f60$9f6b3d90$de41b8b0$@co.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EF8475B@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Ron,

Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though we had almost cracked it...
Regards, John Smith | Learning Technologist Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA ________________________________________ From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk] Sent: 12 March 2013 20:31 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi John I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. So I guess this is either session related or a js clash? Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. Cheers Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: 12 March 2013 20:17 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi John Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... I'm almost hesitant to mention this... I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. 
I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. Cheers Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 12 March 2013 19:56 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Ron Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? 
Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 16:18 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. I've added some alerts for now so you can see what gets tripped, we can take these out later, and I?ve commited the wizard with these in , listener.onComplete = function(file:FileReference):Void { Alert.show("Upload successful"); --etc-- } listener.onHTTPError = function(file:FileReference):Void { Alert.show("Upload failed: HTTPError"); --etc-- } listener.onIOError = function(file:FileReference):Void { Alert.show("Upload failed: IOError"); --etc-- } listener.onSecurityError = function(file:FileReference, errorString:String):Void { Alert.show("Upload failed: Security Error"); --etc-- } -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 15:42 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Are you using FileReference class? 
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data); private function init():void { fileRef = new FileReference(); fileRef.addEventListener(Event.SELECT, fileRef_select); fileRef.addEventListener(Event.COMPLETE, fileRef_complete); fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError); fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData); urlReq = new URLRequest(); urlReq.url = "http://localhost:8300/fileref/uploader.cfm"; } private function fileRef_uploadCompleteData(evt:DataEvent):void { var strData:String = StringUtil.trim(evt.data); var vars:URLVariables = new URLVariables(strData); Alert.show(vars.fileName, "fileName"); } Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Monday, March 11, 2013 3:19 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... 

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If I try and upload php files, onComplete still fires...

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hold on, I'll see if I can get the events to trip,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No way to receive whether the upload was successful or not?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm not sure you can do much with that class, it's just a black box.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Perhaps it should just feedback error codes, and the flash class translates them...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text?
I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From ronm at mitchellmedia.co.uk Wed Mar 13 09:24:51 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Wed, 13 Mar 2013 09:24:51 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EF84759@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com>, <006001ce1f5e$964208e0$c2c61aa0$@co.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EF84759@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <008501ce1fcc$9e90c400$dbb24c00$@co.uk>

Hi John
forgive stating the obvious but did you close all browser windows after reverting back?

On both my install with static authentication and the techdis xot install using Moodle authentication uploading .mp4 (and image formats etc) via media and quota works fine.

But as we know the techdis xot install using moodle authentication and the latest code doesn't upload via page types.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 21:04
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks Ron,

I've now reverted my test setup (Xampp) back to R708, before I added the plugins related code and it's still not working now... the upload.php file is as it was too, ie no session check and yet it still won't upload anything above about 4Mb in a page model...

Needs further investigation, but it seems not related to the changes to upload.php... incidentally the Media and quota section won't allow me to upload .mp4 files... I thought they would be ok there but I get Invalid file type...

Regards,

John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
Cowcaddens Road | Glasgow | G4 0BA
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
Sent: 12 March 2013 20:17
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi John
Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...

I'm almost hesitant to mention this...

I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.

Cheers
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 19:56
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Ron

Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...

I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi
sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.

This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.

This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
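
In the thread quoted above, Julian reports that onComplete still fires when a .php file is sent, and John suggests feeding back codes rather than text. The following is an added example, not Xerte's upload.php and not code from anyone in this thread: a server-side check that answers with an HTTP status and no explanatory body, on the assumption that a non-2xx response is what trips the Flash listener's onHTTPError handler. The function names, the whitelist and the session flag are hypothetical.

```php
<?php
// Added example; not Xerte's upload.php. All names here are hypothetical.

// Whitelist: permitted extension => MIME types the file content may sniff as.
const ALLOWED_TYPES = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'mp4' => ['video/mp4'],
];

/**
 * Decide the HTTP status for one upload.
 *   $loggedIn  whether the request carries an authenticated session
 *   $name      file name as sent by the client (untrusted)
 *   $tmpPath   where PHP stored the uploaded bytes
 * Returns 200 to accept, or a 4xx status to reject.
 */
function upload_status(bool $loggedIn, string $name, string $tmpPath): int
{
    if (!$loggedIn) {
        return 403; // no authenticated session
    }
    // Only the final extension counts; basename() drops any path components.
    $ext = strtolower(pathinfo(basename($name), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return 415; // extension is not on the whitelist (.php and anything else unlisted)
    }
    // Sniff the bytes themselves; the Content-Type sent by the client is not consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return 415; // content does not match the claimed extension
    }
    return 200;
}

/** Send only the status: no text that explains why a file was refused. */
function respond(int $status): void
{
    http_response_code($status);
}

// In a handler the call would look like this. The session key is a placeholder,
// and 'Filedata' is assumed to be the field name the Flash uploader posts:
//   respond(upload_status(isset($_SESSION['PLACEHOLDER_USER_KEY']),
//                         $_FILES['Filedata']['name'],
//                         $_FILES['Filedata']['tmp_name']));

/** Write constructed sample bytes to a temporary file and return its path. */
function sample_file(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a PNG signature with an IHDR chunk for a 1x1 image
    // (enough for type sniffing), and a short PHP script.
    $png = sample_file("\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
        . pack('NNC5', 1, 1, 8, 6, 0, 0, 0));
    $php = sample_file("<?php echo 'constructed test file'; ?>\n");

    $cases = [
        ['logged in, real PNG',            true,  'diagram.png', $png],
        ['logged in, .php upload',         true,  'page.php',    $php],
        ['logged in, PHP renamed to .png', true,  'page.png',    $php],
        ['no session, real PNG',           false, 'diagram.png', $png],
    ];
    foreach ($cases as [$label, $loggedIn, $name, $path]) {
        printf("%-32s -> HTTP %d\n", $label, upload_status($loggedIn, $name, $path));
    }
    unlink($png);
    unlink($php);
}
```

Run from the command line, the script prints the status chosen for each constructed case; the client learns only accept or reject, which keeps the reason for a refusal on the server side as John wanted.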

From xerte at pgogywebstuff.com Wed Mar 13 09:24:02 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Wed, 13 Mar 2013 09:24:02 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EF8475B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com> <006001ce1f5e$964208e0$c2c61aa0$@co.uk> <006101ce1f60$9f6b3d90$de41b8b0$@co.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EF8475B@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <921F88B8-FEDE-4153-AFC3-61444EDAC8AE@pgogywebstuff.com>

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers?
> I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks.
From J.J.Smith at gcu.ac.uk Wed Mar 13 11:30:00 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Wed, 13 Mar 2013 11:30:00 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com>

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
> > Regards, > > John Smith | Learning Technologist > Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University > Cowcaddens Road | Glasgow | G4 0BA > ________________________________________ > From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk] > Sent: 12 March 2013 20:31 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. > > So I guess this is either session related or a js clash? > > Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. > > I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. > > Cheers > Ron > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > Sent: 12 March 2013 20:17 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... > > I'm almost hesitant to mention this... > > I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. 
I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. > > Cheers > Ron > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 12 March 2013 19:56 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi Ron > > Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... > > I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: > > > Hi > sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? 
> Ron > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > Sent: 11 March 2013 16:18 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. > > > > I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in, > > > > listener.onComplete = function(file:FileReference):Void { > > > > Alert.show("Upload successful"); > > > > --etc-- > > > > } > > > > > > listener.onHTTPError = function(file:FileReference):Void { > > > > Alert.show("Upload failed: HTTPError"); > > > > --etc-- > > > > } > > > > listener.onIOError = function(file:FileReference):Void { > > > > Alert.show("Upload failed: IOError"); > > > > --etc-- > > > > } > > listener.onSecurityError = function(file:FileReference, errorString:String):Void { > > > > Alert.show("Upload failed: Security Error"); > > > > --etc-- > > > > } > > > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > Sent: 11 March 2013 15:42 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data); > > > > > > > > private function init():void { > > fileRef = new FileReference(); > > fileRef.addEventListener(Event.SELECT, fileRef_select); > > fileRef.addEventListener(Event.COMPLETE, fileRef_complete); > > fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError); > > fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData); > > > > urlReq = new URLRequest(); > > urlReq.url = "http://localhost:8300/fileref/uploader.cfm"; > > } > > > > private function fileRef_uploadCompleteData(evt:DataEvent):void { > > var strData:String = StringUtil.trim(evt.data); > > var vars:URLVariables = new URLVariables(strData); > > Alert.show(vars.fileName, "fileName"); > > } > > > > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > > Sent: Monday, March 11, 2013 3:19 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... > > > > At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... 
> > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > > Sent: Monday, March 11, 2013 2:32 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > If I try and upload php files, onComplete still fires... > > > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney > > Sent: 11 March 2013 14:27 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Hold on, I'll see if I can get the events to trip, > > > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John > > Sent: 11 March 2013 14:20 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
From J.J.Smith at gcu.ac.uk Wed Mar 13 12:11:49 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Wed, 13 Mar 2013 12:11:49 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <008501ce1fcc$9e90c400$dbb24c00$@co.uk>
References: <7uc1rjphm9anvndw29868h91.1363118162948@email.android.com>, <006001ce1f5e$964208e0$c2c61aa0$@co.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EF84759@ITSEMBXCLUS.enterprise.gcal.ac.uk> <008501ce1fcc$9e90c400$dbb24c00$@co.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D68C@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Yeah I closed everything down and restarted xampp and it seemed to fix the problem... but while I had the problem I was seeing a lot of strange errors from the Flash editor and dialog boxes opening all broken up etc... quite weird...

Anyway, I've reverted back to the old upload code and added back in the blacklist code and will commit soon. It doesn't restart the session anymore so won't work in Firefox. Will see if we can ajax the upload and still get upload status back to Flash... I'm sure it's possible and should solve the Flash-Firefox-Cookie issue.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Wednesday, March 13, 2013 9:25 AM
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi John

forgive stating the obvious but did you close all browser windows after reverting back?

On both my install with static authentication and the techdis xot install using Moodle authentication uploading .mp4 (and image formats etc) via media and quota works fine. But as we know the techdis xot install using moodle authentication and the latest code doesn't upload via page types.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 21:04
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Thanks Ron,

I've now reverted my test setup (Xampp) back to R708, before I added the plugins related code and it's still not working now... the upload.php file is as it was too, ie no session check and yet it still won't upload anything above about 4Mb in a page model...

Needs further investigation, but it seems not related to the changes to upload.php... incidentally the Media and quota section won't allow me to upload .mp4 files... I thought they would be ok there but I get Invalid file type...
Regards, John Smith | Learning Technologist Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA ________________________________________ From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk] Sent: 12 March 2013 20:17 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi John Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... I'm almost hesitant to mention this... I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. Cheers Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 12 March 2013 19:56 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Ron Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... 
I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 16:18 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. 
I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've commited the wizard with these in , listener.onComplete = function(file:FileReference):Void { Alert.show("Upload successful"); --etc-- } listener.onHTTPError = function(file:FileReference):Void { Alert.show("Upload failed: HTTPError"); --etc-- } listener.onIOError = function(file:FileReference):Void { Alert.show("Upload failed: IOError"); --etc-- } listener.onSecurityError = function(file:FileReference, errorString:String):Void { Alert.show("Upload failed: Security Error"); --etc-- } -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 15:42 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data); private function init():void { fileRef = new FileReference(); fileRef.addEventListener(Event.SELECT, fileRef_select); fileRef.addEventListener(Event.COMPLETE, fileRef_complete); fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError); fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData); urlReq = new URLRequest(); urlReq.url = "http://localhost:8300/fileref/uploader.cfm"; } private function fileRef_uploadCompleteData(evt:DataEvent):void { var strData:String = StringUtil.trim(evt.data); var vars:URLVariables = new URLVariables(strData); Alert.show(vars.fileName, "fileName"); } Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at 
lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Monday, March 11, 2013 3:19 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 2:32 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If I try and upload php files, onComplete still fires... -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 11 March 2013 14:27 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hold on, I'll see if I can get the events to trip, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 14:20 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yeah, it's the Flash end... 
didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Monday, March 11, 2013 1:57 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No way to receive whether the upload was successful or not? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Monday, March 11, 2013 1:48 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm not sure you can do much with that class, it's just a black box. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nott ingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 11 March 2013 13:33 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Perhaps it should just feedback error codes, and the flash class translates them... 
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
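Added example, not part of the thread and not Xerte's upload.php: one way a PHP upload endpoint can tell a Flash FileReference client that a file was rejected, given the observation in the thread that onComplete still fires because the upload page completes. It pairs a non-2xx HTTP status with an opaque numeric code and checks an extension allowlist against the sniffed content. The code numbers, the allowlist, `UPLOAD_DIR` and the `user_id` session key are assumptions, and the session is assumed to arrive with the request.

```php
<?php
// Added illustration, not Xerte's upload.php. The code numbers, allowlist,
// UPLOAD_DIR and the 'user_id' session key are assumptions for the example.

const UPLOAD_OK            = 0;
const UPLOAD_NOT_LOGGED_IN = 1;
const UPLOAD_BAD_EXTENSION = 2;
const UPLOAD_BAD_CONTENT   = 3;
const UPLOAD_STORE_FAILED  = 4;
const UPLOAD_DIR           = '/var/xot-example/media';   // hypothetical path

// Extension => MIME types the file content may sniff as (constructed allowlist).
const ALLOWED_TYPES = [
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'mp4' => ['video/mp4'],
];

/** Returns [HTTP status, opaque code]; the reason text never leaves the server. */
function check_upload(bool $loggedIn, string $clientName, string $tmpPath): array
{
    if (!$loggedIn) {
        return [403, UPLOAD_NOT_LOGGED_IN];
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [415, UPLOAD_BAD_EXTENSION];
    }
    // Sniff the bytes; the client-supplied Content-Type is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return [415, UPLOAD_BAD_CONTENT];
    }
    return [200, UPLOAD_OK];
}

/** Server-chosen name: only the allowlisted extension survives from the client. */
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function send_result(int $status, int $code): void
{
    // A non-2xx status is what lets the client tell rejection from completion.
    http_response_code($status);
    header('Content-Type: text/plain');
    // exit(5) with an integer only sets the exit status and prints nothing,
    // so the code is echoed as the response body instead.
    echo 'code=' . $code;
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration on constructed sample files.
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'constructed sample';");
    $cases = [
        ['picture.gif', $gif, true],
        ['picture.gif', $gif, false],  // no authenticated session
        ['page.php',    $php, true],   // extension not on the allowlist
        ['page.gif',    $php, true],   // script content behind an image extension
    ];
    foreach ($cases as [$name, $path, $loggedIn]) {
        [$status, $code] = check_upload($loggedIn, $name, $path);
        printf("%-12s logged_in=%d -> HTTP %d code=%d\n", $name, $loggedIn, $status, $code);
    }
    unlink($gif);
    unlink($php);
} else {
    session_start();
    $f  = $_FILES['Filedata'] ?? null;  // FileReference's default field name
    $ok = is_array($f) && $f['error'] === UPLOAD_ERR_OK && is_uploaded_file($f['tmp_name']);
    [$status, $code] = $ok
        ? check_upload(isset($_SESSION['user_id']), $f['name'], $f['tmp_name'])
        : [400, UPLOAD_BAD_CONTENT];
    if ($status === 200) {
        $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
        if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . stored_name($ext))) {
            [$status, $code] = [500, UPLOAD_STORE_FAILED];
        }
    }
    send_result($status, $code);
}
```

Run from the command line it exercises the constructed cases; behind a web server the same checks run against the posted file.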
From xerte at pgogywebstuff.com Wed Mar 13 22:22:05 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Wed, 13 Mar 2013 22:22:05 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> Message-ID: <C3FFFCD9-54D2-4189-B6C1-0C829404775A@pgogywebstuff.com> Hello, Once I feel a bit better will look at this - bit under the weather. Can flash access the php cookie?
Pat Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 13 Mar 2013, at 11:30, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Hi Pat > > Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... > > If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id > > Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. > > I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: > > > Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > >> Hi Ron, >> >> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... 
>> >> Regards, >> >> John Smith | Learning Technologist >> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University >> Cowcaddens Road | Glasgow | G4 0BA >> ________________________________________ >> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk] >> Sent: 12 March 2013 20:31 >> To: 'For Xerte technical developers' >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hi John >> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. >> >> So I guess this is either session related or a js clash? >> >> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. >> >> I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. >> >> Cheers >> Ron >> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell >> Sent: 12 March 2013 20:17 >> To: 'For Xerte technical developers' >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hi John >> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... >> >> I'm almost hesitant to mention this... >> >> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. 
I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. >> >> Cheers >> Ron >> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John >> Sent: 12 March 2013 19:56 >> To: xerte-dev at lists.nottingham.ac.uk >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hi Ron >> >> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... >> >> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... >> >> Regards >> >> John Smith >> Learning Technologist >> School of Health and Life Sciences >> >> Sent from Samsung Galaxy SII >> >> >> >> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: >> >> >> Hi >> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. 
The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? >> Ron >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney >> Sent: 11 March 2013 16:18 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff. >> >> >> >> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in, >> >> >> >> listener.onComplete = function(file:FileReference):Void { >> >> >> >> Alert.show("Upload successful"); >> >> >> >> --etc-- >> >> >> >> } >> >> >> >> >> >> listener.onHTTPError = function(file:FileReference):Void { >> >> >> >> Alert.show("Upload failed: HTTPError"); >> >> >> >> --etc-- >> >> >> >> } >> >> >> >> listener.onIOError = function(file:FileReference):Void { >> >> >> >> Alert.show("Upload failed: IOError"); >> >> >> >> --etc-- >> >> >> >> } >> >> listener.onSecurityError = function(file:FileReference, errorString:String):Void { >> >> >> >> Alert.show("Upload failed: Security Error"); >> >> >> >> --etc-- >> >> >> >> } >> >> >> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John >> Sent: 11 March 2013 15:42 >> To: For Xerte technical developers >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Are you using FileReference class?
This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data); >> >> >> >> >> >> >> >> private function init():void { >> >> fileRef = new FileReference(); >> >> fileRef.addEventListener(Event.SELECT, fileRef_select); >> >> fileRef.addEventListener(Event.COMPLETE, fileRef_complete); >> >> fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError); >> >> fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData); >> >> >> >> urlReq = new URLRequest(); >> >> urlReq.url = "http://localhost:8300/fileref/uploader.cfm"; >> >> } >> >> >> >> private function fileRef_uploadCompleteData(evt:DataEvent):void { >> >> var strData:String = StringUtil.trim(evt.data); >> >> var vars:URLVariables = new URLVariables(strData); >> >> Alert.show(vars.fileName, "fileName"); >> >> } >> >> >> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John >> >> Sent: Monday, March 11, 2013 3:19 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... >> >> >> >> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... 
>> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney >> >> Sent: Monday, March 11, 2013 2:32 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> If I try and upload php files, onComplete still fires... >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney >> >> Sent: 11 March 2013 14:27 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Hold on, I'll see if I can get the events to trip, >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John >> >> Sent: 11 March 2013 14:20 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John >> >> Sent: Monday, March 11, 2013 1:57 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> No way to receive whether the upload was successful or not? >> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney >> >> Sent: Monday, March 11, 2013 1:48 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for From J.J.Smith at gcu.ac.uk Wed Mar 13 22:50:54 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Wed, 13 Mar 2013 22:50:54 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Message-ID: <iantvqkyrrv9w82khhm6wltu.1363214114298@email.android.com> No worries... Get better soon. Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: Hello, Once I feel a bit better will look at this - bit under the weather. Can flash access the php cookie? Pat Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> Makers of web things of a fair to middling quality On 13 Mar 2013, at 11:30, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Hi Pat > > Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... 
From reijnders at tor.nl Thu Mar 14 11:00:05 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 14 Mar 2013 12:00:05 +0100 Subject: [Xerte-dev] Is integration_top still in use?
Message-ID: <5141ADB5.7080501@tor.nl> I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php. Is that still in use, or is the webctlink.php not used anymore? Otherwise we should use integration_top in index.php as well. Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From Julian.Tenney at nottingham.ac.uk Thu Mar 14 12:03:40 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 14 Mar 2013 12:03:40 +0000 Subject: [Xerte-dev] Re: Is integration_top still in use? In-Reply-To: <5141ADB5.7080501@tor.nl> References: <5141ADB5.7080501@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> I don't think webctlink is used anymore, at least, it's not used here, and I think it existed for a specific Nottingham reason, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 14 March 2013 11:00 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Is integration_top still in use? I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php. Is that still in use, or is the webctlink.php not used anymore? Otherwise we should use integration_top in index.php as well. 
Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From Greavesv at beaumontcollege.org Thu Mar 14 14:05:26 2013 From: Greavesv at beaumontcollege.org (Vicky Greaves) Date: Thu, 14 Mar 2013 14:05:26 +0000 Subject: [Xerte-dev] XOT installation help please Message-ID: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org> We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.' Does anybody know what's causing this, or better still, how to sort it out? Thanks very much Vicky ________________________________ Beaumont College is part of Scope Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866). Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939. Visit our website at http://www.beaumontcollege.ac.uk and via Scope at http://www.scope.org.uk/services/beaumont-college This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful. 
Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope From reijnders at tor.nl Thu Mar 14 14:31:44 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 14 Mar 2013 15:31:44 +0100 Subject: [Xerte-dev] Import central template? Message-ID: <5141DF50.6050203@tor.nl> I am in the process of trying to make all buttons translatable. And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate? Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From d_b_burnett at hotmail.com Thu Mar 14 14:55:13 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Thu, 14 Mar 2013 10:55:13 -0400 Subject: [Xerte-dev] Re: XOT installation help please In-Reply-To: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org> References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org> Message-ID: <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl> What browser? Where/how was the zip created? From: Greavesv at beaumontcollege.org To: xerte-dev at lists.nottingham.ac.uk Date: Thu, 14 Mar 2013 14:05:26 +0000 Subject: [Xerte-dev] XOT installation help please We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.' Does anybody know what's causing this, or better still, how to sort it out? Thanks very much Vicky Beaumont College is part of Scope Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866).
Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939. Visit our website at http://www.beaumontcollege.ac.uk and via Scope at http://www.scope.org.uk/services/beaumont-college This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful. Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/5f1a9fb2/attachment.html> From Julian.Tenney at nottingham.ac.uk Thu Mar 14 16:11:42 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 14 Mar 2013 16:11:42 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> Do you think we should take Flash out of the picture and call some JS from the wizard swf? 
We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 13 March 2013 11:30 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Pat Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: > Hi Ron, > > Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... 
> > Regards, > > John Smith | Learning Technologist > Room A251, Govan Mbeki Building | School of Health & Life Sciences | > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA > ________________________________________ > From: xerte-dev-bounces at lists.nottingham.ac.uk > [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > [ronm at mitchellmedia.co.uk] > Sent: 12 March 2013 20:31 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. > > So I guess this is either session related or a js clash? > > Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. > > I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. > > Cheers > Ron > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron > Mitchell > Sent: 12 March 2013 20:17 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... > > I'm almost hesitant to mention this... > > I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. 
I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. > > Cheers > Ron > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, > John > Sent: 12 March 2013 19:56 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi Ron > > Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... > > I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: > > > Hi > sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? 
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > This message has been checked for viruses but the contents of an > attachment may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. 
Email communications with > the University of Nottingham may be monitored as permitted by UK legislation. _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From Greavesv at beaumontcollege.org Thu Mar 14 16:03:31 2013 From: Greavesv at beaumontcollege.org (Vicky Greaves) Date: Thu, 14 Mar 2013 16:03:31 +0000 Subject: [Xerte-dev] Re: XOT installation help please In-Reply-To: <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl> References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org> <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl> Message-ID: <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> Both Chrome and IE. The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe. I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.' Our institution has a policy of not using Firefox. Any ideas? 
Thanks very much From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: 14 March 2013 14:55 To: For Xerte technical developers Subject: [Xerte-dev] Re: XOT installation help please What browser? Where/how was the zip created? ________________________________ From: Greavesv at beaumontcollege.org To: xerte-dev at lists.nottingham.ac.uk Date: Thu, 14 Mar 2013 14:05:26 +0000 Subject: [Xerte-dev] XOT installation help please We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.' Does anybody know what's causing this, or better still, how to sort it out? Thanks very much Vicky -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/df066c2f/attachment.html> From reijnders at tor.nl Thu Mar 14 16:12:53 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 14 Mar 2013 17:12:53 +0100 Subject: [Xerte-dev] Re: Is integration_top still in use? In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> References: <5141ADB5.7080501@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <5141F705.8070708@tor.nl> Ok thnx. Should we try to remove dead code from svn more actively? Tom Op 14-3-2013 13:03, Julian Tenney schreef: > I don't think webctlink is used anymore, at least, it's not used here, and I think it existed for a specific Nottingham reason, > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > Sent: 14 March 2013 11:00 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Is integration_top still in use? > > I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php. > > Is that still in use, or is the webctlink.php not used anymore? > Otherwise we should use integration_top in index.php as well. 
> > Tom > > > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 
-- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From J.J.Smith at gcu.ac.uk Thu Mar 14 16:22:27 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Thu, 14 Mar 2013 16:22:27 +0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:12 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 13 March 2013 11:30 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Pat Yeah its the Firefox Flash Cookie thing that's the real ball breaker... 
we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in Firefox or using Moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from Flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with Moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication.
> I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?
> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
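The points this thread keeps returning to (setting the session id passed from Flash before anything such as config.php starts a session, rejecting non-media files, and answering with a code rather than explanatory text), as an added PHP example that is not part of the thread and not Xerte's upload.php. The `session_id` POST field, the `username` session key, the `uploads/` directory and every function and constant name are assumptions; it also assumes the client treats a non-2xx HTTP status as a failed upload.

```php
<?php
// Added example, not Xerte's upload.php. Function and constant names, the
// 'session_id' POST field, the 'username' session key and the uploads/
// directory are assumptions made for illustration.

const UPLOAD_OK          = 0;
const UPLOAD_NO_SESSION  = 1;
const UPLOAD_BAD_EXT     = 2;
const UPLOAD_BAD_CONTENT = 3;
const UPLOAD_STORE_FAIL  = 4;

// Allowlist: extension => MIME types the fileinfo extension may report for it.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

// Resume the browser's session from an id passed in the request, for clients
// (such as a Flash uploader) that do not send the session cookie. Call this
// BEFORE including any file that itself calls session_start(); otherwise a
// fresh session is created and the logged-in one is lost.
function adopt_passed_session(?string $passedId): bool
{
    ini_set('session.use_strict_mode', '1'); // never create a session for an unknown id
    if ($passedId !== null && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $passedId)) {
        session_id($passedId);
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // An unknown or expired id gives an empty session: treat it as not logged in.
    return !empty($_SESSION['username']);
}

// Decide whether an uploaded file is acceptable. The extension must be on the
// allowlist AND the file's content must sniff as a type allowed for it.
function classify_upload(string $clientName, string $tmpPath): int
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return UPLOAD_BAD_EXT;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return UPLOAD_BAD_CONTENT;
    }
    return UPLOAD_OK;
}

// Report the outcome as an HTTP status plus a bare number. The body never
// says why an upload was refused; the client maps codes to messages.
function reply_with_code(int $code): void
{
    $status = [UPLOAD_OK => 200, UPLOAD_NO_SESSION => 403, UPLOAD_BAD_EXT => 415,
               UPLOAD_BAD_CONTENT => 415, UPLOAD_STORE_FAIL => 500];
    http_response_code($status[$code]);
    header('Content-Type: text/plain');
    echo $code;
}

if (PHP_SAPI !== 'cli') {
    if (!adopt_passed_session($_POST['session_id'] ?? null)) {
        reply_with_code(UPLOAD_NO_SESSION);
        exit;
    }
    $file = $_FILES['Filedata'] ?? null; // Flash's default upload field name
    if ($file === null || !is_uploaded_file($file['tmp_name'])) {
        reply_with_code(UPLOAD_STORE_FAIL);
        exit;
    }
    $code = classify_upload($file['name'], $file['tmp_name']);
    if ($code === UPLOAD_OK) {
        // Store under a server-chosen name; keep only the vetted extension.
        $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            $code = UPLOAD_STORE_FAIL;
        }
    }
    reply_with_code($code);
    exit;
}

// Command-line demonstration on constructed samples: a GIF header, PHP source
// with a .php name, and the same PHP source renamed to look like an image.
$samples = [
    'photo.gif'     => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'shell.php'     => "<?php echo 1;",
    'shell.php.gif' => "<?php echo 1;",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-14s => code %d\n", $name, classify_upload($name, $tmp));
    unlink($tmp);
}
```

Run from the command line it classifies the three constructed samples; served by a web server the same file acts as the upload endpoint.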
From Julian.Tenney at nottingham.ac.uk Thu Mar 14 16:24:00 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 14 Mar 2013 16:24:00 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk>

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

From Julian.Tenney at nottingham.ac.uk Thu Mar 14 16:24:04 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 14 Mar 2013 16:24:04 +0000
Subject: [Xerte-dev] Re: Is integration_top still in use?
In-Reply-To: <5141F705.8070708@tor.nl>
References: <5141ADB5.7080501@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> <5141F705.8070708@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB7A@EXCHANGE1.ad.nottingham.ac.uk>

You mean review everything?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 14 March 2013 16:13
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Is integration_top still in use?

Ok thnx.

Should we try to remove dead code from svn more actively?

Tom

On 14-3-2013 13:03, Julian Tenney wrote:
> I don't think webctlink is used anymore, at least, it's not used here,
> and I think it existed for a specific Nottingham reason,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 14 March 2013 11:00
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Is integration_top still in use?
>
> I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php.
>
> Is that still in use, or is the webctlink.php not used anymore?
> Otherwise we should use integration_top in index.php as well.
>
> Tom
>
> --
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From reijnders at tor.nl Thu Mar 14 16:31:18 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 14 Mar 2013 17:31:18 +0100
Subject: [Xerte-dev] Re: Is integration_top still in use?
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB7A@EXCHANGE1.ad.nottingham.ac.uk>
References: <5141ADB5.7080501@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> <5141F705.8070708@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB7A@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <5141FB56.5070708@tor.nl>

No, throw away files and functions that are no longer used.

On 14-3-2013 17:24, Julian Tenney wrote:
> You mean review everything?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 14 March 2013 16:13
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: Is integration_top still in use?
>
> Ok thnx.
>
> Should we try to remove dead code from svn more actively?
>
> Tom
>
> On 14-3-2013 13:03, Julian Tenney wrote:
>> I don't think webctlink is used anymore, at least, it's not used here,
>> and I think it existed for a specific Nottingham reason,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 14 March 2013 11:00
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Is integration_top still in use?
>>
>> I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php.
>>
>> Is that still in use, or is the webctlink.php not used anymore?
>> Otherwise we should use integration_top in index.php as well.
>>
>> Tom
>>
>> --
>> Tom Reijnders
>> TOR Informatica
>> Chopinlaan 27
>> 5242HM Rosmalen
>> Tel: 073 5226191
>> Fax: 073 5226196
>
> --
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From J.J.Smith at gcu.ac.uk Thu Mar 14 16:41:08 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 14 Mar 2013 16:41:08 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id. Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
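
The session handling and upload checks discussed in the message above, as an added example (not code from the thread and not Xerte's upload.php). `sessionid` is the query parameter named in the thread and `Filedata` is the default field name of Flash's FileReference upload; the `logged_in_user` session key, the allowlist and the `media` directory are assumptions.

```php
<?php
// Added example, not Xerte's upload.php. Names marked "assumed" are
// illustrative and do not come from the thread. Needs PHP 7.1+ and fileinfo.

const UPLOAD_OK         = 0;
const ERR_SESSION_ID    = 1;
const ERR_NOT_LOGGED_IN = 2;
const ERR_TRANSFER      = 3;
const ERR_FILE_TYPE     = 4;
const ERR_STORE         = 5;

// Extension => MIME types accepted for it (assumed allowlist).
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

/**
 * Resume the session whose id Flash appended to the query string.
 * This has to run before anything else calls session_start(); otherwise
 * PHP has already opened a different session for this request.
 */
function adopt_passed_session(array $query): int
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return ERR_SESSION_ID;            // an include started a session too early
    }
    $sid = $query['sessionid'] ?? '';
    // Accept only the characters PHP itself uses in session ids.
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return ERR_SESSION_ID;
    }
    session_id($sid);
    session_start();
    // An id the server never issued opens an empty session. Treat that as
    // "not logged in" and discard it rather than keep a caller-chosen id.
    if (empty($_SESSION['logged_in_user'])) {      // assumed login marker
        session_destroy();
        return ERR_NOT_LOGGED_IN;
    }
    return UPLOAD_OK;
}

/** Validate one $_FILES entry; returns [result code, safe file name]. */
function check_upload(array $file): array
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_uploaded_file($tmp)) {
        return [ERR_TRANSFER, ''];
    }
    $name = (string) ($file['name'] ?? '');
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [ERR_FILE_TYPE, ''];
    }
    // Check the content as well as the name: finfo inspects the file's
    // leading bytes instead of trusting the type the client declared.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return [ERR_FILE_TYPE, ''];
    }
    // Keep a single extension, so "x.php.jpg" is stored as "x_php.jpg".
    $stem = (string) preg_replace('/[^A-Za-z0-9_-]/', '_',
                                  pathinfo($name, PATHINFO_FILENAME));
    return [UPLOAD_OK, ($stem === '' ? 'upload' : $stem) . '.' . $ext];
}

function handle_upload(array $query, array $files, string $mediaDir): int
{
    $code = adopt_passed_session($query);
    if ($code !== UPLOAD_OK) {
        return $code;
    }
    [$code, $safeName] = check_upload($files['Filedata'] ?? []);
    if ($code !== UPLOAD_OK) {
        return $code;
    }
    // $mediaDir comes from server configuration, never from the request.
    $target = rtrim($mediaDir, '/') . '/' . $safeName;
    return move_uploaded_file($files['Filedata']['tmp_name'], $target)
        ? UPLOAD_OK : ERR_STORE;
}

// Entry point. The specific reason is logged on the server; the client
// gets an HTTP status and a bare 0/1, so it learns "failed" but not why.
$code = handle_upload($_GET, $_FILES, __DIR__ . '/media');   // assumed directory
if ($code !== UPLOAD_OK) {
    error_log("upload rejected, code $code");
}
http_response_code($code === UPLOAD_OK ? 200 : 403);
echo $code === UPLOAD_OK ? '0' : '1';
```

Because a rejected upload answers with 403 instead of a page that completes normally, an HTTP-level failure handler such as the `onHTTPError` listener quoted in the thread has something to react to.
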
From d_b_burnett at hotmail.com Thu Mar 14 17:20:36 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 14 Mar 2013 13:20:36 -0400
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org>
Message-ID: <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl>

Vaguely:

The zip is being created inside an extra folder.
Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.
Patrick might remember.
Or not. ;-)

From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.

The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip -- from one of the tutorials, I believe.
I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE) -- the same error 'You can only import Zip Files.'

Our institution has a policy of not using Firefox.

Any ideas?

Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?

Where/how was the zip created?

From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp.

When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'

Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much
Vicky

Beaumont College is part of Scope

Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866).
Our registered office is at 6 Market Road, London N7 9PW, England.
Our VAT number is 805156939.

Visit our website at http://www.beaumontcollege.ac.uk
and via Scope at http://www.scope.org.uk/services/beaumont-college

This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately.
Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful.

Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope
From reijnders at tor.nl Thu Mar 14 17:38:45 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 14 Mar 2013 18:38:45 +0100
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl>
Message-ID: <51420B25.8040707@tor.nl>

If it was the header problem you would get php code back in the browser.

Please send the file listing of the .zip (or the zip itself).

What version of XOT did you install? The latest 1.91 .zip?

Tom

On 14-3-2013 18:20, Dave Burnett wrote:
> Vaguely:
>
> The zip is being created inside an extra folder.
> Can you open the zip on the desktop and see what the structure looks like.
>
> Or
>
> It's something in the php header.
> Patrick might remember.
> Or not. ;-)
>
> ------------------------------------------------------------------------
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 16:03:31 +0000
> Subject: [Xerte-dev] Re: XOT installation help please
>
> Both Chrome and IE.
>
> The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip -- from one of the tutorials, I believe.
>
> I've just created a quick LO in our new XOT (using Chrome).
> It exported fine but I couldn't re-import it (in Chrome or IE) -- the same error 'You can only import Zip Files.'
>
> Our institution has a policy of not using Firefox.
>
> Any ideas?
>
> Thanks very much
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
> Sent: 14 March 2013 14:55
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT installation help please
>
> What browser?
>
> Where/how was the zip created?
>
> ------------------------------------------------------------------------
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 14:05:26 +0000
> Subject: [Xerte-dev] XOT installation help please
>
> We've just installed XOT, this time on Xampp.
>
> When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'
>
> Does anybody know what's causing this, or better still, how to sort it out?
>
> Thanks very much
>
> Vicky
--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Thu Mar 14 17:41:37 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 14 Mar 2013 17:41:37 +0000
Subject: [Xerte-dev] Re: Import central template?
In-Reply-To: <5141DF50.6050203@tor.nl>
References: <5141DF50.6050203@tor.nl>
Message-ID: <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com>

Following user feedback it was decided that the import button wasn't needed anymore and FTP would do

Partly because each module would need its own import code?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 14 Mar 2013, at 14:31, Tom Reijnders <reijnders at tor.nl> wrote:

> I am in the process of trying to make all buttons translatable.
>
> And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate?
>
> Tom

From xerte at pgogywebstuff.com Thu Mar 14 16:34:54 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 14 Mar 2013 16:34:54 +0000
Subject: [Xerte-dev] Re: Is integration_top still in use?
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB7A@EXCHANGE1.ad.nottingham.ac.uk>
References: <5141ADB5.7080501@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1C96D@EXCHANGE1.ad.nottingham.ac.uk> <5141F705.8070708@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB7A@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <C0FCD9A7-4B5F-4469-A174-9661BB34C3BB@pgogywebstuff.com>

Webctlink is used as a vle specific version on integration.txt - you can remove it if it does nothing for anyone.
I think a lot of the HTML stub files are obsolete now

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 14 Mar 2013, at 16:24, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

> You mean review everything?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 14 March 2013 16:13
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: Is integration_top still in use?
>
> Ok thnx.
>
> Should we try to remove dead code from svn more actively?
>
> Tom
>
> On 14-3-2013 13:03, Julian Tenney wrote:
>> I don't think webctlink is used anymore, at least, it's not used here, and I think it existed for a specific Nottingham reason,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
>> Sent: 14 March 2013 11:00
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Is integration_top still in use?
>>
>> I noticed that integration_top is an (old) duplicate of some of the contents of index.php and that integration_top is used by webctlink.php.
>>
>> Is that still in use, or is the webctlink.php not used anymore?
>> Otherwise we should use integration_top in index.php as well.
>>
>> Tom
From xerte at pgogywebstuff.com Thu Mar 14 17:20:10 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 14 Mar 2013 17:20:10 +0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>
Message-ID: <80FB6D22-E4AA-468A-B344-113ED5416ADB@pgogywebstuff.com>

Let me have a look at this. Going to remove the mimetype test as it's clearly not working anymore

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 14 Mar 2013, at 14:05, Vicky Greaves <Greavesv at beaumontcollege.org> wrote:

> We've just installed XOT, this time on Xampp.
>
> When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'
>
> Does anybody know what's causing this, or better still, how to sort it out?
>
> Thanks very much
> Vicky
From J.J.Smith at gcu.ac.uk Thu Mar 14 17:20:00 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 14 Mar 2013 17:20:00 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <23yegclo51haxlp2oertdt4v.1363281595028@email.android.com>

Ok scratch that - I've managed to login to Thomas' moodle on a pensive install

Let me look at the data passed in moodle session and see if I can get it working in Firefox and Moodle...
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?
> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Thu Mar 14 17:35:54 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 14 Mar 2013 18:35:54 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <51420A7A.9060109@tor.nl>

No, no default password. You set it during installation. But if you are able to get in mysql, you can change it easily enough. It is stored as an md5 hash in the mdl_user table. See also attached script.

Tom

On 14-3-2013 17:41, Smith, John wrote:
> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron,
>>
>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>>
>> So I guess this is either session related or a js clash?
>>
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>
>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>
>> I'm almost hesitant to mention this...
>>
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication.
>> I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Ron
>>
>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance.
>> The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>
>> listener.onComplete = function(file:FileReference):Void {
>>     Alert.show("Upload successful");
>>     // --etc--
>> }
>>
>> listener.onHTTPError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: HTTPError");
>>     // --etc--
>> }
>>
>> listener.onIOError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: IOError");
>>     // --etc--
>> }
>>
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>     Alert.show("Upload failed: Security Error");
>>     // --etc--
>> }
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Are you using FileReference class?
>> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>>
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>>
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 3:19 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 2:32 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If I try and upload php files, onComplete still fires...
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 14:27
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hold on, I'll see if I can get the events to trip,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 14:20
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 1:57 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> No way to receive whether the upload was successful or not?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:48 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure you can do much with that class, it's just a black box.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 13:33
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Perhaps it should just feedback error codes, and the flash class translates them...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:21 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 12:45
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: passchange.php
Type: application/x-httpd-php
Size: 466 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/7ddea472/attachment.bin>

From J.J.Smith at gcu.ac.uk Thu Mar 14 17:51:21 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 14 Mar 2013 17:51:21 +0000
Subject: [Xerte-dev] Xerte @ CETIS
Message-ID: <e0pbv6q45mt86ape386hr7qa.1363283479238@email.android.com>

Meant to ask, did you all manage to get together for a discussion on the structure of the future Xot or the modularisation stuff? Any decisions made?

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Dave Burnett <d_b_burnett at hotmail.com> wrote:

Vaguely:
The zip is being created inside an extra folder. Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header. Patrick might remember. Or not. ;-)

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.

The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.

I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)... the same error "You can only import Zip Files."

Our institution has a policy of not using Firefox.

Any ideas?

Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?
Where/how was the zip created?

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message "You can only import Zip Files."

Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much

Vicky

________________________________
Beaumont College is part of Scope
Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866). Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939.
Visit our website at http://www.beaumontcollege.ac.uk and via Scope at http://www.scope.org.uk/services/beaumont-college

This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful. Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From ronm at mitchellmedia.co.uk Thu Mar 14 17:13:35 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Thu, 14 Mar 2013 17:13:35 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <E93A9EE4-3FA9-40A7-9EFB-93AF5D4D2A03@mitchellmedia.co.uk>

On a train so can't check but from memory if it's maxos you are using I think it was admin and changeme but you are forced to change the pw upon first login. I can probably provide an up-to-date version if that would be useful but not until tomorrow

Ron

Sent from my iPhone

On 14 Mar 2013, at 16:41, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron,
>>
>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>>
>> So I guess this is either session related or a js clash?
>>
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>
>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>
>> I'm almost hesitant to mention this...
>>
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication.
>> I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Ron
>>
>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>>
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>>
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance.
>> The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>>
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>
>> listener.onComplete = function(file:FileReference):Void {
>>
>>     Alert.show("Upload successful");
>>
>>     --etc--
>>
>> }
>>
>> listener.onHTTPError = function(file:FileReference):Void {
>>
>>     Alert.show("Upload failed: HTTPError");
>>
>>     --etc--
>>
>> }
>>
>> listener.onIOError = function(file:FileReference):Void {
>>
>>     Alert.show("Upload failed: IOError");
>>
>>     --etc--
>>
>> }
>>
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>
>>     Alert.show("Upload failed: Security Error");
>>
>>     --etc--
>>
>> }
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Are you using FileReference class?
>> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>>
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>>
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 3:19 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 2:32 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If I try and upload php files, onComplete still fires...
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 14:27
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hold on, I'll see if I can get the events to trip,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 14:20
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 1:57 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> No way to receive whether the upload was successful or not?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:48 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure you can do much with that class, it's just a black box.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 13:33
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Perhaps it should just feedback error codes, and the flash class translates them...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:21 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 12:45
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
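
The session hand-off and the upload checks discussed in the thread above, as an added example that is not Xerte's upload.php and not code posted by anyone on the list. The `sessionid` query parameter is the one named in the thread and `Filedata` is the default field name of Flash's `FileReference.upload()`; the session key `logon_id`, the `media` directory, the allowed-type map and the numeric codes are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not Xerte's upload.php. Assumptions: the session key 'logon_id',
// the 'media' directory, the allowed-type map and the code numbers are hypothetical.

const XU_OK = 0;           // file stored
const XU_NO_SESSION = 1;   // passed session id missing, malformed or not logged in
const XU_BAD_TYPE = 2;     // extension or detected content type not allowed
const XU_STORE_FAILED = 3; // upload incomplete or could not be moved into place

// Extension => content types accepted for it (a whitelist rather than a blacklist).
const XU_ALLOWED = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'mp3' => ['audio/mpeg'],
];

/**
 * Resume the logged-in session from the id the Flash uploader appends to the
 * query string. Must run before any include that calls session_start() itself,
 * otherwise PHP has already started a fresh session under a new id.
 */
function resume_passed_session(array $query): bool
{
    $sid = $query['sessionid'] ?? '';
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{16,128}$/', $sid)) {
        return false; // not shaped like a PHP session id
    }
    if (session_status() !== PHP_SESSION_NONE) {
        return false; // too late: a session is already active
    }
    ini_set('session.use_strict_mode', '1'); // do not adopt ids the server never issued
    session_id($sid);
    session_start();
    if (session_id() !== $sid || empty($_SESSION['logon_id'])) {
        session_destroy(); // leave no empty session behind under a caller-chosen id
        return false;
    }
    return true;
}

/** Return XU_OK or XU_BAD_TYPE for an uploaded temp file and its client-side name. */
function classify_upload(string $tmpPath, string $clientName): int
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(XU_ALLOWED[$ext])) {
        return XU_BAD_TYPE;
    }
    // Detect the type from the bytes; the type sent by the client is untrusted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($detected, XU_ALLOWED[$ext], true) ? XU_OK : XU_BAD_TYPE;
}

/** Whole request: session check, type check, store under a server-chosen name. */
function handle_upload(array $query, array $files, string $targetDir): int
{
    if (!resume_passed_session($query)) {
        return XU_NO_SESSION;
    }
    $f = $files['Filedata'] ?? null; // FileReference.upload() default field name
    if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return XU_STORE_FAILED;
    }
    $code = classify_upload($f['tmp_name'], $f['name']);
    if ($code !== XU_OK) {
        return $code;
    }
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $dest = rtrim($targetDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($f['tmp_name'], $dest) ? XU_OK : XU_STORE_FAILED;
}

if (PHP_SAPI !== 'cli') {
    // Reply with the bare numeric code; the client translates it, and no
    // descriptive text about the checks goes back in the response.
    header('Content-Type: text/plain');
    echo handle_upload($_GET, $_FILES, __DIR__ . '/media');
    exit;
}

// CLI self-check on constructed samples (no real uploads involved).
$png = tempnam(sys_get_temp_dir(), 'xu');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
)); // constructed 1x1 PNG
$src = tempnam(sys_get_temp_dir(), 'xu');
file_put_contents($src, "<?php echo 'hello'; ?>\n"); // constructed PHP source
var_dump(classify_upload($png, 'diagram.png') === XU_OK);       // PNG bytes, .png name
var_dump(classify_upload($src, 'diagram.png') === XU_BAD_TYPE); // PHP source named .png
var_dump(classify_upload($png, 'diagram.php') === XU_BAD_TYPE); // extension not allowed
var_dump(resume_passed_session(['sessionid' => '../x']) === false); // malformed id
unlink($png);
unlink($src);
```

Run under the PHP CLI it exercises the type checks on the constructed samples; served over HTTP it answers each upload with the bare code.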

From reijnders at tor.nl Thu Mar 14 20:17:51 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 14 Mar 2013 21:17:51 +0100
Subject: [Xerte-dev] Re: Import central template?
In-Reply-To: <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com>
References: <5141DF50.6050203@tor.nl> <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com>
Message-ID: <4a0820c0-87d9-4135-a440-9e1d4f27c359@email.android.com>

Hmm, and how do you populate the database then?

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

>Following user feedback it was decided that the import button wasn't
>needed anymore and FTP would do
>
>Partly because each module would need its own import code?
>
>Pgogy Webstuff - http://www.pgogywebstuff.com
>Makers of web things of a fair to middling quality
>
>On 14 Mar 2013, at 14:31, Tom Reijnders <reijnders at tor.nl> wrote:
>
>> I am in the process of trying to make all buttons translatable.
>>
>> And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate?
>>
>> Tom
>>
>> --
>> --
>>
>> Tom Reijnders
>> TOR Informatica
>> Chopinlaan 27
>> 5242HM Rosmalen
>> Tel: 073 5226191
>> Fax: 073 5226196

--
Sent from my Android phone with K-9 Mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/4e7e0b85/attachment-0001.html>

From xerte at pgogywebstuff.com Thu Mar 14 20:55:55 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 14 Mar 2013 20:55:55 +0000
Subject: [Xerte-dev] Re: Import central template?
In-Reply-To: <4a0820c0-87d9-4135-a440-9e1d4f27c359@email.android.com>
References: <5141DF50.6050203@tor.nl> <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com> <4a0820c0-87d9-4135-a440-9e1d4f27c359@email.android.com>
Message-ID: <05E6D97C-AA2A-48F3-A682-9C508791C47D@pgogywebstuff.com>

Replacing the button is the "update" link. You click that and it updates the database

The code just looks through the modules folder looking for an info file. Have a look on GitHub for the canvas plugin I uploaded a while back.

Config.php has some new code at the bottom to support modules as well

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 14 Mar 2013, at 20:17, Tom Reijnders <reijnders at tor.nl> wrote:

> Hmm, and how do you populate the database then?
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Following user feedback it was decided that the import button wasn't needed anymore and FTP would do
>>
>> Partly because each module would need its own import code?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 14 Mar 2013, at 14:31, Tom Reijnders <reijnders at tor.nl> wrote:
>>
>>> I am in the process of trying to make all buttons translatable.
>>>
>>> And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate?
>>>
>>> Tom
>>>
>>> --
>>> --
>>>
>>> Tom Reijnders
>>> TOR Informatica
>>> Chopinlaan 27
>>> 5242HM Rosmalen
>>> Tel: 073 5226191
>>> Fax: 073 5226196
>
> --
> Sent from my Android phone with K-9 Mail.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/f31e53e1/attachment.html>

From reijnders at tor.nl Thu Mar 14 21:16:06 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 14 Mar 2013 22:16:06 +0100
Subject: [Xerte-dev] Re: Import central template?
In-Reply-To: <05E6D97C-AA2A-48F3-A682-9C508791C47D@pgogywebstuff.com>
References: <5141DF50.6050203@tor.nl> <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com> <4a0820c0-87d9-4135-a440-9e1d4f27c359@email.android.com> <05E6D97C-AA2A-48F3-A682-9C508791C47D@pgogywebstuff.com>
Message-ID: <51423E16.6000901@tor.nl>

Ok, clear! Thanks.

Perhaps some explanatory text next to the update button wouldn't hurt....

Tom

On 14-3-2013 21:55, Pat @ Pgogy wrote:
> Replacing the button is the "update" link. You click that and it updates the database
>
> The code just looks through the modules folder looking for an info file. Have a look on GitHub for the canvas plugin I uploaded a while back. Config.php has some new code at the bottom to support modules as well
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 14 Mar 2013, at 20:17, Tom Reijnders <reijnders at tor.nl> wrote:
>
>> Hmm, and how do you populate the database then?
>>
>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Following user feedback it was decided that the import button wasn't needed anymore and FTP would do
>>
>> Partly because each module would need its own import code?
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 14 Mar 2013, at 14:31, Tom Reijnders <reijnders at tor.nl> wrote:
>>
>> I am in the process of trying to make all buttons translatable. And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate?
>>
>> Tom
>>
>> --
>> --
>>
>> Tom Reijnders
>> TOR Informatica
>> Chopinlaan 27
>> 5242HM Rosmalen
>> Tel: 073 5226191
>> Fax: 073 5226196
>>
>> --
>> Sent from my Android phone with K-9 Mail.
--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/da99cb61/attachment.html>

From xerte at pgogywebstuff.com Thu Mar 14 21:30:11 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 14 Mar 2013 21:30:11 +0000
Subject: [Xerte-dev] Re: Import central template?
In-Reply-To: <51423E16.6000901@tor.nl>
References: <5141DF50.6050203@tor.nl> <9ED028CD-85D9-4166-B61B-1E90E85752DC@pgogywebstuff.com> <4a0820c0-87d9-4135-a440-9e1d4f27c359@email.android.com> <05E6D97C-AA2A-48F3-A682-9C508791C47D@pgogywebstuff.com> <51423E16.6000901@tor.nl>
Message-ID: <F791A2A1-4D0C-46F0-A5F6-7F02E0E6619B@pgogywebstuff.com>

Sorry for troubles. This is the management side which no one ever looked at till a month ago :)

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 14 Mar 2013, at 21:16, Tom Reijnders <reijnders at tor.nl> wrote:

> Ok, clear! Thanks.
>
> Perhaps some explanatory text next to the update button wouldn't hurt....
>
> Tom
>
> On 14-3-2013 21:55, Pat @ Pgogy wrote:
>> Replacing the button is the "update" link. You click that and it updates the database
>>
>> The code just looks through the modules folder looking for an info file. Have a look on GitHub for the canvas plugin I uploaded a while back. Config.php has some new code at the bottom to support modules as well
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 14 Mar 2013, at 20:17, Tom Reijnders <reijnders at tor.nl> wrote:
>>
>>> Hmm, and how do you populate the database then?
>>>
>>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>>>
>>>> Following user feedback it was decided that the import button wasn't needed anymore and FTP would do
>>>>
>>>> Partly because each module would need its own import code?
>>>>
>>>> Pgogy Webstuff - http://www.pgogywebstuff.com
>>>> Makers of web things of a fair to middling quality
>>>>
>>>> On 14 Mar 2013, at 14:31, Tom Reijnders <reijnders at tor.nl> wrote:
>>>>
>>>>> I am in the process of trying to make all buttons translatable.
>>>>>
>>>>> And so far, it's working ok. I wanted to test some changes to import.js, but apparently the Import button has been removed (at least, I can't find it). Was that deliberate?
>>>>>
>>>>> Tom
>>>>>
>>>>> --
>>>>> --
>>>>>
>>>>> Tom Reijnders
>>>>> TOR Informatica
>>>>> Chopinlaan 27
>>>>> 5242HM Rosmalen
>>>>> Tel: 073 5226191
>>>>> Fax: 073 5226196
>>>
>>> --
>>> Sent from my Android phone with K-9 Mail.
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130314/30e9568d/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Fri Mar 15 08:38:00 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 15 Mar 2013 08:38:00 +0000
Subject: [Xerte-dev] Re: Xerte @ CETIS
In-Reply-To: <e0pbv6q45mt86ape386hr7qa.1363283479238@email.android.com>
References: <e0pbv6q45mt86ape386hr7qa.1363283479238@email.android.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC3D@EXCHANGE1.ad.nottingham.ac.uk>

No, there wasn't enough time really, so we still need to have some discussion,

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 17:51
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Xerte @ CETIS

Meant to ask, did you all manage to get together for a discussion on the structure of the future Xot or the modularisation stuff? Any decisions made?

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Dave Burnett <d_b_burnett at hotmail.com> wrote:

Vaguely:

The zip is being created inside an extra folder. Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.

Patrick might remember. Or not. ;-)

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE. The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.

I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE) - the same error 'You can only import Zip Files.'

Our institution has a policy of not using Firefox.

Any ideas?
Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?

Where/how was the zip created?

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.' Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much

Vicky

________________________________
Beaumont College is part of Scope

Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866). Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939.

Visit our website at http://www.beaumontcollege.ac.uk and via Scope at http://www.scope.org.uk/services/beaumont-college

This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful. Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From Julian.Tenney at nottingham.ac.uk Fri Mar 15 08:40:21 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 15 Mar 2013 08:40:21 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC3F@EXCHANGE1.ad.nottingham.ac.uk>

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think.
All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From J.J.Smith at gcu.ac.uk Fri Mar 15 09:10:19 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 09:10:19 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com>

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session?
> You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers?
> I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?

From Julian.Tenney at nottingham.ac.uk Fri Mar 15 09:15:36 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 15 Mar 2013 09:15:36 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk>

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in Firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
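
As an added illustration (not Xerte's upload.php and not code from anyone on the list), this is one way to write the check John describes: apply the `sessionid` that Flash appends to the query string with session_id() before session_start(), refuse the upload unless that session already belongs to a logged-in user, then filter by extension and detected MIME type. The `user_id` session key, the `Filedata` field name, the allow-list and the `media/` directory are assumptions.

```php
<?php
// Added illustration, not Xerte's upload.php. Assumed names: the 'user_id'
// session key, the 'Filedata' form field, the allow-list and the media/ path.
declare(strict_types=1);

// Numeric result codes only: the client learns that the upload failed, not why.
const ERR_SESSION = 1;
const ERR_AUTH    = 2;
const ERR_UPLOAD  = 3;
const ERR_TYPE    = 5;

// Extension => MIME types accepted for it (constructed sample allow-list).
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

function reject(int $code): void
{
    // A non-2xx status lets the client tell a refusal from a completed upload.
    http_response_code($code <= ERR_AUTH ? 403 : 400);
    echo $code;
    exit;
}

function resumeSessionFromQuery(): bool
{
    // The id arrives in the URL, so it will also appear in server logs.
    // It must be applied before anything else calls session_start().
    $sid = $_GET['sessionid'] ?? '';
    if (!is_string($sid) || preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) !== 1) {
        return false;
    }
    // Strict mode: an id the server never issued is swapped for a fresh one,
    // so the caller cannot choose the session id (session fixation).
    ini_set('session.use_strict_mode', '1');
    session_id($sid);
    if (!session_start()) {
        return false;
    }
    return hash_equals($sid, (string) session_id());
}

function checkUpload(array $file): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file((string) ($file['tmp_name'] ?? ''))) {
        return ERR_UPLOAD;
    }
    // The client-supplied name is used only to read the extension.
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return ERR_TYPE;
    }
    // Detect the type from the file's bytes, not from the request headers.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return in_array($mime, ALLOWED_TYPES[$ext], true) ? 0 : ERR_TYPE;
}

if (!resumeSessionFromQuery()) {
    reject(ERR_SESSION);
}
if (empty($_SESSION['user_id'])) {        // hypothetical "logged in" marker
    reject(ERR_AUTH);
}
$file = $_FILES['Filedata'] ?? null;      // assumed upload field name
if (!is_array($file)) {
    reject(ERR_UPLOAD);
}
$code = checkUpload($file);
if ($code !== 0) {
    reject($code);
}
// Store under a server-generated name; keep only the vetted extension.
$ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
$dest = __DIR__ . '/media/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    reject(ERR_UPLOAD);
}
echo 0;
```
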
From reijnders at tor.nl Fri Mar 15 10:07:10 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 15 Mar 2013 11:07:10 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <5142F2CE.7050101@tor.nl>

Hmmm, not too sure about that. I mean recreating the session really sounds to me like an awful hack.... And that's basically what we tried to do, right John?

I think, really, that we should prohibit the use of all browsers, except mine... (Haven't got one yet, but it will be awesome and solve all our issues!)

But seriously, I would like moodle integration to work! I use it in several key installations I have to maintain.

Tom

On 15-3-2013 10:15, Julian Tenney wrote:
> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 09:10
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle
>
> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>
> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> So is the problem the upload script, or the way the moodle authentication works?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:41
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in Firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron,
>>
>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though we had almost cracked it...
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>>
>> So I guess this is either session related or a js clash?
>>
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>
>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>
>> I'm almost hesitant to mention this...
>>
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Ron
>>
>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>
>> listener.onComplete = function(file:FileReference):Void {
>>     Alert.show("Upload successful");
>>     --etc--
>> }
>>
>> listener.onHTTPError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: HTTPError");
>>     --etc--
>> }
>>
>> listener.onIOError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: IOError");
>>     --etc--
>> }
>>
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>     Alert.show("Upload failed: Security Error");
>>     --etc--
>> }
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>>
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>>
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 3:19 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Julian Tenney >> >> Sent: Monday, March 11, 2013 2:32 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> If I try and upload php files, onComplete still fires... >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Julian Tenney >> >> Sent: 11 March 2013 14:27 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Hold on, I'll see if I can get the events to trip, >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Smith, John >> >> Sent: 11 March 2013 14:20 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Yeah, it?s the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway... 
>> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Smith, John >> >> Sent: Monday, March 11, 2013 1:57 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> No way to receive whether the upload was successful or not? >> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Julian Tenney >> >> Sent: Monday, March 11, 2013 1:48 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> I'm not sure you can do much with that class, it's just a black box. >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Smith, John >> >> Sent: 11 March 2013 13:33 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Perhaps it should just feedback error codes, and the flash class translates them... 
>> >> >> >> Regards, >> >> >> >> John Smith >> >> Learning Technologist >> >> School of Health & Life Sciences >> >> Glasgow Caledonian University >> >> >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Julian Tenney >> >> Sent: Monday, March 11, 2013 1:21 PM >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl. >> >> >> >> -----Original Message----- >> >> From: >> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list >> s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >> On Behalf Of Smith, John >> >> Sent: 11 March 2013 12:45 >> >> To: For Xerte technical developers >> >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> >> >> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed... >> >> >> >> >> >> >> >> >> >> >> >> >> >> Glasgow Caledonian University is a registered Scottish charity, number >> SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 >> 219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From J.J.Smith at gcu.ac.uk Fri Mar 15 10:13:49 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 10:13:49 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com>

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle. As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole... Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id. Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session?
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
From J.J.Smith at gcu.ac.uk Fri Mar 15 10:40:08 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 10:40:08 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5142F2CE.7050101@tor.nl>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk> <5142F2CE.7050101@tor.nl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7C9@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Tom, yes we're having to manually tell upload.php which session to use but I wouldn't say it's that awful a hack - it's had to be done for years where Flash and Firefox are concerned - Adobe is the hack!! The problem is the two different style Session variables - mixing Xerte Session with Moodle session...

If we plan to remove flash from the editing cycle too at some point then this would just be a step towards that, albeit at a far earlier stage than anticipated... I don't think it would be that hard to do on the js end - the trouble would be the upload status but could that be a js pop over so we tell the js which file to upload and let it handle it, passing back a code to flash when done: successful, failed, not logged in, etc...

I don't know what's for the best here, or easiest to work into the Flash...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: Friday, March 15, 2013 10:07 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmmm, not too sure about that. I mean recreating the session really sounds to me like an awful hack.... And that's basically what we tried to do, right John?

I think, really, that we should prohibit the use of all browsers, except mine... (Haven't got one yet, but it will be awesome and solve all our issues!)

But seriously, I would like moodle integration to work! I use it in several key installations I have to maintain.

Tom

On 15-3-2013 10:15, Julian Tenney wrote:
> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 09:10
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle
>
> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>
> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> So is the problem the upload script, or the way the moodle authentication works?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:41
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron,
>>
>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>>
>> So I guess this is either session related or a js clash?
>>
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>
>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>
>> I'm almost hesitant to mention this...
>>
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Ron
>>
>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance.
>> The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>
>> listener.onComplete = function(file:FileReference):Void {
>>     Alert.show("Upload successful");
>>     --etc--
>> }
>>
>> listener.onHTTPError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: HTTPError");
>>     --etc--
>> }
>>
>> listener.onIOError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: IOError");
>>     --etc--
>> }
>>
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>     Alert.show("Upload failed: Security Error");
>>     --etc--
>> }
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>>
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>>
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 3:19 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 2:32 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If I try and upload php files, onComplete still fires...
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 14:27
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hold on, I'll see if I can get the events to trip,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 14:20
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 1:57 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> No way to receive whether the upload was successful or not?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:48 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure you can do much with that class, it's just a black box.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 13:33
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Perhaps it should just feedback error codes, and the flash class translates them...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:21 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 12:45
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 1 5691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> Glasgow Caledonian University is a registered Scottish charity, >> number >> SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6 >> 219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 1 >> 5691,en.html >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. 
>> >> This message has been checked for viruses but the contents of an >> attachment may still contain software viruses which could damage your computer system: >> you are advised to perform your own checks. Email communications with >> the University of Nottingham may be monitored as permitted by UK legislation. > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From J.J.Smith at gcu.ac.uk Fri Mar 15 10:46:26 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 10:46:26 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <E93A9EE4-3FA9-40A7-9EFB-93AF5D4D2A03@mitchellmedia.co.uk>
References: <q3ejna8wyowtk7qaodp4ttl3.1363174198909@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB67@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D764@ITSEMBXCLUS.enterprise.gcal.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CB79@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D76C@ITSEMBXCLUS.enterprise.gcal.ac.uk> <E93A9EE4-3FA9-40A7-9EFB-93AF5D4D2A03@mitchellmedia.co.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7CE@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi Ron,

Although I got Moodle working last night, no matter what I did I couldn't get the integration with Xerte working... it would bounce me to Moodle to login and I could login and go around Moodle but when I went to XOT it bounced me back... followed the instructions to the letter but no cigar...

So yes if you are able to provide a more up to date one to try then I would appreciate that - itching to get this upload issue resolved so that I can move on...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: Thursday, March 14, 2013 5:14 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

On a train so can't check but from memory if its maxos you are using I think it was admin and changeme but you are forced to change the pw upon first login.
I can probably provide an up-to-date version if that would be useful but not until tomorrow

Ron

Sent from my iPhone

On 14 Mar 2013, at 16:41, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron,
>>
>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>>
>> Regards,
>>
>> John Smith | Learning Technologist
>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
>> Cowcaddens Road | Glasgow | G4 0BA
>> ________________________________________
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>> Sent: 12 March 2013 20:31
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication.
>>
>> So I guess this is either session related or a js clash?
>>
>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>
>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>> Sent: 12 March 2013 20:17
>> To: 'For Xerte technical developers'
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi John
>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>
>> I'm almost hesitant to mention this...
>>
>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>
>> Cheers
>> Ron
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 12 March 2013 19:56
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Ron
>>
>> Do you know if this is using Firefox or one of the other browsers?
>> I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>
>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>>
>>
>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>
>>
>> Hi
>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>> Ron
>>
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 16:18
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>>
>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>
>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>
>> listener.onComplete = function(file:FileReference):Void {
>>     Alert.show("Upload successful");
>>     --etc--
>> }
>>
>> listener.onHTTPError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: HTTPError");
>>     --etc--
>> }
>>
>> listener.onIOError = function(file:FileReference):Void {
>>     Alert.show("Upload failed: IOError");
>>     --etc--
>> }
>>
>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>     Alert.show("Upload failed: Security Error");
>>     --etc--
>> }
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 15:42
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Are you using FileReference class?
>> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>>
>> private function init():void {
>>     fileRef = new FileReference();
>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>
>>     urlReq = new URLRequest();
>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>> }
>>
>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>     var strData:String = StringUtil.trim(evt.data);
>>     var vars:URLVariables = new URLVariables(strData);
>>     Alert.show(vars.fileName, "fileName");
>> }
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 3:19 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>
>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 2:32 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> If I try and upload php files, onComplete still fires...
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: 11 March 2013 14:27
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hold on, I'll see if I can get the events to trip,
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 14:20
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: Monday, March 11, 2013 1:57 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> No way to receive whether the upload was successful or not?
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:48 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm not sure you can do much with that class, it's just a black box.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 13:33
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Perhaps it should just feedback error codes, and the flash class translates them...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Monday, March 11, 2013 1:21 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 11 March 2013 12:45
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
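
The message above and the thread it quotes settle on two server-side measures for upload.php: resuming the session from the id Flash appends to the query string before anything else starts a session, and rejecting unwanted file types while replying with bare codes rather than explanatory text. An added PHP example of both follows; it is not part of the thread or of Xerte's code, and `AUTH_KEY`, the result codes, the allowlist and the `Filedata` field name are assumptions.

```php
<?php
// Added illustration, not Xerte's upload.php. AUTH_KEY, the result codes, the
// allowlist and the 'Filedata' field name are assumptions made for this example.

const AUTH_KEY          = 'auth_user';   // hypothetical "logged in" session marker
const UPLOAD_OK         = 0;
const ERR_NO_SESSION    = 1;
const ERR_NOT_LOGGED_IN = 2;
const ERR_TYPE_REJECTED = 3;

// Extension => MIME types accepted for it; file name and content must agree.
const ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

/** Session id Flash appended to the query string, or null if absent or malformed. */
function passed_session_id(array $query): ?string
{
    $sid = $query['sessionid'] ?? null;
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid)) {
        return null;
    }
    return $sid;
}

/**
 * Resume the browser's session from the passed id. This has to run before any
 * include that calls session_start(), otherwise a new session is started.
 */
function resume_session(array $query): int
{
    $sid = passed_session_id($query);
    if ($sid === null) {
        return ERR_NO_SESSION;
    }
    session_id($sid);
    session_start();
    // A guessed or planted id resumes an empty session, so the id alone proves
    // nothing: require the marker that only the login page sets.
    if (empty($_SESSION[AUTH_KEY])) {
        session_destroy();
        return ERR_NOT_LOGGED_IN;
    }
    return UPLOAD_OK;
}

/** Judge the uploaded bytes, not the client-supplied name or Content-Type alone. */
function check_upload(string $tmpPath, string $clientName): int
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return ERR_TYPE_REJECTED;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ALLOWED[$ext], true) ? UPLOAD_OK : ERR_TYPE_REJECTED;
}

/** Reply with a bare code; the non-200 status makes a rejection an HTTP error. */
function respond(int $code): void
{
    http_response_code($code === UPLOAD_OK ? 200 : 403);
    echo $code;
}

/** Constructed inputs exercising the checks without a web server. */
function demo(): array
{
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, base64_decode(   // constructed 1x1 PNG
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    $script = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($script, "<?php echo 'hi'; ?>\n");   // constructed script body

    $results = [
        'well-formed id'        => passed_session_id(['sessionid' => str_repeat('a1', 16)]),
        'path-like id'          => passed_session_id(['sessionid' => '../../tmp/sess_x']),
        'real png as photo.png' => check_upload($png, 'photo.png'),
        'script as photo.png'   => check_upload($script, 'photo.png'),
        'script as page.php'    => check_upload($script, 'page.php'),
    ];
    unlink($png);
    unlink($script);
    return $results;
}

if (PHP_SAPI === 'cli') {
    var_dump(demo());
} else {
    $code = resume_session($_GET);
    if ($code === UPLOAD_OK) {
        $file = $_FILES['Filedata'] ?? null;
        $code = (is_array($file) && is_uploaded_file($file['tmp_name']))
            ? check_upload($file['tmp_name'], $file['name'])
            : ERR_TYPE_REJECTED;
        // On UPLOAD_OK, move_uploaded_file() to a server-chosen name would follow.
    }
    respond($code);
}
```

Run from the command line it prints the results for the constructed inputs; served over HTTP the same file acts as the upload endpoint.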
From reijnders at tor.nl Fri Mar 15 10:57:03 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Fri, 15 Mar 2013 11:57:03 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7C9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk> <5142F2CE.7050101@tor.nl> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7C9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <5142FE7F.4060803@tor.nl>

Well ... the fact that had to be done for years where Flash and Firefox are concerned, doesn't make it less awful... And I wasn't referring to your 'hack', but the fact that you have to do it at all......

So, yes I agree... Flash and its non-integration in browsers is the hack.... and Apple for not supporting Flash and Adobe for giving in with Android.... And so for that matter that javascript isn't javascript. and DOM isn't DOM. It's a mess.

I really like HTML5 and its potential to solve a lot of these issues. And then they (the ones that release browsers ;-) ) MESS UP COMPLETELY with the video tag. It's DVD all over.

Sorry for the rant...

Tom

On 15-3-2013 11:40, Smith, John wrote:
> Hi Tom, yes we're having to manually tell upload.php which session to use but I wouldn't say it's that awful a hack - it's had to be done for years where Flash and Firefox are concerned - Adobe is the hack!!
>
> The problem is the two different style Session variables - mixing Xerte Session with Moodle session...
>
> If we plan to remove flash from the editing cycle too at some point then this would just be a step towards that, albeit at a far earlier stage than anticipated...
> I don't think it would be that hard to do on the js end - the trouble would be the upload status but could that be a js pop over so we tell the js which file to upload and let it handle it, passing back a code to flash when done: successful, failed, not logged in, etc...
>
> I don't know what's for the best here, or easiest to work into the Flash...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Friday, March 15, 2013 10:07 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hmmm, not too sure about that. I mean recreating the session really sounds to me like an awful hack.... And that's basically what we tried to do, right John?
>
> I think, really, that we should prohibit the use of all browsers, except mine... (Haven't got one yet, but it will be awesome and solve all our issues!)
>
> But seriously, I would like moodle integration to work! I use it in several key installations I have to maintain.
>
> Tom
>
> On 15-3-2013 10:15, Julian Tenney wrote:
>> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 15 March 2013 09:10
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> The way the Moodle authentication works - its so complicated that there is no way to restart it in upload when we are using Firefox...
>> The upload script as reported by Ron does work as long as we're not using Moodle
>>
>> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>>
>> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>>
>>
>> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>>
>> So is the problem the upload script, or the way the moodle authentication works?
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:41
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>>
>> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>>
>> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>>
>> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:24 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:22
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>>
>> I think we might have to resort to js though...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:12 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>>
>> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >> John >> Sent: 13 March 2013 11:30 >> To: xerte-dev at lists.nottingham.ac.uk >> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >> >> Hi Pat >> >> Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... >> >> If we are in Firefox and include config.php before setting the session >> id then when config starts session we get a new session id >> >> Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. >> >> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... >> >> Regards >> >> John Smith >> Learning Technologist >> School of Health and Life Sciences >> >> Sent from Samsung Galaxy SII >> >> >> >> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote: >> >> >> Try including config.php or doing a MySQL select db back to the xerte >> db, that fixed most of the moodle problems before >> >> Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of >> a fair to middling quality >> >> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote: >> >>> Hi Ron, >>> >>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... 
>>> >>> Regards, >>> >>> John Smith | Learning Technologist >>> Room A251, Govan Mbeki Building | School of Health & Life Sciences | >>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA >>> ________________________________________ >>> From: xerte-dev-bounces at lists.nottingham.ac.uk >>> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell >>> [ronm at mitchellmedia.co.uk] >>> Sent: 12 March 2013 20:31 >>> To: 'For Xerte technical developers' >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> Hi John >>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. >>> >>> So I guess this is either session related or a js clash? >>> >>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. >>> >>> I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. >>> >>> Cheers >>> Ron >>> >>> -----Original Message----- >>> From: xerte-dev-bounces at lists.nottingham.ac.uk >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron >>> Mitchell >>> Sent: 12 March 2013 20:17 >>> To: 'For Xerte technical developers' >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> Hi John >>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... >>> >>> I'm almost hesitant to mention this... 
>>> >>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. >>> >>> Cheers >>> Ron >>> >>> -----Original Message----- >>> From: xerte-dev-bounces at lists.nottingham.ac.uk >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, >>> John >>> Sent: 12 March 2013 19:56 >>> To: xerte-dev at lists.nottingham.ac.uk >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> Hi Ron >>> >>> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... >>> >>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... >>> >>> Regards >>> >>> John Smith >>> Learning Technologist >>> School of Health and Life Sciences >>> >>> Sent from Samsung Galaxy SII >>> >>> >>> >>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: >>> >>> >>> Hi >>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. 
>>> I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>>> Ron
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian
>>> Tenney
>>> Sent: 11 March 2013 16:18
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>>
>>> I've added some alerts for now so you can see what gets tripped, we
>>> can take these out later, and I've committed the wizard with these in,
>>>
>>> listener.onComplete = function(file:FileReference):Void {
>>>     Alert.show("Upload successful");
>>>     --etc--
>>> }
>>>
>>> listener.onHTTPError = function(file:FileReference):Void {
>>>     Alert.show("Upload failed: HTTPError");
>>>     --etc--
>>> }
>>>
>>> listener.onIOError = function(file:FileReference):Void {
>>>     Alert.show("Upload failed: IOError");
>>>     --etc--
>>> }
>>>
>>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>>     Alert.show("Upload failed: Security Error");
>>>     --etc--
>>> }
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>>> On Behalf Of Smith, John
>>> Sent: 11 March 2013 15:42
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Are you using FileReference class? This code snippet suggests you can
>>> extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA
>>> with var strData:String = StringUtil.trim(evt.data);
>>>
>>> private function init():void {
>>>     fileRef = new FileReference();
>>>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>>>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>>>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>>>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>>>
>>>     urlReq = new URLRequest();
>>>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
>>> }
>>>
>>> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>>>     var strData:String = StringUtil.trim(evt.data);
>>>     var vars:URLVariables = new URLVariables(strData);
>>>     Alert.show(vars.fileName, "fileName");
>>> }
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: Monday, March 11, 2013 3:19 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>>>
>>> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Monday, March 11, 2013 2:32 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> If I try and upload php files, onComplete still fires...
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: 11 March 2013 14:27
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hold on, I'll see if I can get the events to trip,
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 11 March 2013 14:20
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity...
>>> They were all in English anyway...
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: Monday, March 11, 2013 1:57 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> No way to receive whether the upload was successful or not?
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Monday, March 11, 2013 1:48 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> I'm not sure you can do much with that class, it's just a black box.
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 11 March 2013 13:33
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Perhaps it should just feedback error codes, and the flash class translates them...
>>>
>>> Regards,
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health & Life Sciences
>>> Glasgow Caledonian University
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: Monday, March 11, 2013 1:21 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 11 March 2013 12:45
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>>>
>>> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>>>
>>> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>>>
>>> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
>>> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>>> _______________________________________________
>>> Xerte-dev mailing list
>>> Xerte-dev at lists.nottingham.ac.uk
>>> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>>>
>>> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>>>
>>> This message has been checked for viruses but the contents of an
>>> attachment may still contain software viruses which could damage your computer system:
>>> you are advised to perform your own checks. Email communications with
>>> the University of Nottingham may be monitored as permitted by UK legislation.
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From Julian.Tenney at nottingham.ac.uk Fri Mar 15 11:21:01 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 15 Mar 2013 11:21:01 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk>

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron
> Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication.
> I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith,
> John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     // --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     // --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     // --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     // --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     // Fires once the server's response body has been received after the upload
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     // evt.data holds the text returned by the upload script
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks.
> Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
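
The status-code idea from the thread above (a bare code in the response body, which Flash can read in UPLOAD_COMPLETE_DATA per the quoted snippet, with the reason kept out of the reply), as an added example that is not part of the original messages and is not Xerte's upload.php. The code values, the allowlist and all function names are assumptions made for this sketch.

```php
<?php
// Added illustration, not Xerte's upload.php. The code values, the allowlist
// and every function name here are assumptions made for the example.

const UPLOAD_OK            = 0;
const UPLOAD_NOT_LOGGED_IN = 1;
const UPLOAD_REJECTED      = 2; // one code for every validation failure

// Extension => MIME types that content sniffing may report for it (constructed).
const ALLOWED_TYPES = [
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'mp3' => ['audio/mpeg'],
];

/**
 * Decide what to do with one uploaded file.
 * Returns [code for the client, reason for the server log, stored name or null].
 */
function check_upload(bool $loggedIn, string $clientName, string $tmpPath): array
{
    if (!$loggedIn) {
        return [UPLOAD_NOT_LOGGED_IN, 'no authenticated session', null];
    }

    // Allowlist on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return [UPLOAD_REJECTED, "extension '$ext' is not allowlisted", null];
    }

    // Sniff the content itself; the client-supplied Content-Type is not used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return [UPLOAD_REJECTED, "content is '$mime', not a valid .$ext", null];
    }

    // Store under a server-generated name so the client name never reaches disk.
    $stored = bin2hex(random_bytes(8)) . '.' . $ext;
    return [UPLOAD_OK, 'accepted', $stored];
}

/** Write constructed sample bytes to a temp file and return its path. */
function sample_file(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed inputs: a PNG header (signature plus IHDR for a 1x1 image)
// and a text file that contains PHP tags.
$png = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
$php = "<?php echo 'constructed sample'; ?>\n";

$cases = [
    [true,  'diagram.png', $png],
    [true,  'notes.php',   $php],
    [true,  'photo.png',   $php], // extension passes, content does not
    [false, 'diagram.png', $png],
];

foreach ($cases as [$loggedIn, $name, $bytes]) {
    $tmp = sample_file($bytes);
    [$code, $reason, $stored] = check_upload($loggedIn, $name, $tmp);
    unlink($tmp);
    error_log("upload '$name': $reason"); // detail stays in the server log
    echo $code, "\n";                      // the whole response body: a bare code
}

// In a real handler $tmpPath comes from the $_FILES entry, and on UPLOAD_OK the
// file is moved with move_uploaded_file() into a directory where the web server
// does not execute scripts.
```
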
From Julian.Tenney at nottingham.ac.uk Fri Mar 15 11:22:51 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Fri, 15 Mar 2013 11:22:51 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5142FE7F.4060803@tor.nl>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk> <5142F2CE.7050101@tor.nl> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7C9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <5142FE7F.4060803@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD90@EXCHANGE1.ad.nottingham.ac.uk>

OK, so think differently. If the session is so gribbly to work across everything, then can we use something else?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 15 March 2013 10:57
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Well ... the fact that had to be done for years where Flash and Firefox are concerned, doesn't make it less awful... And I wasn't referring to your 'hack', but the fact that you have to do it at all...... So, yes I agree... Flash and its non-integration in browsers is the hack.... and Apple for not supporting Flash and Adobe for giving in with Android.... And so for that matter that javascript isn't javascript. and DOM isn't DOM. It's a mess. I really like HTML5 and its potential to solve a lot of these issues. And then they (the ones that release browsers ;-) ) MESS UP COMPLETELY with the video tag. It's DVD all over.

Sorry for the rant...

Tom

On 15-3-2013 11:40, Smith, John wrote:
> Hi Tom, yes we're having to manually tell upload.php which session to use but I wouldn't say it's that awful a hack - it's had to be done for years where Flash and Firefox are concerned - Adobe is the hack!!
>
> The problem is the two different style Session variables - mixing Xerte Session with Moodle session...
>
> If we plan to remove flash from the editing cycle too at some point then this would just be a step towards that, albeit at a far earlier stage than anticipated... I don't think it would be that hard to do on the js end - the trouble would be the upload status but could that be a js pop over so we tell the js which file to upload and let it handle it, passing back a code to flash when done: successful, failed, not logged in, etc...
>
> I don't know what's for the best here, or easiest to work into the Flash...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Friday, March 15, 2013 10:07 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hmmm, not too sure about that. I mean recreating the session really sounds to me like an awful hack.... And that's basically what we tried to do, right John?
>
> I think, really, that we should prohibit the use of all browsers, except mine... (Haven't got one yet, but it will be awesome and solve all our issues!)
>
> But seriously, I would like moodle integration to work! I use it in several key installations I have to maintain.
>
> Tom
>
> On 15-3-2013 10:15, Julian Tenney wrote:
>> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 15 March 2013 09:10
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle
>>
>> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>>
>> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> So is the problem the upload script, or the way the moodle authentication works?
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:41
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>>
>> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>>
>> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>>
>> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:24 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:22
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>>
>> I think we might have to resort to js though...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:12 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>>
>> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 13 March 2013 11:30
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Pat
>>
>> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>>
>> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>>
>> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>>
>> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>>> Hi Ron,
>>>
>>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From J.J.Smith at gcu.ac.uk Fri Mar 15 11:27:25 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 11:27:25 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5142FE7F.4060803@tor.nl>
References: <wli5m6ocuasvpl70r49olsm2.1363338613081@email.android.com>
 <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CC77@EXCHANGE1.ad.nottingham.ac.uk>
 <5142F2CE.7050101@tor.nl>
 <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7C9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
 <5142FE7F.4060803@tor.nl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E4@ITSEMBXCLUS.enterprise.gcal.ac.uk>

It's fine Tom, rant away - I love a good rant... and I take no offence at all from the work hack - most of my code is hacked together anyway!!

As you say there is a lot about the web that is awful which is why these hacks are necessary, almost to the point that they are not hacks any more but necessary coding styles!!

I'm sure we'll fix it some way or another...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: Friday, March 15, 2013 10:57 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Well ... the fact that it had to be done for years where Flash and Firefox are concerned, doesn't make it less awful...
And I wasn't referring to your 'hack', but the fact that you have to do it at all......

So, yes I agree... Flash and its non-integration in browsers is the hack.... and Apple for not supporting Flash and Adobe for giving in with Android....

And so for that matter that javascript isn't javascript. And DOM isn't DOM. It's a mess.

I really like HTML5 and its potential to solve a lot of these issues. And then they (the ones that release browsers ;-) ) MESS UP COMPLETELY with the video tag. It's DVD all over.

Sorry for the rant...

Tom

On 15-3-2013 11:40, Smith, John wrote:
> Hi Tom, yes we're having to manually tell upload.php which session to use but I wouldn't say it's that awful a hack - it's had to be done for years where Flash and Firefox are concerned - Adobe is the hack!!
>
> The problem is the two different style Session variables - mixing Xerte Session with Moodle session...
>
> If we plan to remove flash from the editing cycle too at some point then this would just be a step towards that, albeit at a far earlier stage than anticipated... I don't think it would be that hard to do on the js end - the trouble would be the upload status but could that be a js pop over so we tell the js which file to upload and let it handle it, passing back a code to flash when done: successful, failed, not logged in, etc...
>
> I don't know what's for the best here, or easiest to work into the Flash...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: Friday, March 15, 2013 10:07 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hmmm, not too sure about that. I mean recreating the session really sounds to me like an awful hack.... And that's basically what we tried to do, right John?
>
> I think, really, that we should prohibit the use of all browsers, except mine... (Haven't got one yet, but it will be awesome and solve all our issues!)
>
> But seriously, I would like moodle integration to work! I use it in several key installations I have to maintain.
>
> Tom
>
> On 15-3-2013 10:15, Julian Tenney wrote:
>> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 15 March 2013 09:10
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle
>>
>> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>>
>> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>>
>> So is the problem the upload script, or the way the moodle authentication works?
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:41
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>>
>> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>>
>> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>>
>> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:24 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 14 March 2013 16:22
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>>
>> I think we might have to resort to js though...
>>
>> Regards,
>>
>> John Smith
>> Learning Technologist
>> School of Health & Life Sciences
>> Glasgow Caledonian University
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>> Sent: Thursday, March 14, 2013 4:12 PM
>> To: For Xerte technical developers
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>>
>> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>>
>> -----Original Message-----
>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>> Sent: 13 March 2013 11:30
>> To: xerte-dev at lists.nottingham.ac.uk
>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>
>> Hi Pat
>>
>> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...
>>
>> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>>
>> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>>
>> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
>>
>> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>>
>> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>>
>> Pgogy Webstuff - http://www.pgogywebstuff.com
>> Makers of web things of a fair to middling quality
>>
>> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>>
>>> Hi Ron,
>>>
>>> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>>>
>>> Regards,
>>>
>>> John Smith | Learning Technologist
>>> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>>> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>>> ________________________________________
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
>>> Sent: 12 March 2013 20:31
>>> To: 'For Xerte technical developers'
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hi John
>>> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>>>
>>> So I guess this is either session related or a js clash?
>>>
>>> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>>>
>>> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>>>
>>> Cheers
>>> Ron
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>>> Sent: 12 March 2013 20:17
>>> To: 'For Xerte technical developers'
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hi John
>>> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>>>
>>> I'm almost hesitant to mention this...
>>>
>>> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>>>
>>> Cheers
>>> Ron
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 12 March 2013 19:56
>>> To: xerte-dev at lists.nottingham.ac.uk
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hi Ron
>>>
>>> Do you know if this is using Firefox or one of the other browsers?
>>> I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>>>
>>> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>>>
>>> Regards
>>>
>>> John Smith
>>> Learning Technologist
>>> School of Health and Life Sciences
>>>
>>> Sent from Samsung Galaxy SII
>>>
>>> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>>>
>>> Hi
>>> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
>>> Ron
>>>
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>>> Sent: 11 March 2013 16:18
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>>>
>>> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>>>
>>> listener.onComplete = function(file:FileReference):Void {
>>>     Alert.show("Upload successful");
>>>     --etc--
>>> }
>>>
>>> listener.onHTTPError = function(file:FileReference):Void {
>>>     Alert.show("Upload failed: HTTPError");
>>>     --etc--
>>> }
>>>
>>> listener.onIOError = function(file:FileReference):Void {
>>>     Alert.show("Upload failed: IOError");
>>>     --etc--
>>> }
>>>
>>> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>>>     Alert.show("Upload failed: Security Error");
>>>     --etc--
>>> }
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>>> Sent: 11 March 2013 15:42
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Are you using FileReference class?
This code snippet suggests you >>> can extract data from the DataEvent object in the >>> UPLOAD_COMPLETE_DATA with var strData:String = >>> StringUtil.trim(evt.data); >>> >>> >>> >>> >>> >>> >>> >>> private function init():void { >>> >>> fileRef = new FileReference(); >>> >>> fileRef.addEventListener(Event.SELECT, >>> fileRef_select); >>> >>> fileRef.addEventListener(Event.COMPLETE, >>> fileRef_complete); >>> >>> fileRef.addEventListener(IOErrorEvent.IO_ERROR, >>> fileRef_ioError); >>> >>> >>> fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, >>> fileRef_uploadCompleteData); >>> >>> >>> >>> urlReq = new URLRequest(); >>> >>> urlReq.url = >>> "http://localhost:8300/fileref/uploader.cfm"; >>> >>> } >>> >>> >>> >>> private function >>> fileRef_uploadCompleteData(evt:DataEvent):void { >>> >>> var strData:String = StringUtil.trim(evt.data); >>> >>> var vars:URLVariables = new URLVariables(strData); >>> >>> Alert.show(vars.fileName, "fileName"); >>> >>> } >>> >>> >>> >>> >>> >>> Regards, >>> >>> >>> >>> John Smith >>> >>> Learning Technologist >>> >>> School of Health & Life Sciences >>> >>> Glasgow Caledonian University >>> >>> >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Smith, John >>> >>> Sent: Monday, March 11, 2013 3:19 PM >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example... >>> >>> >>> >>> At least the session bit seems to work... 
I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out... >>> >>> >>> >>> Regards, >>> >>> >>> >>> John Smith >>> >>> Learning Technologist >>> >>> School of Health & Life Sciences >>> >>> Glasgow Caledonian University >>> >>> >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Julian Tenney >>> >>> Sent: Monday, March 11, 2013 2:32 PM >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> If I try and upload php files, onComplete still fires... >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Julian Tenney >>> >>> Sent: 11 March 2013 14:27 >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> Hold on, I'll see if I can get the events to trip, >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Smith, John >>> >>> Sent: 11 March 2013 14:20 >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> Yeah, it?s the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway... 
>>> >>> >>> >>> Regards, >>> >>> >>> >>> John Smith >>> >>> Learning Technologist >>> >>> School of Health & Life Sciences >>> >>> Glasgow Caledonian University >>> >>> >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Smith, John >>> >>> Sent: Monday, March 11, 2013 1:57 PM >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> No way to receive whether the upload was successful or not? >>> >>> >>> >>> Regards, >>> >>> >>> >>> John Smith >>> >>> Learning Technologist >>> >>> School of Health & Life Sciences >>> >>> Glasgow Caledonian University >>> >>> >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Julian Tenney >>> >>> Sent: Monday, March 11, 2013 1:48 PM >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> I'm not sure you can do much with that class, it's just a black box. >>> >>> >>> >>> -----Original Message----- >>> >>> From: >>> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at li >>> s >>> t s.nottingham.ac.uk> >>> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] >>> On Behalf Of Smith, John >>> >>> Sent: 11 March 2013 13:33 >>> >>> To: For Xerte technical developers >>> >>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php >>> >>> >>> >>> Perhaps it should just feedback error codes, and the flash class translates them... 
>>>
>>> Regards,
>>> John Smith
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
>>> Sent: Monday, March 11, 2013 1:21 PM
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>>>
>>> -----Original Message-----
>>> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
>>> Sent: 11 March 2013 12:45
>>> To: For Xerte technical developers
>>> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>>>
>>> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
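The quoted messages above propose that upload.php report a code rather than text, check the session, and detect the real MIME type. The sketch below shows those checks together as an added example; it is not Xerte's upload.php or any list member's patch. The status numbers, the `authenticated_user` session key, the `media` directory, the allowlist and the session id pattern are assumptions; `Filedata` is the default field name used by Flash's FileReference.upload().

```php
<?php
// Added example, not Xerte's upload.php. Status numbers, the session key,
// the allowlist and the target directory are assumptions for illustration.

const ST_OK         = 0; // file stored
const ST_NO_SESSION = 1; // no authenticated session behind this request
const ST_BAD_UPLOAD = 2; // PHP reported an upload error or the move failed
const ST_BAD_TYPE   = 3; // extension or detected content not on the allowlist

// Allowlist: extension => MIME types that finfo may report for real content.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
];

// Returns the lower-cased extension if both the name and the sniffed
// content are allowed, otherwise null. The client-supplied MIME type in
// $_FILES[...]['type'] is never consulted.
function allowed_extension(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        return null;
    }
    return $ext;
}

function handle_upload(array $session, array $file, string $destDir): int
{
    if (empty($session['authenticated_user'])) {
        return ST_NO_SESSION;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ST_BAD_UPLOAD;
    }
    $ext = allowed_extension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return ST_BAD_TYPE;
    }
    // Server-chosen name: the client's file name never reaches the disk.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? ST_OK : ST_BAD_UPLOAD;
}

// Flash does not always send the browser's cookie (the Firefox case in the
// thread), so the id may arrive in the query string. Accept it only if it
// looks like a session id. An id that matches no existing session just
// yields an empty session, which fails the authenticated_user check.
if (isset($_GET['sessionid'])
    && is_string($_GET['sessionid'])
    && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_GET['sessionid'])) {
    session_id($_GET['sessionid']);
}
session_start();

$status = handle_upload($_SESSION, $_FILES['Filedata'] ?? [], __DIR__ . '/media');

// Send the number in the response body so the Flash side can read it from
// the upload-complete data event. exit() with an integer prints nothing;
// it only sets the process exit status.
header('Content-Type: text/plain');
echo $status;
```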
From J.J.Smith at gcu.ac.uk Fri Mar 15 11:39:07 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 15 Mar 2013 11:39:07 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Worth a try!!

So we have to support Firefox AND Moodle - there's that wagging dog again ;-)

Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...

Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is...
Depends who you want to keep happiest...

Regards
John Smith

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle.

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards
John Smith

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,
John Smith

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,
John Smith

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think.
All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id.

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards
John Smith

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
> John Smith
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication.
> I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
> John Smith
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?
> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
> John Smith
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
> John Smith
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
> John Smith
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
> John Smith
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
> John Smith
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
From ronm at mitchellmedia.co.uk Fri Mar 15 12:12:39 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Fri, 15 Mar 2013 12:12:39 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <010201ce2176$659ae2b0$30d0a810$@co.uk>

John
sorry been in online meetings until now but will sort a working moodle/xot integrations for you to download shortly - although might take a while to upload for you to download! :-(

Then again it might well be that by the time my message hits the list if suffering the delay I sometimes get like yesterday then it will be ready anyway! ;-)

Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 11:39
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-)

Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail...

If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?
> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
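
As an added illustration that is not part of the thread and not Xerte's upload.php: one way to combine the checks discussed above, namely adopting the `sessionid` that Flash passes on the query string, rejecting by extension and detected content type, and answering with a number instead of explanatory text. The `user_id` session key, the allowlist, the result codes and all function names are assumptions; only the `sessionid` parameter comes from the thread.

```php
<?php
// Added example: not Xerte's upload.php. Function names, result codes and the
// 'user_id' session key are assumptions made for this illustration.

const CHK_OK            = 0;
const CHK_NO_SESSION    = 1; // no logged-in session behind the request
const CHK_BAD_EXTENSION = 2; // client file name not on the allowlist
const CHK_UNREADABLE    = 3; // uploaded temp file missing or unreadable
const CHK_BAD_CONTENT   = 4; // sniffed type disagrees with the extension

/** Assumed allowlist: extension => content types accepted for it. */
function allowed_types(): array
{
    return [
        'gif'  => ['image/gif'],
        'png'  => ['image/png'],
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
    ];
}

/** Return the id passed as ?sessionid=... only if it looks like a PHP session id. */
function passed_session_id(array $query): ?string
{
    $sid = $query['sessionid'] ?? null;
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return null;
    }
    return $sid;
}

/**
 * Web path only (not run by the CLI demo below): adopt the passed id before
 * session_start(), as described in the thread. An id the server does not know
 * yields an empty session, so the decision rests on the session contents.
 */
function resume_session(array $query): array
{
    $sid = passed_session_id($query);
    if ($sid !== null) {
        session_id($sid);
    }
    session_start();
    return $_SESSION;
}

/** Run every check and return one CHK_* code; no reason text is produced. */
function check_upload(array $session, string $clientName, string $tmpPath): int
{
    if (empty($session['user_id'])) {
        return CHK_NO_SESSION;
    }
    $types = allowed_types();
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $types)) {
        return CHK_BAD_EXTENSION;
    }
    if (!is_file($tmpPath) || !is_readable($tmpPath)) {
        return CHK_UNREADABLE;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !in_array($mime, $types[$ext], true)) {
        return CHK_BAD_CONTENT;
    }
    return CHK_OK;
}

/** Map a CHK_* code to the HTTP status sent with it. */
function http_status_for(int $code): int
{
    if ($code === CHK_OK) {
        return 200;
    }
    return $code === CHK_NO_SESSION ? 403 : 415;
}

// Demo on constructed input (command line only).
if (PHP_SAPI === 'cli') {
    $gif = tempnam(sys_get_temp_dir(), 'up');
    // Constructed sample: a 1x1 GIF.
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    $script = tempnam(sys_get_temp_dir(), 'up');
    // Constructed sample: script text that will be offered under an image name.
    file_put_contents($script, "<?php echo 'not an image';\n");

    $loggedIn = ['user_id' => 42];
    $cases = [
        'gif, logged in'           => [$loggedIn, 'photo.gif', $gif],
        'gif, empty session'       => [[], 'photo.gif', $gif],
        'php extension'            => [$loggedIn, 'page.php', $script],
        'script named .gif'        => [$loggedIn, 'page.gif', $script],
    ];
    foreach ($cases as $label => [$session, $name, $tmp]) {
        $code = check_upload($session, $name, $tmp);
        printf("%-20s code=%d http=%d\n", $label, $code, http_status_for($code));
    }
    var_dump(passed_session_id(['sessionid' => 'not a session id']));
    unlink($gif);
    unlink($script);
}
```

Sending an HTTP error status with the number gives the Flash side something other than a completed request to react to, while the reason for a refusal stays undisclosed. Content sniffing is only one layer: the stored file should also get a server-chosen name and live where the web server will not execute it.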
From ronm at mitchellmedia.co.uk Fri Mar 15 15:38:15 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Fri, 15 Mar 2013 15:38:15 -0000
Subject: [Xerte-dev] page type tweaks & possibly new page types for Maths project...
Message-ID: <013d01ce2193$1d4344e0$57c9cea0$@co.uk>

Hi all
my messages seem to be taking an age to get through to this list again not sure why but anyway I'm hoping this gets through relatively quickly...

On behalf of JISC Techdis I've recently been supporting a Maths project and those involved have been testing if XOT is suitable for what they want to achieve. There is a mix of experience amongst the group but no real developer skills etc

Prior to going on holiday last week I sent them some possible solutions to interactions they were trying to achieve most of which involve wishing to drag images to images etc I showed them how/where they could add img src etc to load images where the page type only has text options but obviously this is not ideal and doesn't fully suit their needs.

Here's some examples of this: possible drag and drop solutions http://vle.jisctechdis.ac.uk/xerte/play_html5_221 Patterns http://vle.jisctechdis.ac.uk/xerte/play_html5_237 Timings http://vle.jisctechdis.ac.uk/xerte/play_html5_241 The more recent example I received from them was the need for a coin interaction attached and in advance of a f2f meeting yesterday I created a quick demo of this via Xerte and uploaded as an rlm to xot: coins interaction http://vle.jisctechdis.ac.uk/xerte/play_262 Obviously that's Flash only, isn't a page type, isn't editable in xot etc which brings me to the real point of this message: The result of the f2f meeting yesterday is that they ideally want some additional functionality developed and I think this is likely to fall into two categories: 1. Adding additional options for adding images to existing page types e.g. those that involve dragging and dropping 2. Creating 1 or more new page types tat allow creation of interactions similar to the coins example The end results must work via HTML 5 if not both Flash and HTML 5 I've said that I would discuss all this via the dev list first of all to see what you think about changes to existing page types and also new page types and just as importantly to check if any or all are interested in working on this? This isn't the first time the wish for drag and drop image to image etc has cropped up and could result in additions to benefit all. BUT they need to have developed and tested pilot content by June so it's a very short timescale and although I'm involved I don't think I have the time or skills to help them with this without extra help. They will pay for development but the first step is to identify if anyone is interested in helping with this and then at some point we will need to estimate time and costs etc. What are your thoughts? 
First point relevant to us all is would we agree to include additions to current page types or new page types when there isn't yet parity between existing Flash and HTML 5 etc? It's a non-starter if we don't. Second point who's willing and able to help? Contact me on or off list if you are interested. Cheers Ron -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130315/f74fcbd7/attachment.html> From johnathan.kemp at ntlworld.com Sat Mar 16 12:02:28 2013 From: johnathan.kemp at ntlworld.com (Kemp Johnathan) Date: Sat, 16 Mar 2013 12:02:28 +0000 Subject: [Xerte-dev] Issues with Page Templates projects with possible implication for XOT Message-ID: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits 1. For some reason when in Xerte you do "Pages / Create Template Project >From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project. 2. Connector pages depend on every page having a unique linkID. However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page. I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this. Kind regards Johnathan -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130316/d6c84087/attachment.html> From reijnders at tor.nl Sun Mar 17 11:23:58 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Sun, 17 Mar 2013 12:23:58 +0100 Subject: [Xerte-dev] Translatable button labels in XOT Message-ID: <5145A7CE.8030906@tor.nl> One of the last steps in making XOT multilanguage is the ability to translate button labels. A lot of buttons are roll-over images, so one solution is to provide roll-over images in all the appropriate languages, but this turned out to be very tedious and time consuming, so I took another approach. I replaced all roll-over buttons with <button> I added a 'xerte_buttons.css' as well, and perhaps someone with more CSS knowledge should have a look at that. While I was at it, I also changed all 'action' URL's to buttons as well. It's much clearer now (in my opinion) when something is am action, or when something is a link. Please let me know if you encounter any issues with functionality after my changes. Last two remaining things to really finish up internationalisation is 1. the ability to make the 'pods' on the login page in language dependent. 2. the ability to upload a language package in management.php. Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From reijnders at tor.nl Sun Mar 17 11:26:12 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Sun, 17 Mar 2013 12:26:12 +0100 Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT In-Reply-To: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> Message-ID: <5145A854.4010600@tor.nl> Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix. 
Tom

On 16-3-2013 13:02, Kemp Johnathan wrote:
> In Xerte in Page Templates (not a Pages type) project there are
> currently two issues, the second of which may also compromise Xerte
> Online Toolkits
>
> 1. For some reason when in Xerte you do "Pages / Create Template
> Project From Pages" the project is not created using the current
> models and templates.xwd file, but is built using the
> C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date.
> If you rename the file _PageTemplates.xtp then Xerte will not be able
> to find it and will use the correct models and xwd file to create your
> new project.
>
> 2. Connector pages depend on every page having a unique linkID.
> However in Page Templates type projects if you select a page and Copy
> it, the new copy of the page receives the same linkID as the page from
> which it was copied. This will compromise the pageList listing and
> selection of the correct page. I have not been able to test this for
> XOT as I currently don't have a working install, but perhaps someone
> could run a check on this.
>
> Kind regards
>
> Johnathan
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Sun Mar 17 11:39:44 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Sun, 17 Mar 2013 11:39:44 +0000
Subject: [Xerte-dev] Re: Translatable button labels in XOT
In-Reply-To: <5145A7CE.8030906@tor.nl>
References: <5145A7CE.8030906@tor.nl>
Message-ID: <7D0BE73D-D5D5-477F-88C7-B95DDF281101@pgogywebstuff.com>

The pods are in the database though aren't they?

Also - they might be obsolete soon?

I am wondering if the upload script in management could be an unzipper that isn't too fussy on file structures?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 17 Mar 2013, at 11:23, Tom Reijnders <reijnders at tor.nl> wrote:

> One of the last steps in making XOT multilanguage is the ability to translate button labels.
>
> A lot of buttons are roll-over images, so one solution is to provide roll-over images in all the appropriate languages, but this turned out to be very tedious and time consuming, so I took another approach. I replaced all roll-over buttons with <button>
>
> I added a 'xerte_buttons.css' as well, and perhaps someone with more CSS knowledge should have a look at that.
>
> While I was at it, I also changed all 'action' URLs to buttons as well. It's much clearer now (in my opinion) when something is an action, or when something is a link.
>
> Please let me know if you encounter any issues with functionality after my changes.
>
> Last two remaining things to really finish up internationalisation is
> 1. the ability to make the 'pods' on the login page in language dependent.
> 2. the ability to upload a language package in management.php.
>
> Tom
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment.
Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

From ronm at mitchellmedia.co.uk Sun Mar 17 12:28:42 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Sun, 17 Mar 2013 12:28:42 -0000
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <5145A854.4010600@tor.nl>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl>
Message-ID: <01c001ce230a$f75c27a0$e61476e0$@co.uk>

No the same issue doesn't exist with XOT. I think I raised this here some time ago and I think it was Julian who fixed it. Not sure why it doesn't work in a page template project although I haven't tested that.

HTH
Ron

From johnathan.kemp at ntlworld.com Sun Mar 17 13:01:52 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Sun, 17 Mar 2013 13:01:52 +0000
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <01c001ce230a$f75c27a0$e61476e0$@co.uk>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <01c001ce230a$f75c27a0$e61476e0$@co.uk>
Message-ID: <CABtG3=XGeOu9DUcNQ1eiE2AZsyKQp7oe4_b3-S6nK-e88Q3o0w@mail.gmail.com>

Thanks Ron,

That's good to know.

Johnathan

On 17 March 2013 12:28, Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

> No the same issue doesn't exist with XOT. I think I raised this here some
> time ago and I think it was Julian who fixed it. Not sure why it doesn't
> work in a page template project although I haven't tested that.
>
> HTH
>
> Ron
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk [mailto:
> xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom Reijnders
> *Sent:* 17 March 2013 11:26
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with
> possible implication for XOT
>
> Didn't test it (yet) but I assume we have the same issue in XOT as well.
> When copying a page, we should generate a new 'unique' linkID. Should be
> easy to fix.
>
> Tom
>
> On 16-3-2013 13:02, Kemp Johnathan wrote:
>
> In Xerte in Page Templates (not a Pages type) project there are currently
> two issues, the second of which may also compromise Xerte Online Toolkits
>
> 1. For some reason when in Xerte you do "Pages / Create Template Project
> From Pages" the project is not created using the current models and
> templates.xwd file, but is built using the
> C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If
> you rename the file _PageTemplates.xtp then Xerte will not be able to find
> it and will use the correct models and xwd file to create your new project.
>
> 2. Connector pages depend on every page having a unique linkID. However in
> Page Templates type projects if you select a page and Copy it, the new copy
> of the page receives the same linkID as the page from which it was copied.
> This will compromise the pageList listing and selection of the correct
> page. I have not been able to test this for XOT as I currently don't have a
> working install, but perhaps someone could run a check on this.
>
> Kind regards
>
> Johnathan
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From Greavesv at beaumontcollege.org Mon Mar 18 10:26:54 2013
From: Greavesv at beaumontcollege.org (Vicky Greaves)
Date: Mon, 18 Mar 2013 10:26:54 +0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <51420B25.8040707@tor.nl>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl> <51420B25.8040707@tor.nl>
Message-ID: <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org>

Apologies for the delay (I'm not in on Fridays).

Zip files attached...
Test.zip created in our XOT, exported but cannot re-import.
AssessSnack.zip from Alistair McNaught - also cannot import.

Issue 2 - uploading .flv files
Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did!
I haven't attempted to use this installation of XOT enough to know if that is still the case.

I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP

Thanks very much, all.

Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 14 March 2013 17:39
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

If it was the header problem you would get php code back in the browser.
Please send the file listing of the .zip (or the zip itself).
What version of XOT did you install? The latest 1.91 .zip?

Tom

On 14-3-2013 18:20, Dave Burnett wrote:

Vaguely:
The zip is being created inside an extra folder. Can you open the zip on the desktop and see what the structure looks like.
Or
It's something in the php header. Patrick might remember. Or not. ;-)

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.
The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.
I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.'
Our institution has a policy of not using Firefox.
Any ideas?
Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?
Where/how was the zip created?

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'
Does anybody know what's causing this, or better still, how to sort it out?
Thanks very much
Vicky

________________________________
Beaumont College is part of Scope
Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866). Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939.
Visit our website at http://www.beaumontcollege.ac.uk and via Scope at http://www.scope.org.uk/services/beaumont-college
This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful. Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.zip
Type: application/x-zip-compressed
Size: 2346888 bytes
Desc: test.zip
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/8194dad9/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: AssessSnack.zip
Type: application/x-zip-compressed
Size: 2881772 bytes
Desc: AssessSnack.zip
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/8194dad9/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xertePhpReport.JPG
Type: image/jpeg
Size: 90422 bytes
Desc: xertePhpReport.JPG
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/8194dad9/attachment-0001.jpe>

From J.J.Smith at gcu.ac.uk Mon Mar 18 12:07:52 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 18 Mar 2013 12:07:52 +0000
Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
Message-ID: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com>

Hi Ron

Sorry meant to respond earlier - don't have any experience of altering page type functionality or adding page types to the wizard but if someone else can do that (or point me in the general direction of how to) then I'll be happy to work on the html side of it... I'd rather know how to do the full thing though as we have some ideas for page types also...

As far as adding options to the wizard then I was going to ask the same question - I was assuming that as long as it doesn't break old LOs then it would be ok??
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html From J.J.Smith at gcu.ac.uk Mon Mar 18 12:15:09 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Mon, 18 Mar 2013 12:15:09 +0000 Subject: [Xerte-dev] Re: XOT installation help please Message-ID: <fmbfsxgqkof9layi1aehnrnw.1363608716824@email.android.com> Could this be a php.ini 'upload_max_filesize' or'post_max_size'. Ive been seeing similar inconsistencies uploading media while working on the upload issues... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Vicky Greaves <Greavesv at beaumontcollege.org> wrote: Apologies for the delay (I?m not in on Fridays). Zip files attached? Test.zip created in our XOT, exported but cannot re-import. AssessSnack.zip from Alistair McNaught ? also cannot import. Issue 2 ? uploading .flv files Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via ?properties? to ?media and quota?. I then get the attached xertePhpReport.jpg This was an intermittent issue on our first attempt at installing XOT as some files wouldn?t upload on numerous attempts and then suddenly did! I haven?t attempted to use this installation of XOT enough to know if that is still the case. I am told it?s the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP Thanks very much, all. Vicky From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 14 March 2013 17:39 To: For Xerte technical developers Subject: [Xerte-dev] Re: XOT installation help please If it was the header problem you would get php code back in the browser. Please send the file listing of the .zip (or the zip itself). What version of XOT did you install? The latest 1.91 .zip? 
Tom

On 14-3-2013 18:20, Dave Burnett wrote:

Vaguely:

The zip is being created inside an extra folder.
Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.
Patrick might remember.
Or not. ;-)

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.

The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.

I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.'

Our institution has a policy of not using Firefox.

Any ideas?

Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?

Where/how was the zip created?

________________________________
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp.

When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'

Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much

Vicky

________________________________

Beaumont College is part of Scope

Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866).
Our registered office is at 6 Market Road, London N7 9PW, England.
Our VAT number is 805156939.

Visit our website at http://www.beaumontcollege.ac.uk
and via Scope at http://www.scope.org.uk/services/beaumont-college

This message, and any file(s) transmitted with it are confidential and are intended only for the person(s) to whom they have been addressed by the sender. This message may contain confidential and/or privileged material. If you are not the intended recipient of this message, or if you believe it was transmitted to you in error, you are required to delete the message and any copies of it, and to notify the sender immediately. Any unauthorised disclosure, copying, distribution, or printing of this message or accompanying files, or unauthorised use of any information contained therein, by anyone other than the intended recipient(s) is prohibited and may be unlawful.

Any views expressed in this message or in any file(s) transmitted with it are those of the author, and may not necessarily represent the views of Beaumont College or Scope

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From ronm at mitchellmedia.co.uk Mon Mar 18 12:30:06 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Mon, 18 Mar 2013 12:30:06 -0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl> <51420B25.8040707@tor.nl> <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org>
Message-ID: <026201ce23d4$53e6b2f0$fbb418d0$@co.uk>

Hi to eliminate a few things here...

1. The problem isn't with either of those two zips - both import fine into an up-to-date installation so it's not the structure of the zips

2. In your test zip there's reference to the following:
FileLocation + 'media/videoAlex.flv'
FileLocation + 'media/disclosure4.flv'
But videoAlex.flv isn't in the zip.
Is there a big difference in file size between those two flv files? If so I wonder if php upload or timeout settings are the problem?

3. The problems aren't really likely to be relevant to whether it's wamp or xampp as long as everything is configured correctly

HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Vicky Greaves
Sent: 18 March 2013 10:27
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: XOT installation help please

Apologies for the delay (I'm not in on Fridays).

Zip files attached.
Test.zip created in our XOT, exported but cannot re-import.
AssessSnack.zip from Alistair McNaught - also cannot import.

Issue 2 - uploading .flv files
Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case.

I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP

Thanks very much, all.
Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 14 March 2013 17:39
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

If it was the header problem you would get php code back in the browser.

Please send the file listing of the .zip (or the zip itself).

What version of XOT did you install? The latest 1.91 .zip?

Tom

On 14-3-2013 18:20, Dave Burnett wrote:

Vaguely:

The zip is being created inside an extra folder.
Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.
Patrick might remember.
Or not. ;-)

_____
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.

The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.

I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.'

Our institution has a policy of not using Firefox.

Any ideas?

Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?

Where/how was the zip created?

_____
From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp.

When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'

Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much

Vicky

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From d_b_burnett at hotmail.com Mon Mar 18 13:23:29 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Mon, 18 Mar 2013 09:23:29 -0400
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <fmbfsxgqkof9layi1aehnrnw.1363608716824@email.android.com>
References: <fmbfsxgqkof9layi1aehnrnw.1363608716824@email.android.com>
Message-ID: <BLU153-W3871257F133A017BF36219A7E80@phx.gbl>

Good idea to check it, but both zips are ~ 3 mb.
It would have to have been an old DOS hand to have set it that low. ;-)

Dave

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Mon, 18 Mar 2013 12:15:09 +0000
> Subject: [Xerte-dev] Re: XOT installation help please
>
> Could this be a php.ini 'upload_max_filesize' or 'post_max_size'? I've been seeing similar inconsistencies uploading media while working on the upload issues...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Vicky Greaves <Greavesv at beaumontcollege.org> wrote:
>
> Apologies for the delay (I'm not in on Fridays).
>
> Zip files attached...
> Test.zip created in our XOT, exported but cannot re-import.
> AssessSnack.zip from Alistair McNaught - also cannot import.
>
> Issue 2 - uploading .flv files
> Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
> This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case.
>
> I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues.
> Our first attempt was on WAMP, this time on XAMPP
>
> Thanks very much, all.
> Vicky
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 14 March 2013 17:39
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT installation help please
>
> If it was the header problem you would get php code back in the browser.
>
> Please send the file listing of the .zip (or the zip itself).
>
> What version of XOT did you install? The latest 1.91 .zip?
>
> Tom
> On 14-3-2013 18:20, Dave Burnett wrote:
>
> Vaguely:
>
> The zip is being created inside an extra folder.
> Can you open the zip on the desktop and see what the structure looks like.
>
> Or
>
> It's something in the php header.
> Patrick might remember.
> Or not. ;-)
>
> ________________________________
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 16:03:31 +0000
> Subject: [Xerte-dev] Re: XOT installation help please
>
> Both Chrome and IE.
>
> The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.
>
> I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.'
>
> Our institution has a policy of not using Firefox.
>
> Any ideas?
>
> Thanks very much
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
> Sent: 14 March 2013 14:55
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT installation help please
>
> What browser?
>
> Where/how was the zip created?
> ________________________________
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 14:05:26 +0000
> Subject: [Xerte-dev] XOT installation help please
>
> We've just installed XOT, this time on Xampp.
>
> When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'
>
> Does anybody know what's causing this, or better still, how to sort it out?
>
> Thanks very much
>
> Vicky
>
> --
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

From Greavesv at beaumontcollege.org Mon Mar 18 13:37:17 2013
From: Greavesv at beaumontcollege.org (Vicky Greaves)
Date: Mon, 18 Mar 2013 13:37:17 +0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <026201ce23d4$53e6b2f0$fbb418d0$@co.uk>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl> <51420B25.8040707@tor.nl> <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org> <026201ce23d4$53e6b2f0$fbb418d0$@co.uk>
Message-ID: <E2E25586E39BBB4C95EAE0ECD32AC8D905302AC1@DAG1.beaumontcollege.org>

Hi Ron

videoAlex.flv is 2.22MB - so not big. A video file I'm struggling with at the moment is big (44MB) but I did get it to upload eventually in our last XOT setup.

Thanks
Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 18 March 2013 12:30
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: XOT installation help please

Hi to eliminate a few things here...

1. The problem isn't with either of those two zips - both import fine into an up-to-date installation so it's not the structure of the zips

2. In your test zip there's reference to the following:
FileLocation + 'media/videoAlex.flv'
FileLocation + 'media/disclosure4.flv'
But videoAlex.flv isn't in the zip. Is there a big difference in file size between those two flv files? If so I wonder if php upload or timeout settings are the problem?

3. The problems aren't really likely to be relevant to whether it's wamp or xampp as long as everything is configured correctly

HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Vicky Greaves
Sent: 18 March 2013 10:27
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: XOT installation help please

Apologies for the delay (I'm not in on Fridays).

Zip files attached...
Test.zip created in our XOT, exported but cannot re-import.
AssessSnack.zip from Alistair McNaught - also cannot import.

Issue 2 - uploading .flv files
Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case.

I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP

Thanks very much, all.
Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 14 March 2013 17:39
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

If it was the header problem you would get php code back in the browser.

Please send the file listing of the .zip (or the zip itself).

What version of XOT did you install? The latest 1.91 .zip?

Tom

On 14-3-2013 18:20, Dave Burnett wrote:

Vaguely:

The zip is being created inside an extra folder.
Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.
Patrick might remember.
Or not.
;-) ________________________________ From: Greavesv at beaumontcollege.org<mailto:Greavesv at beaumontcollege.org> To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Date: Thu, 14 Mar 2013 16:03:31 +0000 Subject: [Xerte-dev] Re: XOT installation help please Both Chrome and IE. The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe. I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)- the same error 'You can only import Zip Files.' Our institution has a policy of not using Firefox. Any ideas? Thanks very much From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: 14 March 2013 14:55 To: For Xerte technical developers Subject: [Xerte-dev] Re: XOT installation help please What browser? Where/how was the zip created? ________________________________ From: Greavesv at beaumontcollege.org<mailto:Greavesv at beaumontcollege.org> To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Date: Thu, 14 Mar 2013 14:05:26 +0000 Subject: [Xerte-dev] XOT installation help please We've just installed XOT, this time on Xampp. When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.' Does anybody know what's causing this, or better still, how to sort it out? Thanks very much Vicky ________________________________ Beaumont College is part of Scope Scope is a registered charity (number 208231) and a company limited by guarantee (number 520866). Our registered office is at 6 Market Road, London N7 9PW, England. Our VAT number is 805156939. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/ee08d667/attachment-0001.html>

From d_b_burnett at hotmail.com Mon Mar 18 14:14:58 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Mon, 18 Mar 2013 10:14:58 -0400
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <E2E25586E39BBB4C95EAE0ECD32AC8D905302AC1@DAG1.beaumontcollege.org>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org>, , <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl>, , <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org>, <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl> <51420B25.8040707@tor.nl>, <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org>, <026201ce23d4$53e6b2f0$fbb418d0$@co.uk>, <E2E25586E39BBB4C95EAE0ECD32AC8D905302AC1@DAG1.beaumontcollege.org>
Message-ID: <BLU153-W36B47AF4D79BF63C7B0071A7E80@phx.gbl>

Vicky, extract the files from the Xerte generated zip and make a new zip of them using your desktop zip client.

Same error?

From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Mon, 18 Mar 2013 13:37:17 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Hi Ron

videoAlex.flv is 2.22MB - so not big.

A video file I'm struggling with at the moment is big (44MB) but I did get it to upload eventually in our last XOT setup.

Thanks
Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 18 March 2013 12:30
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: XOT installation help please

Hi

to eliminate a few things here...

1. The problem isn't with either of those two zips - both import fine into an up-to-date installation so it's not the structure of the zips

2. In your test zip there's reference to the following:

FileLocation + 'media/videoAlex.flv'
FileLocation + 'media/disclosure4.flv'

But videoAlex.flv isn't in the zip. Is there a big difference in file size between those two flv files? If so I wonder if php upload or timeout settings are the problem?

3. The problems aren't really likely to be relevant to whether it's wamp or xampp as long as everything is configured correctly

HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Vicky Greaves
Sent: 18 March 2013 10:27
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: XOT installation help please

Apologies for the delay (I'm not in on Fridays).

Zip files attached...
Test.zip created in our XOT, exported but cannot re-import.
AssessSnack.zip from Alistair McNaught - also cannot import.

Issue 2 - uploading .flv files
Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case.

I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP

Thanks very much, all.
Vicky

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 14 March 2013 17:39
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

If it was the header problem you would get php code back in the browser.

Please send the file listing of the .zip (or the zip itself).

What version of XOT did you install? The latest 1.91 .zip?

Tom

On 14-3-2013 18:20, Dave Burnett wrote:

Vaguely:

The zip is being created inside an extra folder.
Can you open the zip on the desktop and see what the structure looks like.

Or

It's something in the php header.
Patrick might remember.
Or not. ;-)

From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 16:03:31 +0000
Subject: [Xerte-dev] Re: XOT installation help please

Both Chrome and IE.

The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.

I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE) - the same error 'You can only import Zip Files.'

Our institution has a policy of not using Firefox.

Any ideas?
Thanks very much

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 14 March 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

What browser?
Where/how was the zip created?

From: Greavesv at beaumontcollege.org
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 14 Mar 2013 14:05:26 +0000
Subject: [Xerte-dev] XOT installation help please

We've just installed XOT, this time on Xampp.

When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'

Does anybody know what's causing this, or better still, how to sort it out?

Thanks very much
Vicky

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/2bc205c2/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Mon Mar 18 14:40:06 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 18 Mar 2013 14:40:06 +0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <BLU153-W3871257F133A017BF36219A7E80@phx.gbl>
References: <fmbfsxgqkof9layi1aehnrnw.1363608716824@email.android.com> <BLU153-W3871257F133A017BF36219A7E80@phx.gbl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D8E8@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Should have been more specific that I was referring to Issue 2 but was on my phone and tired and grumpy ;-)

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: Monday, March 18, 2013 1:23 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT installation help please

Good idea to check it, but both zips are ~ 3 mb.
It would have to have been an old DOS hand to have set it that low. ;-)

Dave

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Mon, 18 Mar 2013 12:15:09 +0000
> Subject: [Xerte-dev] Re: XOT installation help please
>
> Could this be a php.ini 'upload_max_filesize' or 'post_max_size'. I've been seeing similar inconsistencies uploading media while working on the upload issues...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
>
> Vicky Greaves <Greavesv at beaumontcollege.org> wrote:
>
> Apologies for the delay (I'm not in on Fridays).
>
> Zip files attached...
> Test.zip created in our XOT, exported but cannot re-import.
> AssessSnack.zip from Alistair McNaught - also cannot import.
>
> Issue 2 - uploading .flv files
> Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg
> This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case.
>
> I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP
>
> Thanks very much, all.
> Vicky
>
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 14 March 2013 17:39
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT installation help please
>
> If it was the header problem you would get php code back in the browser.
>
> Please send the file listing of the .zip (or the zip itself).
>
> What version of XOT did you install? The latest 1.91 .zip?
>
> Tom
> On 14-3-2013 18:20, Dave Burnett wrote:
>
> Vaguely:
>
> The zip is being created inside an extra folder.
> Can you open the zip on the desktop and see what the structure looks like.
>
> Or
>
> It's something in the php header.
> Patrick might remember.
> Or not. ;-)
>
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 16:03:31 +0000
> Subject: [Xerte-dev] Re: XOT installation help please
>
> Both Chrome and IE.
>
> The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.
>
> I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE) - the same error 'You can only import Zip Files.'
>
> Our institution has a policy of not using Firefox.
>
> Any ideas?
>
> Thanks very much
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
> Sent: 14 March 2013 14:55
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT installation help please
>
> What browser?
>
> Where/how was the zip created?
>
> From: Greavesv at beaumontcollege.org
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 14 Mar 2013 14:05:26 +0000
> Subject: [Xerte-dev] XOT installation help please
>
> We've just installed XOT, this time on Xampp.
>
> When we try to import a project (we're using AssessSnack.zip to test with), we get the error message 'You can only import Zip Files.'
>
> Does anybody know what's causing this, or better still, how to sort it out?
>
> Thanks very much
>
> Vicky

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130318/e24d2f67/attachment-0001.html>

From Julian.Tenney at nottingham.ac.uk Mon Mar 18 17:32:24 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 18 Mar 2013 17:32:24 +0000
Subject: [Xerte-dev] Re: Translatable button labels in XOT
In-Reply-To: <5145A7CE.8030906@tor.nl>
References: <5145A7CE.8030906@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4D8CFB2E@EXCHANGE1.ad.nottingham.ac.uk>

Sounds sensible to me.
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders [reijnders at tor.nl]
Sent: 17 March 2013 11:23
To: Xerte Developers Discussion List
Subject: [Xerte-dev] Translatable button labels in XOT

One of the last steps in making XOT multilanguage is the ability to translate button labels.
A lot of buttons are roll-over images, so one solution is to provide roll-over images in all the appropriate languages, but this turned out to be very tedious and time consuming, so I took another approach.

I replaced all roll-over buttons with <button>

I added a 'xerte_buttons.css' as well, and perhaps someone with more CSS knowledge should have a look at that.

While I was at it, I also changed all 'action' URLs to buttons as well. It's much clearer now (in my opinion) when something is an action, or when something is a link.

Please let me know if you encounter any issues with functionality after my changes.

Last two remaining things to really finish up internationalisation are
1. the ability to make the 'pods' on the login page language dependent.
2. the ability to upload a language package in management.php.

Tom

--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From xerte at pgogywebstuff.com Tue Mar 19 09:26:46 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Tue, 19 Mar 2013 09:26:46 +0000
Subject: [Xerte-dev] Re: XOT installation help please
In-Reply-To: <BLU153-W36B47AF4D79BF63C7B0071A7E80@phx.gbl>
References: <E2E25586E39BBB4C95EAE0ECD32AC8D9053023B0@DAG1.beaumontcollege.org> <BLU153-W23755B22EA482D72781A4EA7EC0@phx.gbl> <E2E25586E39BBB4C95EAE0ECD32AC8D905302638@DAG1.beaumontcollege.org> <BLU153-W6252C379728F3B0D65451FA7EC0@phx.gbl> <51420B25.8040707@tor.nl> <E2E25586E39BBB4C95EAE0ECD32AC8D9053029D2@DAG1.beaumontcollege.org> <026201ce23d4$53e6b2f0$fbb418d0$@co.uk> <E2E25586E39BBB4C95EAE0ECD32AC8D905302AC1@DAG1.beaumontcollege.org> <BLU153-W36B47AF4D79BF63C7B0071A7E80@phx.gbl>
Message-ID: <80FF4231-EED9-4934-9EB6-FFF8A38B6613@pgogywebstuff.com>

The error is the crazy src hash problem.
Can someone edit media and quota in properties to remove it? Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 18 Mar 2013, at 14:14, Dave Burnett <d_b_burnett at hotmail.com> wrote: > Vicky, extract the files from the Xerte generated zip and make a new zip of them using your desktop zip client. > > Same error? > > From: Greavesv at beaumontcollege.org > To: xerte-dev at lists.nottingham.ac.uk > Date: Mon, 18 Mar 2013 13:37:17 +0000 > Subject: [Xerte-dev] Re: XOT installation help please > > Hi Ron > > > > videoAlex.flv is 2.22MB - so not big. > > A video file I'm struggling with at the moment is big (44MB) but I did get it to upload eventually in our last XOT setup. > > > > Thanks > > Vicky > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > Sent: 18 March 2013 12:30 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: XOT installation help please > > > > Hi > > to eliminate a few things here... > > > > 1. The problem isn't with either of those two zips - both import fine into an up-to-date installation so it's not the structure of the zips > > 2. In your test zip there's reference to the following: > > FileLocation + 'media/videoAlex.flv' > > FileLocation + 'media/disclosure4.flv' > > But videoAlex.flv isn't in the zip. Is there a big difference in file size between those two flv files? If so I wonder if php upload or timeout settings are the problem? > > 3. The problems aren't really likely to be relevant to whether it's wamp or xampp as long as everything is configured correctly > > HTH > > Ron > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Vicky Greaves > Sent: 18 March 2013 10:27 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: XOT installation help please > > > > Apologies for the delay (I'm not in on Fridays).
> > > > Zip files attached? > > Test.zip created in our XOT, exported but cannot re-import. > > AssessSnack.zip from Alistair McNaught - also cannot import. > > > > Issue 2 - uploading .flv files > > Our XOT will not always upload .flv files. For those that do not install directly to the page of the LO, I have then tried uploading via 'properties' to 'media and quota'. I then get the attached xertePhpReport.jpg > > This was an intermittent issue on our first attempt at installing XOT as some files wouldn't upload on numerous attempts and then suddenly did! I haven't attempted to use this installation of XOT enough to know if that is still the case. > > > > I am told it's the latest version of XOT. This is also our second attempt at installing it with the same issues. Our first attempt was on WAMP, this time on XAMPP > > > > Thanks very much, all. > > Vicky > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > Sent: 14 March 2013 17:39 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: XOT installation help please > > > > If it was the header problem you would get php code back in the browser. > > Please send the file listing of the .zip (or the zip itself). > > What version of XOT did you install? The latest 1.91 .zip? > > Tom > > On 14-3-2013 18:20, Dave Burnett wrote: > > > > Vaguely: > > > > The zip is being created inside an extra folder. > > Can you open the zip on the desktop and see what the structure looks like. > > > > Or > > > > It's something in the php header. > > Patrick might remember. > > Or not. ;-) > > > > > > > > > > > > > > > > From: Greavesv at beaumontcollege.org > To: xerte-dev at lists.nottingham.ac.uk > Date: Thu, 14 Mar 2013 16:03:31 +0000 > Subject: [Xerte-dev] Re: XOT installation help please > > Both Chrome and IE. > > The zip was from Alistair McNaught. Both AssessSnack.zip and knowSnack2.zip - from one of the tutorials, I believe.
> > > > I've just created a quick LO in our new XOT (using Chrome). It exported fine but I couldn't re-import it (in Chrome or IE)... the same error "You can only import Zip Files." > > > > Our institution has a policy of not using Firefox. > > > > Any ideas? > > Thanks very much > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett > Sent: 14 March 2013 14:55 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: XOT installation help please > > > > > > What browser? > > Where/how was the zip created? > > > > > > From: Greavesv at beaumontcollege.org > To: xerte-dev at lists.nottingham.ac.uk > Date: Thu, 14 Mar 2013 14:05:26 +0000 > Subject: [Xerte-dev] XOT installation help please > > We've just installed XOT, this time on Xampp. > > > > When we try to import a project (we're using AssessSnack.zip to test with), we get the error message "You can only import Zip Files." > > > > Does anybody know what's causing this, or better still, how to sort it out? > > > > Thanks very much > > Vicky > > > > > > > Beaumont College is part of Scope > > Scope is a registered charity (number 208231) and a company limited by > guarantee (number 520866). > Our registered office is at 6 Market Road, London N7 9PW, England. > Our VAT number is 805156939. > > Visit our website at http://www.beaumontcollege.ac.uk > > and via Scope at http://www.scope.org.uk/services/beaumont-college > > This message, and any file(s) transmitted with it are confidential > and are intended only for the person(s) to whom they have been > addressed by the sender. This message may contain confidential and/or > privileged material. If you are not the intended recipient of this > message, or if you believe it was transmitted to you in error, you are > required to delete the message and any copies of it, and to notify the > sender immediately.
Any unauthorised disclosure, copying, distribution, > or printing of this message or accompanying files, or unauthorised use > of any information contained therein, by anyone other than the > intended recipient(s) is prohibited and may be unlawful. > > Any views expressed in this message or in any file(s) transmitted with > it are those of the author, and may not necessarily represent the > views of Beaumont College or Scope > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130319/8c8d2dbd/attachment-0001.html> From ronm at mitchellmedia.co.uk Tue Mar 19 18:31:21 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Tue, 19 Mar 2013 18:31:21 -0000 Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project... In-Reply-To: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> Message-ID: <045701ce24cf$f5be4240$e13ac6c0$@co.uk> Hi John likewise apologies for my delayed response. I have another meeting with the people involved tomorrow along with some Techdis colleagues and will hopefully have a better idea of requirements after that. Will be in touch... Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 18 March 2013 12:08 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project... Hi Ron Sorry meant to respond earlier - don't have any experience of altering page type functionality or adding page types to the wizard but if someone else can do that (or point me in the general direction of how to) then I'll be happy to work on the html side of it... I'd rather know how to do the full thing though as we have some ideas for page types also... As far as adding options to the wizard then I was going to ask the same question - I was assuming that as long as it doesn't break old LOs then it would be ok?? Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi all my messages seem to be taking an age to get through to this list again not sure why but anyway I'm hoping this gets through relatively quickly...
On behalf of JISC Techdis I've recently been supporting a Maths project and those involved have been testing if XOT is suitable for what they want to achieve. There is a mix of experience amongst the group but no real developer skills etc Prior to going on holiday last week I sent them some possible solutions to interactions they were trying to achieve most of which involve wishing to drag images to images etc I showed them how/where they could add img src etc to load images where the page type only has text options but obviously this is not ideal and doesn't fully suit their needs. Here's some examples of this: possible drag and drop solutions http://vle.jisctechdis.ac.uk/xerte/play_html5_221 Patterns http://vle.jisctechdis.ac.uk/xerte/play_html5_237 Timings http://vle.jisctechdis.ac.uk/xerte/play_html5_241 The more recent example I received from them was the need for a coin interaction attached and in advance of a f2f meeting yesterday I created a quick demo of this via Xerte and uploaded as an rlm to xot: coins interaction http://vle.jisctechdis.ac.uk/xerte/play_262 Obviously that's Flash only, isn't a page type, isn't editable in xot etc which brings me to the real point of this message: The result of the f2f meeting yesterday is that they ideally want some additional functionality developed and I think this is likely to fall into two categories: 1. Adding additional options for adding images to existing page types e.g. those that involve dragging and dropping 2. Creating 1 or more new page types that allow creation of interactions similar to the coins example The end results must work via HTML 5 if not both Flash and HTML 5 I've said that I would discuss all this via the dev list first of all to see what you think about changes to existing page types and also new page types and just as importantly to check if any or all are interested in working on this?
This isn't the first time the wish for drag and drop image to image etc has cropped up and could result in additions to benefit all. BUT they need to have developed and tested pilot content by June so it's a very short timescale and although I'm involved I don't think I have the time or skills to help them with this without extra help. They will pay for development but the first step is to identify if anyone is interested in helping with this and then at some point we will need to estimate time and costs etc. What are your thoughts? First point relevant to us all is would we agree to include additions to current page types or new page types when there isn't yet parity between existing Flash and HTML 5 etc? It's a non-starter if we don't. Second point who's willing and able to help? Contact me on or off list if you are interested. Cheers Ron Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From A.D.Furr at southampton.ac.uk Wed Mar 20 07:51:57 2013 From: A.D.Furr at southampton.ac.uk (Furr A.D.) Date: Wed, 20 Mar 2013 07:51:57 +0000 Subject: [Xerte-dev] uploading html zip? Message-ID: <CB432CFB9A85A74081FB8020BE1C208435EAAAEC@UOS-MSG00042-SI.soton.ac.uk> Hi, We've got some html interactive stuff outside Xerte we want to embed within it. I might be missing how to do this, so is this possible?
Either a) Upload a zip file which then unpacks b) Include an iframe / embed code Any of these on the cards or already possible? Alex Dr Alex Furr eLearning Systems Consultant and Developer The Centre for Innovation in Technologies and Education (CITE) www.cite.soton.ac.uk The University of Southampton ----------------------------------- e: alexfurr at soton.ac.uk t: 07779 606934 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130320/404fec3a/attachment.html> From ronm at mitchellmedia.co.uk Wed Mar 20 08:22:42 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Wed, 20 Mar 2013 08:22:42 -0000 Subject: [Xerte-dev] Re: uploading html zip? In-Reply-To: <CB432CFB9A85A74081FB8020BE1C208435EAAAEC@UOS-MSG00042-SI.soton.ac.uk> References: <CB432CFB9A85A74081FB8020BE1C208435EAAAEC@UOS-MSG00042-SI.soton.ac.uk> Message-ID: <048801ce2544$1ab88ff0$5029afd0$@co.uk> Does your zip contain multiple files and sub folders etc or just all files in the root of the zip? At the moment there's isn't an option in XOT to upload and extract non xot zips but you can upload and link to individual files via media and quota. If your zip contains folders or lots of files your best option is to upload to a public facing web server via some other means and then use the relevant link in the embed content page. HTH Ron -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130320/771eddbd/attachment-0001.html> From johnathan.kemp at ntlworld.com Wed Mar 20 09:35:29 2013 From: johnathan.kemp at ntlworld.com (Kemp Johnathan) Date: Wed, 20 Mar 2013 09:35:29 +0000 Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project... 
In-Reply-To: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> Message-ID: <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com> don't have any experience of altering page type functionality or adding page types to the wizard but if someone else can do that (or point me in the general direction of how to) In XOT and pageTemplates type projects there is a single xwd file that contains the details for the wizard forms for all the available pages. In Xerte each page type has its own xwd file to define the wizard form for that page type. Tom wrote a script that builds the single xwd file that XOT uses from the individual page xwds. So part of the process of adding a new page type is to create an xwd file for that page. You can find all the individual xwd files in the xerte svn in the runtime / pages / wizards / en-GB folder or in a Xerte install in the xerte installation folder \ pages \ wizards \ en-GB folder. If you open up a few of the xwd files you will soon see how they relate to the wizard forms that they create and to the xerte / XOT menu system. Before modularisation Xerte did not have individual page templates so there was no problem with several pages having an element with the same name e.g.
the mcq page and the quiz page both have an <option> element - see the newNodes section for each of these page types. In the XOT xwd file the option element is defined once for all page types that use it. However in the individual page xwds the option element is defined in each xwd file that uses it. So it was important at the time to make sure that each individual page xwd that had an option element defined it with the same attributes. This is a legacy thing. For new page types it is better to ensure that all the elements they use are unique to that page type. This will avoid any risk of having the same element name used in two different page xwds but defined with different attributes in each page type. This would work fine in Xerte but could cause problems once the individual xwds are combined into a single xwd for use in XOT. Incidentally whilst you want to keep element names unique, it is OK for the attribute names to duplicate. If you compare the xwd files mcq.xwd and cMcq.xwd (The multiple choice question wizard and the multiple choice question connector page wizard) you will get a feel for what I am saying here. I built the multiple choice connector page off the multiple choice page. If you want to add new attributes to an existing page you have to be careful. Each page at the start of the xwd file has a newNodes section that is used to build the initial xml data for the page. There needs to be an entry in this for each attribute of the element that is not optional. If you add a new non-optional element to an existing page, then I believe that this can cause problems for XOT projects that have used this page before the new element was introduced, as their xml data will be missing this attribute. The safest way to add new attributes to an existing page definition is to make them optional, as this will avoid the above issue. It's the HTML5 / jQuery stuff I am trying to get up to speed on.
But if I can help you to get your head around the xwd side of things please ask away :-) Kind regards Johnathan -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130320/b20e90a1/attachment.html> From Fay.Cross at nottingham.ac.uk Wed Mar 20 09:51:26 2013 From: Fay.Cross at nottingham.ac.uk (Fay Cross) Date: Wed, 20 Mar 2013 09:51:26 +0000 Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
In-Reply-To: <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com> References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com> Message-ID: <A44245E8C549494D9561A9727B89EEC80C35FD4030@EXCHANGE1.ad.nottingham.ac.uk> Johnathan just beat me to it with a much more comprehensive explanation than I was going to give on xwds :) Ron - I don't think it would be a problem to add extra things to the HTML5 models now if you wanted to, there are only a handful of page types haven't been done yet anyway so within the next couple of weeks Flash and HTML5 should have the same templates available anyway. There are already a couple of options I've added to wizards here and there that only apply to the HTML5 models. I'm happy to add the image options to the existing drag and drop pages in HTML5 for you but it will have to wait a few weeks until the other stuff is finished - John's welcome to look at it before then if he wants. I wouldn't have thought we'd add the option into the Flash versions too now though. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130320/cd51972a/attachment-0001.html> From reijnders at tor.nl Wed Mar 20 09:55:58 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Wed, 20 Mar 2013 10:55:58 +0100 Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
In-Reply-To: <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com>
References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com>
Message-ID: <20130320105558.16321uos1gi0nfse@server.tor.nl>

Regarding the adding of options to an existing page:

1. Make the option optional (and treat it as optional in the flash and javascript code)

2. Alternatively, make sure the flash and javascript can cope with the fact the parameter is not there at all (basically the same as option 1. in the flash and javascript code) even if a default is set. I.e. don't depend on the fact that the default is set.

And if you have specific questions on how to do things in the .xwd, ask them. Happy to answer them.

Tom

Quoting Kemp Johnathan <johnathan.kemp at ntlworld.com>:

> don't have any experience of altering page type functionality or adding
> page types to the wizard but if someone else can do that (or point me in
> the general direction of how to)
>
> In XOT and pageTemplates type projects there is a single xwd file that
> contains the details for the wizard forms for all the available pages.
>
> In Xerte each page type has its own xwd file to define the wizard form for
> that page type. Tom wrote a script that builds the single xwd file that XOT
> uses from the individual page xwds.
>
> So part of the process of adding a new page type is to create an xwd file
> for that page. You can find all the individual xwd files in the xerte svn
> in the
>
> runtime / pages / wizards / en-GB folder
>
> or in a Xerte install in the xerte installation folder \ pages \ wizards \
> en-GB folder.
>
> If you open up a few of the xwd files you will soon see how they relate to
> the wizard forms that they create and to the xerte / XOT menu system.
>
> Before modularisation Xerte did not have individual page templates so there
> was no problem with several pages having an element with the same name e.g.
> the mcq page and the quiz page both have an <option> element - see the
> newNodes section for each of these page types. In the XOT xwd file the
> option element is defined once for all page types that use it. However in
> the individual page xwds the option element is defined in each xwd file
> that uses it. So it was important at the time to make sure that each
> individual page xwd that had an option element defined it with the same
> attributes.
>
> This is a legacy thing. For new page types it is better to ensure that all
> the elements they use are unique to that page type. This will avoid any
> risk of having the same element name used in two different page xwds but
> defined with different attributes in each page type. This would work fine
> in Xerte but could cause problems once the individual xwds are combined
> into a single xwd for use in XOT.
>
> Incidentally whilst you want to keep element names unique, it is OK for the
> attribute names to duplicate. If you compare the xwd files mcq.xwd and
> cMcq.xwd (The multiple choice question wizard and the multiple choice
> question connector page wizard) you will get a feel for what I am saying
> here. I built the multiple choice connector page off the multiple choice
> page.
>
> If you want to add new attributes to an existing page you have to be
> careful.
>
> Each page at the start of the xwd file has a newNodes section that is used
> to build the initial xml data for the page. There needs to be an entry in
> this for each attribute of the element that is not optional. If you add a
> new non-optional element to an existing page, then I believe that this can
> cause problems for XOT projects that have used this page before the new
> element was introduced, as their xml data will be missing this attribute.
> The safest way to add new attributes to an existing page definition is to
> make them optional, as this will avoid the above issue.
>
> It's the HTML5 / jQuery stuff I am trying to get up to speed on. But if I
> can help you to get your head around the xwd side of things please ask away
> :-)
>
> Kind regards
>
> Johnathan
>
>
> On 18 March 2013 12:07, Smith, John <J.J.Smith at gcu.ac.uk> wrote:
>
>> Hi Ron
>>
>> Sorry meant to respond earlier - don't have any experience of altering
>> page type functionality or adding page types to the wizard but if someone
>> else can do that (or point me in the general direction of how to) then I'll
>> be happy to work on the html side of it... I'd rather know how to do the
>> full thing though as we have some ideas for page types also...
>>
>> As far as adding options to the wizard then I was going to ask the same
>> question - I was assuming that as long as it doesn't break old LOs then it
>> would be ok??
>>
>> Regards
>>
>> John Smith
>> Learning Technologist
>> School of Health and Life Sciences
>>
>> Sent from Samsung Galaxy SII
From johnathan.kemp at ntlworld.com Wed Mar 20 10:08:31 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Wed, 20 Mar 2013 10:08:31 +0000
Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
In-Reply-To: <20130320105558.16321uos1gi0nfse@server.tor.nl>
References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com> <20130320105558.16321uos1gi0nfse@server.tor.nl>
Message-ID: <CABtG3=V0a4_uaq9GySagNmPsucjnywSTjMLJPfTk=tFedKcCkw@mail.gmail.com>

Further to adding a new attribute - on reflection I think my last posting had a minor inaccuracy. If you add a new non-optional attribute to an xwd then I think that as far as legacy pages are concerned the xwd wizard will display its form, but will fail to offer the newly added attribute as it does not exist in the xml of the legacy page. Any new pages created with the new xwd will display the new attribute.

The point Tom makes is important. The legacy page will in XOT use the new model file. Since the new attribute will not exist in the xml the model file must handle the non-existence of that attribute in the xml data.

Kind regards

Johnathan

On 20 March 2013 09:55, Tom Reijnders <reijnders at tor.nl> wrote:

> Regarding the adding of options to an existing page:
>
> 1. Make the option optional (and treat it as optional in the flash and
> javascript code)
>
> 2. Alternatively, make sure the flash and javascript can cope with the
> fact the parameter is not there at all (basically the same as option 1. in
> the flash and javascript code) even if a default is set. I.e. don't depend
> on the fact that the default is set.
>
> And if you have specific questions on how to do things in the .xwd, ask
> them. Happy to answer them.
>
> Tom

From Fay.Cross at nottingham.ac.uk Wed Mar 20 10:12:48 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Wed, 20 Mar 2013 10:12:48 +0000
Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
In-Reply-To: <20130320105558.16321uos1gi0nfse@server.tor.nl>
References: <nqmhmmp7k1wqsa92ces924ys.1363608472618@email.android.com> <CABtG3=WAuOADQjT6=M+pqQ6ipWzSQ=U5B4WcpNs9-Yq8iJg5pg@mail.gmail.com> <20130320105558.16321uos1gi0nfse@server.tor.nl>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C35FD4063@EXCHANGE1.ad.nottingham.ac.uk>

I definitely agree with point 2 - even if it's not an optional field in the wizard I've had to assume that most options may not be in the xml when making the html versions as it may have not been an option when the page model was first created. I've come across lots of examples where I've made a page basing it on what you enter in the current wizard but then old projects (e.g. play_560) won't work as it's missing a bit of data that newly made projects have automatically.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 20 March 2013 09:56
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...

Regarding the adding of options to an existing page:

1. Make the option optional (and treat it as optional in the flash and javascript code)

2. Alternatively, make sure the flash and javascript can cope with the fact the parameter is not there at all (basically the same as option 1. in the flash and javascript code) even if a default is set. I.e. don't depend on the fact that the default is set.

And if you have specific questions on how to do things in the .xwd, ask them. Happy to answer them.

Tom Citeren Kemp Johnathan <johnathan.kemp at ntlworld.com>: > don't have any experience of altering page type functionality or > adding page types to the wizard but if someone else can do that (or > point me in the general direction of how to) > > In XOT and pageTemplates type projects there is a single xwd file that > contains the details for the wizard forms for all the available pages. > > In Xerte each page type has its own xwd file to define the wizard form > for that page type. Tom wrote a script that builds the single xwd file > that XOT uses from the individual page xwds. > > So part of the process of adding a new page type is to create an xwd > file for that page. You can find all the individual xwd files in the > xerte svn in the > > runtime / pages / wizards / en-GB folder > > or in a Xerte install in the xerte installation folder \ pages \ > wizards \ en-GB folder. > > If you open up a few of the xwd files you will soon see how they > relate to the wizard forms that they create and to the xerte / XOT menu system. > > Before modularisation Xerte did not have individual page templates so > there was no problem with several pages having an element with the same name e.g. > the mcq page and the quiz page both have an <option> element - see the > newNodes section for each of these page types. In the XOT xwd file the > option element is defined once for all page types that use it. However > in the individual page xwds the option element is defined in each xwd > file that uses it. So it was important at the time to make sure that > each individual page xwd that had an option element defined it with > the same attributes. > > This is a legacy thing. For new page types it is better to ensure that > all the elements they use are unique to that page type. This will > avoid any risk of having the same element name used in two different > page xwds but defined with different attributes in each page type. 
> This would work fine in Xerte but could cause problems once the > individual xwds are combined into a single xwd for use in XOT. > > Incidentally whilst you want to keep element names unique, it is OK > for the attribute names to duplicate. If you compare the xwd files > mcq.xwd and cMcq.xwd (The multiple choice question wizard and the > multiple choice question connector page wizard) you will get a feel > for what I am saying here. I built the multiple choice connector page > off the multiple choice page. > > If you want to add new attributes to an existing page you have to be > careful. > > Each page at the start of the xwd file has a newNodes section that is > used to build the initial xml data for the page.. There needs to be an > entry in this for each attribute of the element that is not optional. > If you add a new non-optional element to an existing page, then I > believe that this can cause problems for XOT projects that have used > this page before the new element was introduced, as their xml data will be missing this attribute. > The safest way to add new attributes to an existing page definition is > to make them optional, as this will avoid the above issue. > > Its the HTML5 / jQuery stuff I am trying to get up to speed on. But if > I can help you to get your head around the xwd side of things please > ask away > :-) > > Kind regards > > Johnathan > > > On 18 March 2013 12:07, Smith, John <J.J.Smith at gcu.ac.uk> wrote: > >> Hi Ron >> >> Sorry meant to respond earlier - don't have any experience of >> altering page type functionality or adding page types to the wizard >> but if someone else can do that (or point me in the general direction >> of how to) then I'll be happy to work on the html side of it... Id >> rather know how to do the full thing though as we have some ideas for page types also... 
>> >> As far as adding options to the wizard then i was going to ask the >> same question - i was assuming that as long as it doesn't break old >> LOs then it would be ok?? >> >> Regards >> >> John Smith >> Learning Technologist >> School of Health and Life Sciences >> >> Sent from Samsung Galaxy SII >> >> >> >> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: >> >> >> Hi all >> my messages seem to be taking an age to get through to this list >> again not sure why but anyway I'm hoping this gets through relatively quickly... >> >> On behalf of JISC Techdis I've recently been supporting a Maths >> project and those involved have been testing if XOT is suitable for >> what they want to achieve. There is a mix of experience amongst the >> group but no real developer skills etc >> >> Prior to going on holiday last week I sent them some possible >> solutions to interactions they were trying to achieve most of which >> involve wishing to drag images to images etc I showed them how/where >> they could add img src etc to load images where the page type only >> has text options but obviously this is not ideal and doesn't fully >> suit their needs. 
Here's some examples of this: >> >> possible drag and drop solutions >> http://vle.jisctechdis.ac.uk/xerte/play_html5_221 >> >> Patterns >> http://vle.jisctechdis.ac.uk/xerte/play_html5_237 >> >> Timings >> http://vle.jisctechdis.ac.uk/xerte/play_html5_241 >> >> The more recent example I received from them was the need for a coin >> interaction attached and in advance of a f2f meeting yesterday I >> created a quick demo of this via Xerte and uploaded as an rlm to xot: >> >> coins interaction >> http://vle.jisctechdis.ac.uk/xerte/play_262 >> Obviously that's Flash only, isn't a page type, isn't editable in xot >> etc which brings me to the real point of this message: >> >> The result of the f2f meeting yesterday is that they ideally want >> some additional functionality developed and I think this is likely to >> fall into two categories: >> 1. Adding additional options for adding images to existing page types e.g. >> those that involve dragging and dropping 2. Creating 1 or more new >> page types tat allow creation of interactions similar to the coins >> example The end results must work via HTML 5 if not both Flash and >> HTML 5 >> >> I've said that I would discuss all this via the dev list first of all >> to see what you think about changes to existing page types and also >> new page types and just as importantly to check if any or all are >> interested in working on this? >> >> This isn't the first time the wish for drag and drop image to image >> etc has cropped up and could result in additions to benefit all. BUT >> they need to have developed and tested pilot content by June so it's >> a very short timescale and although I'm involved I don't think I have >> the time or skills to help them with this without extra help. They >> will pay for development but the first step is to identify if anyone >> is interested in helping with this and then at some point we will need to estimate time and costs etc. >> >> What are your thoughts? 
>> First point relevant to us all is would we agree to include additions >> to current page types or new page types when there isn't yet parity >> between existing Flash and HTML 5 etc? It's a non-starter if we don't. >> Second point who's willing and able to help? >> >> Contact me on or off list if you are interested. >> >> Cheers >> Ron >> >> >> >> >> Glasgow Caledonian University is a registered Scottish charity, >> number >> SC021474 >> >> Winner: Times Higher Education?s Widening Participation Initiative of >> the Year 2009 and Herald Society?s Education Initiative of the Year 2009. >> >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 6219,en.html >> >> Winner: Times Higher Education?s Outstanding Support for Early Career >> Researchers of the Year 2010, GCU as a lead with Universities >> Scotland partners. >> >> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name, >> 15691,en.html _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> > > This message and any attachment are intended solely for the addressee > and may contain confidential information. If you have received this > message in error, please send it back to me, and > immediately delete it. Please do not use, copy or disclose the > information contained in this message or in any attachment. Any views > or opinions expressed by the author of this email do not necessarily > reflect the views of the University of Nottingham. > > > > This message has been checked for viruses but the contents of an > attachment > > may still contain software viruses which could damage your computer system: > > you are advised to perform your own checks. Email communications with > the > > University of Nottingham may be monitored as permitted by UK legislation. 
From d_b_burnett at hotmail.com Thu Mar 21 00:32:11 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Wed, 20 Mar 2013 20:32:11 -0400 Subject: [Xerte-dev] Newbie question In-Reply-To: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> Message-ID: <BLU153-W40E969CEB6E547F191D4DCA7EB0@phx.gbl>
I've completely lost track of what stage the Xenith proj is at. Is it currently public in any form?
Dave
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130320/7c8bc374/attachment.html>

From J.J.Smith at gcu.ac.uk Thu Mar 21 06:38:40 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Thu, 21 Mar 2013 06:38:40 +0000 Subject: [Xerte-dev] Re: Newbie question Message-ID: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com>
Yes the current XOT zip has many of the page types complete and the svn has some extra ones that have been completed since January and will be in the next release. They are reached by changing play.php to play_html5.php or similarly with the preview link...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
Dave Burnett <d_b_burnett at hotmail.com> wrote:
I've completely lost track of what stage the Xenith proj is at. Is it currently public in any form?
Dave

From A.D.Furr at southampton.ac.uk Thu Mar 21 09:17:07 2013 From: A.D.Furr at southampton.ac.uk (Furr A.D.) Date: Thu, 21 Mar 2013 09:17:07 +0000 Subject: [Xerte-dev] Re: uploading html zip? In-Reply-To: <048801ce2544$1ab88ff0$5029afd0$@co.uk> References: <CB432CFB9A85A74081FB8020BE1C208435EAAAEC@UOS-MSG00042-SI.soton.ac.uk> <048801ce2544$1ab88ff0$5029afd0$@co.uk> Message-ID: <CB432CFB9A85A74081FB8020BE1C208435EABE6D@UOS-MSG00042-SI.soton.ac.uk>
Yes multiple folders etc... similar to what you can do with blackboard (eugh) at the moment. It's a handy function, but I understand why it hasn't been implemented.
Thanks!
Alex
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: 20 March 2013 08:23 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: uploading html zip?
Does your zip contain multiple files and sub folders etc or just all files in the root of the zip? At the moment there isn't an option in XOT to upload and extract non xot zips but you can upload and link to individual files via media and quota. If your zip contains folders or lots of files your best option is to upload to a public facing web server via some other means and then use the relevant link in the embed content page.
HTH
Ron
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Furr A.D. Sent: 20 March 2013 07:52 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] uploading html zip?
Hi,
We've got some html interactive stuff outside Xerte we want to embed within it. I might be missing how to do this, so is this possible?
Either
a) Upload a zip file which then unpacks
b) Include an iframe / embed code
Any of these on the cards or already possible?
Alex
Dr Alex Furr
eLearning Systems Consultant and Developer
The Centre for Innovation in Technologies and Education (CITE)
www.cite.soton.ac.uk
The University of Southampton
-----------------------------------
e: alexfurr at soton.ac.uk
t: 07779 606934
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130321/0fdb7447/attachment.html>

From d_b_burnett at hotmail.com Thu Mar 21 11:43:19 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Thu, 21 Mar 2013 07:43:19 -0400 Subject: [Xerte-dev] Re: Newbie question In-Reply-To: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com> References: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com> Message-ID: <BLU153-W1725F2243A78A0F62F29D3A7EB0@phx.gbl>
Thanks John. What was the latest php version req? I ran into an issue with that the last time I tried an install.
> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 21 Mar 2013 06:38:40 +0000
> Subject: [Xerte-dev] Re: Newbie question
>
> Yes the current XOT zip has many of the page types complete and the svn has some extra ones that have been completed since January and will be in the next release. They are reached by changing play.php to play_html5.php or similarly with the preview link...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> I've completely lost track of what stage the Xenith proj is at.
> Is it currently public in any form?
>
> Dave
-------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130321/bef724c3/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Thu Mar 21 11:49:16 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Thu, 21 Mar 2013 11:49:16 +0000 Subject: [Xerte-dev] Re: Newbie question In-Reply-To: <BLU153-W1725F2243A78A0F62F29D3A7EB0@phx.gbl> References: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com> <BLU153-W1725F2243A78A0F62F29D3A7EB0@phx.gbl> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74AA2@ITSEMBXCLUS.enterprise.gcal.ac.uk>
5.1 I think... setup will throw an error I'm sure if it's lower
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: Thursday, March 21, 2013 11:43 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: Newbie question
Thanks John. What was the latest php version req? I ran into an issue with that the last time I tried an install.
> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 21 Mar 2013 06:38:40 +0000
> Subject: [Xerte-dev] Re: Newbie question
>
> Yes the current XOT zip has many of the page types complete and the svn has some extra ones that have been completed since January and will be in the next release. They are reached by changing play.php to play_html5.php or similarly with the preview link...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> I've completely lost track of what stage the Xenith proj is at.
> Is it currently public in any form?
>
> Dave
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130321/1d6cc8f0/attachment.html>

From ronm at mitchellmedia.co.uk Thu Mar 21 11:51:39 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Thu, 21 Mar 2013 11:51:39 -0000 Subject: [Xerte-dev] Re: Newbie question In-Reply-To: <BLU153-W1725F2243A78A0F62F29D3A7EB0@phx.gbl> References: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com> <BLU153-W1725F2243A78A0F62F29D3A7EB0@phx.gbl> Message-ID: <00db01ce262a$73906d50$5ab147f0$@co.uk>
5.2 I think. That's what's displayed as info during setup.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: 21 March 2013 11:43 To: For Xerte technical developers Subject: [Xerte-dev] Re: Newbie question
Thanks John. What was the latest php version req? I ran into an issue with that the last time I tried an install.
> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 21 Mar 2013 06:38:40 +0000
> Subject: [Xerte-dev] Re: Newbie question
>
> Yes the current XOT zip has many of the page types complete and the svn has some extra ones that have been completed since January and will be in the next release. They are reached by changing play.php to play_html5.php or similarly with the preview link...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> I've completely lost track of what stage the Xenith proj is at.
> Is it currently public in any form?
>
> Dave
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130321/2e988012/attachment-0001.html>

From xerte at pgogywebstuff.com Thu Mar 21 20:08:08 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Thu, 21 Mar 2013 20:08:08 +0000 Subject: [Xerte-dev] Re: uploading html zip?
In-Reply-To: <CB432CFB9A85A74081FB8020BE1C208435EABE6D@UOS-MSG00042-SI.soton.ac.uk> References: <CB432CFB9A85A74081FB8020BE1C208435EAAAEC@UOS-MSG00042-SI.soton.ac.uk> <048801ce2544$1ab88ff0$5029afd0$@co.uk> <CB432CFB9A85A74081FB8020BE1C208435EABE6D@UOS-MSG00042-SI.soton.ac.uk> Message-ID: <6531B8C8-B52E-460D-A248-8A8A7324659E@pgogywebstuff.com>
I would write a new page.
Have the page take a zip as upload.
Write the upload php to unpack the zip
Then repurpose the embed page
Or tell me more about what you want the HTML within the zip to do?
Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality
On 21 Mar 2013, at 09:17, "Furr A.D." <A.D.Furr at southampton.ac.uk> wrote:
> Yes multiple folders etc... similar to what you can do with blackboard (eugh) at the moment.
> It's a handy function, but I understand why it hasn't been implemented.
>
> Thanks!
> Alex
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 20 March 2013 08:23
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: uploading html zip?
>
> Does your zip contain multiple files and sub folders etc or just all files in the root of the zip?
> At the moment there isn't an option in XOT to upload and extract non xot zips but you can upload and link to individual files via media and quota.
> If your zip contains folders or lots of files your best option is to upload to a public facing web server via some other means and then use the relevant link in the embed content page.
> HTH
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Furr A.D.
> Sent: 20 March 2013 07:52
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] uploading html zip?
>
> Hi,
>
> We've got some html interactive stuff outside Xerte we want to embed within it. I might be missing how to do this, so is this possible?
>
> Either
> a) Upload a zip file which then unpacks
> b) Include an iframe / embed code
>
> Any of these on the cards or already possible?
>
> Alex
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130321/8a62e059/attachment.html>

From J.J.Smith at gcu.ac.uk Thu Mar 21 21:05:30 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Thu, 21 Mar 2013 21:05:30 +0000 Subject: [Xerte-dev] Re: uploading html zip? Message-ID: <5l8swsujphx1xn12x7oskwf8.1363899537270@email.android.com>
Perhaps just detect the .zip file extension and add an "unpackage this zip" option. Zip is unpackaged to a folder. A popup lists the files and allows you to select the "entry file" which will most likely bootstrap the others when required...
The checkbox would be because you may wish to upload and keep as a zip for download purposes...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
I would write a new page.
Have the page take a zip as upload.
Write the upload php to unpack the zip
Then repurpose the embed page
Or tell me more about what you want the HTML within the zip to do?
Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality
On 21 Mar 2013, at 09:17, "Furr A.D." <A.D.Furr at southampton.ac.uk> wrote:
Yes multiple folders etc...
similar to what you can do with blackboard (eugh) at the moment. It's a handy function, but I understand why it hasn't been implemented.
Thanks!
Alex
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: 20 March 2013 08:23 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: uploading html zip?
Does your zip contain multiple files and sub folders etc or just all files in the root of the zip? At the moment there isn't an option in XOT to upload and extract non xot zips but you can upload and link to individual files via media and quota. If your zip contains folders or lots of files your best option is to upload to a public facing web server via some other means and then use the relevant link in the embed content page.
HTH
Ron
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Furr A.D. Sent: 20 March 2013 07:52 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] uploading html zip?
Hi,
We've got some html interactive stuff outside Xerte we want to embed within it. I might be missing how to do this, so is this possible?
Either
a) Upload a zip file which then unpacks
b) Include an iframe / embed code
Any of these on the cards or already possible?
Alex

From xerte at pgogywebstuff.com Thu Mar 21 22:06:01 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Thu, 21 Mar 2013 22:06:01 +0000 Subject: [Xerte-dev] Re: uploading html zip? In-Reply-To: <5l8swsujphx1xn12x7oskwf8.1363899537270@email.android.com> References: <5l8swsujphx1xn12x7oskwf8.1363899537270@email.android.com> Message-ID: <319C85D7-AA66-4973-AEC1-461DFA147E2E@pgogywebstuff.com>
Could be a new template as well, worried about export if this gets complex
Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality
On 21 Mar 2013, at 21:05, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
> Perhaps just detect the .zip file extension and add an "unpackage this zip" option. Zip is unpackaged to a folder. A popup lists the files and allows you to select the "entry file" which will most likely bootstrap the others when required...
>
> The checkbox would be because you may wish to upload and keep as a zip for download purposes...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> I would write a new page.
> Have the page take a zip as upload.
> Write the upload php to unpack the zip
> Then repurpose the embed page
>
> Or tell me more about what you want the HTML within the zip to do?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 21 Mar 2013, at 09:17, "Furr A.D." <A.D.Furr at southampton.ac.uk> wrote:
>
> Yes multiple folders etc... similar to what you can do with blackboard (eugh) at the moment.
> It's a handy function, but I understand why it hasn't been implemented.
>
> Thanks!
> Alex
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 20 March 2013 08:23
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: uploading html zip?
>
> Does your zip contain multiple files and sub folders etc or just all files in the root of the zip?
> At the moment there isn't an option in XOT to upload and extract non xot zips but you can upload and link to individual files via media and quota.
> If your zip contains folders or lots of files your best option is to upload to a public facing web server via some other means and then use the relevant link in the embed content page.
> HTH
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Furr A.D.
> Sent: 20 March 2013 07:52
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] uploading html zip?
>
> Hi,
>
> We've got some html interactive stuff outside Xerte we want to embed within it. I might be missing how to do this, so is this possible?
>
> Either
> a) Upload a zip file which then unpacks
> b) Include an iframe / embed code
>
> Any of these on the cards or already possible?
>
> Alex

From ronm at mitchellmedia.co.uk Fri Mar 22 08:50:02 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Fri, 22 Mar 2013 08:50:02 -0000 Subject: [Xerte-dev] reminder of what 1 means? Message-ID: <001101ce26da$3ec97840$bc5c68c0$@co.uk>
Hi all
very quick question - what does 1 typically mean when visiting an xot install? e.g. visiting the URL and get a blank page with only the digit 1 showing.
This is an installation that someone has moved from one server to another and I know I've seen this before but can't recall the primary cause.
Cheers
Ron
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/45d55672/attachment.html>

From J.J.Smith at gcu.ac.uk Fri Mar 22 09:23:43 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Fri, 22 Mar 2013 09:23:43 +0000 Subject: [Xerte-dev] Re: reminder of what 1 means? Message-ID: <awdslfom9519c79wgp0jiaiu.1363944007589@email.android.com>
If you view the source then is there any html in there or does the page just consist of a single char?
Had a look in svn but it could be a legacy echo statement that was in for debug purposes somewhere...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
Hi all
very quick question - what does 1 typically mean when visiting an xot install? e.g. visiting the URL and get a blank page with only the digit 1 showing. This is an installation that someone has moved from one server to another and I know I've seen this before but can't recall the primary cause.
Cheers
Ron

From d_b_burnett at hotmail.com Fri Mar 22 11:25:16 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Fri, 22 Mar 2013 07:25:16 -0400 Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <001101ce26da$3ec97840$bc5c68c0$@co.uk> References: <001101ce26da$3ec97840$bc5c68c0$@co.uk> Message-ID: <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>
http://lists.nottingham.ac.uk/pipermail/xerte/2009-April/001541.html
It's a message from RonM :-)
From: ronm at mitchellmedia.co.uk To: xerte-dev at lists.nottingham.ac.uk Date: Fri, 22 Mar 2013 08:50:02 +0000 Subject: [Xerte-dev] reminder of what 1 means?
Hi all
very quick question - what does 1 typically mean when visiting an xot install? e.g. visiting the URL and get a blank page with only the digit 1 showing. This is an installation that someone has moved from one server to another and I know I've seen this before but can't recall the primary cause.
Cheers
Ron
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/07ba9605/attachment.html>

From ronm at mitchellmedia.co.uk Fri Mar 22 11:17:36 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Fri, 22 Mar 2013 11:17:36 -0000 Subject: [Xerte-dev] Re: reminder of what 1 means? In-Reply-To: <awdslfom9519c79wgp0jiaiu.1363944007589@email.android.com> References: <awdslfom9519c79wgp0jiaiu.1363944007589@email.android.com> Message-ID: <006b01ce26ee$dd844c30$988ce490$@co.uk>
Hi John
thanks for your response - yes viewing source also just shows 1
I know this has cropped up before on the list but just like searching the code base etc searching for just 1 brings up too many results. Fortunately this isn't urgent right now as it was just a test move to be repeated next week. I didn't do the move but I'll be keen to identify the cause/solution and will make a proper note of what this usually/typically means!
I'm sure Pat can tell us once the message reaches the cave?
Cheers Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 22 March 2013 09:24 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: reminder of what 1 means? If you view the source then is there any html in there or does the page just consist of a single char? Had a look in svn but it could be a legacy echo statement that was in for debug purposes somewhere... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi all very quick question - what does 1 typically mean when visiting an xot install? e.g. visiting the URL and get a blank page with only the digit 1 showing. This is an installation that someone has moved from one server to another and I know I've seen this before but can't recall the primary cause. Cheers Ron Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en .html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,e n.html _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. 
Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.

This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.

From ronm at mitchellmedia.co.uk Fri Mar 22 12:08:47 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Fri, 22 Mar 2013 12:08:47 -0000
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk> <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>
Message-ID: <009301ce26f6$0323a100$096ae300$@co.uk>

:-) Thanks Dave but that's not the problem in this case.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/c93bb629/attachment.html>

From d_b_burnett at hotmail.com Fri Mar 22 12:27:13 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Fri, 22 Mar 2013 08:27:13 -0400
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <009301ce26f6$0323a100$096ae300$@co.uk>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, <009301ce26f6$0323a100$096ae300$@co.uk>
Message-ID: <BLU153-W8D1A06240A548924E2838A7D40@phx.gbl>

Bizarre it would throw the same error.

I vaguely remember some code along the lines of fail = true; for the db connection string.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/7b1aa945/attachment-0001.html>

From J.J.Smith at gcu.ac.uk Fri Mar 22 12:34:32 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 22 Mar 2013 12:34:32 +0000
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <006b01ce26ee$dd844c30$988ce490$@co.uk>
References: <awdslfom9519c79wgp0jiaiu.1363944007589@email.android.com> <006b01ce26ee$dd844c30$988ce490$@co.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74B7F@ITSEMBXCLUS.enterprise.gcal.ac.uk>

PHP true equates to 1 also (whereas false equates to '' - without the quotes - so effectively a blank string) so it could be

echo true;

or

print($var);

or anything...

If no header has been sent though then it must be at the top of index.php (or in one of the includes config, display_lib, auth, etc) before the <html> tag...

If you have access to the server then you could try putting an:

echo basename(__FILE__);

at the top of each included file (after <?php) and it will display the name of the include file... then you can see where the 1 is falling in the order that they are included...
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From d_b_burnett at hotmail.com Fri Mar 22 12:40:09 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Fri, 22 Mar 2013 08:40:09 -0400
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <009301ce26f6$0323a100$096ae300$@co.uk>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, <009301ce26f6$0323a100$096ae300$@co.uk>
Message-ID: <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>

mysql_select_db($xerte_toolkits_site->database_name) or die($database_fail = true);

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/0efe8eca/attachment.html>

From J.J.Smith at gcu.ac.uk Fri Mar 22 12:45:40 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 22 Mar 2013 12:45:40 +0000
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, <009301ce26f6$0323a100$096ae300$@co.uk> <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74B80@ITSEMBXCLUS.enterprise.gcal.ac.uk>

That would do it... ;-)

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/858221ea/attachment-0001.html>

From xerte at pgogywebstuff.com Fri Mar 22 09:07:49 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Fri, 22 Mar 2013 09:07:49 +0000
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <001101ce26da$3ec97840$bc5c68c0$@co.uk>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>
Message-ID: <7FEECFF9-BAF3-4653-8F39-9D9846E68372@pgogywebstuff.com>

Database connect fail

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/bdda4a26/attachment.html>

From ronm at mitchellmedia.co.uk Fri Mar 22 15:15:32 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Fri, 22 Mar 2013 15:15:32 -0000
Subject: [Xerte-dev] Re: reminder of what 1 means?
In-Reply-To: <7FEECFF9-BAF3-4653-8F39-9D9846E68372@pgogywebstuff.com>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk> <7FEECFF9-BAF3-4653-8F39-9D9846E68372@pgogywebstuff.com>
Message-ID: <00e501ce2710$195b0ac0$4c112040$@co.uk>

Thanks Pat/all

I'll file that one away and try not to forget again!

Cheers
Ron

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/d0f19087/attachment.html>

From d_b_burnett at hotmail.com Fri Mar 22 16:33:30 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Fri, 22 Mar 2013 12:33:30 -0400
Subject: [Xerte-dev] Which file is authenticating on XOT install
In-Reply-To: <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, , <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, , <009301ce26f6$0323a100$096ae300$@co.uk>, <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>
Message-ID: <BLU153-W10C059379F8E2E6E22BAB3A7D40@phx.gbl>

I have a new install going on a Linux box.

The install guide was a great help getting that up and running in no time, especially with me a Linux newbie at the keyboard.

One last thing.
On completion it auto logged me in as "Guest".
Neat.

How do I add a couple accounts?
No LDAP.

Guide gives several options: ( - followed by my problem)

Demo.txt - not present in root
Demo.php - not present in root
Integration.txt - can't use, standalone install
Webctlink.txt - not present in root, standalone install anyway.
Switch.txt - not present in root

Long ago and far away I know I hardcoded the user/pw pairs.
Still doable?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/ab59a4a6/attachment.html>

From J.J.Smith at gcu.ac.uk Fri Mar 22 16:43:40 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 22 Mar 2013 16:43:40 +0000
Subject: [Xerte-dev] Re: Which file is authenticating on XOT install
In-Reply-To: <BLU153-W10C059379F8E2E6E22BAB3A7D40@phx.gbl>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, , <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, , <009301ce26f6$0323a100$096ae300$@co.uk>, <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl> <BLU153-W10C059379F8E2E6E22BAB3A7D40@phx.gbl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74BE5@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Auth_config.php change to

//$xerte_toolkits_site->authentication_method = 'Guest';
//$xerte_toolkits_site->authentication_method = 'Ldap';
//$xerte_toolkits_site->authentication_method = 'Db';
$xerte_toolkits_site->authentication_method = 'Static';
//$xerte_toolkits_site->authentication_method = "Moodle";

/library/Xerte/Authentication/Static.php

/** Edit this list to your hearts content ... */
private $_users = array(
    'pat' => array("username" => "pat", "password" => "patpassword", "firstname" => "Pat", "surname" => "West"),
    'john' => array("username" => "john", "password" => "johnpassword", "firstname" => "David", "surname" => "george"),
    'bob' => array("username" => "bob", "password" => "bobpassword", "firstname" => "Robert", "surname" => "jones"),
    'sarah' => array("username" => "sarah", "password" => "sarahpassword", "firstname" => "Sarah", "surname" => "smith"),
);

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-------------- next part --------------
An HTML attachment was scrubbed...
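The Static.php list in the message above keeps every password in plaintext inside the class source. As an added example (not Xerte's code and not written by anyone on the list), the PHP below keeps the user list in a separate include file that only returns an array, stores `password_hash()` output instead of the password, and checks logins with `password_verify()`. The function names, the `password_hash` field and the sample account are assumptions made for this example, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not Xerte code. Function names, the 'password_hash' field
// and the sample account are assumptions made for illustration.

/**
 * Write the user list as a PHP file that only does "return array(...);".
 * var_export() quotes every value, so generated data cannot break the syntax.
 */
function write_user_file(string $path, array $users): void
{
    $php = "<?php\nreturn " . var_export($users, true) . ";\n";
    // Write to a temp file and rename, so a reader never sees a half-written list.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false) {
        throw new RuntimeException('cannot write user list');
    }
    chmod($tmp, 0600);               // owner read/write only
    rename($tmp, $path);
}

/** Load and validate the include file; reject rows without a real hash. */
function load_static_users(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('user list not readable');
    }
    $users = require $path;          // the value the include file returns
    if (!is_array($users)) {
        throw new RuntimeException('user list must return an array');
    }
    foreach ($users as $name => $row) {
        foreach (array('username', 'password_hash', 'firstname', 'surname') as $key) {
            if (!isset($row[$key]) || !is_string($row[$key])) {
                throw new RuntimeException("user '$name' is missing '$key'");
            }
        }
        // A plaintext password is not a recognised hash format: refuse it.
        $info = password_get_info($row['password_hash']);
        if (empty($info['algo'])) {
            throw new RuntimeException("user '$name' has no valid password hash");
        }
    }
    return $users;
}

/** Return the user row on success, null on any failure. */
function check_login(array $users, string $username, string $password): ?array
{
    // Unknown usernames are verified against a throwaway hash so they cost
    // the same password_verify() call as known ones.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $row = $users[$username] ?? null;
    $ok = password_verify($password, $row !== null ? $row['password_hash'] : $dummy);
    return ($row !== null && $ok) ? $row : null;
}

// --- Demo with constructed data (the account and password are made up) ---
$path = sys_get_temp_dir() . '/static_users_demo.php';
write_user_file($path, array(
    'pat' => array(
        'username' => 'pat',
        'password_hash' => password_hash('constructed-demo-password', PASSWORD_DEFAULT),
        'firstname' => 'Pat',
        'surname' => 'West',
    ),
));
$users = load_static_users($path);
$attempts = array(
    array('pat', 'constructed-demo-password'),
    array('pat', 'wrong'),
    array('nobody', 'x'),
);
foreach ($attempts as $try) {
    $who = check_login($users, $try[0], $try[1]);
    echo $try[0], ': ', $who === null ? 'rejected' : 'accepted as ' . $who['firstname'], "\n";
}
unlink($path);
```

On a real server the include file belongs outside the web root and should be readable only by the account PHP runs as; where it would sit in a Xerte install is not stated in this thread.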
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/9afdc494/attachment-0001.html>

From thomas.rochford at jiscadvance.ac.uk Fri Mar 22 16:49:12 2013
From: thomas.rochford at jiscadvance.ac.uk (Thomas Rochford)
Date: Fri, 22 Mar 2013 16:49:12 -0000
Subject: [Xerte-dev] Re: Which file is authenticating on XOT install
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74BE5@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, , <BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, , <009301ce26f6$0323a100$096ae300$@co.uk>, <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl> <BLU153-W10C059379F8E2E6E22BAB3A7D40@phx.gbl> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74BE5@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <02b201ce271d$2f04ed70$8d0ec850$@jiscadvance.ac.uk>

Hi everyone,

It would be good if this could be an 'include' file. I assume this is possible in php but am not sure how to do it.

This would be a massive help because the file could be populated semi/automatically without breaking the code.

This would be especially helpful to WBL and ACL providers whose users are not normally managed through LDAP or AD.
Kindest Regards,

Thomas

==========================================================
Thomas Rochford | e-Learning Advisor | Jisc RSC Eastern
Tel: 01223 564749 | Mobile: 07500 669002 | Skype: cambridge.serendipity
Email: thomas.rochford at jiscadvance.ac.uk | Web: http://www.jiscrsc.ac.uk/eastern
Cambridge Serendipity, 35 Gough Way, Cambridge, CB3 9LN
For the full range of RSC UK events, resources and blog, visit http://www.jiscrsc.ac.uk <http://www.jiscrsc.ac.uk/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/c7f978e0/attachment.html>

From d_b_burnett at hotmail.com Fri Mar 22 17:21:48 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Fri, 22 Mar 2013 13:21:48 -0400
Subject: [Xerte-dev] Re: Which file is authenticating on XOT install
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74BE5@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <001101ce26da$3ec97840$bc5c68c0$@co.uk>, ,,<BLU153-W217C8B0C151B51FC74CAC0A7D40@phx.gbl>, , , <009301ce26f6$0323a100$096ae300$@co.uk>, , <BLU153-W32EE1E1ADB519A6BE7AABAA7D40@phx.gbl>, <BLU153-W10C059379F8E2E6E22BAB3A7D40@phx.gbl>, <EE0B2AFFDB88B34AA864E00CE98914C2247FC74BE5@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <BLU153-W2590789848CBB64A9C0831A7D40@phx.gbl>

Cheers!

Have a good weekend all.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130322/905ba55e/attachment-0001.html>

From reijnders at tor.nl Sat Mar 23 13:43:39 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Sat, 23 Mar 2013 14:43:39 +0100
Subject: [Xerte-dev] Added language management and user management to management.php
Message-ID: <514DB18B.1090205@tor.nl>

L.S.,

I added

- language management to the management.php 'site' tab to be able to install or remove extra languages as (will be) published on the community website.
- user management to the management.php 'user' tab to maintain the authenticated users in case of Db authentication, and only in case of Db authentication.

The latter is implemented following David Goodwin's design principle, i.e. the management page 'queries' the auth mechanism, if it has management capabilities and if so, it presents a form (generated by the auth mechanism).

We could consider making Db auth the default instead of Guest.

Tom

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From reijnders at tor.nl Mon Mar 25 08:37:37 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 09:37:37 +0100
Subject: [Xerte-dev] User experiences from a course afternoon in Belgium
Message-ID: <51500CD1.5080909@tor.nl>

Julian,

Inge went to a Toll-Net workshop about Xerte, and watched new users work with XOT for the first time.

First, the good news. People are really enthusiastic about how easy XOT is to use. And are really impressed with what they can make.

There was one thing though that was causing a lot of confusion, and one thing that still doesn't work properly.

1.
Confusion about the close button of the hotspot editor.

So, what I tried to do was skin the close button to a green tickmark in case the image viewer is used as a hotspot editor (hotspot object != null) in the wizard. I have the skin objects (I think) but somehow, I can't get it to show properly. Have you done something like this before?

I can send you the (non-functional) wizard.fla if you want to have a look.

Other options?

2. After previewing and closing preview, media upload doesn't work anymore. Reported before. However, we found out if you then open preview again, and close it, upload works correctly again....

Haven't got a clue what is happening there.

Tom

From xerte at pgogywebstuff.com Mon Mar 25 08:46:03 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Mon, 25 Mar 2013 08:46:03 +0000
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <51500CD1.5080909@tor.nl>
References: <51500CD1.5080909@tor.nl>
Message-ID: <B3F7A28C-BF72-4BD8-ABBC-66E4EAADD965@pgogywebstuff.com>

Session creation?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 10:19:56 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 10:19:56 +0000
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <51500CD1.5080909@tor.nl>
References: <51500CD1.5080909@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk>

1. You mean you want to show some sort of confirmation, rather than a simple 'x', so users know they are saving, rather than exiting? If it's tricky to skin the button, maybe we should add another 'save' button? Then the x could simply exit, the save button could actually do the saving.

2. I'm not the best person to try and figure this out I'm afraid, I really don't know what the problem is...

From d_b_burnett at hotmail.com Mon Mar 25 10:39:52 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Mon, 25 Mar 2013 06:39:52 -0400
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk>
References: <51500CD1.5080909@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <BLU153-W206013EBAE9C25CBAD85CDA7D70@phx.gbl>

Isn't "Save" or "Cancel" the standard thingy in this case?

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 10:41:59 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 10:41:59 +0000
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <BLU153-W206013EBAE9C25CBAD85CDA7D70@phx.gbl>
References: <51500CD1.5080909@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk> <BLU153-W206013EBAE9C25CBAD85CDA7D70@phx.gbl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A93@EXCHANGE1.ad.nottingham.ac.uk>

Yes, just put those buttons along the bottom of the form. I'm going to struggle for time this week, and I'm off next week, but I can do that easily enough I think,

From reijnders at tor.nl Mon Mar 25 12:37:35 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 13:37:35 +0100
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A93@EXCHANGE1.ad.nottingham.ac.uk>
References: <51500CD1.5080909@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk> <BLU153-W206013EBAE9C25CBAD85CDA7D70@phx.gbl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A93@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <5150450F.9000609@tor.nl>

I'll give it a try....

From reijnders at tor.nl Mon Mar 25 12:36:32 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 13:36:32 +0100
Subject: [Xerte-dev] Re: Can't upload media in wizard after preview (was part of User experiences from a course afternoon in Belgium)
In-Reply-To: <B3F7A28C-BF72-4BD8-ABBC-66E4EAADD965@pgogywebstuff.com>
References: <51500CD1.5080909@tor.nl> <B3F7A28C-BF72-4BD8-ABBC-66E4EAADD965@pgogywebstuff.com>
Message-ID: <515044D0.6060105@tor.nl>

Ah, no. It doesn't show a browse window, so you can't choose a local file to be uploaded.

Tom

On 25-3-2013 9:46, Pat @ Pgogy wrote:
> Session creation?

From reijnders at tor.nl Mon Mar 25 12:37:11 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 13:37:11 +0100
Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk>
References: <51500CD1.5080909@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <515044F7.9040701@tor.nl>

1. Yes, would be even better I think.

On 25-3-2013 11:19, Julian Tenney wrote:
> 1. You mean you want to show some sort of confirmation, rather than a simple 'x', so users know they are saving, rather than exiting? If it's tricky to skin the button, maybe we should add another 'save' button? Then the x could simply exit, the save button could actually do the saving.
>
> 2. I'm not the best person to try and figure this out I'm afraid, I really don't know what the problem is...
-- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From Julian.Tenney at nottingham.ac.uk Mon Mar 25 14:00:33 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 25 Mar 2013 14:00:33 +0000 Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium In-Reply-To: <515044F7.9040701@tor.nl> References: <51500CD1.5080909@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk> <515044F7.9040701@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08C0F@EXCHANGE1.ad.nottingham.ac.uk> Leave it with me, I'll do it before we next zip things up, -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 12:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium 1. Yes, would be even better I think. Op 25-3-2013 11:19, Julian Tenney schreef: > 1. You mean you want to show some sort of confirmation, rather than a simple 'x', so users know they are saving, rather than exiting? If it's tricky to skin the button, maybe we should add another 'save' button? Then the x could simply exit, the save button could actually do the saving. > > 2. I'm not the best person to try and figure this out I'm afraid, I really don't know what the problem is... > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom > Reijnders > Sent: 25 March 2013 08:38 > To: For Xerte technical developers > Subject: [Xerte-dev] User experiences from a course afternoon in > Belgium > > Julian, > > Inge went to a Toll-Net workshop about Xerte, and watched new users work with XOT for the first time. > > First, the good news. people are really enthusiastic about how easy XOT is to use. 
And are really impressed with what they can make. > > There was one thing though that was causing a lot of confusion, and one thing that still doesn't work properly. > > 1. Confusion about the close button of the hotspot editor. > > So, what I tried to do was skin the close button to a green tickmark > in case the image viewer is used as a hotspot editor (hotspot object > != > null) in the wizard. I have the skin objects (I think) but somehow, I can't get it to show properly. Have you done something like this before? > > I can send you the (non-functional) wizard.fla if you want to have a look. > > Other options? > > 2. After previewing and closing preview, media upload doesn't work anymore. Reported before. However, we found out if you then open preview again, and close it, upload works correctly again.... > > Haven't got a clue what is happening there. > > > Tom > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > This message has been checked for viruses but the contents of an > attachment may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. 
Email communications with > the University of Nottingham may be monitored as permitted by UK legislation. -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From Julian.Tenney at nottingham.ac.uk Mon Mar 25 15:13:01 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 25 Mar 2013 15:13:01 +0000 Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium In-Reply-To: <515044F7.9040701@tor.nl> References: <51500CD1.5080909@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08A53@EXCHANGE1.ad.nottingham.ac.uk> <515044F7.9040701@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CA3@EXCHANGE1.ad.nottingham.ac.uk> I've added the button. Just for comedy value, it doesn't actually do anything (all the changes are already saved) but it gives you a nice warm feeling when you click it... [cid:image001.png at 01CE296B.3D988BD0] -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 12:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: User experiences from a course afternoon in Belgium 1. Yes, would be even better I think. Op 25-3-2013 11:19, Julian Tenney schreef: > 1. You mean you want to show some sort of confirmation, rather than a simple 'x', so users know they are saving, rather than exiting? If it's tricky to skin the button, maybe we should add another 'save' button? Then the x could simply exit, the save button could actually do the saving. > > 2. I'm not the best person to try and figure this out I'm afraid, I really don't know what the problem is... 
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 25 March 2013 08:38
> To: For Xerte technical developers
> Subject: [Xerte-dev] User experiences from a course afternoon in Belgium
>
> Julian,
>
> Inge went to a Toll-Net workshop about Xerte, and watched new users work with XOT for the first time.
>
> First, the good news. People are really enthusiastic about how easy XOT is to use. And are really impressed with what they can make.
>
> There was one thing though that was causing a lot of confusion, and one thing that still doesn't work properly.
>
> 1. Confusion about the close button of the hotspot editor.
>
> So, what I tried to do was skin the close button to a green tickmark in case the image viewer is used as a hotspot editor (hotspot object != null) in the wizard. I have the skin objects (I think) but somehow, I can't get it to show properly. Have you done something like this before?
>
> I can send you the (non-functional) wizard.fla if you want to have a look.
>
> Other options?
>
> 2. After previewing and closing preview, media upload doesn't work anymore. Reported before. However, we found out if you then open preview again, and close it, upload works correctly again....
>
> Haven't got a clue what is happening there.
>
>
> Tom
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 276090 bytes
Desc: image001.png
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/25ef331b/attachment-0001.png>

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 15:22:02 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 15:22:02 +0000
Subject: [Xerte-dev] Custom Stylesheets
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CBD@EXCHANGE1.ad.nottingham.ac.uk>

Hi,

I don't use custom style sheets much, but I know some of you do: does this chime with anyone?

[User wrote...]

I've just got a very quick query regarding style sheets within the Xerte Online Toolkit framework. I've implemented a number of CSS documents into my Xerte projects and these work very nicely. Unfortunately there seems to be a bug, relating to the attachment of a stylesheet within XOT, that I've discovered, whereby as Xerte loads the style sheet for the first time (on the first slide) the content disappears (whatever it is text, images etc.). The rest of the slides are fine and if you go back to the first slide (after the CSS document has loaded) all is OK. Is this to do with the load order (XML data first before CSS?) and can it be fixed?

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 15:27:13 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 15:27:13 +0000
Subject: [Xerte-dev] Re: page type tweaks & possibly new page types for Maths project...
In-Reply-To: <013d01ce2193$1d4344e0$57c9cea0$@co.uk>
References: <013d01ce2193$1d4344e0$57c9cea0$@co.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CC6@EXCHANGE1.ad.nottingham.ac.uk>

I'm not going to have time to help out I'm afraid.
The usual rules would apply: if it's of generic usefulness, then it's a candidate for development in the build. If it's getting specific, then it's either a new page type in their installation, or as you've done, a custom page. If we have to debate whether something is 'generic', it probably isn't. The problem is, with your coin one, then the image to image DnD is generic on a one to one basis, but the logic for deciding if the coins add up to £1.00 isn't.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 15 March 2013 15:38
To: 'For Xerte technical developers'
Subject: [Xerte-dev] page type tweaks & possibly new page types for Maths project...

Hi all
my messages seem to be taking an age to get through to this list again not sure why but anyway I'm hoping this gets through relatively quickly...

On behalf of JISC Techdis I've recently been supporting a Maths project and those involved have been testing if XOT is suitable for what they want to achieve. There is a mix of experience amongst the group but no real developer skills etc

Prior to going on holiday last week I sent them some possible solutions to interactions they were trying to achieve most of which involve wishing to drag images to images etc I showed them how/where they could add img src etc to load images where the page type only has text options but obviously this is not ideal and doesn't fully suit their needs.
Here's some examples of this:

possible drag and drop solutions http://vle.jisctechdis.ac.uk/xerte/play_html5_221
Patterns http://vle.jisctechdis.ac.uk/xerte/play_html5_237
Timings http://vle.jisctechdis.ac.uk/xerte/play_html5_241

The more recent example I received from them was the need for a coin interaction attached and in advance of a f2f meeting yesterday I created a quick demo of this via Xerte and uploaded as an rlm to xot:

coins interaction http://vle.jisctechdis.ac.uk/xerte/play_262

Obviously that's Flash only, isn't a page type, isn't editable in xot etc which brings me to the real point of this message:

The result of the f2f meeting yesterday is that they ideally want some additional functionality developed and I think this is likely to fall into two categories:

1. Adding additional options for adding images to existing page types e.g. those that involve dragging and dropping
2. Creating 1 or more new page types that allow creation of interactions similar to the coins example

The end results must work via HTML 5 if not both Flash and HTML 5

I've said that I would discuss all this via the dev list first of all to see what you think about changes to existing page types and also new page types and just as importantly to check if any or all are interested in working on this? This isn't the first time the wish for drag and drop image to image etc has cropped up and could result in additions to benefit all. BUT they need to have developed and tested pilot content by June so it's a very short timescale and although I'm involved I don't think I have the time or skills to help them with this without extra help. They will pay for development but the first step is to identify if anyone is interested in helping with this and then at some point we will need to estimate time and costs etc.

What are your thoughts?
First point relevant to us all is would we agree to include additions to current page types or new page types when there isn't yet parity between existing Flash and HTML 5 etc? It's a non-starter if we don't.

Second point who's willing and able to help? Contact me on or off list if you are interested.

Cheers
Ron

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 15:29:36 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 15:29:36 +0000
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <5145A854.4010600@tor.nl>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk>

Did you fix it: there appears to be code in the that creates a new PG ID...

[cid:image001.png at 01CE296D.8EF862A0]

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 17 March 2013 11:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT

Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix.

Tom

On 16-3-2013 13:02, Kemp Johnathan wrote:

In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits

1. For some reason when in Xerte you do "Pages / Create Template Project From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date.
If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project.

2. Connector pages depend on every page having a unique linkID. However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page. I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this.

Kind regards

Johnathan

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 218535 bytes
Desc: image001.png
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/144c2033/attachment-0001.png>

From reijnders at tor.nl Mon Mar 25 15:51:16 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 16:51:16 +0100
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <51507274.6060907@tor.nl>

No, Ron told me (in a later email in the same thread) that it was already fixed by you...
:-)

On 25-3-2013 16:29, Julian Tenney wrote:
>
> Did you fix it: there appears to be code in the that creates a new PG ID...
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom Reijnders
> *Sent:* 17 March 2013 11:26
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
>
> Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix.
>
> Tom
>
> On 16-3-2013 13:02, Kemp Johnathan wrote:
>
> In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits
>
> 1. For some reason when in Xerte you do "Pages / Create Template Project From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project.
>
> 2. Connector pages depend on every page having a unique linkID. However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page. I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this.
>
> Kind regards
>
> Johnathan
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 218535 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/e953e8e9/attachment-0001.png>

From Julian.Tenney at nottingham.ac.uk Mon Mar 25 16:01:19 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Mon, 25 Mar 2013 16:01:19 +0000
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <51507274.6060907@tor.nl>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk> <51507274.6060907@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk>

Ah, good, well done me...
;-)

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 25 March 2013 15:51
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT

No, Ron told me (in a later email in the same thread) that it was already fixed by you... :-)

On 25-3-2013 16:29, Julian Tenney wrote:

Did you fix it: there appears to be code in the that creates a new PG ID...

[cid:image001.png at 01CE2971.FD17C600]

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 17 March 2013 11:26
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT

Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix.

Tom

On 16-3-2013 13:02, Kemp Johnathan wrote:

In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits

1. For some reason when in Xerte you do "Pages / Create Template Project From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project.

2. Connector pages depend on every page having a unique linkID. However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page.
I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this.

Kind regards

Johnathan

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 218535 bytes
Desc: image001.png
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/5311b979/attachment-0001.png>

From J.J.Smith at gcu.ac.uk Mon Mar 25 16:02:01 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 25 Mar 2013 16:02:01 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi all,

Sorry it's been a while getting to this again but I seem to have made some headway.
I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changes (some to edit.php too) as R734.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Friday, March 15, 2013 11:39 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-)

Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
> > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Julian Tenney > > Sent: Monday, March 11, 2013 2:32 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > If I try and upload php files, onComplete still fires... > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Julian Tenney > > Sent: 11 March 2013 14:27 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Hold on, I'll see if I can get the events to trip, > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: 11 March 2013 14:20 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway... 
> > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: Monday, March 11, 2013 1:57 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > No way to receive whether the upload was successful or not? > > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Julian Tenney > > Sent: Monday, March 11, 2013 1:48 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > I'm not sure you can do much with that class, it's just a black box. > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: 11 March 2013 13:33 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Perhaps it should just feedback error codes, and the flash class translates them... 
> > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Julian Tenney > > Sent: Monday, March 11, 2013 1:21 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl. > > > > -----Original Message----- > > From: > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: 11 March 2013 12:45 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed... > > > > > > > > > > > > > > Glasgow Caledonian University is a registered Scottish charity, number > SC021474 > > Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > 219,en.html > > Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1 > 5691,en.html _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > This message has been checked for viruses but the contents of an > attachment may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. 
Email communications with > the University of Nottingham may be monitored as permitted by UK legislation.
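The upload.php thread above turns on two points: onComplete fires even when the server has refused the file, and explanatory messages were removed so as not to hint why an attempt was refused. The following is an added example, not Xerte's upload.php and not code from the list: it validates extension and detected content against an allow-list, stores the file under a server-chosen name, and answers with an HTTP status plus a bare numeric code. The result codes, the allow-list, the user_id session key and the media directory are assumptions; Filedata is the default field name used by Flash's FileReference.

```php
<?php
declare(strict_types=1);

// Added example, not Xerte's upload.php. Codes, allow-list, session key and
// target directory are assumptions made for illustration.
const RESULT_OK = 0;
const RESULT_TRANSFER_FAILED = 1;
const RESULT_EXT_REFUSED = 2;
const RESULT_CONTENT_REFUSED = 3;
const RESULT_STORE_FAILED = 4;

// Allow-list: extension => MIME types the file content must be detected as.
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'mp3'  => ['audio/mpeg'],
];

// HTTP status sent with each code, so a refusal is not answered with a plain 200.
const STATUS_FOR = [
    RESULT_OK => 200, RESULT_TRANSFER_FAILED => 400, RESULT_EXT_REFUSED => 415,
    RESULT_CONTENT_REFUSED => 415, RESULT_STORE_FAILED => 500,
];

// Decide whether a received file is acceptable. Returns one of the RESULT_* codes.
function classify_upload(string $tmpPath, string $clientName, int $phpError): int
{
    if ($phpError !== UPLOAD_ERR_OK || !is_file($tmpPath)) {
        return RESULT_TRANSFER_FAILED;
    }
    // Only the final extension counts; a name without one is refused.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return RESULT_EXT_REFUSED;
    }
    // Detect the type from the bytes on disk, not from what the client claims.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$ext], true)) {
        return RESULT_CONTENT_REFUSED;
    }
    return RESULT_OK;
}

// Validate one $_FILES entry and move it to $destDir under a random name.
// Returns [code, stored path or null].
function store_upload(array $file, string $destDir): array
{
    // An array-valued entry (multi-file form field) is not a single upload.
    if (!is_string($file['tmp_name'] ?? null) || !is_string($file['name'] ?? null)
        || !is_int($file['error'] ?? null)) {
        return [RESULT_TRANSFER_FAILED, null];
    }
    $code = classify_upload($file['tmp_name'], $file['name'], $file['error']);
    if ($code !== RESULT_OK) {
        return [$code, null];
    }
    // The client-supplied name is never used on disk; only the checked extension is kept.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [RESULT_STORE_FAILED, null];
    }
    return [RESULT_OK, $target];
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['user_id'])) {              // hypothetical session key
        http_response_code(403);
        exit;
    }
    $file = $_FILES['Filedata'] ?? [];
    [$code, $path] = store_upload($file, __DIR__ . '/media');   // hypothetical directory
    http_response_code(STATUS_FOR[$code]);
    header('Content-Type: text/plain');
    // URL-encoded variables only: a code for the client to translate, no reason text.
    echo 'code=' . $code . ($path !== null ? '&file=' . rawurlencode(basename($path)) : '');
} else {
    // Command-line demonstration on constructed samples: a header-only PNG
    // (signature plus IHDR chunk, placeholder CRC) and a short PHP script.
    $png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
         . pack('NNC5', 1, 1, 8, 6, 0, 0, 0) . "\x00\x00\x00\x00";
    $php = "<?php echo 'hello'; ?>\n";
    $cases = ['photo.PNG' => $png, 'page.php' => $php, 'notes.png' => $php];
    foreach ($cases as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'upl');
        file_put_contents($tmp, $bytes);
        printf("%-10s code=%d\n", $name, classify_upload($tmp, $name, UPLOAD_ERR_OK));
        unlink($tmp);
    }
}
```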
From ronm at mitchellmedia.co.uk Mon Mar 25 16:10:22 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Mon, 25 Mar 2013 16:10:22 -0000 Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk> <51507274.6060907@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <033401ce2973$419a1d40$c4ce57c0$@co.uk> What I actually said was... No the same issue doesn't exist with XOT. I think I raised this here some time ago and I think it was Julian who fixed it. Not sure why it doesn't work in a page template project although I haven't tested that. So I confirmed that copying a page seems to work fine in xot e.g. generates a new id but I didn't test a Page Templates project in Xerte desktop. 
Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 25 March 2013 16:01 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT Ah, good, well done me. ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 15:51 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT No, Ron told me (in a later email in the same thread) that it was already fixed by you... :-) Op 25-3-2013 16:29, Julian Tenney schreef: Did you fix it: there appears to be code in the that creates a new PG ID. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 17 March 2013 11:26 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix. Tom Op 16-3-2013 13:02, Kemp Johnathan schreef: In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits 1. For some reason when in Xerte you do "Pages / Create Template Project From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project. 2. Connector pages depend on every page having a unique linkID. 
However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page. I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this. Kind regards Johnathan _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/9bc727f3/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image001.png Type: image/png Size: 218535 bytes Desc: not available URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/9bc727f3/attachment-0001.png> From reijnders at tor.nl Mon Mar 25 16:33:52 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Mon, 25 Mar 2013 17:33:52 +0100 Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT In-Reply-To: <033401ce2973$419a1d40$c4ce57c0$@co.uk> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk> <51507274.6060907@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk> <033401ce2973$419a1d40$c4ce57c0$@co.uk> Message-ID: <51507C70.4060601@tor.nl> Fair enough.., I'll test it in Xerte desktop. It should work exactly the same... Op 25-3-2013 17:10, Ron Mitchell schreef: > > What I actually said was... > > No the same issue doesn't exist with XOT. I think I raised this here > some time ago and I think it was Julian who fixed it. Not sure why it > doesn't work in a page template project although I haven't tested that. > > So I confirmed that copying a page seems to work fine in xot e.g. > generates a new id but I didn't test a Page Templates project in Xerte > desktop. > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of > *Julian Tenney > *Sent:* 25 March 2013 16:01 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > Ah, good, well done me... 
> > ;-) > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom > Reijnders > *Sent:* 25 March 2013 15:51 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > No, Ron told me (in a later email in the same thread) that it was > already fixed by you... :-) > > Op 25-3-2013 16:29, Julian Tenney schreef: > > Did you fix it: there appears to be code in the that creates a new > PG ID... > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of > *Tom Reijnders > *Sent:* 17 March 2013 11:26 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects > with possible implication for XOT > > Didn't test it (yet) but I assume we have the same issue in XOT as > well. When copying a page, we should generate a new 'unique' > linkID. Should be easy to fix. > > Tom > > Op 16-3-2013 13:02, Kemp Johnathan schreef: > > In Xerte in Page Templates (not a Pages type) project there > are currently two issues, the second of which may also > compromise Xerte Online Toolkits > > 1. For some reason when in Xerte you do "Pages / Create > Template Project From Pages" the project is not created using > the current models and templates.xwd file, but is built using > the C:\Xerte\Wizards\PageTemplates.xtp file and this file is > out of date. If you rename the file _PageTemplates.xtp then > Xerte will not be able to find it and will use the correct > models and xwd file to create your new project. > > 2. Connector pages depend on every page having a unique > linkID. 
However in Page Templates type projects if you select > a page and Copy it, the new copy of the page receives the same > linkID as the page from which it was copied. This will > compromise the pageList listing and selection of the correct > page. I have not been able to test this for XOT as I currently > don't have a working install, but perhaps someone could run a > check on this. > > Kind regards > > Johnathan > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/9b24d0ed/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: image/png Size: 218535 bytes Desc: not available URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/9b24d0ed/attachment-0001.png> From Julian.Tenney at nottingham.ac.uk Mon Mar 25 16:40:34 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Mon, 25 Mar 2013 16:40:34 +0000 Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT In-Reply-To: <51507C70.4060601@tor.nl> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk> <51507274.6060907@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk> <033401ce2973$419a1d40$c4ce57c0$@co.uk> <51507C70.4060601@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08D43@EXCHANGE1.ad.nottingham.ac.uk> It works differently for page templates, that might be the point? From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 16:34 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT Fair enough.., I'll test it in Xerte desktop. It should work exactly the same... Op 25-3-2013 17:10, Ron Mitchell schreef: What I actually said was... No the same issue doesn't exist with XOT. I think I raised this here some time ago and I think it was Julian who fixed it. Not sure why it doesn't work in a page template project although I haven't tested that. So I confirmed that copying a page seems to work fine in xot e.g. generates a new id but I didn't test a Page Templates project in Xerte desktop. 
Ron From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 25 March 2013 16:01 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT Ah, good, well done me... ;-) From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 15:51 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT No, Ron told me (in a later email in the same thread) that it was already fixed by you... :-) Op 25-3-2013 16:29, Julian Tenney schreef: Did you fix it: there appears to be code in the that creates a new PG ID... [cid:image001.png at 01CE2977.79030090] From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 17 March 2013 11:26 To: For Xerte technical developers Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT Didn't test it (yet) but I assume we have the same issue in XOT as well. When copying a page, we should generate a new 'unique' linkID. Should be easy to fix. Tom Op 16-3-2013 13:02, Kemp Johnathan schreef: In Xerte in Page Templates (not a Pages type) project there are currently two issues, the second of which may also compromise Xerte Online Toolkits 1. For some reason when in Xerte you do "Pages / Create Template Project From Pages" the project is not created using the current models and templates.xwd file, but is built using the C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. 
If you rename the file _PageTemplates.xtp then Xerte will not be able to find it and will use the correct models and xwd file to create your new project. 2. Connector pages depend on every page having a unique linkID. However in Page Templates type projects if you select a page and Copy it, the new copy of the page receives the same linkID as the page from which it was copied. This will compromise the pageList listing and selection of the correct page. I have not been able to test this for XOT as I currently don't have a working install, but perhaps someone could run a check on this. Kind regards Johnathan _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/4aa1fcc4/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... 
Name: image001.png Type: image/png Size: 218535 bytes Desc: image001.png URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/4aa1fcc4/attachment-0001.png> From reijnders at tor.nl Mon Mar 25 16:46:28 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Mon, 25 Mar 2013 17:46:28 +0100 Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF08D43@EXCHANGE1.ad.nottingham.ac.uk> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <5145A854.4010600@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk> <51507274.6060907@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk> <033401ce2973$419a1d40$c4ce57c0$@co.uk> <51507C70.4060601@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF08D43@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <51507F64.20109@tor.nl> Johnathan, What kind of project are we talking about exactly... the names remain confusing... :-) I'll check, and fix if needed. Tom Op 25-3-2013 17:40, Julian Tenney schreef: > > It works differently for page templates, that might be the point? > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Tom > Reijnders > *Sent:* 25 March 2013 16:34 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > Fair enough.., I'll test it in Xerte desktop. It should work exactly > the same... > > Op 25-3-2013 17:10, Ron Mitchell schreef: > > What I actually said was... > > No the same issue doesn't exist with XOT. I think I raised this > here some time ago and I think it was Julian who fixed it. Not > sure why it doesn't work in a page template project although I > haven't tested that. > > So I confirmed that copying a page seems to work fine in xot e.g. 
> generates a new id but I didn't test a Page Templates project in > Xerte desktop. > > Ron > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of > *Julian Tenney > *Sent:* 25 March 2013 16:01 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects > with possible implication for XOT > > Ah, good, well done me... > > ;-) > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of > *Tom Reijnders > *Sent:* 25 March 2013 15:51 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects > with possible implication for XOT > > No, Ron told me (in a later email in the same thread) that it was > already fixed by you... :-) > > Op 25-3-2013 16:29, Julian Tenney schreef: > > Did you fix it: there appears to be code in the that creates a > new PG ID... > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf > Of *Tom Reijnders > *Sent:* 17 March 2013 11:26 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects > with possible implication for XOT > > Didn't test it (yet) but I assume we have the same issue in > XOT as well. When copying a page, we should generate a new > 'unique' linkID. Should be easy to fix. > > Tom > > Op 16-3-2013 13:02, Kemp Johnathan schreef: > > In Xerte in Page Templates (not a Pages type) project > there are currently two issues, the second of which may > also compromise Xerte Online Toolkits > > 1. 
For some reason when in Xerte you do "Pages / Create > Template Project From Pages" the project is not created > using the current models and templates.xwd file, but is > built using the C:\Xerte\Wizards\PageTemplates.xtp file > and this file is out of date. If you rename the file > _PageTemplates.xtp then Xerte will not be able to find it > and will use the correct models and xwd file to create > your new project. > > 2. Connector pages depend on every page having a unique > linkID. However in Page Templates type projects if you > select a page and Copy it, the new copy of the page > receives the same linkID as the page from which it was > copied. This will compromise the pageList listing and > selection of the correct page. I have not been able to > test this for XOT as I currently don't have a working > install, but perhaps someone could run a check on this. > > Kind regards > > Johnathan > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > -- > > -- > > > > Tom Reijnders > > TOR Informatica > > Chopinlaan 27 > > 5242HM Rosmalen > > Tel: 073 5226191 > > Fax: 073 5226196 > > > > > > > _______________________________________________ > > Xerte-dev mailing list > > Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 
073 5226196 > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/00952a21/attachment-0001.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 218535 bytes Desc: not available URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/00952a21/attachment-0001.png> From ronm at mitchellmedia.co.uk Mon Mar 25 17:09:33 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Mon, 25 Mar 2013 17:09:33 -0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <036f01ce297b$8647ed20$92d7c760$@co.uk> Hi John I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before. However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. 
they still work but remain greyed out HTH Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 25 March 2013 16:02 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi all, Sorry it's been a while getting to this again but I seem to have made some headway. I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changed (some to edit.php too) as R734. Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Friday, March 15, 2013 11:39 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-) Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 15, 2013 11:21 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No, we have to support Firefox, but you know that already! 
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail...

If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...

The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required...

We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn thought we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. 
<http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education?s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html _______________________________________________ Xerte-dev mailing list <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education?s Widening Participation Initiative of the Year 2009 and Herald Society?s Education Initiative of the Year 2009. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c7a1e293/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c7a1e293/attachment-0001.jpg>

From J.J.Smith at gcu.ac.uk Mon Mar 25 17:33:21 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 25 Mar 2013 17:33:21 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <vuumo3a80kquk53w2yfq9dl2.1364232801631@email.android.com>

Yeah I've only patched edit and upload but I have been seeing similar things... If you refresh then the buttons should work again. Not sure why but might try debugging later..

As for the upload patch, can you try firefox by clearing cookie logging in again and see if upload works to see whether the cookie bug is fixed?

Thanks Ron.
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi John

I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before.

However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 16:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi all,

Sorry it's been a while getting to this again but I seem to have made some headway.

I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changes (some to edit.php too) as R734.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Friday, March 15, 2013 11:39 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-)

Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here...

The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is...

Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...
The upload script as reported by Ron does work as long as we're not using Moodle

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...

I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 8559 bytes
Desc: image003.jpg
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/6fc0315e/attachment-0001.jpg>

From reijnders at tor.nl Mon Mar 25 17:50:03 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 18:50:03 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <036f01ce297b$8647ed20$92d7c760$@co.uk>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> <036f01ce297b$8647ed20$92d7c760$@co.uk>
Message-ID: <51508E4B.9050704@tor.nl>

If the buttons don't refresh properly, it is due to my changes with the buttons. I replaced all image buttons by html buttons. That should be in SVN 727, but I can see it's not in this one (the links should be buttons as well as shown below).

Am I using the correct jsic xot?

Tom

On 25-3-2013 18:09, Ron Mitchell wrote:
>
> Hi John
>
> I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before.
>
> However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out
>
> HTH
>
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 25 March 2013 16:02
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi all,
>
> Sorry it's been a while getting to this again but I seem to have made some headway.
>
> I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changes (some to edit.php too) as R734.
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Friday, March 15, 2013 11:39 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-)
>
> Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 15, 2013 11:21 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No, we have to support Firefox, but you know that already!
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 10:14
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> True but Moodle is a red herring here...
>
> The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is...
>
> Depends who you want to keep happiest...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 09:10
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle
>
> As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...
>
> Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> So is the problem the upload script, or the way the moodle authentication works?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:41
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball breaker...
> we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
> > Hi Ron,
> >
> > Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
> >
> > Regards,
> >
> > John Smith | Learning Technologist
> > Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> > ________________________________________
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> > Sent: 12 March 2013 20:31
> > To: 'For Xerte technical developers'
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> >
> > Hi John
> > I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication.
> >
> > So I guess this is either session related or a js clash?
> >
> > Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
> >
> > I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
> >
> > Cheers
> > Ron
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> > Sent: 12 March 2013 20:17
> > To: 'For Xerte technical developers'
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> >
> > Hi John
> > Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
> >
> > I'm almost hesitant to mention this...
> >
> > I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
> >
> > Cheers
> > Ron
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: 12 March 2013 19:56
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> >
> > Hi Ron
> >
> > Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
> >
> > I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
> > > > > > Regards > > > > > > John Smith > > > Learning Technologist > > > School of Health and Life Sciences > > > > > > Sent from Samsung Galaxy SII > > > > > > > > > > > > Ron Mitchell <ronm at mitchellmedia.co.uk > <mailto:ronm at mitchellmedia.co.uk>> wrote: > > > > > > > > > Hi > > > sorry been quiet for a week or so (on holiday) but back now and > updated the Techdis installations from svn (not sandpit) and Alistair > and Simon reported issues with uploading images. I reverted one > installation back and that worked again but I've left the latest code > in the /xot test install which doesn't work. Basically uploads seem to > work ok via media & quota but not via a graphics and sound page for > instance. The image appears to upload and an upload successful prompt > appears but the image doesn't actually upload. Any ideas? > > > Ron > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian > > > Tenney > > > Sent: 11 March 2013 16:18 > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > There's no more detail: here's a screenshot showing the code and the > relevant events to the left. onComplete means 'successfully uploaded', > so the answer will lie in the upload.php and whether, if uploading > fails, it's reflected back in the Flash stuff. 
> > >
> > > I've added some alerts for now so you can see what gets tripped, we
> > > can take these out later, and I've committed the wizard with these in,
> > >
> > > listener.onComplete = function(file:FileReference):Void {
> > >     Alert.show("Upload successful");
> > >     // --etc--
> > > }
> > >
> > > listener.onHTTPError = function(file:FileReference):Void {
> > >     Alert.show("Upload failed: HTTPError");
> > >     // --etc--
> > > }
> > >
> > > listener.onIOError = function(file:FileReference):Void {
> > >     Alert.show("Upload failed: IOError");
> > >     // --etc--
> > > }
> > >
> > > listener.onSecurityError = function(file:FileReference, errorString:String):Void {
> > >     Alert.show("Upload failed: Security Error");
> > >     // --etc--
> > > }
> > >
> > > -----Original Message-----
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
> > > On Behalf Of Smith, John
> > > Sent: 11 March 2013 15:42
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> > >
> > > Are you using FileReference class?
> > > This code snippet suggests you can extract data from the DataEvent
> > > object in the UPLOAD_COMPLETE_DATA with
> > > var strData:String = StringUtil.trim(evt.data);
> > >
> > > private function init():void {
> > >     fileRef = new FileReference();
> > >     fileRef.addEventListener(Event.SELECT, fileRef_select);
> > >     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
> > >     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
> > >     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
> > >
> > >     urlReq = new URLRequest();
> > >     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> > > }
> > >
> > > private function fileRef_uploadCompleteData(evt:DataEvent):void {
> > >     var strData:String = StringUtil.trim(evt.data);
> > >     var vars:URLVariables = new URLVariables(strData);
> > >     Alert.show(vars.fileName, "fileName");
> > > }
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > -----Original Message-----
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
> > > On Behalf Of Smith, John
> > > Sent: Monday, March 11, 2013 3:19 PM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> > >
> > > Yeah it should because the upload page completes... you could try
> > > sticking a number in the exit function for the blacklist and see if
> > > you can get the number, exit(5); for example...
> > > > > > > > > > > > At least the session bit seems to work... I've taken out all the > whitelist code and mimetype stuff just now but I have another upload > file I'm working on which attempts to detect the mimetype using > several techniques contained in drupal and wordpress modules - will > let you know if it pans out... > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 2:32 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > If I try and upload php files, onComplete still fires... 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: 11 March 2013 14:27 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Hold on, I'll see if I can get the events to trip, > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 14:20 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Yeah, it's the Flash end... didn't seem to be doing anything no > matter the content of the php PRINT statements so I just removed them > for brevity... They were all in English anyway... 
> > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: Monday, March 11, 2013 1:57 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > No way to receive whether the upload was successful or not? > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 1:48 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > I'm not sure you can do much with that class, it's just a black box. 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 13:33 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Perhaps it should just feedback error codes, and the flash class > translates them... > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 1:21 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > NO, I forget the details but there is a flash player class that does > the upload thing. I'll give it a whirl. 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 12:45 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Hi Julian, give that a try... Does the flash editor do anything with > the returned/echoed text? I've taken them out because they didn't > seem to be doing anything in the Flash end and they could give hints > to a hacker as to why their attempt was quashed... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Glasgow Caledonian University is a registered Scottish charity, number > > > SC021474 > > > > > > Winner: Times Higher Education's Widening Participation Initiative > of the Year 2009 and Herald Society's Education Initiative of the Year > 2009. > > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > > > 219,en.html > > > > > > Winner: Times Higher Education's Outstanding Support for Early > Career Researchers of the Year 2010, GCU as a lead with Universities > Scotland partners. 
> > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> > > _______________________________________________
> > > Xerte-dev mailing list
> > > Xerte-dev at lists.nottingham.ac.uk
> > > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> > >
> > > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
> > >
> > > This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

-- --
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bffhdcbf.png
Type: image/png
Size: 30072 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iaagegeh.png
Type: image/png
Size: 34026 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0001.jpe>

From johnathan.kemp at ntlworld.com Mon Mar 25 17:51:21 2013
From: johnathan.kemp at ntlworld.com (Kemp Johnathan)
Date: Mon, 25 Mar 2013 17:51:21 +0000
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <51507F64.20109@tor.nl>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com>
 <5145A854.4010600@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk>
 <51507274.6060907@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk>
 <033401ce2973$419a1d40$c4ce57c0$@co.uk>
 <51507C70.4060601@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08D43@EXCHANGE1.ad.nottingham.ac.uk>
 <51507F64.20109@tor.nl>
Message-ID: <CABtG3=WJE9Jev_oikACjWruOvnav1Sqxu_v7BHNL6r3GHoGr_w@mail.gmail.com>

Tom,

I had tested this in a Xerte desktop pageTemplates project (pages / create template project from pages)

I discovered at the time that, using this route, that by default Xerte was using Page Templates.xtp to build the project, which resulted in an out of date templates.xwd being used. So I renamed Page Templates.xtp and then created the project and the correct selection of connector pages was then offered (no Plain Text Connector, no Tabbed Navigator Connector and no Redirector Connector).

Kind regards

Johnathan

On 25 March 2013 16:46, Tom Reijnders <reijnders at tor.nl> wrote:

> Johnathan,
>
> What kind of project are we talking about exactly... the names remain confusing... :-)
>
> I'll check, and fix if needed.
>
> Tom
>
> Op 25-3-2013 17:40, Julian Tenney schreef:
>
> It works differently for page templates, that might be the point?
> > > > *From:* xerte-dev-bounces at lists.nottingham.ac.uk [ > mailto:xerte-dev-bounces at lists.nottingham.ac.uk<xerte-dev-bounces at lists.nottingham.ac.uk>] > *On Behalf Of *Tom Reijnders > *Sent:* 25 March 2013 16:34 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > > > Fair enough.., I'll test it in Xerte desktop. It should work exactly the > same... > > Op 25-3-2013 17:10, Ron Mitchell schreef: > > What I actually said was... > > > > No the same issue doesn't exist with XOT. I think I raised this here some > time ago and I think it was Julian who fixed it. Not sure why it doesn't > work in a page template project although I haven't tested that. > > > > So I confirmed that copying a page seems to work fine in xot e.g. > generates a new id but I didn't test a Page Templates project in Xerte > desktop. > > > > Ron > > > > > > *From:* xerte-dev-bounces at lists.nottingham.ac.uk [ > mailto:xerte-dev-bounces at lists.nottingham.ac.uk<xerte-dev-bounces at lists.nottingham.ac.uk>] > *On Behalf Of *Julian Tenney > *Sent:* 25 March 2013 16:01 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > > > Ah, good, well done me? > > > > ;-) > > > > *From:* xerte-dev-bounces at lists.nottingham.ac.uk [ > mailto:xerte-dev-bounces at lists.nottingham.ac.uk<xerte-dev-bounces at lists.nottingham.ac.uk>] > *On Behalf Of *Tom Reijnders > *Sent:* 25 March 2013 15:51 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > > > No, Ron told me (in a later email in the same thread) that it was already > fixed by you... :-) > > Op 25-3-2013 16:29, Julian Tenney schreef: > > Did you fix it: there appears to be code in the that creates a new PG ID? 
> > > > > > *From:* xerte-dev-bounces at lists.nottingham.ac.uk [ > mailto:xerte-dev-bounces at lists.nottingham.ac.uk<xerte-dev-bounces at lists.nottingham.ac.uk>] > *On Behalf Of *Tom Reijnders > *Sent:* 17 March 2013 11:26 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Re: Issues with Page Templates projects with > possible implication for XOT > > > > Didn't test it (yet) but I assume we have the same issue in XOT as well. > When copying a page, we should generate a new 'unique' linkID. Should be > easy to fix. > > Tom > > Op 16-3-2013 13:02, Kemp Johnathan schreef: > > In Xerte in Page Templates (not a Pages type) project there are currently > two issues, the second of which may also compromise Xerte Online Toolkits > > > > 1. For some reason when in Xerte you do "Pages / Create Template Project > From Pages" the project is not created using the current models and > templates.xwd file, but is built using the > C:\Xerte\Wizards\PageTemplates.xtp file and this file is out of date. If > you rename the file _PageTemplates.xtp then Xerte will not be able to find > it and will use the correct models and xwd file to create your new project. > > > > 2. Connector pages depend on every page having a unique linkID. However in > Page Templates type projects if you select a page and Copy it, the new copy > of the page receives the same linkID as the page from which it was copied. > This will compromise the pageList listing and selection of the correct > page. I have not been able to test this for XOT as I currently don't have a > working install, but perhaps someone could run a check on this. 
> > > > Kind regards > > > > Johnathan
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/190c6ec1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 218535 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/190c6ec1/attachment-0001.png>

From reijnders at tor.nl Mon Mar 25 17:56:55 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 18:56:55 +0100
Subject: [Xerte-dev] Re: Issues with Page Templates projects with possible implication for XOT
In-Reply-To: <CABtG3=WJE9Jev_oikACjWruOvnav1Sqxu_v7BHNL6r3GHoGr_w@mail.gmail.com>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com>
 <5145A854.4010600@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CCC@EXCHANGE1.ad.nottingham.ac.uk>
 <51507274.6060907@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08CFD@EXCHANGE1.ad.nottingham.ac.uk>
 <033401ce2973$419a1d40$c4ce57c0$@co.uk>
 <51507C70.4060601@tor.nl>
 <12C67A1EEC419342AF5E59DA31562C3F0C4EF08D43@EXCHANGE1.ad.nottingham.ac.uk>
 <51507F64.20109@tor.nl>
 <CABtG3=WJE9Jev_oikACjWruOvnav1Sqxu_v7BHNL6r3GHoGr_w@mail.gmail.com>
Message-ID: <51508FE7.3010703@tor.nl>

Thank you, then I know exactly what you're doing.

I'll check and (try to) fix...

Tom

Op 25-3-2013 18:51, Kemp Johnathan schreef:
> Tom,
>
> I had tested this in a Xerte desktop pageTemplates project (pages / create template project from pages)
>
> I discovered at the time that, using this route, that by default Xerte was using Page Templates.xtp to build the project, which resulted in an out of date templates.xwd being used. So I renamed Page Templates.xtp and then created the project and the correct selection of connector pages was then offered (no Plain Text Connector, no Tabbed Navigator Connector and no Redirector Connector).
>
> Kind regards
>
> Johnathan
>
> On 25 March 2013 16:46, Tom Reijnders <reijnders at tor.nl <mailto:reijnders at tor.nl>> wrote:
>
> Johnathan,
>
> What kind of project are we talking about exactly... the names remain confusing... :-)
>
> I'll check, and fix if needed.
> > Tom > > Op 25-3-2013 17:40, Julian Tenney schreef: >> >> It works differently for page templates, that might be the point? >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of >> *Tom Reijnders >> *Sent:* 25 March 2013 16:34 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Issues with Page Templates projects >> with possible implication for XOT >> >> Fair enough.., I'll test it in Xerte desktop. It should work >> exactly the same... >> >> Op 25-3-2013 17:10, Ron Mitchell schreef: >> >> What I actually said was... >> >> No the same issue doesn't exist with XOT. I think I raised >> this here some time ago and I think it was Julian who fixed >> it. Not sure why it doesn't work in a page template project >> although I haven't tested that. >> >> So I confirmed that copying a page seems to work fine in xot >> e.g. generates a new id but I didn't test a Page Templates >> project in Xerte desktop. >> >> Ron >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf >> Of *Julian Tenney >> *Sent:* 25 March 2013 16:01 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Issues with Page Templates >> projects with possible implication for XOT >> >> Ah, good, well done me... >> >> ;-) >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf >> Of *Tom Reijnders >> *Sent:* 25 March 2013 15:51 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Issues with Page Templates >> projects with possible implication for XOT >> >> No, Ron told me (in a later email in the same thread) that it >> was already fixed by you... 
:-) >> >> Op 25-3-2013 16:29, Julian Tenney schreef: >> >> Did you fix it: there appears to be code in the that >> creates a new PG ID... >> >> *From:*xerte-dev-bounces at lists.nottingham.ac.uk >> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On >> Behalf Of *Tom Reijnders >> *Sent:* 17 March 2013 11:26 >> *To:* For Xerte technical developers >> *Subject:* [Xerte-dev] Re: Issues with Page Templates >> projects with possible implication for XOT >> >> Didn't test it (yet) but I assume we have the same issue >> in XOT as well. When copying a page, we should generate a >> new 'unique' linkID. Should be easy to fix. >> >> Tom >> >> Op 16-3-2013 13:02, Kemp Johnathan schreef: >> >> In Xerte in Page Templates (not a Pages type) project >> there are currently two issues, the second of which >> may also compromise Xerte Online Toolkits >> >> 1. For some reason when in Xerte you do "Pages / >> Create Template Project From Pages" the project is >> not created using the current models and >> templates.xwd file, but is built using the >> C:\Xerte\Wizards\PageTemplates.xtp file and this file >> is out of date. If you rename the file >> _PageTemplates.xtp then Xerte will not be able to >> find it and will use the correct models and xwd file >> to create your new project. >> >> 2. Connector pages depend on every page having a >> unique linkID. However in Page Templates type >> projects if you select a page and Copy it, the new >> copy of the page receives the same linkID as the page >> from which it was copied. This will compromise the >> pageList listing and selection of the correct page. I >> have not been able to test this for XOT as I >> currently don't have a working install, but perhaps >> someone could run a check on this. 
>> >> Kind regards >> >> Johnathan >> >> _______________________________________________ >> >> Xerte-dev mailing list >> >> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk> >> >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> -- >> >> Tom Reijnders >> >> TOR Informatica >> >> Chopinlaan 27 >> >> 5242HM Rosmalen >> >> Tel: 073 5226191 >> >> Fax: 073 5226196 -- -- Tom
Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196

From ronm at mitchellmedia.co.uk Mon Mar 25 18:03:14 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Mon, 25 Mar 2013 18:03:14 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <vuumo3a80kquk53w2yfq9dl2.1364232801631@email.android.com>
References: <vuumo3a80kquk53w2yfq9dl2.1364232801631@email.android.com>
Message-ID: <039c01ce2983$08228e20$1867aa60$@co.uk>

Hi John
not sure what change it's down to but refreshing doesn't change the button state issue for me. Reverting the code back to a previously working install does though.

I've just tested r734 and upload via graphics and sound works fine with IE9 and Chrome but alas not with Firefox.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 17:33
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah I've only patched edit and upload but I have been seeing similar things... If you refresh then the buttons should work again. Not sure why but might try debugging later..

As for the upload patch, can you try Firefox by clearing the cookie and logging in again, and see if upload works, to see whether the cookie bug is fixed?

Thanks Ron.
Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Ron Mitchell <ronm at mitchellmedia.co.uk> wrote: Hi John I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before. However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out [cid:_com_android_email_attachmentprovider_1_18220_RAW at sec.galaxytab] HTH Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 25 March 2013 16:02 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi all, Sorry it's been a while getting to this again but I seem to have made some headway. I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changed (some to edit.php too) as R734. Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Friday, March 15, 2013 11:39 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-) Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything... 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 15, 2013 11:21 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No, we have to support Firefox, but you know that already! -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 15 March 2013 10:14 To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 15 March 2013 09:10 To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php The way the Moodle authentication works - its so complicated that there is no way to restart it in upload when we are using Firefox... 
The upload script as reported by Ron does work as long as we're not using Moodle As i said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole... Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: So is the problem the upload script, or the way the moodle authentication works? -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone?? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:24 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Is it the case that you got it working in all browsers EXCEPT when using moodle authentication? -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:22 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:12 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that. 
-----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 13 March 2013 11:30 To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Pat Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com<mailto:xerte at pgogywebstuff.com>> wrote: Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> Makers of web things of a fair to middling quality On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: > Hi Ron, > > Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... 
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html From ronm at mitchellmedia.co.uk Mon Mar 25 18:01:32 2013 From: ronm at mitchellmedia.co.uk (Ron Mitchell) Date: Mon, 25 Mar 2013 18:01:32 -0000 Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php In-Reply-To: <51508E4B.9050704@tor.nl> References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> <036f01ce297b$8647ed20$92d7c760$@co.uk> <51508E4B.9050704@tor.nl> Message-ID: <039601ce2982$c96faeb0$5c4f0c10$@co.uk> Hi Tom yes you are using the correct install but I reverted the code back to a previous working version just to confirm that it is a recent update that has cause that particular problem and sure enough the buttons were working ok again. At the moment the install is back to R734 so includes your updates + Johns and has the button state problem. Cheers Ron From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 25 March 2013 17:50 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php If the buttons don't refresh properly, it is due to my changes with the buttons. I replaced all image buttons by html buttons. That should be in SVN 727, but I can see it's not in this one (the links should be buttons as well as shown below. Am I using the correct jsic xot? Tom Op 25-3-2013 18:09, Ron Mitchell schreef: Hi John I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before. 
However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out HTH Ron -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 25 March 2013 16:02 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi all, Sorry it's been a while getting to this again but I seem to have made some headway. I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changed (some to edit.php too) as R734. Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: Friday, March 15, 2013 11:39 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-) Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything... 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Friday, March 15, 2013 11:21 AM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php No, we have to support Firefox, but you know that already! -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 15 March 2013 10:14 To: <mailto:xerte-dev at lists.nottingham.ac.uk> xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Julian Tenney < <mailto:Julian.Tenney at nottingham.ac.uk> Julian.Tenney at nottingham.ac.uk> wrote: Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix. 
-----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 15 March 2013 09:10 To: <mailto:xerte-dev at lists.nottingham.ac.uk> xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php The way the Moodle authentication works - its so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle As i said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole... Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Julian Tenney < <mailto:Julian.Tenney at nottingham.ac.uk> Julian.Tenney at nottingham.ac.uk> wrote: So is the problem the upload script, or the way the moodle authentication works? -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... 
Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone?? Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:24 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Is it the case that you got it working in all browsers EXCEPT when using moodle authentication? -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:22 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though... 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:12 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that. -----Original Message----- From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 13 March 2013 11:30 To: <mailto:xerte-dev at lists.nottingham.ac.uk> xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Pat Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... 
Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" < <mailto:xerte at pgogywebstuff.com> xerte at pgogywebstuff.com> wrote: Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before Pgogy Webstuff - <http://www.pgogywebstuff.com> http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 12 Mar 2013, at 21:20, "Smith, John" < <mailto:J.J.Smith at gcu.ac.uk> J.J.Smith at gcu.ac.uk> wrote: > Hi Ron, > > Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... > > Regards, > > John Smith | Learning Technologist > Room A251, Govan Mbeki Building | School of Health & Life Sciences | > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA > ________________________________________ > From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk > [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > [ronm at mitchellmedia.co.uk] > Sent: 12 March 2013 20:31 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication I can't easily test LDAP authentication. > > So I guess this is either session related or a js clash? > > Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue. 
> > I know this probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too. > > Cheers > Ron > > -----Original Message----- > From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk > [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron > Mitchell > Sent: 12 March 2013 20:17 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi John > Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But... > > I'm almost hesitant to mention this... > > I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning. 
> > Cheers > Ron > > -----Original Message----- > From: <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> xerte-dev-bounces at lists.nottingham.ac.uk > [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, > John > Sent: 12 March 2013 19:56 > To: <mailto:xerte-dev at lists.nottingham.ac.uk> xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi Ron > > Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash... > > I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether its the session problem or something else... > > Regards > > John Smith > Learning Technologist > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > > > Ron Mitchell < <mailto:ronm at mitchellmedia.co.uk> ronm at mitchellmedia.co.uk> wrote: > > > Hi > sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas? 
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     // --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     // --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     // --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     // --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work...
> I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 13:33
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Perhaps it should just feedback error codes, and the flash class translates them...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:21 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 12:45
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text?
> I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
>
> Glasgow Caledonian University is a registered Scottish charity, number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/fb2912c2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 30072 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/fb2912c2/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 34026 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/fb2912c2/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/fb2912c2/attachment-0001.jpg>

From J.J.Smith at gcu.ac.uk Mon Mar 25 20:06:11 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Mon, 25 Mar 2013 20:06:11 +0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Message-ID: <sy58d3g82b5r7jorx6x3goto.1364241550477@email.android.com>

Thanks Ron

Hmmm. It's a pesky one to track down... It's working in the xampp zip that you kindly supplied and doesn't when I comment out the code so it's definitely doing something... I had some hefty debug code in and I might add it back in to see what's going on on a real install. What version of Moodle is the Jisc server using? I tested in the v2 one. Can you remind me of my login details for that server?

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi John
not sure what change it's down to but refreshing doesn't change the button state issue for me. Reverting the code back to a previously working install does though. I've just tested r734 and upload via graphics and sound works fine with IE9 and Chrome but alas not with Firefox.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 17:33
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah I've only patched edit and upload but I have been seeing similar things... If you refresh then the buttons should work again. Not sure why but might try debugging later.. As for the upload patch. can you try firefox by clearing cookie logging in again and see if upload works to see whether the cookie bug is fixed? Thanks Ron.

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:

Hi John
I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before. However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 16:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi all,

Sorry it's been a while getting to this again but I seem to have made some headway. I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changes (some to edit.php too) as R734.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Friday, March 15, 2013 11:39 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-) Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox...
The upload script as reported by Ron does work as long as we're not using Moodle As i said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole... Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote: So is the problem the upload script, or the way the moodle authentication works? -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:41 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone?? 
Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:24 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Is it the case that you got it working in all browsers EXCEPT when using moodle authentication? -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 14 March 2013 16:22 To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though... Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: Thursday, March 14, 2013 4:12 PM To: For Xerte technical developers Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that. 
-----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 13 March 2013 11:30 To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php Hi Pat Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the option - Using Firefox with moodle authentication i think cannot be detected at present... Regards John Smith Learning Technologist School of Health and Life Sciences Sent from Samsung Galaxy SII "Pat @ Pgogy" <xerte at pgogywebstuff.com<mailto:xerte at pgogywebstuff.com>> wrote: Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> Makers of web things of a fair to middling quality On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote: > Hi Ron, > > Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - i'll revert the changes back while we investigate...damn though we had almost cracked it... 
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences |
> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

From reijnders at tor.nl Mon Mar 25 20:21:39 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Mon, 25 Mar 2013 21:21:39 +0100
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <039601ce2982$c96faeb0$5c4f0c10$@co.uk>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> <036f01ce297b$8647ed20$92d7c760$@co.uk> <51508E4B.9050704@tor.nl> <039601ce2982$c96faeb0$5c4f0c10$@co.uk>
Message-ID: <5150B1D3.1060205@tor.nl>

Hmm, it seems like index.php is not what it should be...

Around lines 150 - 160 are a couple of lines drawing the buttons. These used to be img tags, and are now button tags. The enabling used to work through changing the image in display_screen.js, and now I change the css class.

Can you check whether you have the correct index.php in place?

Tom

On 25-3-2013 19:01, Ron Mitchell wrote:
>
> Hi Tom
>
> yes you are using the correct install but I reverted the code back to
> a previous working version just to confirm that it is a recent update
> that has caused that particular problem and sure enough the buttons
> were working ok again.
>
> At the moment the install is back to R734 so includes your updates +
> John's and has the button state problem.
>
> Cheers
>
> Ron
>
> *From:* xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of* Tom
> Reijnders
> *Sent:* 25 March 2013 17:50
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If the buttons don't refresh properly, it is due to my changes with
> the buttons.
>
> I replaced all image buttons by html buttons. That should be in SVN
> 727, but I can see it's not in this one (the links should be buttons
> as well as shown below).
>
> Am I using the correct jsic xot?
>
> Tom
>
> On 25-3-2013 18:09, Ron Mitchell wrote:
>
> Hi John
>
> I've just updated the Techdis /xot install to R734 which obviously
> uses Moodle authentication and uploading via a graphics and sound
> page seems to work fine now whereas as you know it didn't before.
>
> However I'm not sure whether it's due to your update or the recent
> update by others but I notice that there's now no state change on
> the workspace buttons when a project is selected e.g. they still
> work but remain greyed out
>
> HTH
>
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of
> Smith, John
> Sent: 25 March 2013 16:02
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi all,
>
> Sorry it's been a while getting to this again but I seem to have
> made some headway.
> > I've been able to figure out how to jump start the Moodle session > also in upload.php and it has worked in my tests but would love to > see how it fares in the real world. Would someone be able to test > this for me? I've committed changed (some to edit.php too) as R734. > > Regards, > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: Friday, March 15, 2013 11:39 AM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Worth a try!! So we have to support Firefox AND Moodle - there's > that wagging dog again ;-) > > Leave it with me - once I get moodle integration working I'll take > a look at the moodle session and see if we do anything... > > Regards, > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Julian Tenney > > Sent: Friday, March 15, 2013 11:21 AM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > No, we have to support Firefox, but you know that already! > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: 15 March 2013 10:14 > > To: xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > True but Moodle is a red herring here... 
> > The problem is Firefox - it is the tail... If you can live without > Firefox being supported, only in the editor, then we can probably > keep Moodle auth as is... > > Depends who you want to keep happiest... > > Regards > > John Smith > > Learning Technologist > > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > Julian Tenney <Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk>> wrote: > > Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is > the problem, then I think that's what we should fix. > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: 15 March 2013 09:10 > > To: xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > The way the Moodle authentication works - its so complicated that > there is no way to restart it in upload when we are using > Firefox... The upload script as reported by Ron does work as long > as we're not using Moodle > > As i said we can check for Moodle auth and simply not check for > session but that still leaves a gaping hole... > > Bootstrapping the upload via js 'should' allow config.php to > handle the session as it does on other pages... > > Regards > > John Smith > > Learning Technologist > > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > Julian Tenney <Julian.Tenney at nottingham.ac.uk > <mailto:Julian.Tenney at nottingham.ac.uk>> wrote: > > So is the problem the upload script, or the way the moodle > authentication works? 
> > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: 14 March 2013 16:41 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Yes, Flash seems to already add &sessionid to the end of the query > string and if I take that and use session_id(querystringsessionid) > before calling session_start() then it works... > > If I rely on the session start in config.php then it doesn't > execute if using moodle authentication and so the session check > fails... > > Just thought though that I was still checking the xerte session > variable whereas if I can find a moodle one to check then it > 'might' still work... > > Only problem is that I don't have a working moodle install?!? Well > I do - on a pen drive copied from someone in Nottingham (Thomas?) > but I don't know the password to login to moodle... was there a > default password?? anyone?? > > Regards, > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Julian Tenney > > Sent: Thursday, March 14, 2013 4:24 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Is it the case that you got it working in all browsers EXCEPT when > using moodle authentication? 
> > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: 14 March 2013 16:22 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > I'm sure if upload.php knows that it's Firefox and then checks the > authentication method then it can set the passed session id IF NOT > moodle but then we might have to bypass the session check if not > Moodle... not really a solution... > > I think we might have to resort to js though... > > Regards, > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Julian Tenney > > Sent: Thursday, March 14, 2013 4:12 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Do you think we should take Flash out of the picture and call some > JS from the wizard swf? We can still do some sort of progress / > notification stuff I think. All you need to pass to upload is the > file's path on the local machine, right? > > This has got to be sortable though, surely, but if it's gribbly > and there's an alternative, let's do that. > > -----Original Message----- > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, John > > Sent: 13 March 2013 11:30 > > To: xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > Hi Pat > > Yeah its the Firefox Flash Cookie thing that's the real ball > breaker... 
we are still including config.php BUT... > > If we are in Firefox and include config.php before setting the > session id then when config starts session we get a new session id > > Until we start session in upload.php though we can't tell if we > are in firefox or using moodle.. > > I suppose we can add some more complex logic as you say which > checks what authentication method we are using and does whatever > is required... We might need to indicate from flash though what > browser we are using otherwise we might still miss one of the > option - Using Firefox with moodle authentication i think cannot > be detected at present... > > Regards > > John Smith > > Learning Technologist > > School of Health and Life Sciences > > Sent from Samsung Galaxy SII > > "Pat @ Pgogy" <xerte at pgogywebstuff.com > <mailto:xerte at pgogywebstuff.com>> wrote: > > Try including config.php or doing a MySQL select db back to the > xerte db, that fixed most of the moodle problems before > > Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things > of a fair to middling quality > > On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk > <mailto:J.J.Smith at gcu.ac.uk>> wrote: > > > Hi Ron, > > > > > > Hmmm there is some session restart code although it should be > restarting the same session as the session id is being passed from > Flash... I wonder why it's killing Moodle session though and none > of the others... very strange - i'll revert the changes back while > we investigate...damn though we had almost cracked it... 
> > > > > > Regards, > > > > > > John Smith | Learning Technologist > > > Room A251, Govan Mbeki Building | School of Health & Life > Sciences | > > > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA > > > ________________________________________ > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > > > [xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>] On Behalf Of > Ron Mitchell > > > [ronm at mitchellmedia.co.uk <mailto:ronm at mitchellmedia.co.uk>] > > > Sent: 12 March 2013 20:31 > > > To: 'For Xerte technical developers' > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > Hi John > > > I tested further and the issue only seems to occur with Moodle > authentication enabled. Uploading works fine with guest > authentication and static authentication I can't easily test LDAP > authentication. > > > > > > So I guess this is either session related or a js clash? > > > > > > Have you added any session start code that's perhaps killing the > Moodle session? You have access to the /xot install to check js > via console etc and I've set it back to use Moodle authentication > so at the moment it's easy to replicate the issue. > > > > > > I know this probably going to raise the old chestnut about > Moodle integration etc but obviously all worked fine prior to the > recent changes and does when reverting back too. > > > > > > Cheers > > > Ron > > > > > > -----Original Message----- > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron > > > Mitchell > > > Sent: 12 March 2013 20:17 > > > To: 'For Xerte technical developers' > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > Hi John > > > Alistair reported that it was happening with Chrome and IE. 
I'm > not sure what browser Simon was using but I tested via IE9 and was > able to reproduce. But... > > > > > > I'm almost hesitant to mention this... > > > > > > I'd updated my own install which worked fine so I started > thinking about what the differences are and apart from server > differences a key difference is that the Techdis installs are > using Moodle for authentication. I switched the xot install to > guest and still got the problem. I then removed the integration > path via management, logged back in and was able to upload ok. I > then switched back to Moodle authentication and put the > integration path back in and was still able to upload. So > intermittent results at the moment but it does seem like it could > be session related. I'm only online until about 9pm tonight but > will test further and again in the morning. > > > > > > Cheers > > > Ron > > > > > > -----Original Message----- > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Smith, > > > John > > > Sent: 12 March 2013 19:56 > > > To: xerte-dev at lists.nottingham.ac.uk > <mailto:xerte-dev at lists.nottingham.ac.uk> > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > Hi Ron > > > > > > Do you know if this is using Firefox or one of the other > browsers? I've tested it using several of the models (albeit on > Xampp - not sure what setup Julian tested it on) in the 3 > mainstream browsers and it's been working fine, except for the > erroneous messages which we are still trying to figure out the > best way to catch them in Flash... > > > > > > I'll patch one in an hour or so and if you could try it out then > it might give us a clue as to whether its the session problem or > something else... 
> > > > > > Regards > > > > > > John Smith > > > Learning Technologist > > > School of Health and Life Sciences > > > > > > Sent from Samsung Galaxy SII > > > > > > > > > > > > Ron Mitchell <ronm at mitchellmedia.co.uk > <mailto:ronm at mitchellmedia.co.uk>> wrote: > > > > > > > > > Hi > > > sorry been quiet for a week or so (on holiday) but back now and > updated the Techdis installations from svn (not sandpit) and > Alistair and Simon reported issues with uploading images. I > reverted one installation back and that worked again but I've left > the latest code in the /xot test install which doesn't work. > Basically uploads seem to work ok via media & quota but not via a > graphics and sound page for instance. The image appears to upload > and an upload successful prompt appears but the image doesn't > actually upload. Any ideas? > > > Ron > > > > > > From: xerte-dev-bounces at lists.nottingham.ac.uk > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> > > > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of > Julian > > > Tenney > > > Sent: 11 March 2013 16:18 > > > To: For Xerte technical developers > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > There's no more detail: here's a screenshot showing the code and > the relevant events to the left. onComplete means 'successfully > uploaded', so the answer will lie in the upload.php and whether, > if uploading fails, it's reflected back in the Flash stuff. 
> > >
> > > I've added some alerts for now so you can see what gets tripped, we
> > > can take these out later, and I've committed the wizard with these in,
> > >
> > > listener.onComplete = function(file:FileReference):Void {
> > >     Alert.show("Upload successful");
> > >     // --etc--
> > > }
> > >
> > > listener.onHTTPError = function(file:FileReference):Void {
> > >     Alert.show("Upload failed: HTTPError");
> > >     // --etc--
> > > }
> > >
> > > listener.onIOError = function(file:FileReference):Void {
> > >     Alert.show("Upload failed: IOError");
> > >     // --etc--
> > > }
> > >
> > > listener.onSecurityError = function(file:FileReference, errorString:String):Void {
> > >     Alert.show("Upload failed: Security Error");
> > >     // --etc--
> > > }
> > >
> > > -----Original Message-----
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
> > > On Behalf Of Smith, John
> > > Sent: 11 March 2013 15:42
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> > >
> > > Are you using FileReference class? This code snippet suggests you can
> > > extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA
> > > with var strData:String = StringUtil.trim(evt.data);
> > >
> > > private function init():void {
> > >     fileRef = new FileReference();
> > >     fileRef.addEventListener(Event.SELECT, fileRef_select);
> > >     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
> > >     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
> > >     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
> > >
> > >     urlReq = new URLRequest();
> > >     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> > > }
> > >
> > > private function fileRef_uploadCompleteData(evt:DataEvent):void {
> > >     var strData:String = StringUtil.trim(evt.data);
> > >     var vars:URLVariables = new URLVariables(strData);
> > >     Alert.show(vars.fileName, "fileName");
> > > }
> > >
> > > Regards,
> > >
> > > John Smith
> > > Learning Technologist
> > > School of Health & Life Sciences
> > > Glasgow Caledonian University
> > >
> > > -----Original Message-----
> > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
> > > On Behalf Of Smith, John
> > > Sent: Monday, March 11, 2013 3:19 PM
> > > To: For Xerte technical developers
> > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> > >
> > > Yeah it should because the upload page completes... you could
> > > try sticking a number in the exit function for the blacklist and
> > > see if you can get the number, exit(5); for example...
> > > > > > > > > > > > At least the session bit seems to work... I've taken out all the > whitelist code and mimetype stuff just now but I have another > upload file I'm working on which attempts to detect the mimetype > using several techniques contained in drupal and wordpress modules > - will let you know if it pans out... > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 2:32 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > If I try and upload php files, onComplete still fires... 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: 11 March 2013 14:27 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Hold on, I'll see if I can get the events to trip, > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 14:20 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Yeah, it's the Flash end... didn't seem to be doing anything no > matter the content of the php PRINT statements so I just removed > them for brevity... They were all in English anyway... 
> > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: Monday, March 11, 2013 1:57 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > No way to receive whether the upload was successful or not? > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 1:48 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > I'm not sure you can do much with that class, it's just a black box. 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 13:33 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Perhaps it should just feedback error codes, and the flash class > translates them... > > > > > > > > > > > > Regards, > > > > > > > > > > > > John Smith > > > > > > Learning Technologist > > > > > > School of Health & Life Sciences > > > > > > Glasgow Caledonian University > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Julian Tenney > > > > > > Sent: Monday, March 11, 2013 1:21 PM > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > NO, I forget the details but there is a flash player class that > does the upload thing. I'll give it a whirl. 
> > > > > > > > > > > > -----Original Message----- > > > > > > From: > > > > xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list> > > > s.nottingham.ac.uk> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > > > On Behalf Of Smith, John > > > > > > Sent: 11 March 2013 12:45 > > > > > > To: For Xerte technical developers > > > > > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > > > > > > > > > Hi Julian, give that a try... Does the flash editor do anything > with the returned/echoed text? I've taken them out because they > didn't seem to be doing anything in the Flash end and they could > give hints to a hacker as to why their attempt was quashed... > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Glasgow Caledonian University is a registered Scottish charity, > number > > > SC021474 > > > > > > Winner: Times Higher Education's Widening Participation > Initiative of the Year 2009 and Herald Society's Education > Initiative of the Year 2009. > > > > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6 > > > 219,en.html > > > > > > Winner: Times Higher Education's Outstanding Support for Early > Career Researchers of the Year 2010, GCU as a lead with > Universities Scotland partners. 
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> >
> > _______________________________________________
> > Xerte-dev mailing list
> > Xerte-dev at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c545d858/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 30072 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c545d858/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 34026 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c545d858/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/c545d858/attachment-0001.jpe>

From ronm at mitchellmedia.co.uk Mon Mar 25 20:47:39 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Mon, 25 Mar 2013 20:47:39 -0000
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
In-Reply-To: <5150B1D3.1060205@tor.nl>
References: <bj8955psl73nk2xnfedc79ml.1363342427911@email.android.com> <12C67A1EEC419342AF5E59DA31562C3F0C4DD1CD8A@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247EE6D7E9@ITSEMBXCLUS.enterprise.gcal.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74C8D@ITSEMBXCLUS.enterprise.gcal.ac.uk> <036f01ce297b$8647ed20$92d7c760$@co.uk> <51508E4B.9050704@tor.nl> <039601ce2982$c96faeb0$5c4f0c10$@co.uk> <5150B1D3.1060205@tor.nl>
Message-ID: <03d901ce2999$fe375fa0$faa61ee0$@co.uk>

Hi Tom

sorry that was probably my mistake after quickly testing if reverting resolved the issue :-( The code is now a full replace of R734 and the button state seems ok. Alas image upload via Firefox remains an issue.

Cheers
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 25 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm, it seems like index.php is not what it should be... Around lines 150 - 160 are a couple of lines drawing the buttons. These used to be img tags, and are now button tags. The enabling used to work through changing the image in display_screen.js, and now I change the css class. Can you check whether you have the correct index.php in place?
Tom

On 25-3-2013 19:01, Ron Mitchell wrote:

Hi Tom

yes you are using the correct install but I reverted the code back to a previous working version just to confirm that it is a recent update that has caused that particular problem and sure enough the buttons were working ok again. At the moment the install is back to R734 so includes your updates + John's and has the button state problem.

Cheers
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 25 March 2013 17:50
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If the buttons don't refresh properly, it is due to my changes with the buttons. I replaced all image buttons by html buttons. That should be in SVN 727, but I can see it's not in this one (the links should be buttons as well as shown below). Am I using the correct jsic xot?

Tom

On 25-3-2013 18:09, Ron Mitchell wrote:

Hi John

I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before. However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected e.g. they still work but remain greyed out

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 16:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi all,

Sorry it's been a while getting to this again but I seem to have made some headway. I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me?
I've committed changes (some to edit.php too) as R734.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Friday, March 15, 2013 11:39 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-) Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Friday, March 15, 2013 11:21 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 10:14
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here... The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is... Depends who you want to keep happiest...
Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 15 March 2013 09:10
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle. As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole... Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication works?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:41
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works... If I rely on the session start in config.php then it doesn't execute if using moodle authentication and so the session check fails... Just thought though that I was still checking the xerte session variable whereas if I can find a moodle one to check then it 'might' still work... Only problem is that I don't have a working moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to moodle... was there a default password?? anyone??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:24 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 14 March 2013 16:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution... I think we might have to resort to js though...

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Thursday, March 14, 2013 4:12 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right? This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 13 March 2013 11:30
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah it's the Firefox Flash Cookie thing that's the real ball breaker... we are still including config.php BUT... If we are in Firefox and include config.php before setting the session id then when config starts session we get a new session id. Until we start session in upload.php though we can't tell if we are in firefox or using moodle.. I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from flash though what browser we are using otherwise we might still miss one of the options - Using Firefox with moodle authentication I think cannot be detected at present...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:

Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,
>
> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate...damn though we had almost cracked it...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell [ronm at mitchellmedia.co.uk]
> Sent: 12 March 2013 20:31
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication. I can't easily test LDAP authentication.
>
> So I guess this is either session related or a js clash?
>
> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.
>
> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 12 March 2013 20:17
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi John
> Alistair reported that it was happening with Chrome and IE. I'm not sure what browser Simon was using but I tested via IE9 and was able to reproduce. But...
>
> I'm almost hesitant to mention this...
>
> I'd updated my own install which worked fine so I started thinking about what the differences are and apart from server differences a key difference is that the Techdis installs are using Moodle for authentication. I switched the xot install to guest and still got the problem. I then removed the integration path via management, logged back in and was able to upload ok. I then switched back to Moodle authentication and put the integration path back in and was still able to upload. So intermittent results at the moment but it does seem like it could be session related. I'm only online until about 9pm tonight but will test further and again in the morning.
>
> Cheers
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 12 March 2013 19:56
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Ron
>
> Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages which we are still trying to figure out the best way to catch them in Flash...
>
> I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...
>
> Regards
>
> John Smith
> Learning Technologist
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> Hi
> sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 16:18
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.
>
> I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,
>
> listener.onComplete = function(file:FileReference):Void {
>     Alert.show("Upload successful");
>     --etc--
> }
>
> listener.onHTTPError = function(file:FileReference):Void {
>     Alert.show("Upload failed: HTTPError");
>     --etc--
> }
>
> listener.onIOError = function(file:FileReference):Void {
>     Alert.show("Upload failed: IOError");
>     --etc--
> }
>
> listener.onSecurityError = function(file:FileReference, errorString:String):Void {
>     Alert.show("Upload failed: Security Error");
>     --etc--
> }
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 15:42
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Are you using FileReference class?
> This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);
>
> private function init():void {
>     fileRef = new FileReference();
>     fileRef.addEventListener(Event.SELECT, fileRef_select);
>     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
>     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
>     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
>
>     urlReq = new URLRequest();
>     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> }
>
> private function fileRef_uploadCompleteData(evt:DataEvent):void {
>     var strData:String = StringUtil.trim(evt.data);
>     var vars:URLVariables = new URLVariables(strData);
>     Alert.show(vars.fileName, "fileName");
> }
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 3:19 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...
>
> At least the session bit seems to work...
> I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 2:32 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If I try and upload php files, onComplete still fires...
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: 11 March 2013 14:27
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hold on, I'll see if I can get the events to trip,
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 11 March 2013 14:20
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yeah, it's the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Monday, March 11, 2013 1:57 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No way to receive whether the upload was successful or not?
>
> Regards,
>
> John Smith
> Learning Technologist
> School of Health & Life Sciences
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Monday, March 11, 2013 1:48 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm not sure you can do much with that class, it's just a black box.
> > > > -----Original Message----- > > From: > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@ list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: 11 March 2013 13:33 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Perhaps it should just feedback error codes, and the flash class translates them... > > > > Regards, > > > > John Smith > > Learning Technologist > > School of Health & Life Sciences > > Glasgow Caledonian University > > > > > > -----Original Message----- > > From: > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@ list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Julian Tenney > > Sent: Monday, March 11, 2013 1:21 PM > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl. > > > > -----Original Message----- > > From: > <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@ list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list > s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> mailto:xerte-dev-bounces at lists.nottingham.ac.uk] > On Behalf Of Smith, John > > Sent: 11 March 2013 12:45 > > To: For Xerte technical developers > > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php > > > > Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? 
I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...
> >
> > Glasgow Caledonian University is a registered Scottish charity, number SC021474
> >
> > Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system: you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.

--
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/115235d9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 30072 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/115235d9/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 34026 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/115235d9/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/115235d9/attachment-0001.jpg>

From Fay.Cross at nottingham.ac.uk Wed Mar 27 11:33:56 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Wed, 27 Mar 2013 11:33:56 +0000
Subject: [Xerte-dev] Connector Menu - bug in wizard
In-Reply-To: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com>
References: <9e05woaqgk3k79dpg34dq0pp.1363847919675@email.android.com>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B645@EXCHANGE1.ad.nottingham.ac.uk>

Something strange is happening when I use Last Entry / First Entry on the Connector Menu page. When I select pages from these drop downs, then swap to edit another page and then go back to the menu page in the wizard it always changes what I selected initially to the page before it. It always previews correctly.

From Fay.Cross at nottingham.ac.uk Wed Mar 27 17:17:22 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Wed, 27 Mar 2013 17:17:22 +0000
Subject: [Xerte-dev] HTML5
Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

3. Play / Preview links:

a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.

b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?

c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

4. Page models:

a. John - is the flickr page finished?

b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them

c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks

Fay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/6a16a59d/attachment.html>

From ronm at mitchellmedia.co.uk Wed Mar 27 17:57:13 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Wed, 27 Mar 2013 17:57:13 -0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <01d601ce2b14$842a2d60$8c7e8820$@co.uk>

Hi Fay

firstly on behalf of the whole community thanks for all your hard work on all the HTML 5 conversions - fantastic stuff!

A few comments/thoughts inline below...

HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
Sent: 27 March 2013 17:17
To: For Xerte technical developers
Subject: [Xerte-dev] HTML5

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

Would the easiest way to do this be to include an additional index page e.g. index_html5.htm
Should there be a separate HTML5 only export option?
HTML 5 export for viewing locally or importing into a VLE is certainly something people have been asking for

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

I've attached a sample .htaccess with most of this included you will need to replace /xerte/ with whatever your xot folder is which you can probably check in your existing .htaccess and just add in the missing lines. However at least some of the rss links need further work which I posted to the list previously but no reply. The htaccess.conf in the setup folder needs updating too but to be honest I'm not sure how that works e.g. if it's updated during install but I don't think it is.

3. Play / Preview links:

a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?

Yes I think so but see response to a. above

c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

4. Page models:

a. John - is the flickr page finished?

b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them

c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks

Fay
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/3fea821b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: .htaccess
Type: application/octet-stream
Size: 2921 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/3fea821b/attachment-0001.obj>

From reijnders at tor.nl Wed Mar 27 19:18:56 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Wed, 27 Mar 2013 20:18:56 +0100
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <51534620.6060705@tor.nl>

Like Ron says... Great Job!

I am working on SCORM.

Tom

On 27-3-2013 18:17, Fay Cross wrote:
>
> Hello all
>
> As you should know the HTML5 work is nearly complete and there are
> only a couple of page types for me to complete before we can release a
> new version of Toolkits with the HTML5 interface as the default view.
> I have a few things that I could do with some help on before the
> release so if anyone can give me a hand with them or just give your
> opinions it would be much appreciated...
>
> 1.Exporting HTML projects:
> The files that would need to be in the zip would be more or less the
> same as for the Flash version but using the common_html5 and
> models_html5 folders instead of common/models.
>
> 2.Abbreviated link:
> Possibly something Ron can help with as I've noticed it's working on
> his install. Can abbreviated links be made to work e.g.
> www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the
> full url?
> (Apologies Pat, I think you partly answered this for me previously but
> I can't find it)
>
> 3.Play / Preview links:
>
> a.Links in project properties, preview button in workspace and preview
> in wizard need to be updated to go to the HTML5 version.
>
> b.In the wizard should Ctrl-Click bring up the Flash version when
> clicking normally is changed to HTML5?
>
> c.Do you think there needs to be some browser detection that decides
> which version people see? The problem I can see with this is that if
> we start adding new features or pages to the HTML5 version then by
> sending them to the Flash version instead they may miss out on some
> content. Not many of the page types in the HTML5 version actually use
> HTML5 tags if that makes sense -- probably just the handful where the
> canvas tag is used (textDrawing, charts etc.) so there might not be
> many instances where there will be problems if you're on an older
> browser anyway.
>
> 4.Page models:
>
> a.John -- is the flickr page finished?
>
> b.Johnathan -- I've emailed you off list about a few queries I've got
> with the connector pages, I hope this is ok -- I didn't want to bother
> everyone else with them
>
> c.SCORM -- this isn't working at the moment but I can't quite remember
> what's missing. I'll email with more details of what help I might
> need when I've looked back at it
>
> Thanks
>
> Fay
>
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/b143a2aa/attachment.html>

From d_b_burnett at hotmail.com Wed Mar 27 19:49:56 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Wed, 27 Mar 2013 15:49:56 -0400
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <51534620.6060705@tor.nl>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>, <51534620.6060705@tor.nl>
Message-ID: <BLU153-W1432DD6B6134D24270F086A7D10@phx.gbl>

Ditto Fay!
A Herculean task!

Date: Wed, 27 Mar 2013 20:18:56 +0100
From: reijnders at tor.nl
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: HTML5

Like Ron says... Great Job!

I am working on SCORM.

Tom

On 27-3-2013 18:17, Fay Cross wrote:

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

3. Play / Preview links:

a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.

b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?

c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

4. Page models:

a. John - is the flickr page finished?

b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them

c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks

Fay

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

--
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/a930709c/attachment-0001.html> From d_b_burnett at hotmail.com Wed Mar 27 21:42:02 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Wed, 27 Mar 2013 17:42:02 -0400 Subject: [Xerte-dev] XOT Upload error In-Reply-To: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> Message-ID: <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl> Just installed 2 days ago, so assume this was the latest version. Trying to upload 12Mb zip. I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. In .htacccess php_value upload_max_filesize 100Mphp_value post_max_size 100Mphp_value max_execution_time 300php_value memory_limit 100M and querying phpinfo says they are indeed set to those vals. ? Dave -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/b7cf435a/attachment.html> From xerte at pgogywebstuff.com Wed Mar 27 22:42:30 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Wed, 27 Mar 2013 22:42:30 +0000 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl> Message-ID: <A71ED834-6826-4655-87DC-8395C04914C9@pgogywebstuff.com> Any more in the error than thingy? This is uploading in flash? Try on the media and quota page? Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote: > Just installed 2 days ago, so assume this was the latest version. > > Trying to upload 12Mb zip. > > I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. 
> > In .htacccess > > php_value upload_max_filesize 100M > php_value post_max_size 100M > php_value max_execution_time 300 > php_value memory_limit 100M > > and querying phpinfo says they are indeed set to those vals. > > ? > > Dave > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130327/ee4d59eb/attachment.html> From d_b_burnett at hotmail.com Wed Mar 27 22:53:31 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Wed, 27 Mar 2013 18:53:31 -0400 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <A71ED834-6826-4655-87DC-8395C04914C9@pgogywebstuff.com> References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com>, <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl>, <A71ED834-6826-4655-87DC-8395C04914C9@pgogywebstuff.com> Message-ID: <BLU153-W43017A3ABABE4867C9D540A7D10@phx.gbl> It is the media and quota page.Same error as this I thinkhttp://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html From: xerte at pgogywebstuff.com Date: Wed, 27 Mar 2013 22:42:30 +0000 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: XOT Upload error Any more in the error than thingy? This is uploading in flash? Try on the media and quota page? Pgogy Webstuff - http://www.pgogywebstuff.comMakers of web things of a fair to middling quality On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote: Just installed 2 days ago, so assume this was the latest version. Trying to upload 12Mb zip. I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. 
In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

From xerte at pgogywebstuff.com Wed Mar 27 23:09:12 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Wed, 27 Mar 2013 23:09:12 +0000
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <BLU153-W43017A3ABABE4867C9D540A7D10@phx.gbl>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com> <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl> <A71ED834-6826-4655-87DC-8395C04914C9@pgogywebstuff.com> <BLU153-W43017A3ABABE4867C9D540A7D10@phx.gbl>
Message-ID: <06CE855D-69D9-40BB-9705-EA9B1EA3377D@pgogywebstuff.com>

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

> It is the media and quota page.
> Same error as this I think
> http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 22:42:30 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Any more in the error than thingy?
>
> This is uploading in flash?
>
> Try on the media and quota page?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just installed 2 days ago, so assume this was the latest version.
>
> Trying to upload 12Mb zip.
>
> I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.
>
> In .htaccess
>
> php_value upload_max_filesize 100M
> php_value post_max_size 100M
> php_value max_execution_time 300
> php_value memory_limit 100M
>
> and querying phpinfo says they are indeed set to those vals.
>
> ?
>
> Dave

From xerte at pgogywebstuff.com Wed Mar 27 23:21:30 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Wed, 27 Mar 2013 23:21:30 +0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <149055EF-4905-4B0E-94A2-85496617FE24@pgogywebstuff.com>

The quick question is do you want the html5 version to be a separate module or an option within the existing module?
Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 17:17, Fay Cross <Fay.Cross at nottingham.ac.uk> wrote:

> Hello all
>
> As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...
>
> 1. Exporting HTML projects:
> The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.
>
> 2. Abbreviated link:
> Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url?
> (Apologies Pat, I think you partly answered this for me previously but I can't find it)
>
> 3. Play / Preview links:
> a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.
> b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?
> c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.
>
> 4. Page models:
> a. John - is the flickr page finished?
> b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them
> c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it
>
> Thanks
> Fay

From d_b_burnett at hotmail.com Wed Mar 27 23:20:52 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <06CE855D-69D9-40BB-9705-EA9B1EA3377D@pgogywebstuff.com>
References: <CABtG3=Uv4YvnrLfhffh2kf4pMu-Mr2zW3yYam_PctsSW4HOwuw@mail.gmail.com>, <BLU153-W41FEB7AEC78F120F8EFF8FA7D10@phx.gbl>, <A71ED834-6826-4655-87DC-8395C04914C9@pgogywebstuff.com>, <BLU153-W43017A3ABABE4867C9D540A7D10@phx.gbl>, <06CE855D-69D9-40BB-9705-EA9B1EA3377D@pgogywebstuff.com>
Message-ID: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?

Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave
From Fay.Cross at nottingham.ac.uk Thu Mar 28 08:42:02 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Thu, 28 Mar 2013 08:42:02 +0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <51534620.6060705@tor.nl>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <51534620.6060705@tor.nl>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B87A@EXCHANGE1.ad.nottingham.ac.uk>

Thanks Tom. The quiz page already contains a bit where it looks at the scorm attribute (track first/last score) and calls a function in the main interface file (xenith.js) with this info and the score. I wasn't sure what to do with this info after that though.

Let me know if you need any changes from me.

Fay

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 27 March 2013 19:19
To: For Xerte technical developers
Subject: [Xerte-dev] Re: HTML5

Like Ron says... Great Job!

I am working on SCORM.

Tom

On 27-3-2013 18:17, Fay Cross wrote:

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

3. Play / Preview links:
a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.
b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?
c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

4. Page models:
a. John - is the flickr page finished?
b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them
c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks
Fay

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
From Fay.Cross at nottingham.ac.uk Thu Mar 28 08:43:20 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Thu, 28 Mar 2013 08:43:20 +0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <149055EF-4905-4B0E-94A2-85496617FE24@pgogywebstuff.com>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <149055EF-4905-4B0E-94A2-85496617FE24@pgogywebstuff.com>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B87C@EXCHANGE1.ad.nottingham.ac.uk>

Umm sorry, remind me what you mean by that? I think an option within the existing module.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: 27 March 2013 23:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: HTML5

The quick question is do you want the html5 version to be a separate module or an option within the existing module?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 17:17, Fay Cross <Fay.Cross at nottingham.ac.uk<mailto:Fay.Cross at nottingham.ac.uk>> wrote:

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

3. Play / Preview links:
a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.
b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?
c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

4. Page models:
a. John - is the flickr page finished?
b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them
c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks
Fay
From Fay.Cross at nottingham.ac.uk Thu Mar 28 08:51:57 2013
From: Fay.Cross at nottingham.ac.uk (Fay Cross)
Date: Thu, 28 Mar 2013 08:51:57 +0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <01d601ce2b14$842a2d60$8c7e8820$@co.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <01d601ce2b14$842a2d60$8c7e8820$@co.uk>
Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B885@EXCHANGE1.ad.nottingham.ac.uk>

Thanks Ron

Should there be a separate HTML5 only export option?

That's what I assumed there would be but I suppose the files could just be added into the existing export with an extra index page

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

I like that idea

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though.

Thanks for files you sent - I'll have a look at them in a bit

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 27 March 2013 17:57
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: HTML5

Hi Fay

firstly on behalf of the whole community thanks for all your hard work on all the HTML 5 conversions - fantastic stuff!

A few comments/thoughts inline below...
HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
Sent: 27 March 2013 17:17
To: For Xerte technical developers
Subject: [Xerte-dev] HTML5

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

Would the easiest way to do this be to include an additional index page e.g. index_html5.htm

Should there be a separate HTML5 only export option?

HTML 5 export for viewing locally or importing into a VLE is certainly something people have been asking for

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

I've attached a sample .htaccess with most of this included you will need to replace /xerte/ with whatever your xot folder is which you can probably check in your existing .htaccess and just add in the missing lines. However at least some of the rss links need further work which I posted to the list previously but no reply. The htaccess.conf in the setup folder needs updating too but to be honest I'm not sure how that works e.g. if it's updated during install but I don't think it is.

3. Play / Preview links:
a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?

Yes I think so but see response to a. above

c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

4. Page models:
a. John - is the flickr page finished?
b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them
c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks
Fay
From ronm at mitchellmedia.co.uk Thu Mar 28 09:11:52 2013
From: ronm at mitchellmedia.co.uk (Ron Mitchell)
Date: Thu, 28 Mar 2013 09:11:52 -0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B885@EXCHANGE1.ad.nottingham.ac.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <01d601ce2b14$842a2d60$8c7e8820$@co.uk> <A44245E8C549494D9561A9727B89EEC80C3719B885@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <001f01ce2b94$4a465300$ded2f900$@co.uk>

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though.

I think this kind of depends on the default e.g. right now we obviously have play.php for Flash and play_htm5.php for html 5

If play.php detected for Flash player and if not found reverts to html 5 then perhaps only two links needed like we have now.

I guess if play.php becomes the html 5 view by default then the second link could be play_flash.php which still reverts to html 5 if flash player not found.

Would that work?

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
Sent: 28 March 2013 08:52
To: For Xerte technical developers
Subject: [Xerte-dev] Re: HTML5

Thanks Ron

Should there be a separate HTML5 only export option?

That's what I assumed there would be but I suppose the files could just be added into the existing export with an extra index page

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

I like that idea

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though.

Thanks for files you sent - I'll have a look at them in a bit

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 27 March 2013 17:57
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: HTML5

Hi Fay

firstly on behalf of the whole community thanks for all your hard work on all the HTML 5 conversions - fantastic stuff!

A few comments/thoughts inline below...

HTH
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
Sent: 27 March 2013 17:17
To: For Xerte technical developers
Subject: [Xerte-dev] HTML5

Hello all

As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated...

1. Exporting HTML projects:
The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models.

Would the easiest way to do this be to include an additional index page e.g. index_html5.htm

Should there be a separate HTML5 only export option?
HTML 5 export for viewing locally or importing into a VLE is certainly something people have been asking for

2. Abbreviated link:
Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it)

I've attached a sample .htaccess with most of this included you will need to replace /xerte/ with whatever your xot folder is which you can probably check in your existing .htaccess and just add in the missing lines. However at least some of the rss links need further work which I posted to the list previously but no reply. The htaccess.conf in the setup folder needs updating too but to be honest I'm not sure how that works e.g. if it's updated during install but I don't think it is.

3. Play / Preview links:
a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version.

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5?

Yes I think so but see response to a. above

c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway.

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

4. Page models:
a. John - is the flickr page finished?
b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them
c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it

Thanks
Fay

From reijnders at tor.nl Thu Mar 28 09:30:00 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 28 Mar 2013 10:30:00 +0100
Subject: [Xerte-dev] Audio Player controls show up in Youtube page
Message-ID: <51540D98.6040906@tor.nl>

If you have an audio file playing on a page, the player controls ALSO show up in any youtube page following that page.

It's working correctly in HTML5.

Seems like some state variable in XMLEngine I assume.

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From Julian.Tenney at nottingham.ac.uk Thu Mar 28 09:48:55 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 28 Mar 2013 09:48:55 +0000
Subject: [Xerte-dev] Re: Audio Player controls show up in Youtube page
In-Reply-To: <51540D98.6040906@tor.nl>
References: <51540D98.6040906@tor.nl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF09666@EXCHANGE1.ad.nottingham.ac.uk>

You mean if you use narration? The controllers aren't killed by a youtube page? When it's the next page - or when it's any future page?
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 28 March 2013 09:30
To: For Xerte technical developers
Subject: [Xerte-dev] Audio Player controls show up in Youtube page

If you have an audio file playing on a page, the player controls ALSO show up in any youtube page following that page.

It's working correctly in HTML5.

Seems like some state variable in XMLEngine I assume.

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

From Julian.Tenney at nottingham.ac.uk Thu Mar 28 09:51:01 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 28 Mar 2013 09:51:01 +0000
Subject: [Xerte-dev] Re: HTML5
In-Reply-To: <001f01ce2b94$4a465300$ded2f900$@co.uk>
References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <01d601ce2b14$842a2d60$8c7e8820$@co.uk> <A44245E8C549494D9561A9727B89EEC80C3719B885@EXCHANGE1.ad.nottingham.ac.uk> <001f01ce2b94$4a465300$ded2f900$@co.uk>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF0966B@EXCHANGE1.ad.nottingham.ac.uk>

play_560 for example should always play the flash version, because that was the version it was designed in / for. We should use a new URL for the play_html5 version. It's up to people to decide whether to leave existing material as is, doing what it always has done, or whether to switch the links over.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 28 March 2013 09:12
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: HTML5

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though.

I think this kind of depends on the default e.g. right now we obviously have play.php for Flash and play_htm5.php for html 5

If play.php detected for Flash player and if not found reverts to html 5 then perhaps only two links needed like we have now.

I guess if play.php becomes the html 5 view by default then the second link could be play_flash.php which still reverts to html 5 if flash player not found.

Would that work?

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross
Sent: 28 March 2013 08:52
To: For Xerte technical developers
Subject: [Xerte-dev] Re: HTML5

Thanks Ron

Should there be a separate HTML5 only export option?

That's what I assumed there would be but I suppose the files could just be added into the existing export with an extra index page

Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option?

I like that idea

Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5

So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though.
Thanks for files you sent - I'll have a look at them in a bit From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell Sent: 27 March 2013 17:57 To: 'For Xerte technical developers' Subject: [Xerte-dev] Re: HTML5 Hi Fay firstly on behalf of the whole community thanks for all your hard work on all the HTML 5 conversions - fantastic stuff! A few comments/thoughts inline below... HTH Ron From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: 27 March 2013 17:17 To: For Xerte technical developers Subject: [Xerte-dev] HTML5 Hello all As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... 1. Exporting HTML projects: The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. Would the easiest way to do this be to include an additional index page e.g. index_html5.htm Should there be a separate HTML5 only export option? HTML 5 export for viewing locally or importing into a VLE is certainly something people have been asking for 2. Abbreviated link: Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url?
(Apologies Pat, I think you partly answered this for me previously but I can't find it) I've attached a sample .htaccess with most of this included you will need to replace /xerte/ with whatever your xot folder is which you can probably check in your existing .htaccess and just add in the missing lines. However at least some of the rss links need further work which I posted to the list previously but no reply. The htaccess.conf in the setup folder needs updating too but to be honest I'm not sure how that works e.g. if it's updated during install but I don't think it is. 3. Play / Preview links: a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option? b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? Yes I think so but see response to a. above c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5 4. Page models: a. John - is the flickr page finished? b. 
Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it Thanks Fay -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/8ed838b4/attachment-0001.html> From reijnders at tor.nl Thu Mar 28 10:16:50 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 11:16:50 +0100 Subject: [Xerte-dev] Re: Audio Player controls show up in Youtube page In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF09666@EXCHANGE1.ad.nottingham.ac.uk> References: <51540D98.6040906@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF09666@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <51541892.5040601@tor.nl> When you used narration on a previous page the controls show up in the youtube page. The youtube page itself has no narration set. So 1. LO - Text Without Narration - Youtube without narration --> controls don't show, like expected On 28-3-2013 10:48, Julian Tenney wrote: 2. LO - Text With Narration - Youtube without narration --> controls show Tom > You mean if you use narration? The controllers aren't killed by a youtube page? When it's the next page - or when it's any future page? > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > Sent: 28 March 2013 09:30 > To: For Xerte technical developers > Subject: [Xerte-dev] Audio Player controls show up in Youtube page > > If you have an audio file playing on a page, the player controls ALSO show up in any youtube page following that page. > > It's working correctly in HTML5. Seems like some state variable in XMLEngine I assume.
> > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > This message has been checked for viruses but the contents of an attachment > may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. Email communications with the > University of Nottingham may be monitored as permitted by UK legislation. -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From J.J.Smith at gcu.ac.uk Thu Mar 28 10:35:00 2013 From: J.J.Smith at gcu.ac.uk (Smith, John) Date: Thu, 28 Mar 2013 10:35:00 +0000 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74E6B@ITSEMBXCLUS.enterprise.gcal.ac.uk> Hi Fay, It works per se but needs 3 ajax requests from memory so can be a little flaky. I haven't really looked at it to be honest since you fixed the duplicate button problem.
I have some time tomorrow though so will try to take another look to see if I can do anything to make it more reliable and make the user experience a little better. Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: Wednesday, March 27, 2013 5:17 PM To: For Xerte technical developers Subject: [Xerte-dev] HTML5 Hello all As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... 1. Exporting HTML projects: The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. 2. Abbreviated link: Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url? (Apologies Pat, I think you partly answered this for me previously but I can't find it) 3. Play / Preview links: a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? c. Do you think there needs to be some browser detection that decides which version people see? 
The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. 4. Page models: a. John - is the flickr page finished? b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it Thanks Fay Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/9baa0348/attachment.html> From Fay.Cross at nottingham.ac.uk Thu Mar 28 11:29:38 2013 From: Fay.Cross at nottingham.ac.uk (Fay Cross) Date: Thu, 28 Mar 2013 11:29:38 +0000 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247FC74E6B@ITSEMBXCLUS.enterprise.gcal.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <EE0B2AFFDB88B34AA864E00CE98914C2247FC74E6B@ITSEMBXCLUS.enterprise.gcal.ac.uk> Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719B9ED@EXCHANGE1.ad.nottingham.ac.uk> Great, thanks From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John Sent: 28 March 2013 10:35 To: For Xerte technical developers Subject: [Xerte-dev] Re: HTML5 Hi Fay, It works per se but needs 3 ajax requests from memory so can be a little flaky. I haven't really looked at it to be honest since you fixed the duplicate button problem. I have some time tomorrow though so will try to take another look to see if I can do anything to make it more reliable and make the user experience a little better. Regards, John Smith Learning Technologist School of Health & Life Sciences Glasgow Caledonian University From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: Wednesday, March 27, 2013 5:17 PM To: For Xerte technical developers Subject: [Xerte-dev] HTML5 Hello all As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... 1.
Exporting HTML projects: The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. 2. Abbreviated link: Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url? (Apologies Pat, I think you partly answered this for me previously but I can't find it) 3. Play / Preview links: a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. 4. Page models: a. John - is the flickr page finished? b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them c. SCORM - this isn't working at the moment but I can't quite remember what's missing. 
I'll email with more details of what help I might need when I've looked back at it Thanks Fay Glasgow Caledonian University is a registered Scottish charity, number SC021474 Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners. http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/30efcb60/attachment-0001.html> From reijnders at tor.nl Thu Mar 28 11:45:42 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 12:45:42 +0100 Subject: [Xerte-dev] SCORM GetValue/SetValue Message-ID: <51542D66.2070601@tor.nl> Julian, I know you can use _level0.GetValue and level0.SetValue in .rlmscripts, but how does that work? How and where is level0.SetValue defined and how does it know to call the javascript SetValue function. I would have expected a definition of SetValue somewhere in the engine that calls callJS(SetValue... or something similar, but I can't find anything in the Engine. What I want, is to change the FRAMEWORK.OpenPage and FRAMEWORK.ClosePage to track entry and exits of pages using scorm or tin can (or nothing, in that case it would call some empty functions, like the previewer is doing now for the scorm tracking).
Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From Julian.Tenney at nottingham.ac.uk Thu Mar 28 12:30:55 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 28 Mar 2013 12:30:55 +0000 Subject: [Xerte-dev] Re: SCORM GetValue/SetValue In-Reply-To: <51542D66.2070601@tor.nl> References: <51542D66.2070601@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk> The functions are defined in MainPreloader.swf You call _level0.get / setValue(), which does the ExternalInterface.call(jsfunctions) stuff. The initialise and quit are done automatically by the web page, so developers only have to worry about get / set values. What you suggest should be easy enough: add something to the FRAMEWORK.prototype functions to track stuff if tracking is turned on... J -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 March 2013 11:46 To: For Xerte technical developers Subject: [Xerte-dev] SCORM GetValue/SetValue Julian, I know you can use _level0.GetValue and level0.SetValue in .rlmscripts, but how does that work? How and where is level0.SetValue defined and how does it know to call the javascript SetValue function. I would have expected a definition of SetValue somewhere in the engine that calls callJS(SetValue... or something similar, but I can't find anything in the Engine. What I want, is to change the FRAMEWORK.OpenPage and FRAMEWORK.ClosePage to track entry and exits of pages using scorm or tin can (or nothing, in that case it would call some empty functions, like the previewer is doing now for the scorm tracking).
Tom -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From reijnders at tor.nl Thu Mar 28 12:43:33 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 13:43:33 +0100 Subject: [Xerte-dev] Re: SCORM GetValue/SetValue In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk> References: <51542D66.2070601@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <51543AF5.8020304@tor.nl> MainPreloader... I knew I had seen it somewhere ;-) On 28-3-2013 13:30, Julian Tenney wrote: > The functions are defined in MainPreloader.swf > > You call _level0.get / setValue(), which does the ExternalInterface.call(jsfunctions) stuff. The initialise and quit are done automatically by the web page, so developers only have to worry about get / set values. > > What you suggest should be easy enough: add something to the FRAMEWORK.prototype functions to track stuff if tracking is turned on... > > J > > -----Original Message----- > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders > Sent: 28 March 2013 11:46 > To: For Xerte technical developers > Subject: [Xerte-dev] SCORM GetValue/SetValue > > Julian, > > I know you can use _level0.GetValue and level0.SetValue in .rlmscripts, but how does that work? How and where is level0.SetValue defined and how does it know to call the javascript SetValue function. > > I would have expected a definition of SetValue somewhere in the engine that calls callJS(SetValue... or something similar, but I can't find anything in the Engine.
> > What I want, is to change the FRAMEWORK.OpenPage and FRAMEWORK.ClosePage to track entry and exits of pages using scorm or tin can (or nothing, in that case it would call some empty functions, like the previewer is doing now for the scorm tracking). > > Tom > > -- > -- > > Tom Reijnders > TOR Informatica > Chopinlaan 27 > 5242HM Rosmalen > Tel: 073 5226191 > Fax: 073 5226196 > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham. > > This message has been checked for viruses but the contents of an attachment > may still contain software viruses which could damage your computer system: > you are advised to perform your own checks. Email communications with the > University of Nottingham may be monitored as permitted by UK legislation.
-- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From Julian.Tenney at nottingham.ac.uk Thu Mar 28 14:37:21 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 28 Mar 2013 14:37:21 +0000 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF0986D@EXCHANGE1.ad.nottingham.ac.uk> Brilliant. 1. Exporting seems to cause people a lot of problems, but I guess they do seem to use it (rightly or wrongly). I'd prefer to have options to export the various types of zip for either html5 or flash, I think. I have no idea how hard this is to do? I'd love to drop this functionality because it just seems to cause a lot of unnecessary problems, I'm not sure people really need to export content as much as they do - but there are some valid reasons to do it, so I suppose we're stuck with it. Tom adapted the original exporting code, would this be something that is easy for Tom to look at? Or reassure me that I can adapt your code easily to use different paths / folders etc? 2. The play_html5_1234 is a good idea, yes, for consistency. On installs where this works, does the play_html5.php?template_id= work as well? 3. Yes, everything should default to the html5 output. Peer review needs a new URL as well. CTRL-Click can launch the flash version instead from the wizard. I'm not sure we need browser detection: people should use the URL they built it for; however, we should probably put something in place for older browsers to say 'upgrade your browser' or similar? I'm guessing the paths are easy to amend in the php? What else do we need to look at before we can release this? This morning we tentatively agreed to have it all ready for FRIDAY 26th APRIL. 
Do we need a list of open issues that need resolving before the release? I'm thinking of the Firefox security thing in particular, though it sounds like you're getting close John? Also the thing with the buttons staying greyed out that appeared recently? If Tom's SCORM work isn't ready by then, I'm not sure it's a big problem? I've made a titanpad here for a list of things to do: http://titanpad.com/xottwopointoh. I want to concentrate on finishing existing work, rather than starting anything new just now, but please add any bugs to it as well, and we'll fix as many as we can. An aside, is it worth starting to think about when / where we do another AGM? If we do it outside of teaching time, we can do it in rooms here at no cost. Maybe sometime in July? I'm off next week, but will have some time after that to help out with getting this finished, Julian From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: 27 March 2013 17:17 To: For Xerte technical developers Subject: [Xerte-dev] HTML5 Hello all As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... 1. Exporting HTML projects: The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. 2. Abbreviated link: Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url? 
(Apologies Pat, I think you partly answered this for me previously but I can't find it) 3. Play / Preview links: a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. 4. Page models: a. John - is the flickr page finished? b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it Thanks Fay -------------- next part -------------- An HTML attachment was scrubbed... 
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/5af9e688/attachment-0001.html> From Fay.Cross at nottingham.ac.uk Thu Mar 28 14:53:14 2013 From: Fay.Cross at nottingham.ac.uk (Fay Cross) Date: Thu, 28 Mar 2013 14:53:14 +0000 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF0986D@EXCHANGE1.ad.nottingham.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4EF0986D@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <A44245E8C549494D9561A9727B89EEC80C3719BB62@EXCHANGE1.ad.nottingham.ac.uk> At the moment pages that use the canvas tag (which doesn't work in IE8 for example) already give a message that your browser doesn't fully support this file type. Maybe all we need to do then is just add a link pointing to the html5 version to the 'install Flash' message you already get if you try to view the Flash link without it. I can probably come to the AGM if it's before the end of June but I'm unlikely to be here from July onwards... From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney Sent: 28 March 2013 14:37 To: For Xerte technical developers Subject: [Xerte-dev] Re: HTML5 Brilliant. 1. Exporting seems to cause people a lot of problems, but I guess they do seem to use it (rightly or wrongly). I'd prefer to have options to export the various types of zip for either html5 or flash, I think. I have no idea how hard this is to do? I'd love to drop this functionality because it just seems to cause a lot of unnecessary problems, I'm not sure people really need to export content as much as they do - but there are some valid reasons to do it, so I suppose we're stuck with it. Tom adapted the original exporting code, would this be something that is easy for Tom to look at? Or reassure me that I can adapt your code easily to use different paths / folders etc? 2. 
The play_html5_1234 is a good idea, yes, for consistency. On installs where this works, does the play_html5.php?template_id= work as well? 3. Yes, everything should default to the html5 output. Peer review needs a new URL as well. CTRL-Click can launch the flash version instead from the wizard. I'm not sure we need browser detection: people should use the URL they built it for; however, we should probably put something in place for older browsers to say 'upgrade your browser' or similar? I'm guessing the paths are easy to amend in the php? What else do we need to look at before we can release this? This morning we tentatively agreed to have it all ready for FRIDAY 26th APRIL. Do we need a list of open issues that need resolving before the release? I'm thinking of the Firefox security thing in particular, though it sounds like you're getting close John? Also the thing with the buttons staying greyed out that appeared recently? If Tom's SCORM work isn't ready by then, I'm not sure it's a big problem? I've made a titanpad here for a list of things to do: http://titanpad.com/xottwopointoh. I want to concentrate on finishing existing work, rather than starting anything new just now, but please add any bugs to it as well, and we'll fix as many as we can. An aside, is it worth starting to think about when / where we do another AGM? If we do it outside of teaching time, we can do it in rooms here at no cost. Maybe sometime in July? 
I'm off next week, but will have some time after that to help out with getting this finished, Julian From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross Sent: 27 March 2013 17:17 To: For Xerte technical developers Subject: [Xerte-dev] HTML5 Hello all As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... 1. Exporting HTML projects: The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. 2. Abbreviated link: Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560<http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than using the full url? (Apologies Pat, I think you partly answered this for me previously but I can't find it) 3. Play / Preview links: a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. 
Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. 4. Page models: a. John - is the flickr page finished? b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it Thanks Fay -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/e4a6db4b/attachment.html> From xerte at pgogywebstuff.com Thu Mar 28 14:11:35 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Thu, 28 Mar 2013 14:11:35 +0000 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF0966B@EXCHANGE1.ad.nottingham.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <01d601ce2b14$842a2d60$8c7e8820$@co.uk> <A44245E8C549494D9561A9727B89EEC80C3719B885@EXCHANGE1.ad.nottingham.ac.uk> <001f01ce2b94$4a465300$ded2f900$@co.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4EF0966B@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <42A963CC-92EC-4DE1-8EF6-6C234B35F337@pgogywebstuff.com> Ok, But we aren't just talking playing - we are also talking to export URLs and the scorm urls and the RSS feed urls and the syndicate urls. So, yeah, two play urls is a bit messy Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Mar 2013, at 09:51, Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote: > play_560 for example should always play the flash version, because that was the version it was designed in / for. 
We should use a new URL for the play_html5 version. It's up to people to decide whether to leave existing material as is, doing what it always has done, or whether to switch the links over. > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > Sent: 28 March 2013 09:12 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: HTML5 > > Personally I think we need manual choice as well as browser detection e.g. even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5 > So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though. > > I think this kind of depends on the default e.g. right now we obviously have play.php for Flash and play_htm5.php for html 5 > If play.php detected for Flash player and if not found reverts to html 5 then perhaps only two links needed like we have now. > I guess if play.php becomes the html 5 view by default then the second link could be play_flash.php which still reverts to html 5 if flash player not found. > > Would that work? > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross > Sent: 28 March 2013 08:52 > To: For Xerte technical developers > Subject: [Xerte-dev] Re: HTML5 > > Thanks Ron > > > Should there be a separate HTML5 only export option? > That's what I assumed there would be but I suppose the files could just be added into the existing export with an extra index page > > > Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option? > I like that idea > > > Personally I think we need manual choice as well as browser detection e.g.
even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5 > So there'd be 3 types of links then? One forcing to Flash, one forcing to HTML5 and one deciding for you? Is that going to confuse people as to what link they're sharing? I agree you need to be able to make manual choice too though. > > > Thanks for files you sent - I'll have a look at them in a bit > > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell > Sent: 27 March 2013 17:57 > To: 'For Xerte technical developers' > Subject: [Xerte-dev] Re: HTML5 > > Hi Fay > firstly on behalf of the whole community thanks for all your hard work on all the HTML 5 conversions - fantastic stuff! > > A few comments/thoughts inline below... > > HTH > Ron > > From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Fay Cross > Sent: 27 March 2013 17:17 > To: For Xerte technical developers > Subject: [Xerte-dev] HTML5 > > Hello all > > As you should know the HTML5 work is nearly complete and there are only a couple of page types for me to complete before we can release a new version of Toolkits with the HTML5 interface as the default view. I have a few things that I could do with some help on before the release so if anyone can give me a hand with them or just give your opinions it would be much appreciated... > > 1. Exporting HTML projects: > The files that would need to be in the zip would be more or less the same as for the Flash version but using the common_html5 and models_html5 folders instead of common/models. > Would the easiest way to do this be to include an additional index page e.g. index_html5.htm > Should there be a separate HTML5 only export option? > HTML 5 export for viewing locally or importing into a VLE is certainly something people have been asking for > > 2.
Abbreviated link: > Possibly something Ron can help with as I've noticed it's working on his install. Can abbreviated links be made to work e.g. www.nottingham.ac.uk/toolkits/play_html5_560 rather than using the full url? > (Apologies Pat, I think you partly answered this for me previously but I can't find it) > I've attached a sample .htaccess with most of this included you will need to replace /xerte/ with whatever your xot folder is which you can probably check in your existing .htaccess and just add in the missing lines. However at least some of the rss links need further work which I posted to the list previously but no reply. > The htaccess.conf in the setup folder needs updating too but to be honest I'm not sure how that works e.g. if it's updated during install but I don't think it is. > > 3. Play / Preview links: > a. Links in project properties, preview button in workspace and preview in wizard need to be updated to go to the HTML5 version. > Should this be a management option e.g. giving people control over what is the default and what is the Ctrl + Click option? > b. In the wizard should Ctrl-Click bring up the Flash version when clicking normally is changed to HTML5? > Yes I think so but see response to a. above > c. Do you think there needs to be some browser detection that decides which version people see? The problem I can see with this is that if we start adding new features or pages to the HTML5 version then by sending them to the Flash version instead they may miss out on some content. Not many of the page types in the HTML5 version actually use HTML5 tags if that makes sense - probably just the handful where the canvas tag is used (textDrawing, charts etc.) so there might not be many instances where there will be problems if you're on an older browser anyway. > Personally I think we need manual choice as well as browser detection e.g.
even if browser detection is built in it should still be possible to share a link to view via flash and a separate link to view via HTML 5 > > 4. Page models: > a. John - is the flickr page finished? > b. Johnathan - I've emailed you off list about a few queries I've got with the connector pages, I hope this is ok - I didn't want to bother everyone else with them > c. SCORM - this isn't working at the moment but I can't quite remember what's missing. I'll email with more details of what help I might need when I've looked back at it > > Thanks > Fay > > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/6f091372/attachment-0001.html> From reijnders at tor.nl Thu Mar 28 15:05:45 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 16:05:45 +0100 Subject: [Xerte-dev] Re: SCORM GetValue/SetValue In-Reply-To: <51543AF5.8020304@tor.nl> References: <51542D66.2070601@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk> <51543AF5.8020304@tor.nl> Message-ID: <51545C49.5020204@tor.nl> That's working fine now, except for the first page after loading the LO. Apparently, the first page isn't opened with OpenPage. I can't figure out how this is done. Any pointers? Tom On 28-3-2013 13:43, Tom Reijnders wrote: > MainPreloader... I knew I had seen it somewhere ;-) > > On 28-3-2013 13:30, Julian Tenney wrote: >> The functions are defined in MainPreloader.swf >> >> You call _level0.get / setValue(), which does the >> ExternalInterface.call(jsfunctions) stuff. The initialise and quit >> are done automatically by the web page, so developers only have to >> worry about get / set values.
>> >> What you suggest should be easy enough: add something to the >> FRAMEWORK.prototype functions to track stuff if tracking is turned on... >> >> J >> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom >> Reijnders >> Sent: 28 March 2013 11:46 >> To: For Xerte technical developers >> Subject: [Xerte-dev] SCORM GetValue/SetValue >> >> Julian, >> >> I know you can use _level0.GetValue and level0.SetValue in >> .rlmscripts, but how does that work? How and where is level0.SetValue >> defined and how does it know to call the javascript SetValue function. >> >> I would have expected a definition of SetValue somewhere in the >> engine that calls callJS(SetValue... or something similar, but I >> can't find anything in the Engine. >> >> What I want, is to change the FRAMEWORK.OpenPage and >> FRAMEWORK.ClosePage to track entry and exits of pages using scorm or >> tin can (or nothing, in that case it would call some empty functions, >> like the previewer is doing now for the scorm tracking. >> >> Tom >> >> -- >> -- >> >> Tom Reijnders >> TOR Informatica >> Chopinlaan 27 >> 5242HM Rosmalen >> Tel: 073 5226191 >> Fax: 073 5226196 >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> This message and any attachment are intended solely for the addressee >> and may contain confidential information. If you have received this >> message in error, please send it back to me, and immediately delete >> it. Please do not use, copy or disclose the information contained >> in this message or in any attachment.
Any views or opinions >> expressed by the author of this email do not necessarily reflect the >> views of the University of Nottingham. >> >> This message has been checked for viruses but the contents of an >> attachment >> may still contain software viruses which could damage your computer >> system: >> you are advised to perform your own checks. Email communications with >> the >> University of Nottingham may be monitored as permitted by UK >> legislation. > -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 From Julian.Tenney at nottingham.ac.uk Thu Mar 28 15:14:32 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 28 Mar 2013 15:14:32 +0000 Subject: [Xerte-dev] Re: SCORM GetValue/SetValue In-Reply-To: <51545C49.5020204@tor.nl> References: <51542D66.2070601@tor.nl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk> <51543AF5.8020304@tor.nl> <51545C49.5020204@tor.nl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF098A8@EXCHANGE1.ad.nottingham.ac.uk> I think it's just done by the parser. Can you use onInit, or add some code close to that in the engine? That fires once the initial parse is done, so page one will be up and running. -----Original Message----- From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders Sent: 28 March 2013 15:06 To: For Xerte technical developers Subject: [Xerte-dev] Re: SCORM GetValue/SetValue That's working fine now, except for the first page after loading the LO. Apparently, the first page isn't opened with OpenPage. I can't figure out how this is done. Any pointers? Tom On 28-3-2013 13:43, Tom Reijnders wrote: > MainPreloader... I knew I had seen it somewhere ;-) > > On 28-3-2013 13:30, Julian Tenney wrote: >> The functions are defined in MainPreloader.swf >> >> You call _level0.get / setValue(), which does the >> ExternalInterface.call(jsfunctions) stuff.
The initialise and quit >> are done automatically by the web page, so developers only have to >> worry about get / set values. >> >> What you suggest should be easy enough: add something to the >> FRAMEWORK.prototype functions to track stuff if tracking is turned on... >> >> J >> >> -----Original Message----- >> From: xerte-dev-bounces at lists.nottingham.ac.uk >> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom >> Reijnders >> Sent: 28 March 2013 11:46 >> To: For Xerte technical developers >> Subject: [Xerte-dev] SCORM GetValue/SetValue >> >> Julian, >> >> I know you can use _level0.GetValue and level0.SetValue in >> .rlmscripts, but how does that work? How and where is level0.SetValue >> defined and how does it know to call the javascript SetValue function. >> >> I would have expected a definition of SetValue somewhere in the >> engine that calls callJS(SetValue... or something similar, but I >> can't find anything in the Engine. >> >> What I want, is to change the FRAMEWORK.OpenPage and >> FRAMEWORK.ClosePage to track entry and exits of pages using scorm or >> tin can (or nothing, in that case it would call some empty functions, >> like the previewer is doing now for the scorm tracking. >> >> Tom >> >> -- >> -- >> >> Tom Reijnders >> TOR Informatica >> Chopinlaan 27 >> 5242HM Rosmalen >> Tel: 073 5226191 >> Fax: 073 5226196 >> >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> >> _______________________________________________ >> Xerte-dev mailing list >> Xerte-dev at lists.nottingham.ac.uk >> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev >> This message and any attachment are intended solely for the addressee >> and may contain confidential information. If you have received this >> message in error, please send it back to me, and immediately delete >> it.
Please do not use, copy or disclose the information contained >> in this message or in any attachment. Any views or opinions >> expressed by the author of this email do not necessarily reflect the >> views of the University of Nottingham. >> >> This message has been checked for viruses but the contents of an >> attachment may still contain software viruses which could damage your >> computer >> system: >> you are advised to perform your own checks. Email communications with >> the University of Nottingham may be monitored as permitted by UK >> legislation. > -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev From d_b_burnett at hotmail.com Thu Mar 28 15:38:55 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Thu, 28 Mar 2013 11:38:55 -0400 Subject: [Xerte-dev] Visuals exposed? In-Reply-To: <51545C49.5020204@tor.nl> References: <51542D66.2070601@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, <51543AF5.8020304@tor.nl>, <51545C49.5020204@tor.nl> Message-ID: <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl> Can I programmatically toggle visuals? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/6d6ef365/attachment.html> From Julian.Tenney at nottingham.ac.uk Thu Mar 28 15:48:11 2013 From: Julian.Tenney at nottingham.ac.uk (Julian Tenney) Date: Thu, 28 Mar 2013 15:48:11 +0000 Subject: [Xerte-dev] Re: Visuals exposed? 
In-Reply-To: <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl> References: <51542D66.2070601@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, <51543AF5.8020304@tor.nl>, <51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl> Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk> rootIcon.hideControls() but there's a bit more to it I think. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: 28 March 2013 15:39 To: For Xerte technical developers Subject: [Xerte-dev] Visuals exposed? Can I programmatically toggle visuals? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/aa194797/attachment.html> From reijnders at tor.nl Thu Mar 28 16:12:32 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 17:12:32 +0100 Subject: [Xerte-dev] Re: Visuals exposed? In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk> References: <51542D66.2070601@tor.nl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, <51543AF5.8020304@tor.nl>, <51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl> <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <51546BF0.9020809@tor.nl> Do you have any particular visuals in mind? In the Xerte Desktop and the latest xot you can also set the 'visuals' attribute of the learning object to 2 On 28-3-2013 16:48, Julian Tenney wrote: > > rootIcon.hideControls() but there's a bit more to it I think. > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Dave > Burnett > *Sent:* 28 March 2013 15:39 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] Visuals exposed?
> > Can I programmatically toggle visuals? > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/45148b95/attachment-0001.html> From reijnders at tor.nl Thu Mar 28 15:04:43 2013 From: reijnders at tor.nl (Tom Reijnders) Date: Thu, 28 Mar 2013 16:04:43 +0100 Subject: [Xerte-dev] Re: HTML5 In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4EF0986D@EXCHANGE1.ad.nottingham.ac.uk> References: <A44245E8C549494D9561A9727B89EEC80C3719B815@EXCHANGE1.ad.nottingham.ac.uk> <12C67A1EEC419342AF5E59DA31562C3F0C4EF0986D@EXCHANGE1.ad.nottingham.ac.uk> Message-ID: <51545C0B.5050500@tor.nl> Op 28-3-2013 15:37, Julian Tenney schreef: > > Brilliant. > > 1.Exporting seems to cause people a lot of problems, but I guess they > do seem to use it (rightly or wrongly). I'd prefer to have options to > export the various types of zip for either html5 or flash, I think. I > have no idea how hard this is to do? I'd love to drop this > functionality because it just seems to cause a lot of unnecessary > problems, I'm not sure people really need to export content as much as > they do -- but there are some valid reasons to do it, so I suppose > we're stuck with it. Tom adapted the original exporting code, would > this be something that is easy for Tom to look at? Or reassure me that > I can adapt your code easily to use different paths / folders etc? > I'll look into this. I need to anyways, because of SCORM. > 2.The play_html5_1234 is a good idea, yes, for consistency. On > installs where this works, does the play_html5.php?template_id=work as > well? > yes the other URL will work as well. 
> > 3.Yes, everything should default to the html5 output. Peer review > needs a new URL as well. CTRL-Click can launch the flash version > instead from the wizard. I'm not sure we need browser detection: > people should use the URL they built it for; however, we should > probably put something in place for older browsers to say 'upgrade > your browser' or similar? I'm guessing the paths are easy to amend in > the php? > > What else do we need to look at before we can release this? This > morning we tentatively agreed to have it all ready for *FRIDAY 26^th > APRIL. *Do we need a list of open issues that need resolving before > the release? I'm thinking of the Firefox security thing in particular, > though it sounds like you're getting close John? Also the thing with > the buttons staying greyed out that appeared recently? If Tom's SCORM > work isn't ready by then, I'm not sure it's a big problem? > No, I don't think SCORM is a show stopper (but I'll do my utmost!) > I've made a titanpad here for a list of things to do: > http://titanpad.com/xottwopointoh. I want to concentrate on finishing > existing work, rather than starting anything new just now, but please > add any bugs to it as well, and we'll fix as many as we can. > > An aside, is it worth starting to think about when / where we do > another AGM? If we do it outside of teaching time, we can do it in > rooms here at no cost. Maybe sometime in July? 
> > I'm off next week, but will have some time after that to help out with > getting this finished, > > Julian > > *From:*xerte-dev-bounces at lists.nottingham.ac.uk > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Fay Cross > *Sent:* 27 March 2013 17:17 > *To:* For Xerte technical developers > *Subject:* [Xerte-dev] HTML5 > > Hello all > > As you should know the HTML5 work is nearly complete and there are > only a couple of page types for me to complete before we can release a > new version of Toolkits with the HTML5 interface as the default view. > I have a few things that I could do with some help on before the > release so if anyone can give me a hand with them or just give your > opinions it would be much appreciated... > > 1.Exporting HTML projects: > The files that would need to be in the zip would be more or less the > same as for the Flash version but using the common_html5 and > models_html5 folders instead of common/models. > > 2.Abbreviated link: > Possibly something Ron can help with as I've noticed it's working on > his install. Can abbreviated links be made to work e.g. > www.nottingham.ac.uk/toolkits/play_html5_560 > <http://www.nottingham.ac.uk/toolkits/play_html5_560> rather than > using the full url? > (Apologies Pat, I think you partly answered this for me previously but > I can't find it) > > 3.Play / Preview links: > > a.Links in project properties, preview button in workspace and preview > in wizard need to be updated to go to the HTML5 version. > > b.In the wizard should Ctrl-Click bring up the Flash version when > clicking normally is changed to HTML5? > > c.Do you think there needs to be some browser detection that decides > which version people see? The problem I can see with this is that if > we start adding new features or pages to the HTML5 version then by > sending them to the Flash version instead they may miss out on some > content. 
Not many of the page types in the HTML5 version actually use > HTML5 tags if that makes sense -- probably just the handful where the > canvas tag is used (textDrawing, charts etc.) so there might not be > many instances where there will be problems if you're on an older > browser anyway. > > 4.Page models: > > a.John -- is the flickr page finished? > > b.Johnathan -- I've emailed you off list about a few queries I've got > with the connector pages, I hope this is ok -- I didn't want to bother > everyone else with them > > c.SCORM -- this isn't working at the moment but I can't quite remember > what's missing. I'll email with more details of what help I might > need when I've looked back at it > > Thanks > > Fay > > > > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/9a1b0c8d/attachment.html> From d_b_burnett at hotmail.com Thu Mar 28 16:53:42 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Thu, 28 Mar 2013 12:53:42 -0400 Subject: [Xerte-dev] Re: Visuals exposed? In-Reply-To: <51546BF0.9020809@tor.nl> References: <51542D66.2070601@tor.nl>, , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , <51543AF5.8020304@tor.nl>, , <51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, <51546BF0.9020809@tor.nl> Message-ID: <BLU153-W5645316124EC3715C5300A7D20@phx.gbl> Hi Tom,I'm looking into the various approaches to custom skinning XOT at runtime.I guess if I set visuals to 0 I have a blank canvas to play with. 
Date: Thu, 28 Mar 2013 17:12:32 +0100 From: reijnders at tor.nl To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: Visuals exposed? Do you have any particular visuals in mind? In the Xerte Desktop and the latest xot you can also set the 'visuals' attribute of the learning object to 2 On 28-3-2013 16:48, Julian Tenney wrote: rootIcon.hideControls() but there's a bit more to it I think. From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett Sent: 28 March 2013 15:39 To: For Xerte technical developers Subject: [Xerte-dev] Visuals exposed? Can I programmatically toggle visuals? _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -- -- Tom Reijnders TOR Informatica Chopinlaan 27 5242HM Rosmalen Tel: 073 5226191 Fax: 073 5226196 _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/026ecafe/attachment-0001.html> From xerte at pgogywebstuff.com Thu Mar 28 16:07:26 2013 From: xerte at pgogywebstuff.com (xerte at pgogywebstuff.com) Date: Thu, 28 Mar 2013 16:07:26 +0000 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> Message-ID: <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> My mistake properties.php in the root https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php see the iframes at the top
Pgogy Webstuff http://www.pgogywebstuff.com Makers of Web things of a fair to middling quality ----- Original Message ----- From: "For Xerte technical developers" To:"For Xerte technical developers" Cc: Sent:Wed, 27 Mar 2013 19:20:52 -0400 Subject:[Xerte-dev] Re: XOT Upload error media_and_quota_template.php? I can't see anything obvious that sets the iframe dimensions ------------------------- From: xerte at pgogywebstuff.com Date: Wed, 27 Mar 2013 23:09:12 +0000 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: XOT Upload error Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again Pgogy Webstuff - http://www.pgogywebstuff.com [1] Makers of web things of a fair to middling quality On 27 Mar 2013, at 22:53, Dave Burnett wrote: It is the media and quota page. Same error as this I think http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html [3] ------------------------- From: xerte at pgogywebstuff.com [4] Date: Wed, 27 Mar 2013 22:42:30 +0000 To: xerte-dev at lists.nottingham.ac.uk [5] Subject: [Xerte-dev] Re: XOT Upload error Any more in the error than thingy? This is uploading in flash? Try on the media and quota page? Pgogy Webstuff - http://www.pgogywebstuff.com [6] Makers of web things of a fair to middling quality On 27 Mar 2013, at 21:42, Dave Burnett wrote: Just installed 2 days ago, so assume this was the latest version. Trying to upload 12Mb zip I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. In .htaccess php_value upload_max_filesize 100M php_value post_max_size 100M php_value max_execution_time 300 php_value memory_limit 100M and querying phpinfo says they are indeed set to those vals ?
Dave _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk [8] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev [9] _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk [10] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev [11] _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk [12] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev [13] _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev Links: ------ [1] http://www.pgogywebstuff.com [2] mailto:d_b_burnett at hotmail.com [3] http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html [4] mailto:xerte at pgogywebstuff.com [5] mailto:xerte-dev at lists.nottingham.ac.uk [6] http://www.pgogywebstuff.com [7] mailto:d_b_burnett at hotmail.com [8] mailto:Xerte-dev at lists.nottingham.ac.uk [9] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev [10] mailto:Xerte-dev at lists.nottingham.ac.uk [11] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev [12] mailto:Xerte-dev at lists.nottingham.ac.uk [13] http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/a34e56f7/attachment.html> From d_b_burnett at hotmail.com Thu Mar 28 18:58:58 2013 From: d_b_burnett at hotmail.com (Dave Burnett) Date: Thu, 28 Mar 2013 14:58:58 -0400 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> Message-ID: <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl> style="width:400px;height:400px; display:inline"> But not sure what that should do for me. Upon upload in Media quota area, Chrome pops a new window: PHP reports an error - Followed by the code of the properties.php page. The window runs down off the bottom of the page. The 12 Mb upload still dies at 34%. No error, the progress bar just disappears. From: xerte at pgogywebstuff.com To: xerte-dev at lists.nottingham.ac.uk Date: Thu, 28 Mar 2013 16:07:26 +0000 Subject: [Xerte-dev] Re: XOT Upload error My mistake properties.php in the root https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php see the iframes at the top Pgogy Webstuff http://www.pgogywebstuff.com Makers of Web things of a fair to middling quality ----- Original Message ----- From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk> To:"For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk> Cc: Sent:Wed, 27 Mar 2013 19:20:52 -0400 Subject:[Xerte-dev] Re: XOT Upload error media_and_quota_template.php? I can't see anything obvious that sets the iframe dimensions From: xerte at pgogywebstuff.com Date: Wed, 27 Mar 2013 23:09:12 +0000 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: XOT Upload error Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to
middling quality On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote: It is the media and quota page. Same error as this I think http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html From: xerte at pgogywebstuff.com Date: Wed, 27 Mar 2013 22:42:30 +0000 To: xerte-dev at lists.nottingham.ac.uk Subject: [Xerte-dev] Re: XOT Upload error Any more in the error than thingy? This is uploading in flash? Try on the media and quota page? Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote: Just installed 2 days ago, so assume this was the latest version. Trying to upload 12Mb zip. I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. In .htaccess php_value upload_max_filesize 100M php_value post_max_size 100M php_value max_execution_time 300 php_value memory_limit 100M and querying phpinfo says they are indeed set to those vals. ? Dave _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/5dd5d474/attachment.html>

From reijnders at tor.nl Thu Mar 28 19:33:49 2013
From: reijnders at tor.nl (Tom Reijnders)
Date: Thu, 28 Mar 2013 20:33:49 +0100
Subject: [Xerte-dev] Re: Visuals exposed?
In-Reply-To: <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>
References: <51542D66.2070601@tor.nl>, , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , <51543AF5.8020304@tor.nl>, , <51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, <51546BF0.9020809@tor.nl> <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>
Message-ID: <51549B1D.50801@tor.nl>

Correct.

On 28-3-2013 17:53, Dave Burnett wrote:
>
> Hi Tom,
> I'm looking into the various approaches to custom skinning XOT at runtime.
> I guess if I set visuals to 0 I have a blank canvas to play with.
>
> ------------------------------------------------------------------------
> Date: Thu, 28 Mar 2013 17:12:32 +0100
> From: reijnders at tor.nl
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: Visuals exposed?
>
> Do you have any particular visuals in mind?
>
> In the Xerte Desktop and the latest xot you can also set the 'visuals'
> attribute of the learning object to 2
>
> On 28-3-2013 16:48, Julian Tenney wrote:
>
> rootIcon.hideControls() but there's a bit more to it I think.
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of
> *Dave Burnett
> *Sent:* 28 March 2013 15:39
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Visuals exposed?
>
> Can I programmatically toggle visuals?
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> --
> --
>
> Tom Reijnders
> TOR Informatica
> Chopinlaan 27
> 5242HM Rosmalen
> Tel: 073 5226191
> Fax: 073 5226196

--
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/133737cf/attachment-0001.html>

From xerte at pgogywebstuff.com Thu Mar 28 20:08:50 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 28 Mar 2013 20:08:50 +0000
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>
Message-ID: <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

> style="width:400px;height:400px; display:inline">
>
> But not sure what that should do for me.
>
> Upon upload in Media quota area, Chrome pops a new window:
>
> PHP reports an error -
>
> Followed by the code of the properties.php page.
> The window runs down off the bottom of the page.
>
> The 12 Mb upload still dies at 34%.
> No error, the progress bar just disappears.
>
> From: xerte at pgogywebstuff.com
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 16:07:26 +0000
> Subject: [Xerte-dev] Re: XOT Upload error
>
> My mistake
>
> properties.php in the root
>
> https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php
>
> see the iframes at the top
>
> Pgogy Webstuff http://www.pgogywebstuff.com
> Makers of Web things of a fair to middling quality
>
> ----- Original Message -----
> From:
> "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
>
> To:
> "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> Cc:
>
> Sent:
> Wed, 27 Mar 2013 19:20:52 -0400
> Subject:
> [Xerte-dev] Re: XOT Upload error
>
> media_and_quota_template.php?
> I can't see anything obvious that sets the iframe dimensions
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 23:09:12 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> It is the media and quota page.
> Same error as this I think
> http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 22:42:30 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Any more in the error than thingy?
>
> This is uploading in flash?
>
> Try on the media and quota page?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just installed 2 days ago, so assume this was the latest version.
>
> Trying to upload 12Mb zip.
>
> I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.
>
> In .htaccess
>
> php_value upload_max_filesize 100M
> php_value post_max_size 100M
> php_value max_execution_time 300
> php_value memory_limit 100M
>
> and querying phpinfo says they are indeed set to those vals.
>
> ?
>
> Dave
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/733322cf/attachment.html>

From d_b_burnett at hotmail.com Thu Mar 28 20:46:13 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 16:46:13 -0400
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk>, <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>, <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>
Message-ID: <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>

Thanks Pat.

The host server is resetting the connection.
Probably a file size limit on the AJAX upload.
I can FTP whatever I like.

But which parameter stopped the PHP error message?

From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:08:50 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

style="width:400px;height:400px; display:inline">

But not sure what that should do for me.

Upon upload in Media quota area, Chrome pops a new window:

PHP reports an error -

Followed by the code of the properties.php page.
The window runs down off the bottom of the page.

The 12 Mb upload still dies at 34%.
No error, the progress bar just disappears.

From: xerte at pgogywebstuff.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:07:26 +0000
Subject: [Xerte-dev] Re: XOT Upload error

My mistake

properties.php in the root

https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php

see the iframes at the top

Pgogy Webstuff http://www.pgogywebstuff.com
Makers of Web things of a fair to middling quality

----- Original Message -----
From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
Cc:
Sent: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?

Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/7ab59c22/attachment-0001.html>

From xerte at pgogywebstuff.com Thu Mar 28 20:59:05 2013
From: xerte at pgogywebstuff.com (Pat @ Pgogy)
Date: Thu, 28 Mar 2013 20:59:05 +0000
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl> <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com> <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>
Message-ID: <5C392E88-E02D-43A1-8D10-45F07AA46451@pgogywebstuff.com>

If you are using htaccess to bypass settings you might need to add the htaccess to the properties folder?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 20:46, Dave Burnett <d_b_burnett at hotmail.com> wrote:

> Thanks Pat.
>
> The host server is resetting the connection.
> Probably a file size limit on the AJAX upload.
> I can FTP whatever I like.
>
> But which parameter stopped the PHP error message?
>
> From: xerte at pgogywebstuff.com
> Date: Thu, 28 Mar 2013 20:08:50 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Remove the hash from the src in the iframe code.......
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> style="width:400px;height:400px; display:inline">
>
> But not sure what that should do for me.
>
> Upon upload in Media quota area, Chrome pops a new window:
>
> PHP reports an error -
>
> Followed by the code of the properties.php page.
> The window runs down off the bottom of the page.
>
> The 12 Mb upload still dies at 34%.
> No error, the progress bar just disappears.
>
> From: xerte at pgogywebstuff.com
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 16:07:26 +0000
> Subject: [Xerte-dev] Re: XOT Upload error
>
> My mistake
>
> properties.php in the root
>
> https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php
>
> see the iframes at the top
>
> Pgogy Webstuff http://www.pgogywebstuff.com
> Makers of Web things of a fair to middling quality
>
> ----- Original Message -----
> From:
> "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
>
> To:
> "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> Cc:
>
> Sent:
> Wed, 27 Mar 2013 19:20:52 -0400
> Subject:
> [Xerte-dev] Re: XOT Upload error
>
> media_and_quota_template.php?
> I can't see anything obvious that sets the iframe dimensions
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 23:09:12 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> It is the media and quota page.
> Same error as this I think
> http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 22:42:30 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Any more in the error than thingy?
>
> This is uploading in flash?
>
> Try on the media and quota page?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just installed 2 days ago, so assume this was the latest version.
>
> Trying to upload 12Mb zip.
>
> I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.
>
> In .htaccess
>
> php_value upload_max_filesize 100M
> php_value post_max_size 100M
> php_value max_execution_time 300
> php_value memory_limit 100M
>
> and querying phpinfo says they are indeed set to those vals.
>
> ?
>
> Dave
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/5442e6db/attachment.html>

From d_b_burnett at hotmail.com Thu Mar 28 21:00:05 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 17:00:05 -0400
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, , <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk>, , <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>, , <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>, <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>
Message-ID: <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl>

OK, so it's the hashtag that causes the error.
Just for the archives, what does the hashtag in src do?
Can I remove it?

From: d_b_burnett at hotmail.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:46:13 -0400
Subject: [Xerte-dev] Re: XOT Upload error

Thanks Pat.

The host server is resetting the connection.
Probably a file size limit on the AJAX upload.
I can FTP whatever I like.

But which parameter stopped the PHP error message?

From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:08:50 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

style="width:400px;height:400px; display:inline">

But not sure what that should do for me.

Upon upload in Media quota area, Chrome pops a new window:

PHP reports an error -

Followed by the code of the properties.php page.
The window runs down off the bottom of the page.

The 12 Mb upload still dies at 34%.
No error, the progress bar just disappears.

From: xerte at pgogywebstuff.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:07:26 +0000
Subject: [Xerte-dev] Re: XOT Upload error

My mistake

properties.php in the root

https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php

see the iframes at the top

Pgogy Webstuff http://www.pgogywebstuff.com
Makers of Web things of a fair to middling quality

----- Original Message -----
From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
Cc:
Sent: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?

Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/4648d898/attachment-0001.html>

From d_b_burnett at hotmail.com Thu Mar 28 21:11:23 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 17:11:23 -0400
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <5C392E88-E02D-43A1-8D10-45F07AA46451@pgogywebstuff.com>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk>, <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>, <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>, <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>, <5C392E88-E02D-43A1-8D10-45F07AA46451@pgogywebstuff.com>
Message-ID: <BLU153-W71922C9F699F08922F0A9A7D20@phx.gbl>

After changing htaccess in root I rerun phpinfo and it reflects my changes to the parameters.
Doesn't that mean the server is seeing them?

From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:59:05 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

If you are using htaccess to bypass settings you might need to add the htaccess to the properties folder?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 20:46, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Thanks Pat.

The host server is resetting the connection.
Probably a file size limit on the AJAX upload.
I can FTP whatever I like.

But which parameter stopped the PHP error message?

From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:08:50 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

style="width:400px;height:400px; display:inline">

But not sure what that should do for me.

Upon upload in Media quota area, Chrome pops a new window:

PHP reports an error -

Followed by the code of the properties.php page.
The window runs down off the bottom of the page.

The 12 Mb upload still dies at 34%.
No error, the progress bar just disappears.

From: xerte at pgogywebstuff.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:07:26 +0000
Subject: [Xerte-dev] Re: XOT Upload error

My mistake

properties.php in the root

https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php

see the iframes at the top

Pgogy Webstuff http://www.pgogywebstuff.com
Makers of Web things of a fair to middling quality

----- Original Message -----
From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
Cc:
Sent: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html

From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?

Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/c9d146a3/attachment.html>

From J.J.Smith at gcu.ac.uk Thu Mar 28 21:48:20 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Thu, 28 Mar 2013 21:48:20 +0000
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, , <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk>, , <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>, , <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>, <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>, <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FD60E5C@ITSEMBXCLUS.enterprise.gcal.ac.uk>

You shouldn't use src="#" in iframes any longer - you should use src="about:blank" for an empty iframe...

Regards,

John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
Cowcaddens Road | Glasgow | G4 0BA

________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
Sent: 28 March 2013 21:00
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT Upload error

OK, so it's the hashtag that causes the error.
Just for the archives, what does the hashtag in src do?
Can I remove it?

________________________________
From: d_b_burnett at hotmail.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:46:13 -0400
Subject: [Xerte-dev] Re: XOT Upload error

Thanks Pat.

The host server is resetting the connection.
Probably a file size limit on the AJAX upload.
I can FTP whatever I like.

But which parameter stopped the PHP error message?

________________________________
From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:08:50 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

style="width:400px;height:400px; display:inline">

But not sure what that should do for me.

Upon upload in Media quota area, Chrome pops a new window:

PHP reports an error -

Followed by the code of the properties.php page.
The window runs down off the bottom of the page.

The 12 Mb upload still dies at 34%.
No error, the progress bar just disappears.

________________________________
From: xerte at pgogywebstuff.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:07:26 +0000
Subject: [Xerte-dev] Re: XOT Upload error

My mistake

properties.php in the root

https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php

see the iframes at the top

Pgogy Webstuff http://www.pgogywebstuff.com
Makers of Web things of a fair to middling quality

----- Original Message -----
From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
Cc:
Sent: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions

________________________________
From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html

________________________________
From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?

Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

From d_b_burnett at hotmail.com Thu Mar 28 21:55:45 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 17:55:45 -0400
Subject: [Xerte-dev] Re: XOT Upload error
In-Reply-To: <EE0B2AFFDB88B34AA864E00CE98914C2247FD60E5C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl>, , , <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk>, , , <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl>, , , <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com>, , <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl>, , <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl>, <EE0B2AFFDB88B34AA864E00CE98914C2247FD60E5C@ITSEMBXCLUS.enterprise.gcal.ac.uk>
Message-ID: <BLU153-W15E2FC82379328DC8E4BB6A7D20@phx.gbl>

Cheers Pat and John.
No more error.

> From: J.J.Smith at gcu.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 21:48:20 +0000
> Subject: [Xerte-dev] Re: XOT Upload error
>
> You shouldn't use src="#" in iframes any longer - you should use src="about:blank" for an empty iframe...
>
> Regards,
>
> John Smith | Learning Technologist
> Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
> Cowcaddens Road | Glasgow | G4 0BA
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
> Sent: 28 March 2013 21:00
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: XOT Upload error
>
> OK, so it's the hashtag that causes the error.
> Just for the archives, what does the hashtag in src do?
> Can I remove it?
>
> ________________________________
> From: d_b_burnett at hotmail.com
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 16:46:13 -0400
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Thanks Pat.
>
> The host server is resetting the connection.
> Probably a file size limit on the AJAX upload.
> I can FTP whatever I like.
>
> But which parameter stopped the PHP error message?
>
> ________________________________
> From: xerte at pgogywebstuff.com
> Date: Thu, 28 Mar 2013 20:08:50 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Remove the hash from the src in the iframe code.......
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> style="width:400px;height:400px; display:inline">
>
> But not sure what that should do for me.
>
> Upon upload in Media quota area, Chrome pops a new window:
>
> PHP reports an error -
>
> Followed by the code of the properties.php page.
> The window runs down off the bottom of the page.
>
> The 12 Mb upload still dies at 34%.
> No error, the progress bar just disappears.
>
> ________________________________
> From: xerte at pgogywebstuff.com
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 16:07:26 +0000
> Subject: [Xerte-dev] Re: XOT Upload error
>
> My mistake
>
> properties.php in the root
>
> https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php
>
> see the iframes at the top
>
> Pgogy Webstuff http://www.pgogywebstuff.com
> Makers of Web things of a fair to middling quality
>
> ----- Original Message -----
> From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> Cc:
> Sent: Wed, 27 Mar 2013 19:20:52 -0400
> Subject: [Xerte-dev] Re: XOT Upload error
>
> media_and_quota_template.php?
> I can't see anything obvious that sets the iframe dimensions
>
> ________________________________
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 23:09:12 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> It is the media and quota page.
> Same error as this I think
> http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
>
> ________________________________
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 22:42:30 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Any more in the error than thingy?
>
> This is uploading in flash?
>
> Try on the media and quota page?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just installed 2 days ago, so assume this was the latest version.
>
> Trying to upload 12Mb zip.
>
> I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.
>
> In .htaccess
>
> php_value upload_max_filesize 100M
> php_value post_max_size 100M
> php_value max_execution_time 300
> php_value memory_limit 100M
>
> and querying phpinfo says they are indeed set to those vals.
>
> ?
>
> Dave
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/87b3886e/attachment-0001.html>

From d_b_burnett at hotmail.com Thu Mar 28 22:46:46 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 18:46:46 -0400
Subject: [Xerte-dev] XOT feature
In-Reply-To: <51549B1D.50801@tor.nl>
References: <51542D66.2070601@tor.nl>, , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , , <51543AF5.8020304@tor.nl>, ,,<51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, , <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, , <51546BF0.9020809@tor.nl> <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>,<51549B1D.50801@tor.nl>
Message-ID: <BLU153-W33A7312157C3405351839CA7D20@phx.gbl>

Notice if I hit the Publish button I only get the Flash style link
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/b0fbaf6d/attachment.html>

From Julian.Tenney at nottingham.ac.uk Thu Mar 28 22:53:49 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 28 Mar 2013 22:53:49 +0000
Subject: [Xerte-dev] Re: XOT feature
In-Reply-To: <BLU153-W33A7312157C3405351839CA7D20@phx.gbl>
References: <51542D66.2070601@tor.nl>, , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , , <51543AF5.8020304@tor.nl>, ,,<51545C49.5020204@tor.nl> <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, , <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, , <51546BF0.9020809@tor.nl> <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>, <51549B1D.50801@tor.nl>, <BLU153-W33A7312157C3405351839CA7D20@phx.gbl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4F6829EC@EXCHANGE1.ad.nottingham.ac.uk>

at the moment...
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
Sent: 28 March 2013 22:46
To: For Xerte technical developers
Subject: [Xerte-dev] XOT feature

Notice if I hit the Publish button I only get the Flash style link

From d_b_burnett at hotmail.com Thu Mar 28 23:01:27 2013
From: d_b_burnett at hotmail.com (Dave Burnett)
Date: Thu, 28 Mar 2013 19:01:27 -0400
Subject: [Xerte-dev] Re: XOT feature
In-Reply-To: <12C67A1EEC419342AF5E59DA31562C3F0C4F6829EC@EXCHANGE1.ad.nottingham.ac.uk>
References: <51542D66.2070601@tor.nl>, , , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , , , <51543AF5.8020304@tor.nl>, , , <51545C49.5020204@tor.nl>, <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, , , <51546BF0.9020809@tor.nl>, <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>, <51549B1D.50801@tor.nl>, , <BLU153-W33A7312157C3405351839CA7D20@phx.gbl>, <12C67A1EEC419342AF5E59DA31562C3F0C4F6829EC@EXCHANGE1.ad.nottingham.ac.uk>
Message-ID: <BLU153-W40E611936A10DBD03F4C77A7D20@phx.gbl>

Both are in the Properties > Project area.

> From: Julian.Tenney at nottingham.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 22:53:49 +0000
> Subject: [Xerte-dev] Re: XOT feature
>
> at the moment...
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
> Sent: 28 March 2013 22:46
> To: For Xerte technical developers
> Subject: [Xerte-dev] XOT feature
>
> Notice if I hit the Publish button I only get the Flash style link
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
>
> This message has been checked for viruses but the contents of an attachment
> may still contain software viruses which could damage your computer system:
> you are advised to perform your own checks. Email communications with the
> University of Nottingham may be monitored as permitted by UK legislation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/4ef4484e/attachment.html>

From Julian.Tenney at nottingham.ac.uk Thu Mar 28 23:02:21 2013
From: Julian.Tenney at nottingham.ac.uk (Julian Tenney)
Date: Thu, 28 Mar 2013 23:02:21 +0000
Subject: [Xerte-dev] Re: XOT feature
In-Reply-To: <BLU153-W40E611936A10DBD03F4C77A7D20@phx.gbl>
References: <51542D66.2070601@tor.nl>, , , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF09798@EXCHANGE1.ad.nottingham.ac.uk>, , , , <51543AF5.8020304@tor.nl>, , , <51545C49.5020204@tor.nl>, <BLU153-W216EE77B27297D149497B8A7D20@phx.gbl>, , , <12C67A1EEC419342AF5E59DA31562C3F0C4EF098E9@EXCHANGE1.ad.nottingham.ac.uk>, , , <51546BF0.9020809@tor.nl>, <BLU153-W5645316124EC3715C5300A7D20@phx.gbl>, <51549B1D.50801@tor.nl>, , <BLU153-W33A7312157C3405351839CA7D20@phx.gbl>, <12C67A1EEC419342AF5E59DA31562C3F0C4F6829EC@EXCHANGE1.ad.nottingham.ac.uk>, <BLU153-W40E611936A10DBD03F4C77A7D20@phx.gbl>
Message-ID: <12C67A1EEC419342AF5E59DA31562C3F0C4F6829F1@EXCHANGE1.ad.nottingham.ac.uk>

they will be changed soon to include the html5 options
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
Sent: 28 March 2013 23:01
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT feature

Both are in the Properties > Project area.

> From: Julian.Tenney at nottingham.ac.uk
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 22:53:49 +0000
> Subject: [Xerte-dev] Re: XOT feature
>
> at the moment...
> ________________________________________
> From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett [d_b_burnett at hotmail.com]
> Sent: 28 March 2013 22:46
> To: For Xerte technical developers
> Subject: [Xerte-dev] XOT feature
>
> Notice if I hit the Publish button I only get the Flash style link
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
From xerte at pgogywebstuff.com Thu Mar 28 23:34:13 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Thu, 28 Mar 2013 23:34:13 +0000 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl> References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl> <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com> <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl> <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl> Message-ID: <37FAA48A-9A1A-4CC6-B697-655B2032BE9B@pgogywebstuff.com> I emailed about two weeks ago suggesting some one removed it from the svn..... Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Mar 2013, at 21:00, Dave Burnett <d_b_burnett at hotmail.com> wrote: > OK, so it's the hashtag that causes the error. > Just for the archives, what does the hashtag in src do? > Can I remove it? > > From: d_b_burnett at hotmail.com > To: xerte-dev at lists.nottingham.ac.uk > Date: Thu, 28 Mar 2013 16:46:13 -0400 > Subject: [Xerte-dev] Re: XOT Upload error > > Thanks Pat. > > The host server is resetting the connection. > Probably a file size limit on the AJAX upload. > I can FTP whatever I like. > > But which parameter stopped the PHP error message? > > From: xerte at pgogywebstuff.com > Date: Thu, 28 Mar 2013 20:08:50 +0000 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: XOT Upload error > > Remove the hash from the src in the iframe code....... > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote: > > style="width:400px;height:400px; display:inline"> > > But not sure what that should do for me. 
> > Upon upload in Media quota area, Chrome pops a new window: > > PHP reports an error - > > Followed by the code of the properties.php page. > The window runs down off the bottom of the page. > > > The 12 Mb upload still dies at 34%. > No error, the progress bar just disappear. > > > From: xerte at pgogywebstuff.com > To: xerte-dev at lists.nottingham.ac.uk > Date: Thu, 28 Mar 2013 16:07:26 +0000 > Subject: [Xerte-dev] Re: XOT Upload error > > My mistake > > properties.php in the root > > https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php > > see the iframes at the top > > Pgogy Webstuff http://www.pgogywebstuff.com > Makers of Web things of a fair to middling quality > > > ----- Original Message ----- > From: > "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk> > > To: > "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk> > Cc: > > Sent: > Wed, 27 Mar 2013 19:20:52 -0400 > Subject: > [Xerte-dev] Re: XOT Upload error > > > > > media_and_quota_template.php? > I can't see anything obvious that sets the iframe dimensions > > From: xerte at pgogywebstuff.com > Date: Wed, 27 Mar 2013 23:09:12 +0000 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: XOT Upload error > > Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote: > > It is the media and quota page. > Same error as this I think > http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html > > > From: xerte at pgogywebstuff.com > Date: Wed, 27 Mar 2013 22:42:30 +0000 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: XOT Upload error > > Any more in the error than thingy? > > This is uploading in flash? > > Try on the media and quota page? 
> > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote: > > Just installed 2 days ago, so assume this was the latest version. > > Trying to upload 12Mb zip. > > I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%. > > In .htacccess > > php_value upload_max_filesize 100M > php_value post_max_size 100M > php_value max_execution_time 300 > php_value memory_limit 100M > > and querying phpinfo says they are indeed set to those vals. > > ? > > Dave > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > > > > _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > > _______________________________________________ Xerte-dev mailing list Xerte-dev at lists.nottingham.ac.uk 
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev > > > > _______________________________________________ > Xerte-dev mailing list > Xerte-dev at lists.nottingham.ac.uk > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130328/f3758db0/attachment-0001.html> From xerte at pgogywebstuff.com Thu Mar 28 23:34:55 2013 From: xerte at pgogywebstuff.com (Pat @ Pgogy) Date: Thu, 28 Mar 2013 23:34:55 +0000 Subject: [Xerte-dev] Re: XOT Upload error In-Reply-To: <BLU153-W71922C9F699F08922F0A9A7D20@phx.gbl> References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl> <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com> <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl> <5C392E88-E02D-43A1-8D10-45F07AA46451@pgogywebstuff.com> <BLU153-W71922C9F699F08922F0A9A7D20@phx.gbl> Message-ID: <251D5DDD-2FB5-4B94-A12A-ED52CB532C91@pgogywebstuff.com> Htaccess can apply per folder or per site, I think Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of a fair to middling quality On 28 Mar 2013, at 21:11, Dave Burnett <d_b_burnett at hotmail.com> wrote: > After changing htaccess in root I rerun phpinfo and it reflects my changes to the parameters. > Doesn't that mean the server is seeing them? > > From: xerte at pgogywebstuff.com > Date: Thu, 28 Mar 2013 20:59:05 +0000 > To: xerte-dev at lists.nottingham.ac.uk > Subject: [Xerte-dev] Re: XOT Upload error > > If you are using htaccess to bypass settings you might need to add the htaccess to the properties folder? > > Pgogy Webstuff - http://www.pgogywebstuff.com > Makers of web things of a fair to middling quality > > On 28 Mar 2013, at 20:46, Dave Burnett <d_b_burnett at hotmail.com> wrote: > > Thanks Pat. 
>
> The host server is resetting the connection.
> Probably a file size limit on the AJAX upload.
> I can FTP whatever I like.
>
> But which parameter stopped the PHP error message?
>
> From: xerte at pgogywebstuff.com
> Date: Thu, 28 Mar 2013 20:08:50 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Remove the hash from the src in the iframe code.......
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> style="width:400px;height:400px; display:inline">
>
> But not sure what that should do for me.
>
> Upon upload in Media quota area, Chrome pops a new window:
>
> PHP reports an error -
>
> Followed by the code of the properties.php page.
> The window runs down off the bottom of the page.
>
> The 12 Mb upload still dies at 34%.
> No error, the progress bar just disappears.
>
> From: xerte at pgogywebstuff.com
> To: xerte-dev at lists.nottingham.ac.uk
> Date: Thu, 28 Mar 2013 16:07:26 +0000
> Subject: [Xerte-dev] Re: XOT Upload error
>
> My mistake
>
> properties.php in the root
>
> https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php
>
> see the iframes at the top
>
> Pgogy Webstuff http://www.pgogywebstuff.com
> Makers of Web things of a fair to middling quality
>
> ----- Original Message -----
> From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
> Cc:
> Sent: Wed, 27 Mar 2013 19:20:52 -0400
> Subject: [Xerte-dev] Re: XOT Upload error
>
> media_and_quota_template.php?
> I can't see anything obvious that sets the iframe dimensions
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 23:09:12 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> It is the media and quota page.
> Same error as this I think
> http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
>
> From: xerte at pgogywebstuff.com
> Date: Wed, 27 Mar 2013 22:42:30 +0000
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: XOT Upload error
>
> Any more in the error than thingy?
>
> This is uploading in flash?
>
> Try on the media and quota page?
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
> Makers of web things of a fair to middling quality
>
> On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:
>
> Just installed 2 days ago, so assume this was the latest version.
>
> Trying to upload 12Mb zip.
>
> I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.
>
> In .htaccess
>
> php_value upload_max_filesize 100M
> php_value post_max_size 100M
> php_value max_execution_time 300
> php_value memory_limit 100M
>
> and querying phpinfo says they are indeed set to those vals.
>
> ?
>
> Dave

From J.J.Smith at gcu.ac.uk Fri Mar 29 09:39:50 2013
From: J.J.Smith at gcu.ac.uk (Smith, John)
Date: Fri, 29 Mar 2013 09:39:50 +0000
Subject: [Xerte-dev] Re: XOT Upload error & iframe embed fix
In-Reply-To: <37FAA48A-9A1A-4CC6-B697-655B2032BE9B@pgogywebstuff.com>
References: <BLU153-W2757F6FDD15AB4961490F9A7D10@phx.gbl> <47f008034b82b3b27ab9ad2794a0c75bda4601f4@webmail.hosting.heartinternet.co.uk> <BLU153-W30BDFE8228D2B9BC18A341A7D20@phx.gbl> <830620FF-7E73-4876-A881-D76F74F5D8BB@pgogywebstuff.com> <BLU153-W489FEF4C03CB34A07A8875A7D20@phx.gbl> <BLU153-W964C47708E50516D6BA27A7D20@phx.gbl>, <37FAA48A-9A1A-4CC6-B697-655B2032BE9B@pgogywebstuff.com>
Message-ID: <EE0B2AFFDB88B34AA864E00CE98914C2247FD60E5E@ITSEMBXCLUS.enterprise.gcal.ac.uk>

Hi,

Have now fixed this # src issue in SVN and also the extra </> that was appearing in the embed code...

Regards,

John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow Caledonian University
Cowcaddens Road | Glasgow | G4 0BA
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy [xerte at pgogywebstuff.com]
Sent: 28 March 2013 23:34
To: For Xerte technical developers
Subject: [Xerte-dev] Re: XOT Upload error

I emailed about two weeks ago suggesting someone removed it from the svn.....

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 21:00, Dave Burnett <d_b_burnett at hotmail.com> wrote:

OK, so it's the hashtag that causes the error.
Just for the archives, what does the hashtag in src do?
Can I remove it?
________________________________
From: d_b_burnett at hotmail.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:46:13 -0400
Subject: [Xerte-dev] Re: XOT Upload error

Thanks Pat.

The host server is resetting the connection.
Probably a file size limit on the AJAX upload.
I can FTP whatever I like.

But which parameter stopped the PHP error message?
________________________________
From: xerte at pgogywebstuff.com
Date: Thu, 28 Mar 2013 20:08:50 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Remove the hash from the src in the iframe code.......

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 28 Mar 2013, at 18:58, Dave Burnett <d_b_burnett at hotmail.com> wrote:

style="width:400px;height:400px; display:inline">

But not sure what that should do for me.

Upon upload in Media quota area, Chrome pops a new window:

PHP reports an error -

Followed by the code of the properties.php page.
The window runs down off the bottom of the page.

The 12 Mb upload still dies at 34%.
No error, the progress bar just disappears.
________________________________
From: xerte at pgogywebstuff.com
To: xerte-dev at lists.nottingham.ac.uk
Date: Thu, 28 Mar 2013 16:07:26 +0000
Subject: [Xerte-dev] Re: XOT Upload error

My mistake

properties.php in the root

https://code.google.com/p/xerteonlinetoolkits/source/browse/trunk/properties.php

see the iframes at the top

Pgogy Webstuff http://www.pgogywebstuff.com
Makers of Web things of a fair to middling quality

----- Original Message -----
From: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
To: "For Xerte technical developers" <xerte-dev at lists.nottingham.ac.uk>
Cc:
Sent: Wed, 27 Mar 2013 19:20:52 -0400
Subject: [Xerte-dev] Re: XOT Upload error

media_and_quota_template.php?
I can't see anything obvious that sets the iframe dimensions
________________________________
From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 23:09:12 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Ok, edit website_code/php/properties/media_and_quota and set the iframe to be huge then try again

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 22:53, Dave Burnett <d_b_burnett at hotmail.com> wrote:

It is the media and quota page.
Same error as this I think
http://lists.nottingham.ac.uk/pipermail/xerte/2012-January/012511.html
________________________________
From: xerte at pgogywebstuff.com
Date: Wed, 27 Mar 2013 22:42:30 +0000
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: XOT Upload error

Any more in the error than thingy?

This is uploading in flash?
Try on the media and quota page?

Pgogy Webstuff - http://www.pgogywebstuff.com
Makers of web things of a fair to middling quality

On 27 Mar 2013, at 21:42, Dave Burnett <d_b_burnett at hotmail.com> wrote:

Just installed 2 days ago, so assume this was the latest version.

Trying to upload 12Mb zip.

I'm getting the "php reports the following error - " thingy and the upload simply stops at 35%.

In .htaccess

php_value upload_max_filesize 100M
php_value post_max_size 100M
php_value max_execution_time 300
php_value memory_limit 100M

and querying phpinfo says they are indeed set to those vals.

?

Dave

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html