[Xerte] Toolkits - random suggestions/changes (feedback from install)

Patrick Lockley Patrick.Lockley at nottingham.ac.uk
Wed Dec 3 16:51:20 GMT 2008


Hi David,

Apologies if the announcement didn't make it clear - if you have a
working install - you don't need to re-run setup.

The only modifications were to some PHP and the templates themselves.

We'll work on a more thorough installer / upgrader with the new
versions.

We found out this week the error with the user table request, dropping
lines 118 - 143 of page2.php resolves the problem. I checked this code
with our MySQL admin guy and he said what I had done should work on most
servers - so it was there with best intentions / to make it easier for
people who wouldn't know what to put. Again, I'll look to fix this in
the next installer.

I'd prefer not to tell people what to rename demo.txt to be, as then
anyone with an installer might know what it's called on other people's
servers.

The code looks ok to me from here. As long as people have distinct
session ids and login ids, that is enough.

I agree re your points on the installer.

Thanks for the feedback.

Pat

-----Original Message-----
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
Sent: 03 December 2008 16:24
To: Xerte at lists.nottingham.ac.uk
Subject: [Xerte] Toolkits - random suggestions/changes (feedback
from install)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


Whenever I run 'setup/page2.php' I run into SQL problems -- as a
suggestion, could you change the basic.sql file to add some "DROP TABLE
IF EXISTS ...." (so there are no "duplicate key exists" errors when
trying to insert the same data into a table), and it won't therefore
fail to create a table that already exists...

So if the script is run twice (after encountering a problem) it doesn't
fail.

In my situation, the MySQL user I enter on page1 has rights to create a
database etc - but DOESN'T have rights to connect to the 'mysql'
database.... therefore page2(?) fails when it tries to query the mysql
table to find out access permissions.


I also make the following changes to 'demo.php' (which is renamed to
login.php - it would be helpful if the final setup page said what to
rename demo.txt to) :

- --- demo.txt	2008-11-28 14:26:56.000000000 +0000
+++ login.php	2008-12-03 15:58:37.000000000 +0000
@@ -18,7 +18,7 @@

 	$_SESSION['firstname'] = "Guest";
 				
- -	$x = rand(1,10) * rand(1,10);
+	//$x = rand(1,10) * rand(1,10);

 	$_SESSION['surname'] = $x;

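Review bot: Commenting out the `$x = rand(1,10) * rand(1,10);` assignment leaves `$x` undefined, but the unchanged line `$_SESSION['surname'] = $x;` just below still reads it, so the surname is set from an undefined variable (empty value plus a PHP notice). Either give the surname a fixed value or remove that assignment too, and delete the old line rather than leaving it commented out.
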
@@ -28,7 +28,7 @@

 	$mysql_id=database_connect("index.php database connect
success","index.php database connect fail");			

- -	$_SESSION['login_ldap'] = "Guest" . $x;
+	$_SESSION['login_ldap'] = "GuestUser";

 	if(check_if_first_time($_SESSION['login_ldap'])){

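Review bot: With `$_SESSION['login_ldap'] = "GuestUser";` every visitor who reaches this script gets the same login id, so `check_if_first_time()` and anything else keyed on `login_ldap` treats them all as one user. If the Apache authentication mentioned below the patch is meant to give each person their own account, take the id from the authenticated user name (for example `$_SERVER['REMOTE_USER']`) instead of a literal, and fail closed when it is empty.
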
@@ -59,4 +59,4 @@
 	echo file_get_contents($site->website_code_path .
"management_bottom");	

 ?>
- -			
\ No newline at end of file
+			
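
Review bot: The only change at the end of the file is whitespace on the line after `?>` (a newline added after the trailing tabs), which is unrelated to the login change and keeps stray whitespace after the closing tag that PHP sends as output. Drop this hunk from the patch, or remove the trailing tabs instead of adding to them.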

And then configure Apache to require authentication for login.php. Is
this an acceptable means of securing Xerte so only authenticated users
can create new stuff?



Finally, I'd suggest you change /index.php so that :

a) If the setup directory exists, it redirects you to it
b) If config.php exists, and setup directory exists it aborts with some
useful error message telling the administrator to delete the directory
as it shouldn't be there (this would presumably be a security flaw if
left accessible?)

Thanks
David.

- --
 David Goodwin                          Pale Purple Limited
 Office: 0845 0046746                   Mobile: 07792380669
 http://www.palepurple.co.uk            Company No: 5580814
 'Business Web Application Development and Training in PHP'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJNrKN/ISo3RF5V6YRAjhqAJ4g8UF9A4qZ1/tmrDUFEjDt0GyqLACeKjnc
/7Uj/O6wPnFD2Ibmul1tZFY=
=KapY
-----END PGP SIGNATURE-----
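
One way to implement suggestions (a) and (b) from the quoted message, as an added example that is not Xerte's own code. It assumes index.php, config.php and the setup directory share one web root; the function names `install_state` and `guard_install` are hypothetical.

```php
<?php
// Added example, not Xerte code. Assumed layout: index.php, config.php and
// a setup/ directory all sit in the same web root, as the message implies.

/**
 * Classify the install from what is on disk.
 * Returns 'needs_setup', 'setup_left_behind' or 'ok'.
 */
function install_state(string $root): string
{
    $hasSetup  = is_dir($root . '/setup');
    $hasConfig = is_file($root . '/config.php');

    if ($hasSetup && $hasConfig) {
        return 'setup_left_behind';   // case (b): installed, installer still reachable
    }
    if ($hasSetup) {
        return 'needs_setup';         // case (a): installer present, no config yet
    }
    return 'ok';                      // no setup directory: normal operation
}

/**
 * Act on the state before any application code runs.
 */
function guard_install(string $root): void
{
    switch (install_state($root)) {
        case 'needs_setup':
            header('Location: setup/', true, 302);
            exit;
        case 'setup_left_behind':
            // Refuse to serve the site until the installer is removed.
            http_response_code(503);
            header('Content-Type: text/plain; charset=utf-8');
            echo "Installation is complete but the setup directory is still present.\n";
            echo "Administrator: delete the setup directory, then reload this page.\n";
            exit;
    }
}

guard_install(__DIR__);
// ... the rest of index.php continues here when the state is 'ok'
```

Checking case (b) before case (a) matters: once config.php exists, a redirect into the installer is exactly what the guard is meant to prevent.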