101

Re: shoutbox_pun - a punbb shoutbox

We will watch your development, helliax :)

102

Re: shoutbox_pun - a punbb shoutbox

helliax wrote:

I've managed to implement username links, but I'm trying to figure out the best way to go about tying it to an option, so it can be turned on and off through the forum settings.

Right now, the link is generated in the javascript. Specifically, the getHTMLFromMessage() function in shoutbox-pun.js. So in other words, I can't access the PHP config values directly. One way I figure I can do it, is to create a hidden <input /> that has the value, and grab that value from javascript. But that seems really hackish. Does anyone have any suggestions, or just other mods to check out, to see how they did it?

I forked andrew's project so I can work on it without messing up his project, so you can look at the code I have now: https://github.com/helliax/shoutbox_pun. Preferably, all my major changes will get turned into options, so we end up with one mod instead of two with just minor differences.

Why not add the option in the XML output in data.php? getShouts could have an additional <options> bit.

Please feel free to submit a pull request once the changes are done.

Re: shoutbox_pun - a punbb shoutbox

Brilliant Kushi!

104

Re: shoutbox_pun - a punbb shoutbox

What has Kushi done?

105

Re: shoutbox_pun - a punbb shoutbox

ams wrote:
helliax wrote:

I've managed to implement username links, but I'm trying to figure out the best way to go about tying it to an option, so it can be turned on and off through the forum settings.

Right now, the link is generated in the javascript. Specifically, the getHTMLFromMessage() function in shoutbox-pun.js. So in other words, I can't access the PHP config values directly. One way I figure I can do it, is to create a hidden <input /> that has the value, and grab that value from javascript. But that seems really hackish. Does anyone have any suggestions, or just other mods to check out, to see how they did it?

I forked andrew's project so I can work on it without messing up his project, so you can look at the code I have now: https://github.com/helliax/shoutbox_pun. Preferably, all my major changes will get turned into options, so we end up with one mod instead of two with just minor differences.

Why not add the option in the XML output in data.php? getShouts could have an additional <options> bit.

Please feel free to submit a pull request once the changes are done.

This is sort of so obvious now I don't know why I didn't think of it immediately at the time. Thanks!

106 (edited by helliax 2013-05-16 22:01)

Re: shoutbox_pun - a punbb shoutbox

Question regarding csrf token (this sounds related to Francisco FR's problem)

Right now, when you leave the shoutbox open long enough, it'll eventually "crash" and stop working, due to a CSRF token mismatch. The reason this is happening is because a static CSRF token is being compared to one that gets generated on each poll and each new message (so basically, every 1.6 seconds). In simpler terms, each time it checks for new shouts or adds a new one, it'll check these two tokens, and eventually the static one will lag behind, and mismatch.

The comparison's in data.php on line 26:

$_GET['csrf_token'] != generate_form_token('./extensions/shoutbox_pun/data.php')

I understand that the reason for this is to help prevent cross-site attacks, and in this specific case, prevent bad people from posting shouts to your shoutbox without your permission. Does anyone have any idea on how to get around this? It looks like one solution is to regenerate the static token before it expires, but the token is generated via php code, and only gets called on page refresh. The alternative is to remove the check.

This problem also occurs with base PunBB functions, like modifying settings in the admin panel. The site gets around it by prompting you to confirm your action. I haven't looked at the code, but I imagine during this time, they regenerate the token, and then the action passes the check and goes through. But we can't do that with shouts, unless we force a page refresh every ~30 minutes.

Would be totally grateful for any help on this. Thanks!

107

Re: shoutbox_pun - a punbb shoutbox

Yes, I've noticed this. Part of me thinks it perhaps should be tied in with some better handling and a 'timeout' - I don't like the idea of people hitting the server forever just from leaving the browser window open.

I think a fix would be to pass back a new CSRF token in the XML, perhaps each time, and update this with javascript in the DOM. This should solve the problem.

I'm not sure what your plan/workflow is, but it'd be really useful for the project for you to pass these fixes you're making back as pull requests on GitHub.

Thanks
Andy
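
Added example (not part of the thread or the project's code): a small model of the fix proposed above, where every poll response carries a fresh token and the client adopts it. `handlePoll`, `tokenFor`, the `<csrf_token>` element, the 30-minute window and the one-window grace period are assumptions made for illustration, not PunBB's `generate_form_token()` or the real `data.php` output.

```javascript
// Toy model of data.php (constructed; not PunBB's generate_form_token()).
// The token changes every WINDOW_MS; the previous window is still accepted.
const WINDOW_MS = 30 * 60 * 1000;
const windowOf = (now) => Math.floor(now / WINDOW_MS);
// Stand-in for a keyed, unpredictable server-side token.
const tokenFor = (win) => `tok-${win}`;

function handlePoll(presentedToken, now) {
  const win = windowOf(now);
  const valid = [tokenFor(win), tokenFor(win - 1)];
  if (!valid.includes(presentedToken)) {
    return '<error>csrf_token mismatch</error>';
  }
  // Every successful response carries the token for the current window.
  return `<shoutbox><csrf_token>${tokenFor(win)}</csrf_token><shouts/></shoutbox>`;
}

// In the browser, read this from xhr.responseXML; a regex keeps the sketch
// runnable without a DOM.
function readTag(xml, name) {
  const m = new RegExp(`<${name}>([^<]*)</${name}>`).exec(xml);
  return m ? m[1] : null;
}

class ShoutboxClient {
  constructor(initialToken, refresh) {
    this.token = initialToken; // token rendered into the page at load time
    this.refresh = refresh;    // false reproduces the static-token behaviour
    this.alive = true;
  }
  poll(now) {
    if (!this.alive) return false;
    const xml = handlePoll(this.token, now);
    const fresh = readTag(xml, 'csrf_token');
    if (fresh === null) { this.alive = false; return false; } // rejected
    if (this.refresh) this.token = fresh; // adopt the token for the next request
    return true;
  }
}

// Poll every stepMs from t=0 up to `until`; return the time of the first
// rejected poll, or null if every poll was accepted.
function firstFailure(client, stepMs, until) {
  for (let t = 0; t <= until; t += stepMs) {
    if (!client.poll(t)) return t;
  }
  return null;
}
```

A client that stops polling for longer than the grace period (a suspended laptop, for instance) still ends up with a stale token and needs a page reload, since the server here only hands a fresh token to requests that passed the check.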

Re: shoutbox_pun - a punbb shoutbox

http://i.imgur.com/AQD1TXd.png

Doesn't work.

109 (edited by ams 2014-09-14 11:05)

Re: shoutbox_pun - a punbb shoutbox

There's an update with fixes to a few bugs and a few minor improvements.

There's 1 security fix and 1 breaking change (previously shouted links will look funny).

110

Re: shoutbox_pun - a punbb shoutbox

It would be nice if you can hook it up somewhere after the announcement div. I could not find an appropriate one. People might get lazy scrolling down to the bottom to see the shoutbox, not to mention if the site has too many subs.

111

Re: shoutbox_pun - a punbb shoutbox

There's an option in settings to put it at the top of the board.