I agree; the CSRF token isn't the right solution. But I think this is a pretty easy-to-implement feature that I probably even can provide a patch for. Unless you have something in the works for something like this for 1.3 already.
2 2007-11-02 13:29
Topic: Lost updates (2 replies, posted in Feature requests)
In (a bit) lieu of preventing CSRF attacks, I thought the same procedure might be used to prevent the "lost update" in PunBB. Well, the common "lost update" isn't really present, but what happens is that in the timespan between person A has read a thread, formulated a reply and clicked "Submit", the thread might have gotten anything from one to 100 new replies. I'm thinking that the CSRF token can be used in some way to prevent this by telling the user that the thread has had replies since the user started formulating a response and thus present the user with those replies along with his or her response.
I think this is a nice feature to have, because I see too many times on (not only PunBB-based) forums that people submit a reply someone else has already submitted, ask a question that has already been answered in the same thread or simply just screw up a "Let's create a story by replying to this thread with two words each" thread. I haven't completely wrapped my head around how the CSRF token can be utilized to fix this problem or exactly what the technical details are going to look like, but it shouldn't be too hard to fix nonetheless.
If we don't think about CSRF, a simple timestamp in a hidden field would do. The timestamp can be hashed and even employed as an ETag in the response, so user agents and intermediaries (like proxy servers) can more easily cache threads and such. Here's a simple and dumb implementation:
Request code:
<?php
// Fingerprint of the thread's current state: a hash of the date of its latest post.
// get_date_of_the_last_post_in_thread() is a stand-in for the real lookup.
function get_etag($thread_id) {
    $latest_date = get_date_of_the_last_post_in_thread($thread_id);
    return md5($latest_date);
}
?>
<!-- "echo" is needed, otherwise the hidden field is rendered empty -->
<input type="hidden" name="etag" value="<?php echo get_etag($thread_id = 1234); ?>" />
Response code:
<?php
// Strict comparison (!==): with "!=" PHP would compare two numeric-looking hash
// strings as numbers. Use $_POST here if the reply form is submitted with POST.
if (!isset($_GET['etag']) || $_GET['etag'] !== get_etag($thread_id)) {
    echo 'There have been replies in this thread since you started writing yours. Please read them and click submit again if your reply is still valid and relevant (or whatever).';
    // display all replies or just the new ones
} else {
    // save the reply in the database and redirect back to the thread like usual.
}
?>
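A fuller version of the same idea, as an added example that is not part of the original post or of PunBB: the thread fingerprint doubles as an HTTP ETag (answering If-None-Match with 304) and as the hidden form token that the reply handler checks. It assumes a PDO connection $db and a "posts" table with columns topic_id and posted (UNIX timestamp), and is written for PHP 7 or newer.

```php
<?php
// Added example, not from the original post: a lost-update check for a
// reply form, built on the post's idea of a thread fingerprint that doubles
// as an HTTP ETag. Assumed: a PDO connection $db and a "posts" table with
// columns topic_id and posted (UNIX timestamp). Written for PHP 7+.

// Fingerprint of the thread: post count plus latest post time, so that a
// reply landing in the same second as the previous one is still detected.
function thread_etag(PDO $db, int $topic_id): string {
    $stmt = $db->prepare(
        'SELECT COUNT(*), COALESCE(MAX(posted), 0) FROM posts WHERE topic_id = ?'
    );
    $stmt->execute([$topic_id]);
    [$count, $latest] = $stmt->fetch(PDO::FETCH_NUM);
    return md5($count . ':' . $latest);
}

// Viewing the thread: send the fingerprint as an ETag, answer a matching
// If-None-Match with 304, and embed the same value in the reply form.
function render_thread_form(PDO $db, int $topic_id): void {
    $etag = thread_etag($db, $topic_id);
    header('ETag: "' . $etag . '"');
    $if_none_match = trim($_SERVER['HTTP_IF_NONE_MATCH'] ?? '', '" ');
    if ($if_none_match === $etag) {
        http_response_code(304);
        return;
    }
    echo '<input type="hidden" name="etag" value="' . $etag . '" />';
}

// Submitting the reply: strict string comparison, so PHP's loose "=="
// cannot treat two numeric-looking hashes as equal.
function reply_is_stale(PDO $db, int $topic_id, string $submitted): bool {
    return $submitted === '' || thread_etag($db, $topic_id) !== $submitted;
}

function handle_reply(PDO $db, int $topic_id): void {
    $submitted = (string)($_POST['etag'] ?? '');
    if (reply_is_stale($db, $topic_id, $submitted)) {
        echo 'There have been replies in this thread since you started writing yours.';
        // Show the new replies here and keep the user's text in the form.
        return;
    }
    // Save the reply and redirect back to the thread as usual.
}
```

A cached copy of the thread page that is still valid (304) also carries a still-valid token, so the ETag and the lost-update check stay consistent with each other.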
3 2007-07-06 09:57
Topic: GoPHP5! (0 replies, posted in Feature requests)
I hope PunBB can join the GoPHP5 initiative so the worldwide PHP developer community can stop developing on PHP4 and give the ISPs a good incentive to upgrade to PHP5.
4 2007-05-27 13:48
Re: For All Those Using Dreamhost (11 replies, posted in PunBB 1.2 troubleshooting)
Okay, looking forward to seeing how it'll work.
5 2007-05-26 01:42
Re: For All Those Using Dreamhost (11 replies, posted in PunBB 1.2 troubleshooting)
Good to see that it's planned. I could provide a patch that implemented it, if I could just receive instructions on how to contribute it. And I agree that modifying $_GET is a hack.
6 2007-05-24 09:40
Re: For All Those Using Dreamhost (11 replies, posted in PunBB 1.2 troubleshooting)
Because of the overhead in doing an HTTP request, how about modifying the extern.php script so that it can be included via the file system more easily (as well as over HTTP)? What needs to be done is declaring variables (at the top of the file, preferably) and then initializing them based on either $_GET[] or other variables (or a keyed array) defined outside of extern.php. This way, extern.php can be included like this:
$extern_params = array(
"action" => "new",
"show" => 8,
"fid" => array(8, 9, 10, 11)
);
include("./forum/extern.php");
Then extern.php can check if $extern_params exists and if it does, get the values from it instead of from the $_GET[] array. Should be an easy fix and I would love to provide the code myself, but I don't know how to contribute.
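One way the top of extern.php could pick its parameter source and validate it, as an added example that is not PunBB's own code: the same checks run whether the values came from $extern_params or from the query string, so the file-system include path cannot bypass them. The action names, the default of 15 items, the cap of 50 and the comma-separated form of fid over HTTP are assumptions.

```php
<?php
// Added example, not PunBB's own code: extern.php taking its parameters from
// a caller-supplied $extern_params array when included from the file system,
// and from $_GET when requested over HTTP, with one validation path for both.
// The action names, limits and the "8,9,10" form of fid are assumptions.

// fid arrives as "8,9,10" over HTTP, but an including script may pass an array.
function normalize_fid($value): array {
    $ids = is_array($value) ? $value : explode(',', (string)$value);
    $ids = array_map('intval', $ids);
    $ids = array_filter($ids, function ($id) { return $id > 0; });
    return array_values(array_unique($ids));
}

function resolve_extern_params(array $source): array {
    $allowed_actions = ['active', 'new', 'feed', 'online', 'stats'];
    $action = (string)($source['action'] ?? 'active');
    if (!in_array($action, $allowed_actions, true)) {
        $action = 'active';
    }
    // Clamp the item count so neither source can request a huge result set.
    $show = max(1, min(50, (int)($source['show'] ?? 15)));
    $fid = isset($source['fid']) ? normalize_fid($source['fid']) : [];
    return ['action' => $action, 'show' => $show, 'fid' => $fid];
}

// Top of extern.php: an including script defines $extern_params before the
// include; over HTTP it is undefined and the query string is used instead.
$source = (isset($extern_params) && is_array($extern_params)) ? $extern_params : $_GET;
$params = resolve_extern_params($source);
// $params['action'], $params['show'] and $params['fid'] now drive the rest
// of extern.php regardless of how it was invoked.
```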
7 2007-04-17 08:34
Topic: The Inner Circle: World of Warcraft guild forum (1 replies, posted in PunBB 1.2 show off)
My World of Warcraft guild, The Inner Circle, uses PunBB as its forum software, because it's the best forum software available!
8 2007-04-01 02:45
Re: Bug in default templates (6 replies, posted in PunBB 1.2 bug reports)
Paul, I just posted the example and the idea itself because I found it neat to be able to process and produce PunBB templates in an XML ecosystem, for example with XSLT. I don't have a particular uncatered-for use case up my sleeve at this very instant, so it's hard to argue for this feature's inclusion. If it's hard to implement, then by all means don't.
9 2007-03-30 10:01
Re: Bug in default templates (6 replies, posted in PunBB 1.2 bug reports)
Oh, looking at those templates, I see that the PunBB element syntax has moved from <tag> to <!-- tag -->. I'm not sure that's an improvement. An even better and more XML-esque option would be to introduce a namespace in the XML and use elements and attributes in that namespace instead. The main PunBB template would then look like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:pun="http://punbb.org/2007/ns" pun:attr="local">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <pun:fragment id="head" />
  </head>
  <body>
    <div pun:attr="page">
      <div id="pun-head" class="a-section a-all">
        <pun:fragment id="skip" />
        <pun:fragment id="title" />
        <pun:fragment id="navlinks" />
      </div>
      <div id="pun-intro" class="a-section a-all">
        <pun:fragment id="visit" />
        <pun:fragment id="crumbs" />
      </div>
      <pun:fragment id="announcement" />
      <div class="divider"><hr /></div>
      <pun:fragment id="main" />
      <div class="divider"><hr /></div>
      <pun:fragment id="stats" />
      <div id="pun-foot" class="a-section a-all">
        <pun:fragment id="crumbs" />
        <pun:fragment id="about" />
      </div>
      <pun:fragment id="debug" />
    </div>
  </body>
</html>
It's a bit harder to parse for the PunBB parser, but since the templates don't change very often, this can be done on a when-changed basis, so it doesn't have to hurt performance. What it gives is templates that are truly well-formed XML and thus can survive and be used in an XML ecosystem without any problems.
Let me hear what you think and if you've thought about this at all!
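What the "harder to parse" part could look like, as an added example that is not PunBB's own code: a DOMDocument/XPath renderer that swaps each pun:fragment element for its markup and strips the pun:attr markers. The namespace URI and element names are taken from the post; the cut-down template and the fragment contents are constructed placeholders.

```php
<?php
// Added example, not PunBB's own code: rendering a template written with the
// proposed pun: namespace using DOMDocument and XPath. The namespace URI and
// element names come from the post; the template below is a cut-down,
// constructed copy and the fragment contents are placeholders.

const PUN_NS = 'http://punbb.org/2007/ns';

function render_pun_template(string $xml, array $fragments): string {
    $doc = new DOMDocument();
    $doc->loadXML($xml); // the template has to be well-formed XML
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('pun', PUN_NS);

    // Swap each <pun:fragment id="..."/> for its rendered markup, parsed as
    // XML so the output stays well-formed; unknown ids render as nothing.
    foreach (iterator_to_array($xpath->query('//pun:fragment')) as $node) {
        $markup = $fragments[$node->getAttribute('id')] ?? '';
        if ($markup === '') {
            $node->parentNode->removeChild($node);
            continue;
        }
        $frag = $doc->createDocumentFragment();
        $frag->appendXML($markup);
        $node->parentNode->replaceChild($frag, $node);
    }
    // Strip the pun:attr markers; the unused xmlns:pun declaration remains.
    foreach (iterator_to_array($xpath->query('//*[@pun:attr]')) as $el) {
        $el->removeAttributeNS(PUN_NS, 'attr');
    }
    return $doc->saveXML();
}

// Constructed sample: a cut-down version of the template in the post.
$template = <<<XML
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:pun="http://punbb.org/2007/ns" pun:attr="local">
<head><pun:fragment id="head" /></head>
<body><div pun:attr="page"><pun:fragment id="main" /><pun:fragment id="debug" /></div></body>
</html>
XML;

// Fragments declare the XHTML namespace so they merge into the document cleanly;
// "debug" has no content here and is simply dropped.
echo render_pun_template($template, [
    'head' => '<title xmlns="http://www.w3.org/1999/xhtml">Forum</title>',
    'main' => '<p xmlns="http://www.w3.org/1999/xhtml">Hello, forum.</p>',
]);
```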
10 2007-03-30 09:43
Re: Bug in default templates (6 replies, posted in PunBB 1.2 bug reports)
Ah, voila! Excellent!
11 2007-03-29 14:06
Topic: Bug in default templates (6 replies, posted in PunBB 1.2 bug reports)
PunBB has a minor bug in the default XHTML templates. The 'html' element is missing the required 'xmlns' attribute. The HTML Validator doesn't report on this, because it has some XML limitations, mostly because it validates based on the XHTML 1.0 DTD, which doesn't notice the missing 'xmlns' attribute.
In the upcoming version of the W3C HTML Validator, it will be able to notice the missing 'xmlns' attribute and thus render all existing PunBB installations "invalid". Read more about that here. Thus I would suggest including the 'xmlns' attribute in the default templates.
I'd also vote for inclusion of the 'xml:lang' and 'lang' attributes, so the language used in the forums is specified (if that information is available somewhere, that is).
12 2007-02-21 10:24
Re: Rss Button (12 replies, posted in Feature requests)
Yea, that's one way of visualizing it. It looks like a website, though, which is only one of many ways to create an Atom client. Many clients are desktop applications that you use like regular e-mail clients, and they can visualize it in many different ways. But I think you get the idea now. Declaring the relationship between the posts makes it possible to follow the relationship back and forth, collect more data and do all sorts of cool stuff with it.
13 2007-02-12 20:49
Re: Rss Button (12 replies, posted in Feature requests)
The point of having the relationship between original posts and replies explicitly asserted with Atom Threading Extension is so that feed readers can thread the replies beneath a post correctly, even if the post has already been read. It can be useful when the topic has slipped the user's mind and a reply comes ticking in; he might want to look at the original post again, which he can if the feed reader knows which post the reply he's looking at is a reply to. Without ATE, that's not possible.
With threaded discussions, ATE is even more useful, but it has its benefits in flat discussions as those performed in PunBB as well. FYI, that RFC is as stable as it can get. It has its own RFC number (4685), which makes it "final" in the IETF. I don't have any statistics on how widely supported it is, but the more feeds that incorporate it, the more likely it is that we'll see feed readers implementing it as well. Being able to thread posts and replies is a much-wanted feature in feed readers, so I assume that we'll see implementations popping up in the near future.
14 2007-02-12 16:41
Re: Rss Button (12 replies, posted in Feature requests)
True, but the Atom Threading Extension gives a way to relate original posts and replies to each other, instead of just listing them all as a flat feed of (seemingly) unrelated entries.
15 2007-02-12 11:44
Re: Rss Button (12 replies, posted in Feature requests)
Looks lovely, guardian34! Could I ask you guys to have a swift look at Atom Threading Extensions as well? That would make it very well into a forum feed like this!
16 2007-02-12 11:31
Re: Feedback wanted on URL rewriting thing (124 replies, posted in PunBB 1.2 discussion)
We have this already in subversion. It still needs a bit of polish, but it's there.
What do you have in Subversion?
/posts/id
or
/posts/post_name_or_slug
?
17 2007-02-08 13:26
Re: Feedback wanted on URL rewriting thing (124 replies, posted in PunBB 1.2 discussion)
There are so many articles covering the fact that Cool URIs don't change, canonical URIs are more search-engine friendly, they are more user friendly and even more cacheable (most web caches ignore resources with query parameters) that I won't repeat them here.
I love that PunBB is implementing more "static" URIs in 1.3, but for future versions, it should include a "slug" field in the database for all GET-able resources (forums, posts, etc.) so that they can be requested with this slug instead of the ID. You'd need a separate field in the database for it, plus a sanitizing function that washes away all icky characters so the final slug is URI-friendly and readable. Such a function can be found in this WordPress plugin.
Please consider this! It would bring the already great forum to new heights compared to other (rubbish) forum software!
18 2007-02-08 13:14
Re: .htacces? (11 replies, posted in Programming)
Yea, the weird thing about it, guardian34, is that searching directly and yourself takes orders of magnitude less time than registering and posting on a forum, then waiting for the answer by pressing F5 continuously in the browser. I'm lost as to why people don't just search for themselves.
19 2007-02-08 11:11
Re: css and crap (9 replies, posted in Programming)
Can't you just put the image as a background-image on the element, and then use 'background-position: right top' or something similar to right-align it? That way, it will be right-aligned no matter the size of the containing element.
20 2007-02-08 11:07
Re: 3 column layout help! (15 replies, posted in Programming)
I can warmly recommend this A List Apart article which has some nice tricks for multicolumn layouts, plus tons of references to other techniques.
21 2007-02-08 11:06
Re: How would I be able to do this in CSS? (3 replies, posted in Programming)
What I'd advise you to do is to reference a PHP script as your stylesheet instead of a static CSS file. With some mod_rewrite magic, you could even name the file '.css'. Then you can just do whatever you want in the PHP code as long as you do 'header("Content-Type: text/css; charset=iso-8859-1");' and only output CSS code from the file.
22 2007-02-08 10:38
Re: Rss Button (12 replies, posted in Feature requests)
What about providing an Atom feed instead of RSS? Considering that the code PunBB produces is very neat and semantic (X)HTML, it would benefit from being syndicated in a format that embraces XML like Atom and does not mangle it up in CDATA sections or escaped mess like RSS.
I might even write this myself, when I think of it. I'll poke a bit around. Where do I ask questions for development on PunBB itself if I have any problems I need help with?
23 2007-02-08 10:35
Re: Beautiful auth API, for better integration (2 replies, posted in Feature requests)
Great that it's in the works. A couple of things you may investigate while adding this are using the Atom Publishing Protocol as the public posting API and OpenID for authentication. It would open up the possibilities of PunBB quite a lot and make it interoperable with a lot of software to come.