You are not logged in. Please login or register.
PunBB Forums → PunBB 1.2 modifications, plugins and integrations → Allow users to put widgets on profile pages
It would be cool if you could allow users to put widgets on their profile pages.
Would that be at all possible? Where should I start?
Is it as simple as adding a new field to the database + input form + call on profile view?
It would be cool if you could allow users to put widgets on their profile pages.
Would that be at all possible? Where should I start?
Is it as simple as adding a new field to the database + input form + call on profile view?
If you mean widgets as HTML codes, then it should be ok to do..
a new field to the database + input form + call on profile view? you will have to make it not parsed like regular posts and thus may contain HTML.
Of course, allowing arbitrary HTML is a huge security risk.
OK, is there a way to solve that security risk? How do others do it?
I'm not exactly sure what you mean by widgets, so I can't really answer your question 
I'm not a big widget user myself, so I only have a vague idea. I mean this stuff.
For example, there's a Digg widget, you get this code to put into a regular html page:
<script type="text/javascript" src="http://digg.com/tools/widgetjs"></script>
<script type="text/javascript" src="http://digg.com/tools/services?endPoint=/stories/popular&type=javascript&callback=diggwb&count=10"></script>I'd like to give users of my site the option to include these things, and RSS feeds etc., in their profile page.
I would not allow arbitrary javascript under any circumstances.
Smartys, I understand the safety concerns, but how do other sites do this? Are "widgets" always a security problem? Is it impossible to do right or are you just against widgets?
There's apparently a lot of debate on this issue:
FAQ: Widget Security
Yahoo Widgets Security Updates
I have to study up on widgets etc., but it seems a necessary part of where the web is going. You have to be able to syndicate/distribute parts of your site to other sites and let feeds, widgets, embedded video etc. from other sites into your site. Are there ways to do that with PunBB? Plugins perhaps?
BTW, PunBB's profile page is extremely old skool, with that list of IM providers and other things that just look silly. The profile section need a lot of customization to bring it closer to current users' expectations. Thame^'s profile picture upload is a great improvement. Allowing users to add widgets or RSS feeds from their blogs to their profile pages could really help bring the PunBB profile section up to date.
The security issue is that instead of adding a widget any user can add a javascript orany other executable script on which content you do not have any control. Therefore, it would be very easy to add a script to exploit potential security holes of your host
I understand that !! Sigh...
Others are doing it. Are there ways to solve the security issues? How does Facebook reduce the risks of Facebook apps? Could there be a smart way to achieve the same result without really opening it up? Would allowing users to add an RSS feed to their profile (with a little help from SimplePie) necessarily cause the same problems?
The savest would be to have no website at all of course.
the problem is not facebook securing its widget but the possibility to add a a fake widget to your site. You would have to check that the code added by users is a genuine facebook widget code for example. You would have to check the validity and integrity of each code added by the users. But to do so you have to know the code structure of each widget that your users may add.
BTW, PunBB's profile page is extremely old skool, with that list of IM providers and other things that just look silly. The profile section need a lot of customization to bring it closer to current users' expectations. Thame^'s profile picture upload is a great improvement. Allowing users to add widgets or RSS feeds from their blogs to their profile pages could really help bring the PunBB profile section up to date.
It's an O.S forum. You have the option, (and code), to do with it as you will. What you expect and what most require may be two very different things. Personally, I'd detest the profile page if it contained all the crap required, by default, to allow users to enter all the annoying contact/link details some of them wish to enter. They aren't needed. Period. If you want to add them, modify the code. What is already available is quite enough for most. The beauty of PunBB is the fact that it doesn't contain all the crud and bells and whistles that a lot of other forum software does. If you want shiny things and buttons to drool at, there are other forums available with all that useless bumph within the default install.
... It's an O.S forum. You have the option, (and code), to do with it as you will. What you expect and what most require may be two very different things. Personally, I'd detest the profile page if it contained all the crap required, by default, to allow users to enter all the annoying contact/link details some of them wish to enter. They aren't needed. Period. If you want to add them, modify the code. What is already available is quite enough for most. The beauty of PunBB is the fact that it doesn't contain all the crud and bells and whistles that a lot of other forum software does. If you want shiny things and buttons to drool at, there are other forums available with all that useless bumph within the default install.
PunBB has a lot of crud and bells and whistles that I'm currently trying to strip out of the code, like the obsolete IM networks clogging up the users table and "avatars", signatures, ability for users to change skins, etc. The interface for editing account info/profile is overly complicated, with meaningless menu items like "Essentials" and "Personality" - what does that mean?
Yes, I am modifying the code. That's why I asked this question, under the section Modifications. I'm stripping down the profile page to the bare minimum; picture, full name, email link. Widgets could theoretically be a way to keep the profile page simple and let users add stuff from outside as they see necessary. That is, if there are ways to make it safe and prevent it from becoming a mess.
the problem is not facebook securing its widget but the possibility to add a a fake widget to your site. You would have to check that the code added by users is a genuine facebook widget code for example. You would have to check the validity and integrity of each code added by the users. But to do so you have to know the code structure of each widget that your users may add.
OK, that makes sense. Forget about widgets then, but what about letting users add an RSS feed to their outside blog to their profile? That should be possible in combination with SimplePie, right? The user would only have to upload one line of php code and it should be possible to check they're not uploading anything else.
I'm not a coder, but I have a general idea how this could work. I want to try some things when I have time. Any suggestions/warnings are very welcome.
I understand that !! Sigh...
Others are doing it. Are there ways to solve the security issues? How does Facebook reduce the risks of Facebook apps? Could there be a smart way to achieve the same result without really opening it up? Would allowing users to add an RSS feed to their profile (with a little help from SimplePie) necessarily cause the same problems?
The savest would be to have no website at all of course.
http://wiki.developers.facebook.com/index.php/FBML
http://wiki.developers.facebook.com/index.php/FBJS
So in theory any Javascript should be safe, since it can't access information like document.cookie.
The best way I see is to have a predefined list of 'widgets' that users can select to add.
But it's overall a silly idea. If you need stuff like this, get a blog, not a forum profile.
... But it's overall a silly idea. If you need stuff like this, get a blog, not a forum profile.
Profile pages are the center of activity in the new generation of social networking sites. Blogs are not designed to sign up lots of members that all get their own profile page. That's why I made PunBB the central registration system for my site, because it's designed for lots of users and has profile pages. I'm just trying to figure out how I can bring the profile page more in line with what users have come to expect in 2007.
Profile pages are the center of activity in the new generation of social networking sites. [emphasis mine]
One issue is that PunBB is forum software, not social networking software. You of course are free to modify PunBB to give it the feel and functionality of a social networking site, but you might be better served seeking out a PHP project aimed specifically at a social networking site.
I tend to agree with pogenwurst. Forum functionality is really geared to organising topics with the details of posters being somewhat secondary and even, where guest posting is enbabled, totally irrelevant. When you think about it a forum will function perfectly without user profiles at all. Social Networking is a different thing alltogether with the system being centered around user identity. I'm not sure its a good idea to try and turn one into the other.
The problem with all these PHP scripts is that they all think they're the center of the universe. To get the functionality I need, I'm already trying to stitch scripts together: PunBB for forum, Wordpress for blog, some script I bought for event/RSVP, etc.
Templating and language systems make combining scripts really hard, beyond the obvious issues like integrating registration. PunBB is now the center of my site. I managed to get PunBB's registration working with some of my other scripts.
I don't want to turn my site into a full-fledged social networking site. The social networking scripts I've tried were all very inflexible. I want to keep my profile pages extremely basic. PunBB already has all I need for a basic profile page, it's just organized in a non-standard, overly complicated way with unnecessary elements like the obsolete IM list.
So I'm not asking for expansion of PunBB's profile pages! My question was about widgets or ways to let users put RSS feeds on their profile page.
The wave of the near future will probably be portable profiles (and blogs) that you can "plug in" to other sites. See also Profilebuilder.
PunBB Forums → PunBB 1.2 modifications, plugins and integrations → Allow users to put widgets on profile pages
Powered by PunBB, supported by Informer Technologies, Inc.