SPIP commits

Subscribe to RSS feed

Security vulnerabilities found in SPIP version 1.9.2, SPIP 2.0 and SPIP 2.1

, , , ...

Hello,

The flaw on the version 1.9.2 is major (sql injection) and if you have a version 1.9.2 to SPIP, we strongly recommend to update to the version 1.9.2.k.

On versions 2.0 and 2.1, the impact on the site is less important (full path disclosure), but we recommend to update in 2.0.16 and 2.1.11.

In any case you always have the opportunity to protect rapidly your site (until its complete updated) by downloading the security screen version 1.0.5 (July 26, 2011), and dropping it in your config directory (see http://www.spip.net/en_article4201.html).

Feel free to use the various resources available to the community (http://boussole.spip.org) for assistance during this updated, in particular:
- Spip-user list http://listes.rezo.net/mailman/listinfo/spip
- English Spip-user list http://listes.rezo.net/mailman/listinfo/spip-en
- Forum http://forum.spip.org/
- IRC http://spip.net/irc


Warning:
-----------------------

Note that when the version 3.0 will be released, the support for the branch 1.9.2 will be abandoned.


How to update?
-----------------------

1. spip_loader.php:
If you have already installed spip_loader, go to the address
http://YOUR_SITE_URL/spip_loader.php to install SPIP 2.1.11

2. by copying the files:
SPIP 2.1.11 is available at http://files.spip.org/spip/stable/spip.zip
SPIP 2.0.16 is available at http://files.spip.org/spip/archives/SPIP-v2-0-16.zip
SPIP 1.9.2k is available at http://files.spip.org/spip/archives/SPIP-v1-9-2k.zip

3. SVN:
If you are in the 2.1 branch just do a
svn up svn://trac.rezo.net/spip/branches/spip-2.1
the version 2.1.11 is also available in the industry:
svn://trac.rezo.net/spip/branches/spip-2-stable/
and under the tag
svn://trac.rezo.net/spip/tags/spip-2.1.11/

Post Scriptum:
-----------------------

We remind everyone that the best way to report faults or suspected faults is to send an email to spip-team@rezo.net. This is what did Lawrence Esthieux (TEHTRI-Security) and we thank him.

source: http://www.spip-contrib.net


! #SPIP : Yet Another Vulnerability Corrected

, ,

spip 2.1.10 is out, and correct a vulnerability that enabled a connected author to disconnect the website from its database. I'm curious to see exactly how it can be precisely exploited wink

The original announce : http://www.spip-contrib.net/Mise-a-jour-de-securite-SPIP-2-1-10

What can we think about the recent succession of releases that correct such flaws ? I think this is a good thing, it's a sign that SPIP can interest some hackers and is not only for people who don't understand anything to PHP. And whatever SPIP has still less known security bugs than other best-know CMS, so there is still a lot of work to do !

! Important security patch for SPIP : please upgrade your version or install the security screen

, , ,

Hello,

the SPIP team (thank you again Arnault) have discovered a security hole in SPIP, allowing an injection of cross-site-scripting (XSS).

The error dating back more than five years (it was introduced October 8, 2005), it is clear that ALL versions of SPIP are affected.

To secure your site, simply update the file 404.html (and for some templates 401.html), located in the directory:
dist/ in SPIP version 1.9
squelettes-dist/ in SPIP version 2.0 or 2.1
extensions/dist_2007/ in the dev version
and also in your templates (ex. zpip)

If you have customized this template, the fix is simply to remove star and filter to transform the expression
#ENV*{erreur}|propre
into #ENV{erreur}.

We remind everyone that the best way to inform us of vulnerabilities is to send an email to spip-team@rezo.net.

Feel free to use the following means available to get help with this migration:
spip-user list: http://listes.rezo.net/mailman/listinfo/spip
The english list: http://listes.rezo.net/mailman/listinfo/spip-en
Forum: http://forum.spip.org/
irc: http://spip.net/irc


How to upgrade?

As usual, several possibilities for the update:

1. security screen: if you do not have time to do it now a full update, you can secure your site in two minutes by downloading the 1.0.1 version of the security screen, and copy it in config/
cf. http://www.spip.net/en_article4201.html

2. by spip_loader.php: If you installed spip_loader, go to the address http://YOUR_WEBSITE_URL/spip_loader.php to install SPIP 2.1.9

3. FTP: SPIP 2.1.9 is available at http://files.spip.org/spip/stable/

4. and of course by SVN, just do svn up

in the 2.1 branch: svn://trac.rezo.net/spip/branches/spip-2.1
in the stable branch: svn://trac.rezo.net/spip/branches/spip-2-stable/
on the tag: svn://trac.rezo.net/spip/tags/spip-2.1.9/

For older versions, we did a zip for 1.9.2j and 2.0.14 that can be found on http://files.spip.org/spip/archives/


-- news freely translated from the official announcement --

Howto : display the articles despite their status

, , ,

The loop ARTICLES returns by default the articles that are published and that are not "post-dated".

As the documentation says, you can force this restriction, with the criteria {statut} :

Basic usage of the criteria {statut}
criteria status of the articles
{statut=prepa}
{statut=prop}
{statut=publie}
{statut=refuse}
{statut=poubelle}
editing in progress
submitted for evaluation
published online (post-dated or not)
rejected
in the dubstin

{statut IN prop,prepa,publie,refuse,poubelle} returns every articles, post-dated or not.

You can also use advantageously the conditional filter :

{statut ?} indicates to SPIP not to take into account the status of the article :

<BOUCLE(ARTICLES){statut?}>
  // Articles that has been published, are in the dubstin, etc..
</BOUCLE>

Like this, it doesn't return the post-dated articles. The filter {tout} suppresses this restriction.

<BOUCLE(ARTICLES){statut?}{tout}>
  // Same result as above, plus the published-in-the-future articles
</BOUCLE>

SPIP 2.1 : Known incompatibilities

,

As with any major version change, updating to SPIP 2.1 involves some incompatibilities with previous versions. The necessary changes are easy to make:

  • In loops, the names of non-SPIP SQL tables need to be written exactly, respecting Upper/Lowercase lettering, and not in capital letters:
    Thus <BOUCLE_a(MyTable )..., and not <BOUCLE_a(MYTABLE)...,
    <BOUCLE_a(my_info)... instead of <BOUCLE_a(MY_INFO)....
  • The (already obsolete) filter |reduire_image is replaced by |image_reduire).
  • include_spip("inc/filtres_images"); needs to be added in php scripts which contain functions using image filters.
  • Use the updated files in the directory ecrire/url/ as a basis for writing customised URL scripts.
  • The pipeline creer_chaine_url is replaced by more specific pipelines: propres_creer_chaine_url, arbo_creer_chaine_url , ...
  • A brace stuck to a tag is now considered to be providing arguments to this tag.
    Example: in a style sheet: .rub_#ID_RUBRIQUE{font-size: 1.2em;} will not work
    you must separate the brace: .rub_#ID_RUBRIQUE {font-size: 1.2em;}.
    or use the full notation for the tag: .rub_[(# id_rubrique)]{font-size: 1.2em;}.
  • jQuery calls of the type $("input[@name=firstname]"), which were already obsolete in jQuery 1.3, no longer work with the version (1.4.2) used by SPIP 2.1. This must must now be written: $("input[name=firstname]").
  • The syntax #SET{variable,} will no longer work to define a variable as empty. Instead, #SET{variable,''} should be used.
  • For plugins, the empty declaration <fonctions></fonctions> in the file plugin.xml is no longer accepted.
  • To use a specific function of a plugin only if the plugin is activated (and if not, do nothing) you must now write: [(#BALISE|appliquer_filtre{specific_function})] instead of: [(#BALISE|specific_function)] which will generate an error.

LOGO_DOCUMENT : How to use it with SPIP 2.1

, , , ...

Changes beetween 2.0 and 2.1
until SPIP 2.0 in SPIP 2.1 and after
[(#LOGO_DOCUMENT|#URL_DOCUMENT)]
[(#LOGO_DOCUMENT|fichier)]
[(#LOGO_DOCUMENT|lien)]
[(#LOGO_DOCUMENT|left)]
[(#LOGO_DOCUMENT||image_reduire{80,60})]
[(#LOGO_RUBRIQUE||texte_script)]
[(#LOGO_DOCUMENT|left|image_reduire{80,60})]
[(#LOGO_DOCUMENT{80,60}|left)]
#LOGO_DOCUMENT{#URL_DOCUMENT}
#LOGO_DOCUMENT**
#LOGO_DOCUMENT*
#LOGO_DOCUMENT{left}
#LOGO_DOCUMENT{80,60}
#LOGO_RUBRIQUE{texte_script}
#LOGO_DOCUMENT{left,80,60}
#LOGO_DOCUMENT{80,60,left}
  • #LOGO_DOCUMENT** : The picture file name (ex. doc123.jpg)
  • #LOGO_DOCUMENT* : The relative url of the picture file name (ex. IMG/doc123.jpg)
  • #LOGO_DOCUMENT{left} : 'left' isn't a standard filter. It only modifies the position of the logo in the generated HTML code. It can be either 'left', 'right', 'top', 'bottom'. They can combine together (for ex. #LOGO_DOCUMENT{top,left})
  • #LOGO_RUBRIQUE{texte_script} : with this new form, double-pipes are not necessary for a standard filter
  • #LOGO_DOCUMENT{left,80,60,text_script} : arguments can be combined, the order doesn't matter. With one exception : the first number is the width of the generated picture, the second number is it's height. Of course, if there is only one number, this follow the comportement of 'image_reduire' : the height and width of the picture are both less than this number.

SPIP 2.1 has been released yesterday !

,

This year’s version is looking good! It has been extensively tested and has benefited from a wide range of unit tests to make the programming more secure. Version 2.1 takes a first step towards splitting SPIP’s functions into modules. The new directory, “extensions” is a sign of this. The plugins in this directory are enabled automatically when SPIP is installed and cannot be disabled. This opens the way for the creation of specific SPIP distributions.

The main improvements of version 2.1

-  Faster:

  • Better management of disk access
  • Caching of calculated paths
  • Improvements and extension of the virtual SQL Server

-  More secure:

  • Sha256 on passwords and actions
  • Checking of the correct behaviour of .htaccess files
  • Automatic detection of SPIP updates

-  Better appearance:

  • Integration (as an extension) of the plugin "porte_plume" which helps with the editing of text fields and offers a preview while editing.
  • A GUI which is lighter and more elegant.
  • The editing area accepts graphical themes (such as those of the plugin "themes_interface_privee").
  • Better management of the size of text fields (conditional sizing).
  • Management (completely configurable) PNG24 transparency for MSIE6 on the public site.
  • New interface for managing plugins.
  • Updated procedures for backing up and restoring a site’s database.
  • Handling of URLs with accented characters by setting _TRANSLITTERER_URL to “false” (check the server configuration).

-  More up-to-date:

  • Compatibility with PHP 5.3.
  • jQuery updated to version 1.4.2.
  • Integration of pclzip version 2.8.2.

-  Slimmer:

  • A first set of core features have become “extensions”: compressor (js, css, html), porte-plume (toolbar), filters for images and colours (image processing), safehtml (security for forums and petitions), support for older browsers (via IE7.js).

-  More extensible:

  • New entry points for plugins.
  • New interface for managing of plugins with an associated directory (ecrire/plugins).
  • Plugins can be installed in one or more other directories if defined by the constant _DIR_PLUGINS_SUPP (makes pooling - mutualisation - easier).
  • The online help can be extended to include customised sections with automatic management of their translations.

-  Better structured:

  • Implementation of an authentication API.
  • Improvement of the LDAP interface.
  • A recasting of the notification API.
  • Standardisation of the #LOGO_ tags: parameters are now passed between braces and "double pipes" become obsolete (but still functional).
  • New tags and functions: #BOUTON_ACTION, |balise_img, |couleur_luminance (similar to |couleur_saturation but acting on the luminous intensity of the color).
  • Dynamic tags (of the type #FORMULAIRE_) can now work with values that are only calculated during compilation.

-  Easier to debug:

  • Improved debugger is now able to indicate the faulty line in a template.
  • Debugger now gives information on the exact location of the possible misuse of dynamic tags.
  • The debugger API is more flexible (more ways of calling it and customising it).
  • Improved include mode (?var_mode=inclure) which shows the various inclusions (integration with the Skeleditor plugin to overload and edit templates online).
  • Possibility of overloading the spip_log() function.

-  More geek:

  • Compiler provides better separation between the phraser and the abstraction hierarchy, thus allowing for new syntax (for the brave).
  • Reappearance of a complete and adjustable de-compiler for creating and testing new syntax.
Original Article: http://www.spip.net/en_article4729.html

[15196] SPIP uses sha256 instead of md5

Great news ! Passwords are better protected with this stronger encryption algorithm.

Tip of the day : see every errors in SPIP

,

found on irc (#spip on freenode) :

<marcimat> you have to puts initialisations in your php.ini or in your mes_options.php to see all errors :
<marcimat> error_reporting(E_ALL^E_NOTICE);
<marcimat> ini_set ("display_errors", "On");
<marcimat> define('SPIP_ERREUR_REPORT',E_ALL^E_NOTICE);
<marcimat> define('SPIP_ERREUR_REPORT_INCLUDE_PLUGINS',E_ALL^E_NOTICE);
<marcimat> you can also install the php xdebug librairie

Read more...

Howto combine two loops with "anti-doublons"

, ,

The documentation of {doublons} explains how this criterion, like {unique}, enables you to exclude some elements from the results of a query. However, {doublons} can do much more than that : like {unique}, it stores in an array the results from successive loops. But, with {doublons}, this array can be re-used later in another loop, thanks to a special criterion : {!doublons} (named "anti-doublons") Example : BOUCLE2 displays in a chronological order the titles of the articles that are either tagged with the keyword number 2, OR that has been writen by the author number 1.
<BOUCLE0(ARTICLES){id_mot=2}{doublons A} />
<BOUCLE1(ARTICLES){id_auteur=1}{doublons A} />
<BOUCLE2(ARTICLES){par date}{!doublons A}>#TITRE<br></BOUCLE2>

[11582] Howto redefine a single function

, ,

This commit introduced a functionality that is used everywhere, especially with CVT forms :

Every functions xxx_yyy_zzz() can be defined in a unique file xxx/yyy.php.

Application in CVT : formulaires_yyy_charger(), formulaires_yyy_verifier(), and formulaires_yyy_traiter() can be defined in a unique file formulaires/yyy.php (which uses the template formulaires/yyy.html)

What I've discovered is that the functions can be independently overwritten by the same function defined in xxx/yyy/zzz.php !

Used with the function search path, this can be really usefull when you want to override a general plugin (such as Agenda).

Read more...

[13993] several arguments in #INCLURE or #MODELE

, , ,

#INCLURE and #MODELE accept several parameters : the syntax used for it was #INCLURE(a){b}{c}. This syntax has been introduced in spip1.9.1. We can also read on the official documentation :


Models are not restricted to shortcuts within the text of articles. They can also be called from within a template by using the tag #MODELE{model} or [(#MODELE{model}{p1=thing,p2=whatsit}{p3=etc}|filter...)]. But this is less new, because it is equivalent to a (static) inclusion of another template (already made possible by the tag #INCLURE).

However it was quite buggy and not really homogeneous. For ex. a few abnormal differences were found between #MODELE{my_model, ..} and #INCLURE(fond=modeles/my_model){..}. Now, the codes with parenteses and/or several braces delimited blocks are considered as deprecated : You should write instead #INCLURE{a,b,c} and #MODELE{a,b,c}. The old syntax is still accepted. Ex.:
#INCLURE(fond=inc-header){type=test}{env}
#INCURE{fond=inc-header, type=test, env}
#MODELE{img,lien=article5,class=logo,align=left,lien_class=important}
You can also calculate these parameters with other static content (like tags, #MODELE and #INCLURE) :
#INCLURE{fond=inc-[(#ENV{skel}|secu)]}
#MODELE{img,lien=article5,class=logo_#LANG_LEFT,align=#LANG_LEFT}
Parentheses, brakets and filters can also be used to display elements only where #INCLURE returns a content : Ex. :
[Lastest articles in the feed #FEED_TITLE : 
  <ul>
  (#INCLURE{fond=rss-read, url=#FEED_URL, date=#DATE}|extract_post_titles)
  </ul>
]
Edit : The first argument of an INCLURE can be calculated. The common syntax indicates that filters require parentheses. But, for reason of compatibility, the following simplified syntax is accepted :
[(#INCLURE{#CHEMIN{spip_style.css}|url_absolue_css}|compacte_css)]

Read more...

Creating custom tags for SPIP

, , , ...

On its blog, Thomas Sutton describes how to create your own static SPIP tags.

The SPIP template language has two constructions: loops (which determine the objects to be “output”) and tags (which actually output particular values). The reasonably simple syntax of tags — most look like ”#THE_TAG” — belies their power and flexibility and the ease with which we can use them to extend SPIP with additional features and integrate it with other PHP-based packages.

It's post is really well documented. I love the way Thomas precisely explains how all this stuff really works !

So I advise you to read the complete post on it's website : http://passingcuriosity.com.

height and width of embedded documents

,

The doc model accepts two arguments, 'hauteur' (height) and 'largeur' (width).
They will reduce the size of the visual.

in your articles, use
<docxx|largeur=150>

and for the templates
#MODELE{doc,id_document,largeur=150}

Read more...

The latest filters and pipelines for programmers

, , , ...

The SPIP team is really active and improve it regularly.
Here is a list of new functions that can help you develop plugins :

supprimer_objets_lies ( array($type, $id) ) :
Type : pipeline
Removes the objects of plugins linked to core objects (used when these core objects are deleted)

// http://doc.spip.org/@action_editer_message_post_supprimer
function action_editer_message_post_supprimer($id_message) {
        sql_delete("spip_messages", "id_message=".sql_quote($id_message));
        sql_delete("spip_auteurs_messages", "id_message=".sql_quote($id_message));
        pipeline('supprimer_objets_lies',array(
                array('type'=>'message','id'=>$id_message)
        ));
}


optimiser_sansref ($table, $id, $sel) :
This pipeline is called in genie/optimiser.php
It completes the removal process of orphelin objects.
(dead links between tables, that results from the suppression of articles, authors, etc)

example :
/**
 * Optimizes the database by removing orphelins forums
 *
 * @param int $n
 * @return int
 */
function forum_optimiser_base_disparus ($n){
       # detect forums that are linked to an id_rubrique that doesn't exist anymore
       $res = sql_select("forum.id_forum AS id",
                       "spip_forum AS forum
                       LEFT JOIN spip_rubriques AS rubriques
                         ON forum.id_rubrique=rubriques.id_rubrique",
                       "rubriques.id_rubrique IS NULL
                        AND forum.id_rubrique>0");

       $n+= optimiser_sansref ('spip_forum', 'id_forum', $res);
       
...
       
       return $n;
}



filtre_lien_ou_expose ($url, $text, $on=false, $class="", $title="", $rel="") :
This filter creates a link or a tag <strong class='on'>
note : class, title and rel are optional
usage ; [(#URL|lien_ou_expose{texte,condition_selection_on,class,title,rel})]
example : [(#GET{self}|parametre_url{type,public}|lien_ou_expose{<:onglet_messages_publics:>,#ENV{type,public}|=={public}})]


filtre_balise_img ($img, $alt="", $class="") :
This filter creates an <img> tag
usage : [(#CHEMIN{monimage.png}|balise_img)]
(the opposite of filtre_fichier())


filtre_icone ($link, $text, $template_name, $align="", $function="", $class="") :
This filter is a shortcut for creating icons in the templates of the private area
usage : [(#URL|icone{text,template_name,align,function,class})]

test_plugin_actif ('prefix_of_the_plugin') :
This function tests if a plugin is activated and returns a boolean.

[13583] LOGO_GROUPE

[13583] adds a logo to keyword groups

Read more...

Top 20 most used SPIP plugins (and a few more)

, , ,

This is not a fresh news, but I've just read a mail that Pat sent on SPIP-ZONE.

It give the complete records of the most used plugins, at the begining of October.
It have been calculated with the websites declared on spip.net and some other sites.

Thanks Pat for your job !

So, ladies and gentlemen, the top 20 most used plugins are :
- cfg (821)
- thickbox1 (735)
- couteau_suisse (731)
- barretypoenrichie (633)
- forms (624)
- spiplistes (503)
- crayons (501)
- wcalendar (474)
- agenda (473)
- player (453)
- sitemap (443)
- accesrestreint (360)
- rechercheetendue (281)
- corbeille (261)
- typoenluminee (252)
- article_pdf (237)
- actijour (212)
- balisesession (190)
- gestiondocuments (168)
- enviar_email (160)
- boutonstexte (149)

.. Do you want to see more ? Just read the complete article smile

Read more...

[13480] Search for a complete expression between quotes

With this commit, SPIP can search an expression composed of a group of words.

EX.:
2.0 SPIP
will return anything that contains 'SPIP' and '2.0' in any order

"2.0 SPIP"
will return anything that contains exactly this expression

! SPIP2.0 (and SPIP1.92f) released

, , ,

For more details :
http://www.spip.net/fr_article3784.html

A little changelog for SPIP2.0 :
- Translation in asturiano, Burmese, Khmer (Kampuchean), Indonesian, Swedish
- Unified private interface using AJAX
- Programming interface for SQL Server (MySQL, Postgres, SQLite)
- New forms for use on the site in public and private area
- Improved interface for documents and forums (documents joints possible)
- Access to several databases from a single skeleton
- Models and pagination in AJAX by simply adding a new criterion
- Hierarchical URLs (like: http://www.example.com/sector/section1/subsection2/article_name)
- Automatic compaction of CSS and javascript files
- Amelioration of the filter system and automatic installer
- And more...

Modifications between 1.9.2e of 13 September 2008 (svn [12624])
and 1.9.2f of 10 December 2008 (svn [13443]):

- Correction of a spelling error in the language list
- Correction of the criteria {par multi titre} in MySQL 5 and utf-8 (alphabetical sorting correct even with accented characters)
- Correction of the RSS of del.icio.us
- Unification of the calculation of the date of publication (now in php) in case of time lag between php and sql
- Optimization of SQL (use of the MySQL requests cache)
- Protection of redirects urls (not < or ")
- Corrections of Ukrainian
- Fix of a security problem

Howto avoid the automatic compression of your scripts ?

, ,

SPIP is fantastic because it can automatically merge and compress the css and javascript files.

But sometimes it can crash our scripts (especially if some parameters are stored inside). To solve it, just change, in your template, the type of your script. Instead of "text/javascript" use "application/javascript"

<script type="application/javascript">'.$gmap_script.'</script> <script type="application/javascript" src="'._DIR_PLUGIN_GEOMAP.'js/customControls.js"></script>';

[13008] Creation of an API for footnotes

, ,

Until now, all the treatment of footnotes was included in inc/texte.php.
This commit creates a separate file, inc/note.php, dedicaced to them.

Consequence : it's possible for a plugin to customize the code generated for footnotes

Read more...

[13014] Howto make an action executable inside the public area ?

, , ,

Until now, it was impossible if the arguments where passed in the url.

[12798], however, made it possible with a POST : The 4th arg of generer_url_action forces the production of an URL executable in the public area, even if it should use a POST (it's also the case for redirige_par_entete).

With this commit, an additional boolean parameter, $public, has been added to some functions to make them work in the public area : generer_form_action, and securiser_action_auteur

What does SPIP do (with or without plugins) ?

, , ,



Drag the map to navigate inside the functionnalities.
This mind map will be translated soon.

The original version on MindMeister is available here :
http://www.mindmeister.com/maps/show_public/11093093

Here is a printable version in PDF (A3 format) :
SPIP___fonctionnalites_(natives_ou_par_plugin).pdf

A small list of code tips for SPIP

, ,

Howto detect if a plugin is activated :
1. PHP : if (defined('_DIR_PLUGIN_XXX')){ /* My action for this plugin */ }
2. SPIP1.9.2 : [(#EVAL{DIR_PLUGIN_PREFIX}|?{' ',”}) My action for this plugin ]
3. SPIP2.0 : [(#PLUGIN{XXX}) My action for this plugin ]

Howto do not display the admin toolbar in the public area :
Put at the first line (with #CACHE) : [(#HTTP_HEADER{Content-type: text/html[; charset=(#CHARSET)]})]

Howto replace any text with an image :
[(#REM|=={''}|?{My beautifull text}|image_typo{police=Victor.ttf,taille=14,largeur=150})]

Howto directly link an element :
<a href="#URL_ARTICLE{54}">Link</a>

Howto get the articles that are tagged with a keyword :
Instead of using the keword id, you can directly refere to it's value :
<BOUCLE(ARTICLES){titre_mot=we love America}>#TITRE</BOUCLE>

And you :
Which are the best code tips that you use ?

[12429] Use whatever url you like !

,

Don't use generer_url_{article, auteur, breve, mot, rubique, site} : these functions are obsolete, and should be replaced by the unique function
generer_url_entite($id='', $entity='', $args='', $anchor='', private='', $type='')

For example, generer_url_entite($id, 'article', $arg, $anchor) replaces generer_url_article($id, $arg, $anchor).

But what makes the difference ?

The 5th argument determinates if the generated url is private ou not, whatever the context (if it's for ex. called from a filter or a plugin in the private area).

But more important, the 6th argument specifies the url type you want to produce : it overwrites the global variable type_urls ! Now you can mix every form of url (arbo, html, libres, page, propres, propres2, propres_qs, and standard) !


Whoow !

Read more...

[12416] Parameters in the multilingual chains

,

A chain can use arguments like this :
<:chaine{argument1=texte,argument2=#BALISE}:>


The more complex operation is
<:module:chaine{argument1=texte,argument2=#BALISE}|filtre1{texte,#BALISE}|filtre2:>


I don't know what to do with that wink

Read more...

[12640] New filter image_format

, ,

"New" filter |image_format{} :
it saves the image in the chosen format, and keeps its transparency ; in fact it's a shortcut for the "transparency" option that has just added ARNO* ([12638]) to the filter |image_aplatir{}

Example :
in inc-head.html, |image_format{ico} for the favicon

Note : image_aplatir corresponds to the following definition :
function image_aplatir($im, $format='jpg', $color='000000', $quality=NULL, $transparency=false) 

$im : the image itself
$format : the format to generate
$color : the background color that normaly replaces the alpha layout
$quality : see below
$transparency : Should the result image keep the transparency of the orginal, when possible (gif, png, ico)

image_aplatir normaly replaces the alpha layout by a specified color ($color). It can be used to change the format or the compression of an image. For such usage, it's also possible to maintain the transparency with the last parameter.

$quality is used like this :
- For the jpg format, it correspond to the compression level (85 by default)
- for the gif format, it correspond to the number of colors of the palette (128 by default)
- for png pictures, $quality corresponds to the number of colors of the palette or, if equal to 0, to a truecolor image(default value)

Read more...

! SPIP1.9.2e is coming out !

Hi !

The changeset [12624] introduces the release 1.9.2e
You can download it here : http://www.spip.net/spip-dev/DISTRIB/SPIP-v1-9-2e.zip

This version includes some minor corrections since the latest release (*) :
  • Regular expressions are now compatible with PHP5.2.6 (This is THE main correction)
  • Correction of the highlight of the result for queries with two words (or more)
  • Cgular expressions are now compatible with PHP5.2.6 (This is THE main correction)
  • Correction of the highlight of the result for queries with two words (or more)
  • Correction of the indexation of the forums
  • Every message can be indexed individually, instead of the complete thread
  • Correction of a small bug that appeared in the private area when several keywords are used, separated by commas.

(*) See the previous announce :
http://archives.rezo.net/spip-en.mbox/200801.mbox/%3cfniv4s$cta$1@ger.gmane.org%3e

[12400] favicons inside !

, ,

SPIP 2.0 supports favicons (.ico extension) : it integrates a part of phpThumb, by James Heinrich (available at http://phpthumb.sourceforge.net ).

Application : the favicon can be dynamically calculated and is compatible with IE6 and other modern browsers like Firefox
The filter to use : |image_aplatir{ico}

It is already used in the default distribution :

dist/auteurs.html :
<INCLURE{fond=inc-head}{favicon=#LOGO_AUTEUR} /> 

dist/inc_head.html :
[<link rel="shortcut icon" href="(#ENV*{favicon}
        |sinon{#CHEMIN{favicon.ico}}
        |sinon{#LOGO_SITE_SPIP}
                |image_passe_partout{32,32}
                |image_recadre{32,32,center}
                |image_aplatir{ico}|extraire_attribut{src}
        |sinon{#CHEMIN{spip.ico}})" type="image/x-icon" />]


[Howto] Control of the uploaded picture size

,

You can limit the size of the uploaded pictures with the constants (in mes_options.php) :
define('_IMG_MAX_SIZE', 0); # size in Kb
define('_IMG_MAX_WIDTH', 0); # width in pixels 
define('_IMG_MAX_HEIGHT', 0); # height in pixels

For documents it's :
define('_DOC_MAX_SIZE', 0); # size in Kb

If the limitations are not respected, the upload is aborted and an error message is displayed

[11922] Customize the keyword box in the private area

, , ,

With this commit, some keyword groups can be displayed/hidden in specific sections.
The customization can be done with autoriser_xxx_editermots($action,$what,$id,$who,$opts.
$opts contains the id of the concerned keyword group, and also the fields of this group that can be displayed.
By default, the function only checks if the author is authorized to this group.

No, I don't like like SPIP (or try to hide it wink

config/mes_options.php
<?php

  @define('_SPIP_SCRIPT', 'joomla.php');
  @define('_HEADER_COMPOSED_BY', "Composed-By: JOOMLA");
  $GLOBALS['spip_header_silencieux'] = 1;
  $GLOBALS['cookie_prefix'] = "joomla";

?>

joomla.php :
<?php

  @define('_DIR_RESTREINT_ABS', 'private/');
  include_once _DIR_RESTREINT_ABS.'inc_version.php';

  // And the rest of spip.php

?>

Result => http://tech-nova.fr/lacigale/joomla.php?rubrique37

shame on me ! bigsmile

How does the login form really works ?

The login process seems to be quite mysterious, but thanks to the developper toolbar and Firebug you can see it completly naked :-)

The screencast is here : http://screencast.com/t/eiiGjNt7

So it works like this :
- The action is the same url (and the form can display errors).
- The form initially contains several hidden values that will make the submit action more secure.
- When the focus is set to the password field, the form verifies that the encryption parameters are OK, and indicates it with a brown padlock.
- Before been submitted, the password is encrypted into two md5+salt values, and the non-encrypted password field is erased : Therefore the password is never directly sent to the server, so it can't be catched by a bad guy. That makes the login form really secure !
- Finally, the server calculates the md5+salt values of the password in database. It compares these values to the encrypted received values. If the values match, the password that has been submitted is correct. Elsewhere it's bad and SPIP returns to the login form with an error.



Enjoy !

The parameter "var_mode" detailled

, ,

4 values can be used :

  • ?var_mode=preview : enables to display an article without publishing it.
  • ?var_mode=calcul : refreshes the cache
  • ?var_mode=recalcul : regenerates the templates and refreshes the cache
  • ?var_mode=debug : shows informations relating to the page calculation


Generally you must be authenticated to use these parameters. The debug mode is accessible to admins only.

Plugins : My list

Nagigate throught this concept map :


A full screen version of the interactive map is available here :
http://tech-nova.fr/blog/carte-flash-plugins.html

You can download a screenshot here :
(jpeg, 1.8Mb)


[11355] Overwrite a criteria for a specific loop only

, ,

For exemple, the function critere_AUTEURS_recherche_dist() overwrites the criteria recherche for the loop AUTEURS only. The priority order is :
  1. critere_TABLE_nomcrit()
  2. critere_TABLE_nomcrit_dist()
  3. critere_nomcrit()
  4. critere_nomcrit_dist()

[11440] SQL views in the API

, , ,

3 new functions enable to create and delete views for PG, SQlite and MySQL :
  • sql_get_select() : same arguments as sql_select() but returns the query without evaluating it
  • sql_create_view($view_name, $select_request) : creates the view $view_name for the select request $select_request.
  • sql_drop_view($view_name) : drops the view.
/!\ Warning ! Yous must give an explicit name to every field prefixed with a table name or an alias. Elsewhere SQLite won't be able to read the view (which contains 'a.titre' instead of 'titre'). Example :
$sel = sql_get_select(
          array(
            'id_article'=>'id_article', 
            'titre'=>'titre'
          ),
          'spip_articles'); 
echo "requete select : $sel<br />"; 
sql_create_view('vue_nom', $sel);

$res = sql_select(array('id_article', 'titre'),'vue_nom',,,,'10');
if ($res){
   while ($r = sql_fetch($res)){
      echo "*" . $r['id_article'] . " - " . $r['titre'] . "<br />";
   }
}

sql_drop_view('vue_nom');

[11435] MySQL views can be used in SPIP loops

, , ,

SQL views are known to be used like tables. They enable to : - mask the schema complexity ( -> simplification of queries) - give access to a limited number of fields ( -> security) - manipulate calculated fields (sum(), max(), avg(), ..) Now you can avoid writing complexe loops by using views : Example :
mysql> create view v AS 
         SELECT a.titre,a.id_article,b.id_rubrique,b.titre AS titre_rub 
         FROM spip_articles AS a 
         LEFT JOIN spip_rubriques AS b ON(a.id_rubrique=b.id_rubrique)
         WHERE b.titre REGEXP '^A'
         ORDER BY a.titre DESC;
template :
<BOUCLE_n(V)>
 <div>#TITRE : #TITRE_RUB</div>
</BOUCLE_n>
SPIP implements this for MySQL and sqlite (for sqlite you must explicit the name of the fields used in the view) Fantastic, no ? (PS.: note that views do not improve the performance of your queries, so use them sparingly)

[11415] 3 new filters for boolean operators

, , , ...

These filters are 'et', 'ou', and 'xou' (for 'and', 'not', and 'xor').
They work like |?{' ',} :

each filter returns a space char if the condition is verified, elsewhere it returns an empty string



For example this PHP code
if ($a=='testA' OR ($b=='testB' AND $c=='testC')) {echo "OK";}

Can be translated in a template like this :
[(#A|=={testA} 
    |ou{[(#B|=={testB}
            |et{[(#C|=={testC})]})]}) OK ]

Or better
[(#B|=={testB} 
    |et{[(#C|=={testC})] 
    |ou{[(#A|=={testA})]}) OK ]

[11400] A more secure import from old SPIP versions

, , ,

This commit introduces a lot of things that make the import really secure :

  1. Create a set of tables with the old structure and a prefix not used
  2. Import data inside
  3. Update
  4. copy data to the actual site

Of course it's a beginning, a lot of things should be done :

  • Make this functionnality possible for older stable versions ([11402] for 1.8)
  • Verify that the temporary prefix isn't used
  • Interpolate between different versions for partial imports
  • Use a reload over timeout during the copy ([11402])
  • Also import plugins tables (if possible)


! INCLURE and {doublons}

, , ,

{doublons} arrays can be transmitted to included templates. #ENV can also transmit them.

These sentences are corrects :
[(#INCLURE{fond=toto}{doublons})]
<INCLURE{fond=toto}{doublons} />
spip.php?page=article&id_article=3&doublons[articles]=1,2,89,12&doublons[documents]=15,12

Note that the {doublons} are transmitted from the main template to the included one. But it's not possible to transmit the information from the included template : Especially <INCLURE /> isn't always calculated at the same time that the main template - For this reason and to keep a coherent behavior, #INCLURE keeps the same restriction for {doublons}

Example :
-------------

 <INCLURE(other_template.html){delais=0}{doublons} />
 other_template.html : 
 BOUCLE(ARTICLES){doublons}{par hasard}{0,1}

Every hit to the main template (generally cached) returns a random article that hasn't been manipulated before.


commit : http://trac.rezo.net/trac/spip/changeset/11390
announce : http://thread.gmane.org/gmane.comp.web.spip.devel/46926

What is a SPIP pipeline ? It's a hook

, ,

During the normal execution of several commands, call-outs are made to optional scripts that allow a developer to add functionality or checking. Typically, the hooks allow for a command to change the values of function arguments before any other call, and allow for a post-processing treatment that will always change the function result.

Exemple :
function prefix_treatment($flow) {
   /* add something to the flow */
   $flow .= 'This is some html code';
   return $flow;
}


plugin.xml defines the implemented hooks with a list of <pipeline> tags:
<pipeline>
 <nom>point_entree</nom>
 <action>fonction</action>
 <inclure>fichier.php</inclure>
</pipeline>


  • <nom> : name of the hook (from a list defined in ecrire/inc_version.php)
  • <action> : function name without it's prefix
  • <inclure> : file name that defines the previous function. It's name must be prefix_action


(src : http://doc.spip.org/@Tuto-Se-servir-des-points-d-entree)

Howto use an array in a template ?

, , , ...

Arrays are really usefull when you have to manipulate the same elements several times.

A new tag has been introduced with the version 1.92 :

#ARRAY{key1,value1,key2,value2...} allows the creation of a variable length table (useful for constructing a table for a #SET and/or for use with a dynamic "IN" criterion )


Short but an exemple should be helpfull..

Here is an exemple extracted from the plugin SpipBB
#SET{modos,#ARRAY}
<BOUCLE_modo_art(AUTEURS){id_article}>
   #SET{
      modos,
      #GET{modos}
        |array_merge{#ARRAY{#COMPTEUR_BOUCLE,#ID_AUTEUR}}
   }
</BOUCLE_modo_art>

<BOUCLE_art_rub(ARTICLES){id_article}>
   <BOUCLE_rub_admin(AUTEURS_RUBRIQUES)
                    {id_auteur !IN #GET{modos}}
                    {id_rubrique=#ID_RUBRIQUE}>
      <BOUCLE_aut_admin(AUTEURS){id_auteur}>
         #SET{
            modos,
            #GET{modos}
              |array_merge{#ARRAY{#COMPTEUR_BOUCLE,#_aut_admin:ID_AUTEUR}}
         }
      </BOUCLE_aut_admin>
   </BOUCLE_rub_admin>
</BOUCLE_art_rub>


  1. An empty table is created
  2. #ARRAY{#COMPTEUR_BOUCLE,#ID_AUTEUR} creates an array containing the author's id at an index that isn't used yet.
    The standard PHP function array_merge() finally does it's job : this value is now stored on the last index of the array 'modos'.
  3. Another loop completes this array with the other authors of articles that are in the same section.


Note that the PHP function is used as a filter : it's possible because it's first argument is the array to manipulate.

Of course all this can be done with PHP code inside the template. The advantage of using the tag #ARRAY is that your template is better managed by the cache.

[11355] overwrite a criterion for a specific loop only

, ,

For exemple critere_AUTEURS_recherche_dist() will overwrite the criterion recherche for the loops over AUTEURS. The priority order is :
  1. critere_TABLE_nomcrit
  2. critere_TABLE_nomcrit_dist
  3. critere_nomcrit
  4. critere_nomcrit_dist

Easter egg on the private area

, ,

"You can even create a specific template in the private area.
For exemple, this template

/squelette/prive/editer/article-23.html

is used to edit articles which are in the section number 23 (and it's subsections)
(works also to display them)"

from http://thread.gmane.org/gmane.comp.web.spip.devel/46774/focus=46786

! Custom fields are directly interpreted

, , ,

With the revision [11350], any custom field can directly be used in templates with the tags #FOO and #EDIT{foo} (with the plugin "crayons" [fr])
You don't have to change inc/modifier or specify the structure of the table : the core directly manages them.

However the private interface actually doesn't integrate these fields. You have to custom it with hooks.

(from http://thread.gmane.org/gmane.comp.web.spip.devel/46774)

[11350] any table field creates its specific tag

, , ,

The value of any field 'foo' can be displayed in your templates with #FOO -- Even if this is a field of the 'official' tables. Much more, this value can be edited in the public area with an inline content editor (actually it's still not possible in the private area) :
  • sql_showtable() is used to describe the fields (that's better than the corresponding php descriptor in tables_principales, etc..)
  • inc/modifier now uses a list of private fields (instead of a fixed list of public fields)

[11341] The form name in #ACTION_FORMULAIRE{page, formulaire}

, ,

A template formulaire/foo.html can contain another template with #INCLUDE - which can refer to it with #ACTION_FORMULAIRE{#SELF, foo}

[11289] Ajax without coding in SPIP

, , , ...

<INCLURE{fond=fond/ajax}{fond_ajax=mon_fond}{id_truc=xx}..>

includes the template and ajaxifies all it's links.

By default, the javascript variable "ajaxbloc_selecteur" is used. It transforms into ajax call each link that corresponds to the jquery selector '.pagination a,a.ajax'.

An ajax call refreshes the template's result by restauring it's #ENV, plus some parameters in the url.
When a refresh occurs, the bloc's opacity is changed to 50% and it's class to 'loading' (this div is automatically created)
The loaded part is cached on the browser with javascript. It also can be preloaded by adding the class 'preload' to the corresponding links.

That's all !

(src : http://thread.gmane.org/gmane.comp.web.spip.devel/46569)

Optimizing your SPIP server

, ,

It's in fact usefull for every website.
Here is what I do :

- Expires header and Etag :
I add this to http.conf :

# cache
ExpiresActive On
ExpiresDefault A300
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType text/css A2592000
ExpiresByType image/gif A604800
ExpiresByType image/png A604800
ExpiresByType image/jpeg A604800
ExpiresByType text/plain A604800
ExpiresByType application/x-shockwave-flash A604800
ExpiresByType video/x-flv A604800
ExpiresByType application/pdf A604800
ExpiresByType text/html A300
# Etags est mal calcule, donc
FileETag MTime Size

- Compression :
I use a custom .htaccess combined with php (in squelettes/css):

AddHandler application/x-httpd-php .css
php_value auto_prepend_file gzip-css.php
php_flag zlib.output_compression On

the code of gzip-css.php :
<?php
@ob_start ("ob_gzhandler");
header("Content-type: text/css; charset: UTF-8");
header("Cache-Control: must-revalidate");
$offset = 60 * 60 ;
$ExpStr = "Expires: " .
gmdate("D, d M Y H:i:s",
time() + $offset) . " GMT";
header($ExpStr);
?>

I do the same operation for javascript files (I change the header to "application/x-javascript" of course)

- I compact every CSS files in one file by using the same code of dist/squery.js.html
(of course only for one media wink

#CACHE{3600*100,cache-client}
#HTTP_HEADER{Content-Type: text/css; charset=iso-8859-15}
#HTTP_HEADER{Vary: Accept-Encoding}
#INCLURE{css/zero.js}
#INCLURE{css/typo.js}
#INCLURE{css/forums.js}
#INCLURE{css/documents.js}
#INCLURE{habillage.css}
#INCLURE{spip-style.css}

What optimisations do you practice ?