This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1216
Archived fixes / Re: Language strings not being loaded properly in error log
« on March 21st, 2013, 06:09 AM »
I can't reproduce, very likely this is related to the various changes in the language caching - and it works properly as far as I can ascertain.
1217
Features / X-Content-Security-Policy
« on March 21st, 2013, 04:39 AM »
https://developer.mozilla.org/en-US/docs/Security/CSP/Using_Content_Security_Policy
I already implemented X-Frame-Options for security, but CSP is much more hardcore.
The idea is that you restrict the acceptable sources for content that can be included. You can limit where scripts can be included from (e.g. forcing the scripts to run only from the main site/subdomains, or accepted third parties), plus you can limit where images can be included from.
I love the idea, but I'm wary of implementing this in core because we have acceptable third party sources. In our case, we typically want to allow main includes from the main domain, images from anywhere, movies and so on from acceptable domains (e.g. auto embedding), scripts from the main domain and specific CDNs.
This is all doable, but it makes the potential header very large (though that's possible to mitigate by being careful about what's included where, e.g. not worrying about auto-embed in places where we don't handle bbc parsing where movies would be meaningful, e.g. news) which is a per-page thing :/
But it is a useful method for mitigating injections from unexpected sources and can limit clickjacking and so on.
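The per-page policy idea from this post, as an added example that is not part of the original post and is not Wedge's code: `build_csp()` and all host names are hypothetical, and it sends the standard `Content-Security-Policy` header name rather than the prefixed one in the topic title.

```php
<?php
// Added example: hypothetical helper, not Wedge's code. Host names are placeholders.

/**
 * Build the Content-Security-Policy value for one page.
 * Embed hosts are only listed on pages that parse user bbc, which keeps
 * the header short everywhere else (e.g. news).
 */
function build_csp(array $script_cdns, array $embed_hosts, bool $parses_bbc): string
{
    $policy = [
        'default-src'     => ["'self'"],                            // main includes: own domain
        'script-src'      => array_merge(["'self'"], $script_cdns), // own domain + named CDNs
        'img-src'         => ['*'],                                 // images from anywhere
        'frame-ancestors' => ["'self'"],                            // no framing by other sites
    ];
    if ($parses_bbc && $embed_hosts) {
        // Assumption: auto-embedded movies load as iframes or media elements.
        $policy['frame-src'] = $embed_hosts;
        $policy['media-src'] = array_merge(["'self'"], $embed_hosts);
    }

    $directives = [];
    foreach ($policy as $name => $sources) {
        foreach ($sources as $source) {
            // Whitespace, ';' or ',' inside a source would start a new source,
            // directive or policy, so refuse it instead of emitting it.
            if (!preg_match('/^[^\s;,]+\z/', $source)) {
                throw new InvalidArgumentException("Invalid CSP source: $source");
            }
        }
        $directives[] = $name . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $directives);
}

$cdns   = ['https://cdn.example.com'];       // placeholder CDN
$embeds = ['https://video.example.net'];     // placeholder embed host

$topic_page = build_csp($cdns, $embeds, true);   // bbc parsed: embed hosts listed
$news_page  = build_csp($cdns, $embeds, false);  // no bbc: shorter header

if (PHP_SAPI === 'cli') {
    echo $topic_page, "\n", $news_page, "\n";
} else {
    header('Content-Security-Policy: ' . $topic_page);
}
```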
1218
Features / Re: New revs
« on March 21st, 2013, 02:53 AM »
(14 modified, 1 added, 30KB)
Revision: 2013[1]
Author: arantor
Date: 21 March 2013 01:50:45
Message:
! Minor accuracy fixes and a couple of legacy strings, including English UK translation. (Help language file)
! We don't want no raw >, thanks. (Help, Notifications language files)
! Profile / Show Posts (and Topics) now shows like count for displayed posts. (Profile-View.php, Profile.template.php)
! Profile areas will disregard board-access permissions when a user is viewing their own posts. There is no reason for a user not to be able to see their own posts - they wrote them, after all. But if possible, the posts will not be linked to, and the user shouldn't have permissions for those boards anyway. (Profile-View.php, Profile.template.php)
! Users can now select to ignore another user directly from thread view. Not AJAXively, sorry, but not bad. (Display.php, Profile-Modify.php, index language file)
! There is no good reason to embed the main site into a frame or iframe on another domain. SSI should not be included, of course, because cross-origin requests could conceivably be made there legitimately. (QueryString.php)
! phpinfo() displayed in admin panel. I'm inclined to think some of the superglobal values should be pruned because they are meaningless in that specific context (e.g. URL used to get to the page) (Admin.php, ManageServer.php, Admin.template.php, Admin language file)
----
Modified : /trunk/Sources/Admin.php
Modified : /trunk/Sources/Display.php
Modified : /trunk/Sources/ManageServer.php
Modified : /trunk/Sources/Profile-Modify.php
Modified : /trunk/Sources/Profile-View.php
Modified : /trunk/Sources/QueryString.php
Modified : /trunk/Themes/default/Admin.template.php
Modified : /trunk/Themes/default/Profile.template.php
Modified : /trunk/Themes/default/languages/Admin.english.php
Added : /trunk/Themes/default/languages/Help.english-uk.php
Modified : /trunk/Themes/default/languages/Help.english.php
Modified : /trunk/Themes/default/languages/Help.french.php
Modified : /trunk/Themes/default/languages/Notifications.english.php
Modified : /trunk/Themes/default/languages/Notifications.french.php
Modified : /trunk/Themes/default/languages/index.english.php
| 1. | I got no lyrics for this year, haven't heard a 'new' song I like yet. |
1219
Off-topic / HAPPY BIRTHDAY NAO!
« on March 21st, 2013, 01:45 AM »
1220
Features / Re: Miscellaneous/WIP screenshots
« on March 21st, 2013, 01:44 AM »
OK, so here's what I have thus far. You have no idea how much swearing went into this part and I welched on using regexps because I'm not quite proficient enough to do exactly what I want with them :(
But it works and I'll probably commit it in this form at some point.
1221
Features / Re: Miscellaneous/WIP screenshots
« on March 20th, 2013, 03:02 PM »
That is much more difficult than it sounds to do since the nice menu is my code - everything else is just reformatted phpinfo(), pulling the logo out is a fun find-the-table-tag exercise, but I'll see what I can do when I get home.
Getting this far took two hours >_<
1222
Features / Re: Miscellaneous/WIP screenshots
« on March 20th, 2013, 05:17 AM »
Also, my other project for the evening: a phpinfo() page in the admin panel. This has proved surprisingly intractable because phpinfo() vomits a lot of its own markup and its own formatting - and there's no way around that. So there's some 'creative interpretation' going on.
More still to do but it's definitely improving compared to the first time I just dumped phpinfo() into the page (it broke a lot of other stuff, I was most surprised)
1223
Features / Re: Miscellaneous/WIP screenshots
« on March 20th, 2013, 04:19 AM »
They cannot edit or delete it, since if they can't enter the board, they automatically have zero permissions to do anything with it anyway - and no buttons are displayed for that eventuality.
1224
Features / Miscellaneous/WIP screenshots
« on March 20th, 2013, 03:51 AM »
I did start posting this stuff in New Revs as and when it happened, but in the meantime, here's some things I've been working on.
The first is a collection of two things in the show posts/show topics area. Firstly, likes are now shown for the posts there. I may add this to other areas too, but one step at a time.
Secondly, and perhaps more interestingly, I've set it up now so that you can always see your own posts. This is a small thing but potentially important - there are a ton of posts on sm.org I can't see any more. Even though they're mine, I can't see them - because I don't have access in the relevant boards to see my own posts. So I've modified the permissions checking - if the person viewing posts is a true admin, or it's the user looking at their own posts, the gloves are off - no checking at all is performed on permissions. There's no need for it - I see no reason why you shouldn't be able to see your own posts at all times, after all, you wrote them!
What I have done though is tweaked it - if the board is no longer visible to you, the title is not linked. Topic privacy... there's no sane way I can do that in profile view, so that will remain linked, but we'll see how big a deal that turns out to be in practice, I'm not convinced it will be a huge issue.
The second picture is much simpler; leveraging the ignore user facility, except with a handy-dandy link for it. Couldn't think of better icons so reused the thumb-up/thumb-down motif, like in Ancient Rome. Thumbs down for good bye!
I'm not yet ready to commit this, there's other stuff I want to do first, but I thought I'd share in the meantime.
1225
Bug reports / Post action mini-menu is misaligned after expanding an ignore member's post
« on March 20th, 2013, 03:43 AM »
Phew. Title says it all.
Get someone on your ignore list, then their post will be hidden from you. If you then press the magic 'show me their post' button, you'll see the post, but the mini menu of actions (like delete, report, warn) will be misaligned and you will not be able to use anything on it.
Not sure why this is happening and it took me enough time just to remember how to add things to the menus anyway. >_<
Also, there's no way to inject a per-message value into the user's mini-menu? I've added an 'ignore' option to the mini menu, and left the message id as a way to return back to the post (since it's not AJAXive and even if it was, messing around with the post (or potentially any other post of the newly-ignored user) is going to be fragile)[1]
But since I can't seem to put a per-post value into the user mini menu, I've put it in the per-post mini menu for now, which is how I found the bug.
| 1. | Fetching a complete new post, maybe not so bad. But there's no way to just request an entire single post like that, e.g. how you might for AJAX quick reply. |
1226
Features / Re: New revs
« on March 19th, 2013, 09:12 PM »
(4 added, 2 modified, 4KB)
Revision: 2011[1]
Author: arantor
Date: 19 March 2013 20:07:45
Message:
! Spacinazi. (Agreement.english.php)
! Proper conjugation is *so* important, don't you think? (Errors.english.php)
! More English UK translations but that's enough for now. (Admin, Agreement, EmailTemplates, Errors language files)
----
Added : /trunk/Themes/default/languages/Admin.english-uk.php
Added : /trunk/Themes/default/languages/Agreement.english-uk.php
Modified : /trunk/Themes/default/languages/Agreement.english.php
Added : /trunk/Themes/default/languages/EmailTemplates.english-uk.php
Added : /trunk/Themes/default/languages/Errors.english-uk.php
Modified : /trunk/Themes/default/languages/Errors.english.php
| 1. | It's a long road down the river deep and wild, Every twist and turn a wonder-dale, It's a scary ride we'd give anything to take, Let yourself bleed, Leave a footprint on every island you see... Ghost River - Nightwish's "Imaginaerum". Fantastic album. |
1227
The Pub / Re: Spell checker
« on March 19th, 2013, 07:47 PM »
Yeah, but did you learn French at school? For 8 years..? I'd say this doesn't compare
I only worry about my accent. I can make a video of myself if you'd like -- just to see how horrible it is!! :lol:
how fun... :^^;:
1228
The Pub / Re: Language editing inside Wedge
« on March 19th, 2013, 07:45 PM »
So, it's converting newlines to br's.
The registration page for French has each paragraph separated by two line breaks. Which is what's in Agreement.french.php. parse_bbc has precisely squat to do with dealing with line breaks. The extra line break is introduced by the editor component when it un_preparses the brs back into line breaks so there are now 3 line breaks.
Thus, you have to choose between a HTML string (English version), or a BBC one (French version)... Which one do we get..? I vote for BBC.
If you want the bbc version, look to the English one because that's the 'correct' one. Look at the source for every post - you will not find newlines in general bbcode, because that's how it's always been done. Even down to how the news item does its thing - the newline is the separator between items, with the actual item having had nl2br conversion.
And parse_bbc adheres - it does no such conversion of newlines to bbc. I am not entirely sure why it is done this way around but it is how it has always been.
1229
The Pub / Re: Spell checker
« on March 19th, 2013, 05:28 PM »
Your English is better than my French - and your English is better than the English of most people in this country. I really wouldn't worry about it :)