Textpattern Forum

#21 2010-06-05 12:50:03

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,396

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Gocom wrote:

I did small changes to the source…

Thank you Jukka that’s great! I really appreciate it!

I need to study some of your changes carefully as I’m not an expert programmer. Ok, probably I’m not a programmer at all ;) but the suggestions I understood till now are really useful.

One thing I’d like to point out is I noticed you used the new ‘pluggable_ui’. That’s really cool Jukka but the problem is I started to write this plugin for myself and I needed txp 4.0.8 compatibility. That’s also the reason why some of the Jquery selectors are so convoluted at times (4.2 added more ids and classes to the interface). So maybe I should fix the last bugs for the plugin in its actual form for those who need backward compatibility and then start to work on a new version only for 4.2. What do you say? Sounds correct?

Below are my comments after a quick look at your proposed changes and a brief testing

Fixed SQL injections.

Interesting. Two questions: Care to explain exactly what changed and why? I’m really ignorant in matter of security so I’d like to know more. Maybe it has to do with this change:
From

if ($step == 'edit' && $article_id) 

to

if($step == 'edit' && !empty($article_id))

Sadly I can’t understand in what their results may differ :(
Second. Taking for granted that it is always a good thing to write secure code I don’t understand why, in this case, should I care too much. AFAIK one must be logged in to use the plugin, so should I assume a site administrator would want to hack his own site?

Moved the CSS to stylesheets (<style> block).

That’s great. It’s lot tidier (but incompatible with 4.0.8)

Moved Javascript, and CSS, into <head> section.

Same as above

Embedded images to the plugin’s PHP (base64_encoded).

Really cool. However, how you achieved it is a complete mystery to me …I think I need to study it a little more ;)
(strange thing is I can see only the ‘delete’ icon, not the ‘edit’ one – it behaves like it doesn’t exist)

Removed escaping from the JavaScript (PHP doesn’t parse invalid variables).

Hey thanks for the tip! Never thought about it.

Add PHP support for multiple images. It no longer throws out an error. Tho, I didn’t update the JS to work with multiple images.

Ok – but now thumbnail generation doesn’t seem to work for already saved articles – they show no image at all. Must investigate…

Checks if the image has thumbnail. If not, shows the full sized image (only PHP).

Ok

Removed globals that were set in every context.
Centralized preference variables.

Genius!

P.S. Just out of curiosity, why do you think my email is a ‘web trap’? Should I change it with another one?

aswihart wrote:

The issue persists though if I’m logged in as a “Staff Writer” rather than Publisher and trying to add images uploaded by another user.

Well spotted! I would have never noticed it

Is that the way Textpattern works (can’t use other authors’ images in your article)?

Not quite, it was only marginally a user level issue. I was targeting the thumbnail as a img but a staff writer has only an img because he can’t edit other authors’ images. Anyway it’s fixed now.

When I’ll have some free time (I hope soon) I will release the new version which should fix all the bugs found till now and incorporate some of Jukka’s suggestions while still keeping 4.08 compatibility.
Thank you again for your precious help

sacripant wrote:

…I looked, and ….

Well spotted sacripant! I’ll see if it’s the case to deal with it in the plugin code or simply mention it in the help and suggest a manual change as you did

Last edited by redbot (2010-06-05 13:06:36)

Offline

#22 2010-06-05 16:28:18

Gocom
Developer
Registered: 2006-07-14
Posts: 4,410
Website

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Redbot, here’s some answers to your thoughts :-)

redbot wrote:

One thing I’d like to point out is I noticed you used the new ‘pluggable_ui’.

I did not. head_end callback isn’t part of pluggable_ui toolset. Head_end was introduced in 4.0.7. Head_end is also the reason why most of my plugins require 4.0.7 or newer.

Fixed SQL injections. […] Care to explain exactly what changed and why?

I did doSlash() the values used in SQL queries and changed the other to fetch() which gives smaller code footprint.

Sadly I can’t understand in what their results may differ :(

It’s not different. Empty checks if the variable is empty (empty meaning zero, false, null etc). I just tend to use it nowadays.

That’s great. It’s lot tidier (but incompatible with 4.0.8)

In compatible with 4.0.8. head_end callback was introduced in 4.0.7.

Ok – but now thumbnail generation doesn’t seem to work for already saved articles – they show no image at all.

I didn’t update the JS. It’s not compatible. And I might have messed something.

P.S. Just out of curiosity, why do you think my email is a ‘web trap’? Should I change it with another one?

Because you are like ninja ;) …and the web prefix. With a trap I mean spam holder, thing that you would use to register accounts and never really use. Heh.

Last edited by Gocom (2010-06-05 17:11:27)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline

#23 2010-06-05 17:48:53

masa
Member
From: Reykjavik, Iceland
Registered: 2005-11-25
Posts: 1,079

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

I’ve been playing around with this interesting plugin, but I’m having problems under Txp 4.0.8:  the Choose image link doesn’t trigger anything when clicked. (All seems to work fine under 4.2.0.)

Suspecting a conflict I turned off all other plugins, but still nothing – any ideas?

Offline

#24 2010-06-05 17:51:30

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,396

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Gocom wrote:

…I did not. head_end callback isn’t part of pluggable_ui toolset. Head_end was introduced in 4.0.7. Head_end is also the reason why most of my plugins require 4.0.7 or newer.

Doh! That’s really great news. Finally I can have a clean, human readable code, thanks!

I did doSlash() the values used in SQL queries and changed the other to fetch() which gives smaller code footprint.

That’s ok. But – I’m asking again for learning purpose – do you think it is possible to perform SQL injections if you are not logged in to txp?

One last thing. I like your way of embedding images and I’m sure this will come very handy once I learn some more but in this case I’m more inclined to avoid this, so that one can easily replace the default icons. Or I’m missing something again?

That’s all. Thank you again Jukka, you really taught me something useful!

Last edited by redbot (2010-06-05 18:06:03)

Offline

#25 2010-06-05 18:28:18

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,396

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

masa wrote:

I’ve been playing around with this interesting plugin, but I’m having problems under Txp 4.0.8:  the Choose image link doesn’t trigger anything when clicked. (All seems to work fine under 4.2.0.)
Suspecting a conflict I turned off all other plugins, but still nothing – any ideas?

Mhm… The only thing I could think is that maybe you have a jquery version pre 1.3.2. Is it the case?

Last edited by redbot (2010-06-05 18:28:37)

Offline

#26 2010-06-05 18:51:18

Gocom
Developer
Registered: 2006-07-14
Posts: 4,410
Website

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

redbot wrote:

That’s ok. But – I’m asking again for learning purpose – do you think it is possible to perform SQL injections if you are not logged in to txp?

No, but it will just cause errors if author uses character that should be escaped. Plugins are loaded after login check process, thus bot_image_upload isn’t active at that point. But the code is still loaded on public side, because the plugin is set to be admin/public. But that’s not an issue if the code is all good. That’s also partly why I removed the globals as they were active on public side.

One last thing. I like your way of embedding images and I’m sure this will come very handy once I learn some more but in this case I’m more inclined to avoid this, so that one can easily replace the default icons. Or I’m missing something again?

In that case you could add if file_exist() check so you don’t have to bundle the images with zip along the plugin. Makes the installation much easier, tho sacrifices bit space, memory and performance.

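/* Use the icon file from the image directory if a site owner has placed one there */
if(file_exists( $img_path. '/bot_image_delete.gif'))
	$uri = ihu . '/bot_image_delete.gif'; /* note 'ihu' is just example. Tho, it's in the current development build */
else 
	$uri = hu . '/?bot_image_img=delete'; /* otherwise fall back to the image embedded in the plugin */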

If you are going to support only the latest browsers (no IE7 etc) you could also embed the images in the CSS. CSS supports base64 encoded data URI scheme.

That’s all. Thank you again Jukka, you really taught me something useful!

No problem :-) Happy to contribute.

Last edited by Gocom (2010-06-05 18:53:13)


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />

Offline
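The point Gocom makes in posts #22 and #26 (escape every value that goes into a query, because even a logged-in author's ordinary input can break it) is shown below as an added example; it is not code from bot_image_upload or Textpattern. It assumes an in-memory SQLite database through PDO, a constructed `images` table, and `PDO::quote()` standing in for Textpattern's `doSlash()`.

```php
<?php
// Constructed sample data; table and column names are illustrative only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT, author TEXT)");
$db->exec("INSERT INTO images (name, author) VALUES
    ('logo.png', 'admin'), ('cover.jpg', 'O''Brien'), ('draft.gif', 'writer')");

// "Before": the value is pasted into the SQL text unchanged.
function find_unescaped(PDO $db, string $author): array
{
    $sql = "SELECT name FROM images WHERE author = '$author'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the value is escaped first (PDO::quote() is the stand-in for doSlash()).
function find_escaped(PDO $db, string $author): array
{
    $sql = "SELECT name FROM images WHERE author = " . $db->quote($author);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Run one lookup and report either the matching names or the failure.
function describe(callable $fn, PDO $db, string $author): string
{
    try {
        return json_encode($fn($db, $author));
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

// A plain name, a legitimate name containing an apostrophe,
// and a value that changes the WHERE clause when left unescaped.
$inputs = ["admin", "O'Brien", "nobody' OR '1'='1"];
foreach ($inputs as $author) {
    printf("%-20s unescaped: %-40s escaped: %s\n",
        $author,
        describe('find_unescaped', $db, $author),
        describe('find_escaped', $db, $author));
}
```

The apostrophe in a legitimate author name makes the unescaped query fail outright, and the third input makes it return every row; the escaped lookup treats both as plain data.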

#27 2010-06-05 22:14:46

masa
Member
From: Reykjavik, Iceland
Registered: 2005-11-25
Posts: 1,079

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

redbot wrote:

Mhm… The only thing I could think is that maybe you have a jquery version pre 1.3.2. Is it the case?

Perfect, all working now – thank you very much!

I had 1.2.6 since I tend to leave things as they were originally installed.

Offline

#28 2010-06-30 18:01:52

THE BLUE DRAGON
Member
From: Israel
Registered: 2007-11-16
Posts: 542
Website

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Another great plugin! thank you =)

I made some changes to it:
1. removed the loading after each click because it was not letting me use the features of “ebl-image-edit” plugin.
(// avoid FOUC when clicking links and submits)
when I was clicking on each link of EBL it was showing the loading image, and after it disappeared nothing happened.

2. I moved the checkbox to the left side right before the ID# and changed it to radio-button.
and I unhide the regular checkbox on the right for it letting the users to delete/change things.

3. It is really cool that you can manipulate iframes :)
but I don’t think it’s good to hide something really important as the top message, so for me I unhide it.
In Remora the message does come with a fade background on top of it (dropshadow) so you can just disable it.
iframe.find("#messagepane").css({"background-image": "none"});

4. Remove the “Add” text near each checkbox and move it to its own title on top
iframe.find("#list th:nth-child(9)").after("<th>$bot_add_image_text</th>");

5. “fpx_image_import” plugin creates a table with the id of “list”,
so you need to change each “#list” into “#list:first”.
yes I know it has nothing to do with your plugin and:
a. it’s an old plugin.
b. it’s wrong to use the same id for 2 elements.
but it will be easier to change your plugin for others who may use that old plugin.

EDIT: and this change did help me too.

Last edited by THE BLUE DRAGON (2010-06-30 18:05:23)

Offline

#29 2010-06-30 19:16:06

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,396

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Hi,
before answering your post let me say that this plugin is just a proof of concept in its current state.
I’ve been planning to release version 2 for weeks but really can’t find the time, though in my development copy I think I’ve fixed all issues found till now (and cleaned code a lot – thanks to Jukka’s help).
Here are my thoughts:

Another great plugin! thank you =)

Thanks!

1. removed the loading after each click because it was not letting me use the features of “ebl-image-edit” plugin.
(// avoid FOUC when clicking links and submits)
when I was clicking on each link of EBL it was showing the loading image, and after it disappeared nothing happened.

Compatibility with other image plugins is one of the major issues. I still have to investigate this.

2. I moved the checkbox to the left side right before the ID# and changed it to radio-button.
and I unhide the regular checkbox on the right for it letting the users to delete/change things.

This is ok. I highly encourage plugins customization depending on specific site needs (and I won’t create a preferences page – it isn’t worth the effort).
Remember to unhide iframe.find("#withselected").parent().hide(); too!

3. … In Remora the message does come with a fade background on top of it (dropshadow) so you can just disable it.

I have already fixed remora compatibility issues in v. 2 (hiding #messagepane completely)

I hope to release it shortly but I realize I’m not too reliable these days.

Last edited by redbot (2010-07-02 14:33:55)

Offline

#30 2010-07-04 18:28:11

redbot
Plugin Author
Registered: 2006-02-14
Posts: 1,396

Re: bot_image_upload: upload, sort, edit, show images in ‘write' tab

Version 0.3 is out.
It should fix all bugs found till now and, thanks to the help of Jukka, the code is now a lot cleaner and more elegant.
Also, images are embedded directly in the plugin (though you can still change them modifying the plugins css)
The only thing which is still lacking is multiple image management because I’m still unsure I want to add this functionality.
The fact is this would involve more js to load and more issues to solve. Just think to where thumbnails should be placed, given that there could be one or one hundred.
I know a comma separated list of image ids is a common setting but – when I need a gallery – I rather prefer to use an ad hoc custom field instead of the article image field. However I’ll see if in a remote future I’ll add this.

Changelog:

Jukka:

  • Fixed SQL injections.
  • Moved CSS to stylesheets.
  • Moved Javascript, and CSS, into head section.
  • Embedded images to the plugin’s PHP (base64_encoded).
  • Removed escaping from the JavaScript.
  • Checks if the image has thumbnail. If not, shows the full sized image.

me:

  • Fixed ‘login in iframe’ issue
  • Fixed issue when ‘author’ column is missing
  • Fixed thumbnail issue when logged as “Staff Writer”
  • Usability improvement: save button is now removed from iframe and placed in a more convenient place
  • Compatible with ebl-image-edit
  • jbx_multiple_image_upload is hidden in the plugin’s interface (but continues to work normally in the ‘images’ tab) – multiple upload doesn’t make sense until the plugin works for single images.
  • Fixed ie issues with checkboxes
  • A few visual tweaks

Gocom
Thanks again for the help. I incorporated almost all your code with the exception of the multiple-image part as I explained before.
Also, I changed a little your coding style in a more familiar way for me (Just minor things like curly brackets for ‘if’ statements).
A last thing, some posts before I said some changes you suggested weren’t working. Well not really, there were only some small typos.
Ah, another last thing ;-) I moved the call to bot_image_img() inside if(txpinterface == 'admin') and changed links in css accordingly.
I think that’s because you were thinking this was an admin+client plugin while it actually is admin only.

aswihart/sacripant/THE BLUE DRAGON
Thanks for the suggestions, some of which I’ve adopted.
As for the ‘radio vs checkbox’ issue I decided to keep the checkboxes (of course you are encouraged to change it if you prefer).
That’s because it is true that radios are more semantical but in this case I think checkboxes increase usability: an average user wants the ability to check and uncheck an image at his will, and this isn’t possible with radios where at least one item must be checked.
I did not find the time to check for fpx_image_import compatibility (I prefer jbx_multiple_image_upload these days), anyway it seems you have already found and posted a working solution so I won’t consider it a priority.

Download from first post.

Last edited by redbot (2012-01-04 18:58:52)

Offline
