Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#49 2015-03-13 09:34:00

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

johnstephens wrote #288985:

Internal error “BLOB/TEXT column ‘ip’ can’t have a default value”.

That’s my bad coding, sorry. Recent MySQL versions are often stricter by default on catching my sloppy mistakes and throwing them out. I’ll get an update prepared, thanks for the report.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#50 2015-03-13 20:20:48

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: smd_access_keys: secure, limited access to content

Howdy, Stef!

Do you have any ideas how I might begin to troubleshoot this?

<txp:smd_access_key trigger="___" url='<txp:permlink/>'/> -> Textpattern Error: Field ‘ip’ doesn’t have a default value while parsing form ___ on page ___

The access key is generated on the page, but it isn’t being added to the table at ?event=smd_akey, and (unsurprisingly) the access URL doesn’t trigger my smd_access_protect block.

Since “ip” isn’t a legitimate attribute of the smd_access_key tag, I think the error message must be talking about the “ip” field that is part of the “smd_akeys” table. (I tried adding an empty “ip” attribute anyway, and the error remained.)

I’m not sure what to try next, and I would be grateful for any suggestion you might have!

Thank you in advance!

Last edited by johnstephens (2015-03-13 20:21:24)

Offline

#51 2015-03-13 20:48:29

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

johnstephens wrote #289034:

Field ‘ip’ doesn’t have a default value

That’s to do with the fact the table wasn’t installed properly. I’ve put up a new version but if you’re not comfortable using the .php file (you’d need to run it from the plugin cache folder or use ied_plugin_composer), you could either:

a) hack your current copy by removing NOT NULL default '' from the ‘ip’ field in the smd_akey_table_install function, or

b) edit the table directly in phpMyAdmin and remove the default value and NOT NULL checkbox.

The success or otherwise of option (b) depends on whether the table was installed properly or not first time round. Is this an existing install that you’re upgrading (i.e. has data in it already) or a new one? If it’s new, you can make the changes to the plugin code, delete the smd_akey table and then next time you visit the smd_access_key panel it’ll reinstall it for you with the correct configuration.

If you need a hand with anything, just yell. If I get a moment tonight I’ll test the new version and compile it up for you. Hope that helps.

Last edited by Bloke (2015-03-13 21:39:47)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#52 2015-03-14 03:08:13

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: smd_access_keys: secure, limited access to content

Thank you, Stef!

I compiled it from the command line using zem_tpl.php, and installed v0.12 (after deleting v0.11, and its bunk database table). This clears up two out of three of the problems I had:

  1. No more error message!
  2. The access keys table is now getting populated when I load a page that generates an access key. Yay!

Unfortunately, using the access key URLs is still failing to trigger my smd_access_protect block, and the akeys table shows no access attempts after using access URLs repeatedly.

Here’s the code I have:

<txp:smd_access_protect trigger="___">

  <!-- SECRET ACCESS STUFF HERE -->

  <txp:else/>

  <txp:smd_if_access_error>

    <txp:smd_access_error
      break="br"
      item="code, message"/>

  </txp:smd_if_access_error>

</txp:smd_access_protect>

Is there anything obviously amiss with my code? Or my brain?

Thanks again for your guidance, Stef!

Offline

#53 2015-03-14 03:17:16

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: smd_access_keys: secure, limited access to content

Oh, to answer your question: For smd_access_keys, this is a new installation—but the site has been running on Textpattern for several years (always the latest stable version).

Would it make a difference if I used ied_plugin_composer or the plugin cache instead of generating the plugin’s installation file using php (as I have)?

Last edited by johnstephens (2015-03-14 15:39:18)

Offline

#54 2015-03-15 00:18:40

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

johnstephens wrote #289042:

I compiled it from the command line

That’s fine. It’d be no different if done from plugin composer, or run form cache.

using the access key URLs is still failing to trigger my smd_access_protect block, and the akeys table shows no access attempts after using access URLs repeatedly.

Drat. Ok firstly, the fact that the access attempts aren’t increasing is kind of expected if the smd_access_protect isn’t triggering, because matching one of those is what causes the counter to increase. The question is why it’s not matching.

Nothing obviously awry with your code. Must admit I’ve never tried three underscores as a trigger (guess it’d work), but assume that’s just you redacting the actual trigger value. You could try adding force="1" to your tag, but I don’t think that’ll help in this case as that just governs how strict it is over allowing other parts of the page to be visible.

A few things to check:

  1. Are you generating the key from the admin side panel and copying it from the success message that pops up, or from the public side tag? Not that it matters as it does the same thing, I’m just curious in case there’s some corner case I need to look at.
  2. It’s very picky about the URL, so double check that the key you generate exactly matches the URL of the resource in question. Trailing slashes can scupper things.
  3. Is it an article you are protecting or a section? If a section, you may need to add section_mode="1" to your tags. Note that you (stupidly) can’t set this from the admin panel right now so you’ll need to generate your keys from the front-side tag if this is the case.
  4. Make sure the page/article you want to protect is Live :-)
  5. What error message do you see from your smd_access_error block? Anything at all that might give a clue what’s going on? What happens if you remove the conditional? Does it show an error then?

Bit stumped. It should work so it might just be a case of tweaking the key generation to suit your intended environment. If you want me to take a look at your setup directly, feel free to mail me a login or something.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#55 2015-03-15 03:01:30

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: smd_access_keys: secure, limited access to content

Thank you, Stef! Here are my findings:

  1. I am a fool.
  2. v0.12 works flawlessly, as far as I can tell.

More specifically, my smd_access_protect block was nested in another conditional, and for the article in question that conditional was returning false. Using the URL to trigger smd_access_protect did not work because a totally separate condition wasn’t satisfied.

I am so sorry for frittering away your time on this, Stef! I found my mistake after going through all of your suggestions and checking everything else, and I did have to use force="1" in the end.

Thank you so much!

Edit: Fix typo.

Last edited by johnstephens (2015-03-15 13:29:41)

Offline

#56 2015-03-15 08:24:35

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

johnstephens wrote #289068:

v0.12 works flawlessly, as far as I can tell.

Excellent, thanks for the report, and glad it works for you. I’ll package up an official release as soon as I can. Sorry for the dodgy code in the first place.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#57 2015-03-17 13:42:34

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,534
Website GitHub Twitter

Re: smd_access_keys: secure, limited access to content

Hum sorry for bothering!

I am working on a website whene i display a link (smd_access) after payment, it works like expected (link is generated after checking the payment is maid) the link is dynamically generated by code and it s ok, but if i refresh the page, another link is generated! is there a simple way to avoid that?

I thinked on storing the user id and article id and the generated key in a table and test on that table! is this a correct idea? or there is something easier?

Offline

#58 2015-03-17 17:51:37

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

Dragondz wrote #289143:

if i refresh the page, another link is generated! is there a simple way to avoid that?

That’s a very valid situation, and something the plugin should be able to do. So now it does :-) Thanks for the idea.

If you look at Example 4 in the plugin help (I haven’t updated the Github help yet, I’ll do it next) that gives you a bare bones approach to doing this kind of thing. But please take note of the caveats and warnings littered throughout the example and the new strength tag attribute. If you ever reuse a salt or a secret value for anything other than a single person’s transaction, you’ll be potentially compromising the security of all the keys you’ve ever given out.

On that note, I’ve also taken the opportunity to give the plugin a much-needed boost in the security department. It now defaults to using cryptographically secure functions to create the system-generated secret key and salt, which are infinitely better than md5() and uniqid() used previously. If the crypto functions aren’t available in your version of PHP, it’ll fall back on the boring old functionality.

Please test and let me know how you get on, and if it can be improved at all.

P.S. I’m presuming you have plugin composer or can compile the plugin from the command line as there’s no .txt file yet. Just yell if you need a compiled version and I’ll see what I can do.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#59 2015-03-18 09:13:40

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,534
Website GitHub Twitter

Re: smd_access_keys: secure, limited access to content

Big thanks to you Stef like always you are a chief!

Hope someday i will come to england to take a thea with you ;)

The plugin Really hard to install it from the php file but i succeeded, if anyone else had the same problem here what going on:

I first uploaded the php file to ied_plugin_composer and activated it, the plugin activated but the db table havent been created! and i cant delete it because if the db table doesnt exists it cant be deleted! (then you must delete it using phpmyadmin!)

The solution i found is install it in another txp install (upload the php file to ied_plugin_composer) dont activate it then export the file to a txt fomat, and install that txt into the textpattern plugin like usually!! ouuuf.

There is no textpack with it? but that s not a big deal.

I will t ry your example, it report the result but the description seems perfect for my case.

Cheers.

Offline

#60 2015-03-18 09:42:18

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,293
Website GitHub

Re: smd_access_keys: secure, limited access to content

Dragondz wrote #289176:

The plugin Really hard to install it from the php file

Sorry about that. I’ll bundle one up for you when I get a chance. Unfortunately my computer is being repartitioned this morning so I can use the C drive, but don’t have access to my data on D right now.

I first uploaded the php file to ied_plugin_composer and activated it, the plugin activated but the db table havent been created!

That’s odd, which version of plugin composer are you using? I thought I’d fixed all such issues. You may have to make sure that the post-install actions checkbox is set so the composer will actually run the installation/upgrade script. For safety, so you don’t overwrite anything while testing (because, out of the box, the composer is primarily a tool for building and testing plugins) it’s not automatic, unless you have set it to perform such actions via the composer’s prefs.

The solution i found is install it in another txp install (upload the php file to ied_plugin_composer) dont activate it then export the file to a txt fomat, and install that txt into the textpattern plugin like usually!! ouuuf. There is no textpack with it? but that s not a big deal.

Good trick, which would normally work. But you’re right that the Textpack won’t be exported unless you do two additional things:

  1. Set the Textpack prefix in plugin composer to match the plugin string prefix (which in this case is smd_akey). When you do that, the strings should immediately be populated, although there are a few that aren’t mentioned explicitly by name (the ones in the prefs) so they may be missing. At any time after you’ve added the prefix to plugin composer, you can always copy the Textpack block from the plugin source code and paste it into your Languages panel to manually install the strings. When you then revisit the plugin edit panel in composer, you’ll see all strings including “warning” ones that aren’t explicitly referenced in the code. I might see if I can improve things in this regard, perhaps by including an explicit reference in the code’s comments.
  2. Choose Textpack language(s) at the bottom before exporting. The plugin only has English strings at the moment. Feel free to send in any translations :-)

Hope that helps.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

Board footer

Powered by FluxBB