Textpattern CMS support forum

#85 2013-11-05 04:55:31

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Eventual forum upgrade plan

ruud wrote:

Repeating the topic title in each post is a waste of space. The topic title is already visible in the page title and in the breadcrumbs.

We’ve done this.

The links at the bottom of each post: There’s a “|” missing between Edit and Quote.

This has been corrected.

Where did the “Move” link go?

It’s a hack. FluxBB doesn’t support individual post moving, and it doesn’t have a plugins system either, so. We would have to migrate back to PunBB to get plugins and shit.

Is it possible to move these links to the top of the post, where the post number is?

The links don’t actually take any space. Those and the offline/online status are in a different block under the post. It’s not possible to move those since FluxBB doesn’t have theme partials, or views; just template wrappers.

Is it necessary to show that a user is a member? Non-members cannot post, so all posters are members.

We can’t really differentiate between account statuses. Only way to change anything is either CSS or JS.

Is it necessary to show that an IP is logged?

That is only shown to admins. FluxBB 1.2.x shows the IP address, 1.5.x shows IP in a tooltip when hovering over that link.

User ranking (lambda and such) and number of posts are the same thing. The same thing applies to registration date as well. All three are indications of how trustworthy a user is. No point in showing all three. I’d leave just the ranking as it is in the current forums.

There is no way of removing these without parsing the page, let’s say, using JavaScript and checking the text nodes one by one. PunBB would allow modifying this information through vt_row_pre_post_contacts_merge callback event.

Compared to the old forum, “known languages” is missing. Is that because we assume that all users speak English?

FluxBB doesn’t have “known languages”. There is a field for it in the profile, but it’s not shown anywhere.

The “real name” is missing as well, which I don’t mind. Because then I don’t have to choose between the real name and the forum name when replying :)

FluxBB doesn’t show the real name either. There is a field for it in the profile, but it’s not shown anywhere.

Offline

#86 2013-11-05 05:51:32

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Eventual forum upgrade plan

In addition to extensions (that even support overriding the BBcode parser), PunBB also would offer a layout that doesn’t use any tables: we wouldn’t have to hide columns, but can style them any way we want. They also have ID selectors for categories, forums etc. which would make adding icons and such easier.

Last edited by Gocom (2013-11-05 05:55:52)

Offline

#87 2013-11-05 08:12:34

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Eventual forum upgrade plan

Moving to punBB now would mean starting the theming from scratch again, since they don’t share too much in common any more. Each of the forums has its own pros and cons, I don’t think the trouble of moving to punBB is worth it at this point.

Once fluxBB 2 and punBB next are out, we can re-evaluate – I reckon that’ll be around the same time as Textpattern 5 ;)

Offline

#88 2013-11-05 09:40:00

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Eventual forum upgrade plan

philwareham wrote:

Moving to punBB now would mean starting the theming from scratch again, since they don’t share too much in common any more. Each of the forums has its own pros and cons, I don’t think the trouble of moving to punBB is worth it at this point.

What pros exactly does FluxBB have compared to PunBB? XSS vulnerabilities? Passwords that aren’t salted? Passwords that are used as session IDs, encrypted with site wide key? No real CSRF tokens?

  • PunBB salts passwords.
  • PunBB has had CSRF tokens for ages.
  • PunBB has never had those XSS vulnerabilities FluxBB has. E.g. here.
  • FluxBB does some fixes after PunBB, e.g. this.

Additionally PunBB offers extensions and better templates; we could actually provide those meta tags and Textile through plugins rather than hacks. Now, both are vulnerable to:

  • Replay attacks; session never changes. Both expire on expiration date, but you can’t invalidate the login session itself without changing your password; they both could easily fix this by storing the expiration date in the database. Additionally FluxBB doesn’t tie expiration date and password together, so even if you change password, I can use your old session’s expiration timestamp and extend your session to a year. PunBB does lock in password and expiration date.
  • PunBB too stores password in the session cookie, doesn’t protect the value with key, but uses the salt which is unique to the user rather than to the site.

But, PunBB allows changing all of those with extensions. You can override the login system, hash generation – everything.

Last edited by Gocom (2013-11-05 09:42:16)

Offline
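Added example, not part of the thread and not code from FluxBB or PunBB: a simplified Python model of the two session designs the post above contrasts, a stateless cookie whose single MAC binds user, expiry and password record together, and a server-side session whose expiry is stored in the database. All names, the cookie layout and the in-memory `SESSIONS` table are assumptions made for illustration; user ids are assumed to contain no `|`.

```python
import hashlib, hmac, secrets

SITE_KEY = secrets.token_bytes(32)   # constructed per-site secret
SESSIONS = {}                        # sha256(session id) -> (user, expiry); stands in for a DB table

def _tag(user, expires, pw_record):
    # One MAC over all three fields, so none can be swapped independently.
    msg = f"{user}|{expires}|{pw_record}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()

def issue_bound(user, pw_record, expires):
    """Stateless cookie: expiry and password record are locked together."""
    return f"{user}|{expires}|{_tag(user, expires, pw_record)}"

def check_bound(cookie, pw_records, now):
    try:
        user, expires, tag = cookie.split("|")
        good = _tag(user, expires, pw_records[user])
        live = int(expires) > now
    except (ValueError, KeyError):
        return None
    ok = hmac.compare_digest(tag.encode(), good.encode())
    return user if ok and live else None

def _key(sid):
    # Store only a hash of the session id, so a leaked table is not a set of live cookies.
    return hashlib.sha256(sid.encode()).hexdigest()

def login(user, now, ttl=3600):
    """Server-side session: the cookie is an opaque random id with no password material."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[_key(sid)] = (user, now + ttl)   # expiry lives in the database, not the cookie
    return sid

def check_session(sid, now):
    user, expires = SESSIONS.get(_key(sid), (None, 0))
    return user if expires > now else None

def revoke_all(user):
    """Call on logout-everywhere or password change."""
    for k in [k for k, (u, _) in SESSIONS.items() if u == user]:
        del SESSIONS[k]
```

The bound cookie rejects an edited expiry and dies with a password change, but a captured copy is accepted until it expires; only the server-side session can be invalidated on its own.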

#89 2013-11-05 09:53:38

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Eventual forum upgrade plan

So what are you saying, you want to now scrap FluxBB and all the hours of work we have put into theming it?

Offline

#90 2013-11-05 10:10:01

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Eventual forum upgrade plan

Besides, punBB future development is pretty much dead at this point (one developer working on it, occasionally) – nearly 2 years since last release. So don’t expect more of those nice features to appear any time soon.

Offline

#91 2013-11-05 10:45:50

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Eventual forum upgrade plan

philwareham wrote:

So what are you saying, you want to now scrap FluxBB and all the hours of work we have put into theming it?

It’s not like we would start from square one. But maintaining FluxBB can become a pain. Each release I will have to re-patch it, unless someone else wants to.

Besides, punBB future development is pretty much dead at this point (one developer working on it, occasionally) – nearly 2 years since last release. So don’t expect more of those nice features to appear any time soon.

Sure, but I wouldn’t make raw commit activity a real measurement. FluxBB’s commits consist of fixes to issues that have never gotten to PunBB. It would be nice if PunBB’s development was active and they didn’t write commit messages in Russian, but it’s pretty hard to commit tons of fixes, when there is nothing to fix or reported as an issue.

PunBB guys either fixed XSS issues when they backported from FluxBB, or FluxBB somehow got rid of sanitisation, or forked from a point before sanitisation was added. This file has XSS vulnerabilities, this one doesn’t. PunBB 2008, FluxBB 2010. Or salting; PunBB salted passwords in 2008, while FluxBB uses raw sha1.

These all are probably because of FluxBB forking from an old branch and never backporting these changes, but these aren’t necessarily a good sign.

Offline

#92 2013-11-05 11:19:02

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564
Website GitHub Mastodon

Re: Eventual forum upgrade plan

I understand your concerns, but I’d still like to wait and see where development goes on both before potentially jumping ship. FluxBB is good enough for right now – not perfect by any stretch of the imagination, but that’s just the way it is.

Offline

#93 2013-11-05 19:29:57

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Eventual forum upgrade plan

A few years ago this forum used PunBB. We switched to FluxBB because it was considered to be better then. Even security-wise, IIRC. Interesting to read that this has changed.

Btw. Thanks for the elaborate responses to the things I mentioned. Much appreciated.

Offline

#94 2013-11-06 05:23:21

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Eventual forum upgrade plan

There’s another issue which is the mods to manage the database. Especially the User management one which helps us delete 1000s of (possibly bot registered) users/month (I just deleted 1800).


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#95 2013-11-06 06:11:12

mrdale
Member
From: Walla Walla
Registered: 2004-11-19
Posts: 2,215
Website

Re: Eventual forum upgrade plan

I guess security is a critical issue with forums, since we’re all posting our credit card information in our signatures. Maybe we can find a system that has triple opt-in or one that salts AND peppers passwords. I’d even opt for the dreaded Worcestershire option just to make sure. Our words are just THAT important.

Offline

#96 2013-11-06 06:30:25

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Eventual forum upgrade plan

Those that are affected by rainbow tables, also use the same password for other services.

Last edited by Gocom (2013-11-06 06:33:16)

Offline
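Added example, not part of the thread and not code from FluxBB or PunBB: the salting point raised in posts #91 and #96, shown as a Python sketch that stores a per-user salted PBKDF2 record and upgrades a legacy unsalted SHA-1 row at the next successful login. The record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

def unsalted_sha1(password):
    # The "raw sha1" scheme: the digest depends on the password alone, so
    # every user with the same password gets the same stored value.
    return hashlib.sha1(password.encode()).hexdigest()

def make_record(password, iterations=200_000):
    salt = secrets.token_bytes(16)           # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        want = bytes.fromhex(dk_hex)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False                          # malformed record
    return hmac.compare_digest(got, want)

def upgrade_on_login(password, stored):
    """Return the record to keep after a login attempt, or None if the
    password is wrong. Legacy rows are re-hashed with a salt on success."""
    if "$" in stored:
        return stored if verify(password, stored) else None
    legacy = unsalted_sha1(password)
    if hmac.compare_digest(legacy.encode(), stored.encode()):
        return make_record(password)          # replace the unsalted digest
    return None
```

Two accounts with the same password share one unsalted digest but get different salted records, which is why a precomputed table helps against the first scheme and not the second.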

Powered by FluxBB