CTAAR : SomeChanges


June 15, 2007 - We switched to WikkaWiki

WikkaWiki includes most of the changes that I incorporated into WakkaWiki from the original WakkaWiki site (including my PageDeleteHandler, and they gave me credit! Woohoo!). So most of the following does not apply anymore, but I'm keeping it here for a historical record. I may want to add some of these to WikkaWiki, in particular the TrustedSitesHack since that allows us to keep the wiki open to comments or editing without requiring login, to some degree.

On November 9, 2007 we started getting some vandalism, where new accounts were created automatically and then used to edit multiple pages. So I re-implemented the TrustedSitesHack, and I'm going to look into the changes for the next version of WikkaWiki. If I have time and they haven't done this yet, I may try to write a challenge/response registration tool.

Local Changes to WikkaWiki

  1. allow the use of graphics simply by pasting in the link. The change is almost identical to the one made for WakkaWiki (see ImageHack), but the file is now "libs/Wakka.class.php". I did not add the !! notation back in.
  2. redid the TrustedSitesHack, with one additional modification to restrict new registrations to the trusted network.

Old Notes applicable to WakkaWiki

If you are using Mozilla or Netscape 7, Bug 206897 may interfere with scrolling. You can shut off double-click editing in UserSettings to get around it.

This is the page where I keep track of the changes I have made to the wakka software. When the next version of WakkaWiki comes out, if they have not made similar changes, I will have to reintegrate my changes with the new version, but the original developers are working on other projects.

To Do

  1. Switch to UniWakka? This would involve redoing a lot of the changes below, if they are not solved in UniWakka
  2. Remove the "&" from the link matching grep pattern, to allow for links that contain an ampersand. Better, convert the "&" into the hex code.
  3. Add "click and comment" buttons to insert boilerplate text (grammatical error notations, grades, grading rubric, etc.)
  4. add "save and continue" button
  5. add UserGuide link to header
  6. Repair minor damage done when I commented out the requirement that the username be a wikiname - this also bypassed the check that the username not be blank (but that can only happen once per wiki).
  7. Fix RCI login all over again. RUCS seems to have tightened up the PHP settings so it does not expose the PHP_AUTH_USER and password anymore. This is a good thing, but it breaks the previous changes I made. If there is some way to use PHP to check the LDAP server for login rather than its own mysql tables, that would be more appropriate and would not require using ".htaccess" (solving the problem of students not being able to log in). I can also try using the method described in http://pl.php.net/features.http-auth to make php ask for the passwords, but I don't know if this links to RCI/Eden passwords the same way .htaccess can.
  8. http://www.wakkawiki.de/ReferrerSpamming - this may take care of the next point. Even better, completely disable the referrer feature, eliminate the referrer link, etc. It's really not needed and only attracts spammers.
  9. A bug - type in any nonsense in the URL, and you can create a page that is difficult to deal with. This has been used to create spam pages at http://www.wakkawiki.com/ . The page and edit handlers should do some simple checking for a valid WikiWord prior to allowing page creation (currently this is done by the formatter, which adds the "?" after a WikiWord). Or it should be completely disallowed, since it allows the possible creation of a bot to randomly generate urls and create pages. Only allowing creation by following a local link (check the referrer?) would make it harder to create a bot.
  10. Check login stuff - are logins being remembered from one wakka site to another on a different server? (e.g., teachx to RCI)? maybe my imagination.
  11. Change login stuff to store a token rather than a password in the cookie. Passwords in cookies are bad.
  12. Change the tab character (this is coming soon in wakka-0.1.3, it may be best to wait for that)
  13. Edit robots.txt to limit searches (do not follow /edit links - not very important if the .htaccess file is used for password protection, since that blocks search sites too). Problem - Rewrite Mode blocks the robots.txt file! Problem 2 - robots.txt is ignored in user directories and subdirectories. Try doing the same in a Meta tag.
  14. Add a formatting cheat sheet to the edit page.
  15. Change the need to have a tab before a numbered list? -also coming in 0.1.3
  16. In setup script, try to force http: to https: if this will use NetIDs. See https://www.rci.rutgers.edu/ssl/index.php for options in forcing https usage.
  17. Change .htaccess file to optionally allow non-rci accounts too, and require https access (can I do that there?)
  18. Change "setup" script to ask for an admin username and write it to the config file.
  19. Change setup script to add more default pages like the UserGuide.
  20. Figure out how to get new RCI/Eden users to the UserSettings screen the first time they arrive. Or maybe not — without clicking UserSettings, your name shows as your IP address, and clicking UserSettings is the logical way of setting your name so people should do it eventually on their own.
  21. Maybe a better idea - undo the alterations I made to the login functions in wakka.php, and create a new UserSettings action that does the basic authentication through php, rather than using .htaccess, if possible.
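The following is an added example for item 11 above (storing a token rather than a password in the cookie); it is not WakkaWiki code and does not claim to match how wakka.php stores its login. The cookie carries a random token, the server keeps only a hash of that token, and the password never leaves the login form. The `$store` array stands in for the database table that would hold the hashes, and the function names are my own.

```php
<?php
// Added example for item 11 above; it is not WakkaWiki code. The cookie
// carries a random token, the server keeps only a hash of it, and the
// password never leaves the login form. $store stands in for the table
// that would hold the hashes; the names are my own.

function issueSessionToken(array &$store, string $username): string
{
    $token = bin2hex(random_bytes(32));                 // 256 random bits
    $store[hash('sha256', $token)] = ['user' => $username, 'issued' => time()];
    return $token;                                      // goes into the cookie
}

function userForToken(array $store, string $cookieValue, int $maxAge = 86400): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null;                                    // malformed cookie
    }
    // Looking up by hash means a stolen copy of the table yields no usable cookies.
    $row = $store[hash('sha256', $cookieValue)] ?? null;
    if ($row === null || time() - $row['issued'] > $maxAge) {
        return null;                                    // unknown or expired
    }
    return $row['user'];
}

function revokeToken(array &$store, string $cookieValue): void
{
    unset($store[hash('sha256', $cookieValue)]);        // logout invalidates server-side
}

// Login: one cookie name per installation, in the spirit of the
// "Cookie and Session Names" change further down the page.
$store      = [];
$cookieName = 'wakkauser' . 'session';   // e.g. $this->config["mysql_user"] . "session"
$token      = issueSessionToken($store, 'SomeUser');
if (PHP_SAPI !== 'cli') {
    setcookie($cookieName, $token, [
        'expires'  => time() + 86400,
        'path'     => '/',
        'secure'   => true,     // only sent over https
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Later requests: $user = userForToken($store, $_COOKIE[$cookieName] ?? '');
echo userForToken($store, $token) ?? 'anonymous', "\n";
revokeToken($store, $token);
echo userForToken($store, $token) ?? 'anonymous', "\n";
```

Run from the command line it resolves the token to the user, revokes it, and then treats the same cookie value as anonymous. Because only the SHA-256 of the token is stored, someone who reads the table (or a backup of it) cannot build a working cookie from it, and revoking is just deleting the row.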


much longer term
A spellcheck action
A calendar action -- http://www.wakkawiki.com/WakkaCalendar
Make it skinnable by reading alternate css (new handler? new action? new approach?)

To fix the broken css and images

If you don't use the url rewriting in the .htaccess file, the css, icon images and some php-generated links break unless you make the following changes. This is necessary for distribution on RCI, since the .htaccess file would need to be edited for each user, and that's not practical.

In actions/header.php

<?php
        $message = $this->GetMessage();
        $user = $this->GetUser();

// I added the following
// Derive the site root from base_url so a <base href> can make the
// relative css/image links work without URL rewriting.
        $site_base = $this->GetConfigValue("base_url");
        // 'wakka.php?wakka=' is 16 characters; strip it when rewrite mode is off
        if ( substr_count($site_base, 'wakka.php?wakka=') > 0 )
                $site_base = substr($site_base,0,-16);
?>

Within the HTML I added:

        <base href="<?php echo $site_base ?>" />

and changed the stylesheet to be a relative URL:

        <link rel="stylesheet" type="text/css" href="css/wakka.css" />

And at the top of the page I changed the link to create the search for the page title, changing

       TextSearch?phrase

to
       TextSearch<?php
                if (!$this->config["rewrite_mode"])
                {
                        echo "&amp;";
                }
                else
                {
                        echo "?";
                } ?>phrase

Likewise in actions/footer.php I changed the xml graphic to be a relative URL.

finally, in handlers/page/revisions.php
replace
<?php

    $output .= "<td>&nbsp;<a href=\"".$this->href("show")."?time=".urlencode($page["time"])."\">".$page["time"]."</a></td>";

?>

with
<?php

    if (!$this->config["rewrite_mode"]) {
        $output .= "<td>&nbsp;<a href=\"".$this->href("show")."&amp;time=".urlencode($page["time"])."\">".$page["time"]."</a></td>";
    }
    else
    {
        $output .= "<td>&nbsp;<a href=\"".$this->href("show")."?time=".urlencode($page["time"])."\">".$page["time"]."</a></td>";
    }

?>


Javascript and other insecure link fixes

I made the security changes from http://www.wakkawiki.com/LinkFormattingFix

Double Double-quote insecurity

It was possible to insert xhtml or other escaped code using double double-quotes. This has been stopped by changing
formatters/wakka.php line 101 to return htmlspecialchars($matches[1]);

More changes along this line might be necessary, with htmlspecialchars() (or URL encoding) being used any time text is passed straight through the formatter (URLs into a link, for example).

Images

Without the double double-quotes bug you can't sneak in images, so I also modified the regexp pattern matching in formatters/wakka.php to include !! url !! for including images. More testing needs to be done, and I might change this before it is active on the site.

I changed the main wakka.php Link() function to check for images, making the !! url !! mostly unnecessary. It may still be useful for images uploaded to the server, so for now it stays. Links will now change to an image if it ends with .jpg, .gif, or .png, and if you use the [[forced link]] method, the extra text becomes the "alt" tag.
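As an added example, not the LinkFormattingFix, not the line-101 change to formatters/wakka.php, and not the page's own edit to Link(), the following PHP puts the three points from the last few sections together in one function: an allow-list of URL schemes so a javascript: target never becomes a link, htmlspecialchars() on every value before it reaches the HTML, and rendering of .jpg/.jpeg/.gif/.png targets as an image with the forced-link text as the alt attribute. The function name, the parameter names and the sample inputs are mine.

```php
<?php
// Added example; not the LinkFormattingFix, nor this page's edits to
// formatters/wakka.php or the Link() function. Names are my own.

function formatLink(string $target, string $text = ''): string
{
    $target = trim($target);
    $text   = trim($text) === '' ? $target : trim($text);

    // Allow-list the scheme: only absolute http/https/ftp targets become links.
    // javascript:, data:, vbscript: and friends fall through and are shown as text.
    if (!preg_match('#^(https?|ftp)://[^\s"\'<>]+$#i', $target)) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }

    // Escape every value before it reaches the HTML, closing the
    // double double-quote hole no matter what the regexp captured.
    $safeHref = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Image detection looks at the path only, so ?x=.png in a query string
    // does not turn an arbitrary script URL into an <img>.
    $path = (string) parse_url($target, PHP_URL_PATH);
    if (preg_match('/\.(jpe?g|gif|png)$/i', $path)) {
        return '<img src="' . $safeHref . '" alt="' . $safeText . '" />';
    }

    return '<a href="' . $safeHref . '">' . $safeText . '</a>';
}

// Constructed inputs exercising each branch.
$cases = [
    ['javascript:alert(1)',                'click me'],
    ['http://example.org/a.php?x=1',       '"><script>alert(1)</script>'],
    ['http://example.org/pic.png',         'a picture'],
    ['http://example.org/page.php?f=.png', 'not an image'],
];
foreach ($cases as [$url, $label]) {
    echo formatLink($url, $label), "\n";
}
```

The first case is shown as plain text rather than a link, the second produces a link whose text is escaped so the script tag is inert, the third becomes an img tag with alt="a picture", and the fourth stays an ordinary link because the .png is in the query string, not the path.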

Pseudo Administrative Access

The hacks listed here give certain users the ability to change the Access Control for any page. I used the second version listed, which required less editing and is probably more efficient.
WakkaWiki:PsudoAdminUser

Allow regular word usernames

Changed actions/header.php and actions/footer.php to use Format("[[".$owner."]]") to force link in the event that it is not a WikiWord.

In actions/usersettings.php
-- Hello, <?php echo $this->Link($user["name"]) ?>!
++ Hello, <?php echo $this->Format("[[".$user["name"]."]]") ?>!
Commented out check for WikiName

also added the "[[".$user["name"]."]]" to actions/latestusers.php (that I think I copied in turn from the WakkaWiki site where it is called the "Last Known users" action).

Log in automatically from .htaccess info (basic auth)

rewrote actions/usersettings.php to display different form on first access if username/password are known but user is not in database (instead of login/create account form).

added one line to wakka.php Run() function to login from $_SERVER["PHP_AUTH_USER"], and altered SetUser() to use session cookies if $_SERVER[] variables are set.

A problem remains for when a user "logs in" with an RCI username, and they are not in the wakka database - they do not really get logged in to wakka until they click UserSettings and submit their e-mail address. I cannot redirect them to the UserSettings page because the same instructions that do the redirect also display the page, causing an infinite loop, but then it is probably not necessary since if they want to set their name, they will naturally gravitate to the UserSettings, and the "@" (formerly "§") access level is redundant when using the .htaccess file.

Another problem crops up when a user jumps from the Tiki on RCI, since it seems to use the same PHP mechanism for login, but not in the same way. We end up with the user apparently "logged in" but with junk info, and going back to Tiki from here leaves you logged in with the username "Array".

Preview Warning

Added an id="previewwarn" tag to the word "preview" in handlers/page/edit.php so you can now do funny things with it through the style sheet. I made it fixed so it never leaves the screen.

Default Pages

Changed setup/install.php to create a default SandBox page and a WakkaFormatting page, added links to those pages to the home page.

Access Control

Changed the "§" symbol to "@" to represent registered users in Access Control Lists, because it is much easier to type and is standard ASCII.

Page Deletion

Created a PageDeleteHandler which permanently and instantly deletes a page and all comments on it.

Cookie and Session Names

Changed the cookie and session names to make them more unique to the particular installation of wakka, by appending the mysql_user name $this->config["mysql_user"]."name", $this->config["mysql_user"]."password" for cookies, and $this->config["mysql_user"]."user" for the session. This helps avoid conflicts with multiple instances of wakka on the same server, and with other php scripts on the same server that use the same cookie and session names.

Double-Click Editing

Moved the "ondblclick" javascript handler from the <body> tag to a new <div> tag, in order to avoid the Mozilla bug that triggers a double-click when scrolling (Bug 206897).

Trusted Sites anti-spam measure

Created a TrustedSitesHack that optionally prevents people who are not logged in from editing any page, even if the ACL is set to "*" unless they are coming from a "trusted" domain which defaults to the domain of the web server.
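The following is an added example of the decision the TrustedSitesHack has to make; it is not the hack's own code, and the function names, the default-domain rule and the sample addresses are mine. The point a practitioner wants here is which input to trust: the TCP peer address (REMOTE_ADDR) resolved through DNS, never the Referer header, since a bot sets the Referer to whatever it likes. The two lookups are passed in as callables so the logic runs against constructed tables instead of live DNS.

```php
<?php
// Added example of the TrustedSitesHack's decision; not the hack's own code.
// Names are my own, and the lookup callables exist so the logic can be run
// against constructed tables instead of live DNS.

function trustedDomainsFor(string $serverName, array $configured = []): array
{
    if ($configured !== []) {
        return $configured;
    }
    // Default: the registered domain of the web server (last two labels).
    // This simplification is wrong for names like example.co.uk; configure
    // the list explicitly in that case.
    $labels = explode('.', strtolower($serverName));
    return [implode('.', array_slice($labels, -2))];
}

function isTrustedClient(string $remoteAddr, array $trustedDomains,
                         ?callable $reverse = null, ?callable $forward = null): bool
{
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbynamel';

    // Use the TCP peer address, never the Referer header: the Referer is
    // supplied by the client and is exactly what a spam bot forges.
    $host = $reverse($remoteAddr);
    if ($host === false || $host === $remoteAddr) {
        return false;                       // no PTR record
    }
    $host = strtolower(rtrim($host, '.'));

    // Forward-confirm the reverse lookup: whoever controls the reverse zone
    // for an address can put any name there, but they cannot make the
    // trusted domain's forward zone point back at that address.
    $addrs = $forward($host);
    if (!is_array($addrs) || !in_array($remoteAddr, $addrs, true)) {
        return false;
    }

    foreach ($trustedDomains as $domain) {
        $domain = strtolower(ltrim($domain, '.'));
        $suffix = '.' . $domain;
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed lookup tables standing in for DNS (documentation address ranges).
$ptr = [
    '192.0.2.10'   => 'lab.cs.example.edu',
    '203.0.113.7'  => 'lab.cs.example.edu',   // forged PTR from an outside address
    '198.51.100.5' => 'host.spammer.example',
];
$fwd = [
    'lab.cs.example.edu'   => ['192.0.2.10'],
    'host.spammer.example' => ['198.51.100.5'],
];
$reverse = fn(string $ip) => $ptr[$ip] ?? $ip;     // gethostbyaddr() semantics
$forward = fn(string $h)  => $fwd[$h] ?? false;    // gethostbynamel() semantics

$trusted = trustedDomainsFor('www.wiki.example.edu');   // default from the server name
foreach (['192.0.2.10', '203.0.113.7', '198.51.100.5', '192.0.2.99'] as $ip) {
    printf("%-14s %s\n", $ip, isTrustedClient($ip, $trusted, $reverse, $forward) ? 'trusted' : 'untrusted');
}
```

Only the first address is accepted: the second has a PTR record naming a trusted host but the forward lookup does not confirm it, the third resolves into another domain, and the fourth has no PTR record at all. Hooking this into the edit and registration handlers is then a matter of calling it with $_SERVER["REMOTE_ADDR"] whenever the user is not logged in.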

Disabled referrer logging

Removed the link to the "Referrer" handler from footer.php, and commented out the call to "LogReferrers()" in wakka.php. Referrer logging was used by spammers to get their site listed on any wakka, simply by visiting it.

Powered by Wikka Wakka Wiki 1.1.6.3