
Releases: trongate/trongate-framework

Added Cross-Site Request Forgery (CSRF) Protection

03 Oct 16:06

RELAX! This update does not add any breaking changes.

I received a few requests to add some kind of protection against cross-site request forgery. This is a type of attack that happens when somebody from another site submits forms to one of your own endpoints.

Now, you can have all of this working out of the box. You don't have to change what you're doing at all. For the record, here's how it works.

When you close a form with form_close(), Trongate will now do more than just create a closing form tag - it will also generate a hidden form field named 'csrf_token'. Provided your submit button has a name of 'submit', Trongate will automatically make sure the csrf_token can be validated against the user's session ID. All of the magic happens inside the engine folder.

To summarise:

  • In order to activate CSRF protection, simply do the following two things (you're probably already doing them!):

  1. Use the form_close() method to close your forms.
  2. Make sure the submit button on your form has a name of 'submit'.

Do those two things and CSRF protection will be enabled for you automatically!
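As an added illustration of the mechanism described above (this is not Trongate's engine code; the function names are hypothetical), here is the synchronizer-token pattern in plain PHP: a per-session token emitted as a hidden 'csrf_token' field, and a constant-time check on submission.

```php
<?php
// Added illustration of the synchronizer-token pattern described in the release note.
// This is not Trongate's engine code; the function names below are hypothetical.
declare(strict_types=1);

// Issue a per-session token once and return the hidden field a form_close() would emit.
function csrf_hidden_field(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded: unguessable by another site
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    $value = htmlspecialchars($session['csrf_token'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $value . '">';
}

// The release note's precondition: the check runs when the submit button is named
// 'submit'. A form without it is not covered by this gate, so a caller must not
// treat "not covered" as "validated".
function csrf_check_applies(array $post): bool
{
    return isset($post['submit']);
}

// Compare the posted token with the session's copy in constant time.
function csrf_token_matches(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false; // no session token yet, or a missing/malformed field
    }
    return hash_equals($expected, $given);
}

// Self-check with constructed data (no real session or HTTP request involved).
$session = [];
$hidden  = csrf_hidden_field($session);
$genuine = ['submit' => 'Save', 'csrf_token' => $session['csrf_token']];
$forged  = ['submit' => 'Save', 'csrf_token' => 'wrong-token']; // cross-site form
$missing = ['submit' => 'Save'];                                 // field stripped

if (strpos($hidden, 'name="csrf_token"') === false) {
    throw new RuntimeException('hidden field not rendered');
}
if (!csrf_check_applies($genuine) || !csrf_token_matches($session, $genuine)) {
    throw new RuntimeException('genuine submission rejected');
}
if (csrf_token_matches($session, $forged) || csrf_token_matches($session, $missing)) {
    throw new RuntimeException('forged submission accepted');
}
echo "CSRF checks behave as expected\n";
```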

By the way, if you have followed any of my tutorials or any of the docs then you should automatically be producing code that will activate CSRF protection. So, there's no need to change how you work. Just make sure your engine folder is up to date and you'll be good to go.

Cheers!

DC

Added New Starter Template

22 Sep 14:33

Trongate is good and fast when it comes to the business of building admin panels. However, when it comes to building entirely unique designs things start to get a little bit slow. This update introduces a new 'starter' template, complete with an app.js file and an app.css file.

With our new starter template, we now have the ability to quickly build sites that have entirely custom designs. Better still, we now have the ability to use the code generator and use generated code within our custom designs. So, all of the things that we've come to expect from the admin panel, such as pop-up calendars, side nav menus, modals and so on, are now all available for any design that you like.

I look forward to posting some tutorials on this soon, perhaps on YouTube. In the meantime, I hope you enjoy the new feature.

Correction to Validation Helper

15 Sep 12:39

This version introduces a fix to our form validation helper. Thanks to Claudia for raising this. We also had a good suggestion from Andrew Suares added here. This one allows you to optionally declare a variable type as an optional second argument. Refer to the docs for the segment() method for details.

v1.3.3027

10 Sep 14:19

We have a new, alternative form validation technique. Our existing 'pipe' method is good and it works. That system will remain and function as normal. However, sometimes - when setting form validation rules - they can run off the page (because the lines of syntax are so long) and that can be an irritation. Now, you can set your validation rules by building a PHP array. The end result is an alternative syntax that is a little bit more compact than what we've been using up until now. Please refer to the documentation for full instructions. It's explained in the 'Form Handling' section.

This update also fixes a minor glitch in TrongateCSS that was causing textarea fonts to look slightly rubbish. Keep in mind, the Desktop App will only update the engine folder. So, to get the latest version of Trongate CSS on an existing site, you may have to take a trip to GitHub and 'pluck out' the latest trongate.css file from the current Trongate framework.

There will also be a YouTube video, showing you how this new validation works.

Pre-Launch v1.3.3026

02 Sep 19:17
Pre-release

This update brings a range of improvements to the token security system for Trongate. The trongate_security module has been simplified. The trongate_tokens module has been vastly improved. Full details are to be found on the online docs.

PLEASE NOTE: We are STILL pre-launch so expect bugs and more tweaks over the next two to three weeks. If you are using Trongate with a commercial, high-priority project then it may be worth NOT upgrading and waiting until we have a 'post launch' version of the framework out. Once again, this is pre-launch - expect bugs. It's normal. Enjoy!

Pre-Launch v1.3.3025

16 Jun 18:07
Pre-release

This is the pre-launch version of the Trongate framework. Expect lots of bug fixes over these next two to three weeks.

The V1 Point Infinity Update - Scroll down to 'assets' to get the desktop app

15 Jun 11:10

This is a major update. The main changes here are: we now have the ability to have different admin panel themes. Also, there are a couple of syntax tweaks (detailed below). Finally, we now have our own CSS and JavaScript libraries. So, no more third party libraries! This is something I'm very excited about because not only has it given Trongate a massive performance boost, it has also given us the ability to enjoy industry leading levels of stability. This is because we are no longer at the mercy of somebody else's rewrite schedule.

A full video walkthrough of everything you need to know can be found here: https://youtu.be/5GARWIgb0mU.

TWO SYNTAX CHANGES

//fetching variables from URL
OLD: $name = $this->url->segment(3);
NEW: $name = segment(3);

//fetching posted variables
OLD: $name = $this->input('name', true);
NEW: $name = post('name', true);

I hope you enjoy this update. Full docs expected in about 2 to 3 weeks' time.

Macho love,

DC

PS - The desktop app can be downloaded from the links below. At the moment, I just have Mac and Linux. I expect to have Windows added within the next 24 hours.

Fixed typo and a little rewiring of the model

13 Dec 17:46

Here we have a typo correction and also a little rewiring of how the model fetches the table name. The latter should mean that the model can fetch correct table names, without actively declaring them - even in scenarios where we are using custom routing. It's just a little bit faster and a little bit better. No big deal.

Fixed typo and a little rewiring of the model

13 Dec 17:42

Here we have a typo correction and also a little rewiring of how the model fetches the table name. The latter should mean that the model can fetch correct table names, without actively declaring them - even in scenarios where we are using custom routing. It's just a little bit faster and a little bit better. No big deal.

SECURITY PATCH AND OTHER TWEAKS! Severity: "Bad but not catastrophic"

02 Dec 15:24

This update introduces a range of tweaks and corrections - two of which are important.

THE IMPORTANT TWEAKS THAT YOU NEED TO KNOW ABOUT:

  1. There is a method (function) on Core.php by the name of draw_error_page(). This function was lacking a die(); statement. Without a die() statement, draw_error_page() would have allowed PHP code to continue running even after an error page had been displayed. The die() statement has now been added.

  2. On the Trongate_tokens module there was a method called clean(). This method deletes all records from the Trongate tokens table and then finishes with an echo "cleaned"; statement. The method does not get called anywhere and it's actually a left over from a very late night coding session. So, I have removed this. I apologise.

The two errors (which have now been fixed) are classed as "Bad but not catastrophic".

I have investigated some worst case scenarios, with the help of Simon and Jake. Our findings are that somebody who knew what they were doing would be able to add records into the Trongate users table. This is alarming. However, since Trongate authentication and authorisation depends on a network of at least two other database tables (all with appropriate keys) being linked together and since trongate_users has no password column, it means that any malicious database insertion into that table would be benign.

I remind you that Trongate uses PDO from top to bottom which makes SQL injection virtually impossible (I have to say 'virtually' in case there is some hypothetically undiscovered method that I'm not aware of). So, as bad as this error was, it's not catastrophic.
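As an added illustration of the first error (this is not the framework's own code; the names are hypothetical and the database write is simulated with an array), the two variants below show why a missing die() after rendering an error page matters: with the pre-patch version, control returns to the caller and the guarded write still happens.

```php
<?php
// Added illustration of the draw_error_page() defect (important tweak 1 above).
// Not the framework's own code: names are hypothetical and the "table" is an array.
declare(strict_types=1);

// Before the patch: the error page is rendered, then control RETURNS to the caller.
function draw_error_page_before(int $status): void
{
    echo "<h1>Error $status</h1>\n";
}

// After the patch: the request is terminated once the error page has been sent,
// so nothing after a failed guard can execute.
function draw_error_page_after(int $status): void
{
    echo "<h1>Error $status</h1>\n";
    die();
}

// A typical guard: reject unauthorised callers, then perform a write.
// The write is reached only if the error-page function fails to stop the script.
function guarded_insert(callable $draw_error_page, bool $authorised, array &$table): void
{
    if (!$authorised) {
        $draw_error_page(403);
        // With the pre-patch function, execution simply falls through to the insert.
    }
    $table[] = ['user' => 'constructed-record'];
}

$table = [];
guarded_insert('draw_error_page_before', false, $table);
echo count($table) . " row(s) written despite the 403 (unpatched behaviour)\n";

guarded_insert('draw_error_page_after', false, $table);
echo "never printed: the patched function ended the script\n";
```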

With the second error, the ultimate worst case scenario would be that somebody who knew what they were doing could continually log users out by clearing the tokens table. Again, this is a bad error, however, since it does not expose any credentials and since it does not allow admin rights, it also has to be classed as 'bad but not catastrophic'.

Many thanks to Jake Castelli and Simon Field for identifying these bugs and for helping in coming up with solutions along with a "worst case scenario" assessment.

OTHER TWEAKS

There are a few other tweaks that have been carried out. We have a pull request from Tim Lalev who successfully identified something that wasn't being called. Thank you, Tim.

There's also an '=null' declaration on Trongate tokens that was not required. That has gone.

Finally, Jake identified an unused view file on the Comments module.

RECOMMENDATIONS

  1. Make sure your Trongate engine is updated to v1.3.3018 or higher.
  2. Manually replace your Trongate_tokens module with the latest version (available from GitHub at: https://github.com/davidjconnelly/trongate-framework).

THANK YOU TROOPS, FOR YOUR EXCELLENT WORK AND FOR HELPING TO KEEP THE TRONGATE FRAMEWORK SAFE!!!