From c11c874a5ebc9409ab405f6fe0b95a80643bcb2b Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Mon, 5 Mar 2018 08:46:31 +0000
Subject: [PATCH 1/5] Add .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..50ebc807
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/hashover/comments/
From f986549be5b8aa0a9a5934ea919cd02dabbfd177 Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Mon, 5 Mar 2018 09:30:44 +0000
Subject: [PATCH 2/5] Move secrets configuration out of code and into ini file with template
Previously, users needed to edit the secrets.php file before they could use HashOver. This requirement posed a number of problems, such as a needlessly-complicated upgrade procedure. This commit moves the configuration to an .ini file in the config/ directory. A secrets.ini is not included - instead, there is a secrets.ini.sample file, which users can copy to secrets.ini before editing. This allows simpler upgrades by means of a 'git pull' or 'tar xf ...'. The .ini file format was chosen as it is directly supported by the PHP core (as INI support is needed by PHP itself to read php.ini), allows comments (unlike JSON), and has a simple and obvious syntax. Moving the file to be edited away from backend/classes/ and into config/ also makes it more discoverable.
---
 .gitignore | 1 +
 hashover/backend/classes/secrets.php | 36 +++++++++++++++------------
 hashover/backend/classes/settings.php | 2 ++
 hashover/backend/classes/setup.php | 6 ++---
 hashover/config/secrets.ini.sample | 25 +++++++++++++++++++
 5 files changed, 51 insertions(+), 19 deletions(-)
 create mode 100644 hashover/config/secrets.ini.sample
diff --git a/.gitignore b/.gitignore
index 50ebc807..25f99142 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /hashover/comments/
+/hashover/config/secrets.ini
diff --git a/hashover/backend/classes/secrets.php b/hashover/backend/classes/secrets.php
index 8ce3777f..7744ebfb 100644
--- a/hashover/backend/classes/secrets.php
+++ b/hashover/backend/classes/secrets.php
@@ -7,22 +7,6 @@
 // This applies worldwide. If this is not legally possible, I grant any
 // entity the right to use this work for any purpose, without any
 // conditions, unless such conditions are required by law.
-//
-//--------------------
-//
-// IMPORTANT NOTICE:
-//
-// To retain your settings and maintain proper functionality, when
-// downloading or otherwise upgrading to a new version of HashOver it
-// is important that you preserve this file, unless directed otherwise.
-//
-// It is also important to choose UNIQUE values for the encryption key,
-// admin name, and admin password, as not doing so puts HashOver at
-// risk of being hijacked. Allowing someone to delete comments and/or
-// edit existing comments to post spam, impersonate you or your
-// visitors in order to push some sort of agenda/propaganda, to defame
-// you or your visitors, or to imply endorsement of some product(s),
-// service(s), and/or political ideology.
 class Secrets
@@ -38,4 +22,24 @@ class Secrets
 // Login password to gain admin rights (case-sensitive)
 protected $adminPassword = 'passwd';
+
+ protected function getSecretConfigPath() {
+ return dirname(dirname(__DIR__)) . '/config/secrets.ini';
+ }
+
+ function __construct() {
+ $config_file_name = $this->getSecretConfigPath();
+ if (!file_exists($config_file_name)) {
+ throw new \Exception (sprintf (
+ 'Please create the file %s (using secrets.ini.sample as a template)',
+ $config_file_name
+ ));
+ }
+
+ $arr = parse_ini_file($config_file_name);
+ $this->notificationEmail = $arr['notification-email'];
+ $this->encryptionKey = $arr['encryption-key'];
+ $this->adminName = $arr['admin-name'];
+ $this->adminPassword = $arr['admin-password'];
+ }
 }
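Review bot: `getSecretConfigPath()` puts `secrets.ini` under `hashover/config/`, inside the same tree that is served to browsers, and unlike the old `secrets.php` (which the interpreter executes without producing output) an `.ini` file is typically returned as plain text by a stock Apache or nginx configuration, so the admin password and encryption key become readable to anyone who requests that URL; nothing in this series adds a deny rule for the directory. A `.htaccess`/server rule denying `config/`, or an override that lets the file live outside the document root, belongs in the same change. Separately, `parse_ini_file()` returns `false` on a malformed file and a key absent from the file reads as `null`, which passes the `=== '8CharKey'`-style default checks in setup.php unchallenged, so the constructor should fail loudly on both before assigning the properties (rewritten section below).
```php
    function __construct() {
        // … unchanged: file_exists check and exception …

        $arr = parse_ini_file($config_file_name);
        if ($arr === false) {
            throw new \Exception (sprintf (
                'Unable to parse %s', $config_file_name
            ));
        }

        // Every secret must be present and non-empty; a missing key would
        // otherwise become null and slip past the default-value checks.
        foreach (array ('notification-email', 'encryption-key', 'admin-name', 'admin-password') as $key) {
            if (!isset ($arr[$key]) || $arr[$key] === '') {
                throw new \Exception (sprintf (
                    'Missing or empty "%s" in %s', $key, $config_file_name
                ));
            }
        }

        // … unchanged: property assignments …
    }
```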
diff --git a/hashover/backend/classes/settings.php b/hashover/backend/classes/settings.php
index 04cce887..7d4f8a5d 100644
--- a/hashover/backend/classes/settings.php
+++ b/hashover/backend/classes/settings.php
@@ -137,6 +137,8 @@ class Settings extends Secrets
 public function __construct ()
 {
+ parent::__construct();
+
 // Theme path
 $this->themePath = 'themes/' . $this->theme;
diff --git a/hashover/backend/classes/setup.php b/hashover/backend/classes/setup.php
index 855a504a..f70e5c65 100644
--- a/hashover/backend/classes/setup.php
+++ b/hashover/backend/classes/setup.php
@@ -111,7 +111,7 @@ public function __construct (array $usage)
 if ($this->notificationEmail === 'example@example.com') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE notification e-mail in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
@@ -119,7 +119,7 @@ public function __construct (array $usage)
 if ($this->encryptionKey === '8CharKey') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE encryption key in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
@@ -127,7 +127,7 @@ public function __construct (array $usage)
 if ($this->adminPassword === 'password') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE admin password in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
diff --git a/hashover/config/secrets.ini.sample b/hashover/config/secrets.ini.sample
new file mode 100644
index 00000000..06968e02
--- /dev/null
+++ b/hashover/config/secrets.ini.sample
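Review bot: The default-value guard in the third setup.php hunk still compares `$this->adminPassword === 'password'`, but the value shipped in the new `hashover/config/secrets.ini.sample` (and the previous in-code default) is `passwd`, so an installation that copies the sample unchanged is never stopped by this check and runs with a publicly known admin password. Compare against the value the sample actually carries, `if ($this->adminPassword === 'passwd') {`, or better, define the placeholder values once and have both the sample and these three guards use them; no guard for `admin-name = admin` is visible in these hunks either, although the sample tells users to change it. The enclosing `__construct (array $usage)` starts and ends outside the hunks.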
@@ -0,0 +1,25 @@
+; IMPORTANT NOTICE:
+;
+; To retain your settings and maintain proper functionality, when
+; downloading or otherwise upgrading to a new version of HashOver it
+; is important that you preserve this file, unless directed otherwise.
+;
+; It is also important to choose UNIQUE values for the encryption key,
+; admin name, and admin password, as not doing so puts HashOver at
+; risk of being hijacked. Allowing someone to delete comments and/or
+; edit existing comments to post spam, impersonate you or your
+; visitors in order to push some sort of agenda/propaganda, to defame
+; you or your visitors, or to imply endorsement of some product(s),
+; service(s), and/or political ideology.
+
+; E-mail for notification of new comments
+notification-email = example@example.com
+
+; Unique encryption key (case-sensitive)
+encryption-key = 8CharKey
+
+; Login name to gain admin rights (case-sensitive)
+admin-name = admin
+
+; Login password to gain admin rights (case-sensitive)
+admin-password = passwd
From eb680055ced4e8163f4ab85fca9e973bfa5b711a Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Mon, 5 Mar 2018 09:53:07 +0000
Subject: [PATCH 3/5] Fix error message for saving settings in admin interface
---
 hashover/admin/views/settings/index.php | 2 +-
 hashover/config/settings.json | 51 ------------------------------
 2 files changed, 1 insertion(+), 52 deletions(-)
 delete mode 100644 hashover/config/settings.json
diff --git a/hashover/admin/views/settings/index.php b/hashover/admin/views/settings/index.php
index 86828e7a..f66bf452 100644
--- a/hashover/admin/views/settings/index.php
+++ b/hashover/admin/views/settings/index.php
@@ -411,7 +411,7 @@ function settings_array (Setup $setup)
 $submitted = true;
 } else {
 // Set submission indicators
- $title = 'Failed to Settings!';
+ $title = 'Failed to save Settings!';
 }
 }
diff --git a/hashover/config/settings.json b/hashover/config/settings.json
deleted file mode 100644
index d77b96e5..00000000
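Review bot: Every value in the sample is unquoted, and `parse_ini_file()` in its default scanner mode (which is what the new `Secrets` constructor uses) treats `;` as the start of a comment and rejects or reinterprets unquoted values containing characters such as `"`, `&`, `|`, `{`, `}`, `!`, `^` or `(`, so a user who follows the "choose UNIQUE values" advice with a strong password can end up with a truncated or unparseable secret and no error at the point it matters. Quote the secret values in the sample and say so in the comment, e.g. `admin-password = "passwd"` preceded by `; Quote values that contain spaces or punctuation`, and consider passing `INI_SCANNER_RAW` on the loader side so literal words such as `true`, `null` or `off` are not converted before being compared.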
--- a/hashover/config/settings.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "language": "auto",
- "theme": "default",
- "uses-moderation": false,
- "pends-user-edits": false,
- "data-format": "xml",
- "default-name": "Anonymous",
- "allows-images": true,
- "allows-login": true,
- "allows-likes": true,
- "allows-dislikes": false,
- "uses-ajax": true,
- "collapses-interface": false,
- "collapses-comments": true,
- "collapse-limit": 3,
- "reply-mode": "thread",
- "stream-depth": 3,
- "popularity-threshold": 5,
- "popularity-limit": 2,
- "uses-markdown": true,
- "server-timezone": "America\/Los_Angeles",
- "uses-user-timezone": true,
- "uses-short-dates": true,
- "time-format": "g:ia",
- "date-format": "m\/d\/Y",
- "displays-title": true,
- "form-position": "top",
- "uses-auto-login": true,
- "shows-reply-count": true,
- "count-includes-deleted": true,
- "icon-mode": "image",
- "icon-size": 45,
- "image-format": "png",
- "uses-labels": false,
- "uses-cancel-buttons": true,
- "appends-css": true,
- "appends-rss": true,
- "login-method": "defaultLogin",
- "sets-cookies": true,
- "secure-cookies": false,
- "stores-ip-address": false,
- "allows-user-replies": false,
- "noreply-email": "noreply@example.com",
- "spam-batabase": "remote",
- "spam-check-modes": "php",
- "gravatar-force": false,
- "gravatar-default": "custom",
- "minifies-javascript": false,
- "minify-level": 4,
- "allow-local-metadata": false
-}
From 22e702f8e7f585e33830d531a2a2ec52bbfba307 Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Mon, 5 Mar 2018 09:58:38 +0000
Subject: [PATCH 4/5] settings.php: Allow getAbsolutePath to work for non-existing files
This fixes failing to save the configuration in the administration interface when the configuration files are missing.
---
 hashover/backend/classes/settings.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hashover/backend/classes/settings.php b/hashover/backend/classes/settings.php
index 7d4f8a5d..f2b743d0 100644
--- a/hashover/backend/classes/settings.php
+++ b/hashover/backend/classes/settings.php
@@ -194,10 +194,13 @@ function isHTTPS ()
 return false;
 }
- // Returns a server-side absolute file path
+ // Given a path relative to the HashOver root directory,
+ // returns the server-side absolute file path
 public function getAbsolutePath ($file)
 {
- return realpath ($this->rootDirectory . '/' . trim ($file, '/'));
+ // NB: Not using realpath() here to allow working with paths not
+ // pointing to existing files, and to avoid unnecessary symlink resolution.
+ return $this->rootDirectory . '/' . trim ($file, '/');
 }
 // Returns a client-side path for a file within the HashOver root
From 177df21a70f04f4530509ba205abe1dde52736fc Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Mon, 5 Mar 2018 09:56:37 +0000
Subject: [PATCH 5/5] Delete JSON configuration files
As of the previous commit, it is no longer necessary to include them in the distribution - in their absence, HashOver will use the default values, and the administration interface will create them when saving the configuration for the first time.
---
 .gitignore | 3 +++
 hashover/config/blocklist.json | 1 -
 hashover/config/ignored-queries.json | 1 -
 3 files changed, 3 insertions(+), 2 deletions(-)
 delete mode 100644 hashover/config/blocklist.json
 delete mode 100644 hashover/config/ignored-queries.json
diff --git a/.gitignore b/.gitignore
index 25f99142..7dab78d4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 /hashover/comments/
 /hashover/config/secrets.ini
+/hashover/config/blocklist.json
+/hashover/config/ignored-queries.json
+/hashover/config/settings.json
diff --git a/hashover/config/blocklist.json b/hashover/config/blocklist.json
deleted file mode 100644
index 0637a088..00000000
--- a/hashover/config/blocklist.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file
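Review bot: Dropping `realpath()` from `getAbsolutePath` also drops the only thing that collapsed `..` segments: `trim ($file, '/')` removes slashes at the ends only, so a `$file` such as `../x` now yields a path outside `rootDirectory`, where before it resolved to a canonical path (or `false` for a non-existent one). Whether any caller passes externally influenced values in `$file` is not visible here, but the commit message says the admin settings writer now saves through this method, so the function should normalise `.` and `..` lexically and refuse any result that leaves the root directory (rewrite below). The hunk also shows the tail of `isHTTPS ()` and the comment introducing the next method, both of which are untouched.
```php
public function getAbsolutePath ($file)
{
    // NB: Not using realpath() here to allow working with paths not
    // pointing to existing files, and to avoid unnecessary symlink resolution.
    // Without realpath() nothing collapses '..' segments, so normalise them
    // here and refuse any path that would climb out of the root directory.
    $segments = array ();

    foreach (explode ('/', trim ($file, '/')) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }

        if ($segment === '..') {
            if (empty ($segments)) {
                throw new \Exception ('Path escapes HashOver root directory: ' . $file);
            }

            array_pop ($segments);
            continue;
        }

        $segments[] = $segment;
    }

    return $this->rootDirectory . '/' . implode ('/', $segments);
}
```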
diff --git a/hashover/config/ignored-queries.json b/hashover/config/ignored-queries.json
deleted file mode 100644
index 0637a088..00000000
--- a/hashover/config/ignored-queries.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file