MyBB & Coppermine Integration
 


Started by Auriel Kitsu, April 14, 2014, 03:51:28 AM


Auriel Kitsu

Let me start out by saying the two systems are already bridged successfully. You have no idea what a miracle that is.

I have or had a straight up kind of guy who offered to do the integrating of MyBB1.6.12 as the "Front End" of Coppermine 1.5.28 as a favour.

Unfortunately his real-life has taken over all of his time and our site has pretty much been on hold since last hearing from him on 03-31-2014, 09:04 PM. I can see that he's logging on and checking his site but he hasn't responded to any of my requests for a heads-up on when or if he's going to be able to finish the job. I make no assumptions about what is going on in his life but I don't appreciate not taking 30 seconds to tell me that he hasn't got time and I should look elsewhere for support.

Is anybody interested in taking over?

I have the following plugins unzipped and ready to be FTP'd into their respective locations on the site. I have no idea which of the plugins is supposed to be installed first. I'm only guessing that it should be Wrapper.

If somebody knows for sure what order these plugins are supposed to be installed in, that information would be most useful about now. If somebody could help with tweaking the HTML and PHP code in order to prepare for the plugin installations I could really use your help too. Don't be shy. I know when I'm in over my head and that is now. I seriously need help with this.

Cpg.MyBB.Wrapper
http://goo.gl/OSJq6h

Wrapper Tutorial
The tutorial assumes a level of knowledge about both MyBB and Coppermine that I don't have. I'd only gotten to Step 2 before coming to a full stop. You could say I have a "Sixth Sense" about when I'm about to do something that is stupid and/or is going to cause me pain.
http://www.communityplugins.com/forum/showthread.php?tid=15

cpmFetch
http://goo.gl/qxVzbX

cpmUserLink
http://goo.gl/BmLmQo

This is the site in question...
Summerland Engineering Society
http://summerlandengineering.org/

Coppermine Picture Gallery
http://summerlandengineering.org/cmg/login.php

I can create an account for you; just let me know if and when, please.

Auriel
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

gmc

Appears you are looking for some freelance help?
Perhaps better to post on Freelance board (or request your thread be moved by an admin...)

Freelance board is at: http://forum.coppermine-gallery.net/index.php/board,30.0.html
Read the first thread for guidelines: http://forum.coppermine-gallery.net/index.php/topic,8170.0.html

Assuming that is what you are looking for - information on budget, timeframe is helpful for those that may respond.

Questions on how to do things can certainly be posted here and answered for free - but you appear to be asking for someone to do the work on your site directly (and several of the items relate more to MyBB than Coppermine).
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

Auriel Kitsu

My mistake :o


I've never joined a Free Software community where the only way somebody would help you was if they were being paid.


I suppose I have no choice but to do as you say.


Auriel
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

gmc

We are more than happy to help you support your gallery...
The line between 'free support' and 'freelance' is typically when you want the work done for you.

All you have there for CPG appears to be installing CPMFetch - and I would be happy to answer any questions here (for free) to assist you in doing that...

The remainder is MyBB customizations... I would have to spend time reading that product's documentation... I did take the time to read through all the info you posted and the referenced links - and it doesn't appear to be too much...

(Note the changes MyBB asks you to make to Coppermine defeat some of the protections Coppermine has added with respect to global variables ($_GET, $_POST, $_COOKIE). Their wrapper should make use of Inspekt to obtain those variables in a CPG environment, in my opinion at least.)

Hope that clarifies... and if I misinterpreted what you wanted, my apologies.
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

Auriel Kitsu

Thanks for taking the time to read my message, Greg. I wasn't aware of the issue with the code opening vulnerabilities that Coppermine had closed. I'm fairly certain that the code monkey that put it together isn't going to want to hear that kind of information from me. I feel like I'm between a rock and a harder place.

Anyway, the Coppermine community culture is a lot different from any of the Free Software communities that I've been a part of, and unless I don't have a choice, like now, I'm not going to be very active here.

I've posted my request in the Freelance section since that is the way things are done here.

Warmest regards,

Auriel
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

Auriel Kitsu

Oh Greg? I still don't know which plugin should go in what order and what preparation beyond the Bridging needs to be done.
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

gmc

Quote from: Auriel Kitsu on April 15, 2014, 04:04:29 AM
I wasn't aware of the issue with the code opening vulnerabilities that Coppermine had closed. I'm fairly certain that the code monkey that put it together isn't going to want to hear that kind of information from me. I feel like I'm between a rock and a harder place.
Understand, but you should be aware at least... The risk is less if you do not have PHP's 'register globals' turned on in your site's PHP config... CPG 'cages' all superglobals via a package called Inspekt, and provides code to retrieve them with validation of the type and content of the data.

Quote
Anyway, the Coppermine community culture is a lot different from any of the Free Software communities that I've been a part of, and unless I don't have a choice, like now, I'm not going to be very active here.
Hopefully you will change your mind. Many of us here donate hundreds (some easily thousands) of hours to coding and helping others. A very small percentage is handled as 'freelance' requests - again typically when someone wants work done for them rather than help doing it themselves...

Quote
I still don't know which plugin should go in what order and what preparation beyond the Bridging needs to be done.
From reading what you provided, I would say doing the wrapper next is fine - a plugin for cpg and for mybb, as well as the file updates in the tutorial you posted.
CPMFetch should be installed in CPG before installing cpmUserLink in mybb.
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

Auriel Kitsu

Thank you for taking the time to give me a thoughtful reply, Greg. I promise to stick around and try and make myself useful after I've become more familiar with Coppermine. This is only the second installation I've done and the first one that I've tried to modify for any reason. My biggest problem is that the guy (Offered to pay him the same as I've done here) that wrote the MyBB/Coppermine Wrapper suddenly stopped talking to me and won't tell me why. He started doing the installation of the plugins and then just stopped and won't answer me, won't tell me if I've done something to offend him or what? I don't want to jump the gun but it's really got me worried. He has complete access to my domain right now and I don't know what he is up to.


Auriel
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

pavemen

I am not a "code monkey" and given how the integration works, the global variables are required to make MyBB work as it uses those objects upon its initialization. MyBB code unsets the globals when it is done with them (depending on register_globals), though I suppose I could unset the copies of the variables I create as part of the MyBB side plugin. However the plugin system is launched after MyBB inits its code and thus the globals are still required at that time.

Since there is no simple way to pass the Inspekt object to MyBB without editing the core files of that software this was the best solution.

BTW just to be fair, it's been a little bit of time yes since I have communicated with you, but I am in the middle of a divorce, bankruptcy, custody, working a 50+ hour full time job and running a side business while having my kids 4 days a week right now. Sorry if my freely offered code and tutorials are not being promptly supported.

As for me being on my site regularly, I am not. My browser has it as its homepage so it shows me visiting when I open up and move on right away.

Auriel Kitsu

I'm sorry you have taken offense at everything I've said.
For the record, "Code Monkey" is a term that my friends and I use to refer to anyone that is a programmer that isn't a BOSS. If you are a Boss then I'm sorry I didn't realize how important you are.

The main point is that it would have only taken you seconds to simply acknowledge that your private life was keeping you.

You earlier referred to "Real life" as if what goes on with people like me online isn't real. We all have problems. I'm on social security disability right now and for me after a lifetime of being self-sufficient and taking care of myself this is damn humiliating and difficult. I just lost $50 today because I couldn't get out of my apartment to my car. The fee for missing an appointment with the physical therapist without 24 hour advanced notice is $50. For me that's a lot of damn money. That's just one thing. I understand divorce. I had to walk away from a partner and 5 kids after coming home early from work a week before our 10th wedding anniversary to find her having sex with somebody. Happy fucking anniversary right? I'm just lucky I hadn't already given her the new car I bought her as an anniversary present. I'm also filing for bankruptcy and forgiveness on my student loans since I'm never going to have a job to pay them back.

But enough of this crap. I hate it when guys sit around picking at scabs and comparing whose wounds are worse than the other's. We both have a lot of baggage.

All I care about is having a secure, useful, effective website and you have the only package I could find. I repeat it wouldn't have taken you but a moment to tell me you were having problems instead of leaving me hanging for over a week. I'm not some self-important hard ass that doesn't care about people having real problems. I was pissed off about you not telling me you were having problems. Are we still going to work together or should I forget the entire thing?


"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

gmc

Pavemen,
On the technical side.. Reviewing the code, I understand you need to capture and pass some values to MyBB to allow it to work, but capturing all unsanitized $_COOKIE, $_GET, and $_POST data seems excessive... (the comments mention only $_COOKIE, but the code replacements have all 3 superglobals.)

An (admittedly quick high level) look at the MyBB code (not your plugins/wrapper) shows it copying all input vars into its own arrays.. Maybe (hopefully) it sanitizes it later...

As an alternative, I would suggest the modifications to CPG occur AFTER Inspekt creates its cage, and use the Inspekt functions to validate/extract only the keys required - saving those into a variable(s) you pass on.
I expect the list of expected variables is not a long one and would ensure only intended variables are saved/passed.

I can certainly put together some sample code if you like.
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money
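
The approach gmc describes above (validate and extract only the required keys once the cage exists, then pass those on), sketched as an added example that is not part of the thread or of Coppermine's, MyBB's or the wrapper's code. `DemoCage`, `extract_forum_inputs`, and the key names and value formats are assumptions for illustration; in CPG the Inspekt cage accessors would take the place of the stand-in class.

```php
<?php
// Added example, not code from Coppermine, MyBB or the wrapper plugin.
// DemoCage is a hypothetical stand-in for one caged superglobal; in CPG the
// Inspekt cage accessors would fill this role.
final class DemoCage
{
    private array $data;

    public function __construct(array $raw)
    {
        $this->data = $raw;
    }

    // Return the value only if it is a string that fully matches $pattern.
    public function match(string $key, string $pattern): ?string
    {
        $v = $this->data[$key] ?? null;
        return (is_string($v) && preg_match($pattern, $v) === 1) ? $v : null;
    }
}

// Allowlist: source => key => expected format. Keys and formats are assumptions.
const FORUM_INPUTS = [
    'cookie' => [
        'mybbuser' => '/\A\d{1,10}_[A-Za-z0-9]{50}\z/',
        'sid'      => '/\A[a-f0-9]{32}\z/',
    ],
    'get'  => ['action' => '/\A[a-z_]{1,32}\z/'],
    'post' => [],
];

// Copy only allowlisted keys whose values validate; everything else is dropped.
function extract_forum_inputs(array $cages, array $allow = FORUM_INPUTS): array
{
    $out = [];
    foreach ($allow as $source => $keys) {
        foreach ($keys as $key => $pattern) {
            $value = $cages[$source]->match($key, $pattern);
            if ($value !== null) {
                $out[$source][$key] = $value;
            }
        }
    }
    return $out;
}

// Constructed sample request: valid values, a malformed one, and unlisted keys.
$cages = [
    'cookie' => new DemoCage(['mybbuser' => '7_' . str_repeat('a', 50), 'sid' => 'not-hex', 'theme' => 'x']),
    'get'    => new DemoCage(['action' => 'profile', 'debug' => '1']),
    'post'   => new DemoCage(['anything' => ['nested' => 'array']]),
];
print_r(extract_forum_inputs($cages));
```

Only the well-formed `mybbuser` cookie and the `action` parameter reach the result; the malformed `sid`, the unlisted keys and the array-valued POST field never leave the cage.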

Auriel Kitsu

Thank you Greg,


If the three of us can pull this off I am going to owe both of you big time.


Thanks again for making the effort to reach out with such a generous spirit.


Auriel
"The opposite of poverty is not wealth; the opposite of poverty is justice." ~Bryan Stevenson

pavemen

When I have some more time I can work on it. As it is I am spending more time than I have on replying to these threads.

As for MyBB, it sanitizes the variables it knows about and uses as part of the core code. Because the wrapper runs as a plugin on both platforms the timing of when the required data is available is not always optimum. As both platforms support plugins and thus an unknown/uncertain payload, I need to support the three superglobals and allow the known inputs to be validated automatically and then the extra stuff would have to be validated by the plugins or modifications themselves. It is impossible for a non-technical admin such as Auriel to know what payload objects are expected in order to sanitize them properly via custom code modifications. It is impossible for me to know what all inputs are expected, I can only make specific modifications for the specific plugins I am running and have reviewed to know what is valid input. (hope that all makes sense)

Basically I can only extract out the core code's expected inputs from the cage and anything else someone needs would not be supported and require modifications for existing plugins on a case-by-case basis. Then any new plugins added would require additional modification. Not feasible for most users.

It is standard practice for MyBB to recommend sanitizing input data that is modified or additional input before using or storing the data. As is the nature of plugins, you cannot cover everything and bad code/coders exist.