
Patch update FFCMS 2.0.4

Good day, dear readers and fellow Habrahabr users! In the two weeks since my first publication here and on other thematic resources, we have managed to collect a fairly substantial set of reports about the system: messages about the need to improve the system's interfaces, its functionality and the quality of its code.
Today I am ready to present an update (patch) of FFCMS, version 2.0.4, which includes fixes and developments based on your wishes.
I would like to thank everyone who paid attention to FFCMS and contributed to the development of this free product. I am grateful for all of your feedback and pull requests on GitHub: you can set the direction of development and improve the system for your own and collective use.

1. Summary of the update


In total, quite a lot of requests concerned improvements in the "friendliness" of the interfaces: places where using the interface was inconvenient, or where it was not sufficiently functional. There were also many messages about the code, its style and quality; for now, however, only minor changes have been made, ones that do not significantly change the syntax of the API for invoking the various methods or the interaction models.
There were also quite a lot of requests to extend the system's capabilities, with which I mostly agreed: management of the site menu, user profiles and karma, and other functionality.
Many views in the system's admin panel also needed reworking, since their compactness and usability were rather low. There was also a need to manage the rules of the system modules for particular URIs through the graphical interface of the admin panel rather than directly in the database.
The user interface of the system needed improvement as well: in some places the interaction between the user and the site was rather inconvenient and not very informative. The system for notifying users about changes on the site was significantly improved.
Two XSS vulnerabilities were also found, for which I am grateful to the users; once unfiltered incoming data was discovered, a full inspection of the entire code was carried out. But first things first!

2. Administrative Interface Improvements


The first thing an administrator of a web resource (webmaster or developer) encounters is naturally the administrative control panel for the site and its content. I tried to make it as rational as possible: there are only 4 sections in the interaction area, whether it be interactions with the system or with extensions (3 types).
I will briefly describe some of the changes in the administration panel using before-and-after images. I am grateful to dobriykot for the messages about common visual flaws:

User hermit931 also reported inconveniences in the administrative interface related to checkboxes, selects and other elements; as a result, selectize.js and a switchable checkbox were added to the system:



Users also reported a number of flaws and inconveniences on the FFCMS forum and through the feedback form; some of the resulting changes are shown below (module routing management, the system antivirus, additional fields in user profiles, news category management):





Other interfaces were also subject to changes to a greater or lesser extent.

3. XSS vulnerabilities found


More experienced users first of all set about checking the interfaces for the possibility of carrying out XSS attacks, and, unfortunately or fortunately, they found it. As they say, a secure system is not one in which no vulnerability has been found, but one in which a vulnerability was diligently searched for and not found.
The first vulnerability found was the lack of filtering in the reply text box of userwall.post (the user's message wall -> replies). The discovery of this vulnerability pushed me to check the filtering of all incoming user data, and as a result I found 2 more vulnerable fields: the user's bookmarks (the title was not filtered) and one of the bookmark's save options.
Later, users discovered one more vulnerability, in the search form. This one was more dangerous than those described above, because the search parameters are passed in the path:
/ru/search/hello%20guys 

and the system has a standard template variable {{ system.uri }}, which takes the value of the current URI without regard to the language, NC and other possible parameters used to construct URLs on the site. This variable is then widely used, including in the standard template, for example for generating the language switcher:
  {% for langitem in system.languages %}
      <li><a href="{{ system.nolang_url }}/{{ langitem }}/{{ system.uri }}"><img class="flag flag-{{ langitem }}" src="{{ system.script_url }}/resource/flags/blank.gif" /></a></li>
  {% endfor %}

As you may have guessed, by placing JavaScript in the URI you could achieve cross-site scripting on the site:
  URL:    /ru/test/"><script>alert("Hello, ffcms.ru!");</script>
  Result: <li><a href="/ru/test/"><script>alert("Hello, ffcms.ru!");</script>"><img src="" alt="" /></a>

This vulnerability was eliminated thanks to an active user who drew attention to the vulnerability of the site's search form, which was considerably more dangerous.
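As an added illustration (my own example here, not FFCMS code), the PHP below builds the language-switch link from the template above first the way the vulnerable template did, with the URI concatenated straight into the href attribute, and then with output encoding for the HTML attribute context. The function names, the optional path filter and the sample value are assumptions for the example; the sample value is the payload quoted above.

```php
<?php
// Added example, not FFCMS's own code. Function names are hypothetical.
declare(strict_types=1);

// Renders the link the way the vulnerable template did: the current URI is
// placed inside the href attribute without any encoding.
function renderLangLinkUnsafe(string $nolangUrl, string $lang, string $uri): string
{
    return '<li><a href="' . $nolangUrl . '/' . $lang . '/' . $uri . '">'
         . '<img class="flag flag-' . $lang . '" src="/resource/flags/blank.gif" /></a></li>';
}

// Encodes a value for use inside a quoted HTML attribute. ENT_QUOTES encodes
// both " and ', so the value can never terminate the surrounding attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened variant: every dynamic value is encoded at the point of output.
function renderLangLinkSafe(string $nolangUrl, string $lang, string $uri): string
{
    return '<li><a href="' . escapeAttr($nolangUrl) . '/' . escapeAttr($lang) . '/' . escapeAttr($uri) . '">'
         . '<img class="flag flag-' . escapeAttr($lang) . '" src="/resource/flags/blank.gif" /></a></li>';
}

// Optional second layer (hypothetical): restrict what the stored "current URI"
// may contain at all. Only unreserved URL characters, slashes and percent
// escapes survive; everything else is dropped before the template sees it.
function sanitizeUriPath(string $uri): string
{
    return preg_replace('#[^A-Za-z0-9._~/%-]+#', '', $uri) ?? '';
}

// Constructed input: the payload quoted in the post, as it would arrive in the path.
$payload = 'test/"><script>alert("Hello, ffcms.ru!");</script>';

// Vulnerable rendering: the <script> element lands in the page unchanged.
echo renderLangLinkUnsafe('', 'ru', $payload), PHP_EOL;

// Encoded rendering: the quotes and angle brackets become entities, so the
// browser treats the payload as attribute text and no script runs.
echo renderLangLinkSafe('', 'ru', $payload), PHP_EOL;

// Filtered and encoded: the stored URI no longer contains markup characters.
echo renderLangLinkSafe('', 'ru', sanitizeUriPath($payload)), PHP_EOL;
```

The important point is that encoding happens at output and is chosen for the context the value lands in (here a quoted attribute); filtering input is a useful extra layer but not a substitute. In a Twig template the same effect is obtained with the escape filter, {{ system.uri|e('html_attr') }}, or by leaving Twig's autoescaping on for the whole template.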

4. Small code style improvements.


Many users suggested significantly improving both the code style and the architecture in the direction of one paradigm or another. Indeed, in a future update (branch 2.1.xx) I plan to introduce the PSR-1 standard for the entire system code, but I did not take that step now, since the names of the system classes and methods could change significantly, which could make it harder to develop extensions for users who have only just begun to study the system and its capabilities.
However, I did make some small changes that were recommended by users or that I found myself. For example, I tried to remove code duplication (the news component and the news module on the main page: the second now calls the first's method instead of pointlessly copying the code).
User claustrofob advised implementing the logic itself in an abstract singleton class using late static binding, so as not to drag and copy it into each class inheriting this pattern (why didn't I do this right away, even though I thought of it many times?!). Now there is no need to pull the following implementation in everywhere:
  protected static $instance = null;

  public static function getInstance()
  {
      if (is_null(self::$instance))
          self::$instance = new self();
      return self::$instance;
  }

all you need to do is inherit from \engine\singleton:
 class test extends \engine\singleton { } 

The initialization of system classes was also subject to significant changes. Previously it happened in different ways (this was before the logic was moved into the singleton), but it was decided to replace the dynamic initialization of classes with a single standard method, init(), for all classes. Now the system's loading logic is much easier to follow than before; an example of loading the configuration class:
 \engine\property::getInstance()->init(); 
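To show how the two ideas above fit together, here is an added PHP example of my own (not FFCMS's \engine\singleton): an abstract singleton base that uses late static binding so that each subclass gets its own instance without copying getInstance(), plus a uniform init() entry point that runs a subclass's setup exactly once. The class names Singleton, Config and Router and the onInit() hook are assumptions made for the example.

```php
<?php
// Added example, not FFCMS code. Class and method names are hypothetical.
declare(strict_types=1);

abstract class Singleton
{
    // One instance per concrete subclass, keyed by the class name.
    private static $instances = [];

    private $initialized = false;

    // Late static binding: static::class and new static() refer to the class
    // on which getInstance() was called, so Config::getInstance() and
    // Router::getInstance() never share an instance, even though the code
    // lives once in the base class.
    public static function getInstance()
    {
        $class = static::class;
        if (!isset(self::$instances[$class])) {
            self::$instances[$class] = new static();
        }
        return self::$instances[$class];
    }

    // Single standard loading method; the subclass's setup runs only once,
    // however many times init() is called.
    public function init()
    {
        if (!$this->initialized) {
            $this->initialized = true;
            $this->onInit();
        }
        return $this;
    }

    // Subclasses put their actual loading logic here.
    abstract protected function onInit();

    // Keep instances unique: no direct construction, copying or unserializing.
    protected function __construct() {}
    private function __clone() {}
    public function __wakeup()
    {
        throw new \LogicException('Cannot unserialize a singleton');
    }
}

final class Config extends Singleton
{
    private $values = [];

    protected function onInit()
    {
        // Constructed sample values standing in for a real configuration load.
        $this->values = ['site_name' => 'example', 'maintenance' => false];
    }

    public function get(string $key)
    {
        return $this->values[$key] ?? null;
    }
}

final class Router extends Singleton
{
    public $initCount = 0;

    protected function onInit()
    {
        $this->initCount++;
    }
}

// Usage: the same one-line idiom as in the post.
$config = Config::getInstance()->init();
$router = Router::getInstance()->init();
Router::getInstance()->init(); // a repeated init() does nothing

var_dump($config === Config::getInstance()); // the same object every time
var_dump($config instanceof Router);         // separate instances per subclass
var_dump($router->initCount);                // onInit() ran once
var_dump($config->get('site_name'));         // values loaded by Config::onInit()
```

Guarding __clone() and __wakeup() is what makes the "single instance" promise hold in practice; without them, clone and unserialize() can quietly produce a second copy of a class that is supposed to hold shared state such as configuration.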

In some places I stopped using static variables and self:: in favor of ordinary instance members and $this->. All static variables were turned into constants (const) in the class headers.

5. Other changes


As I noted earlier, the changes affected the user interface, and some functional additions were also introduced into the FFCMS system.
The changes affected the algorithm for notifying users about personal messages and friend requests (the User Identification component), and added the ability to write a message to a user even if you are not friends:

It also became possible to search for users by name and to display a user rating based on the amount of karma, and the performance of the "rating" system (karma) was improved: it can now be used by other extensions as well (which I have already successfully implemented in the forum component):

The system also gained the ability to "disable" the site for users, the so-called "maintenance mode". The logic of the system router and the assignment of template path variables for running the site in a subdirectory of the domain were redesigned, along with a number of other useful system improvements.

6. References


Project website: ffcms.ru
GitHub release: ffcms 2.0.4
Release Information Online: Update 2.0.4
FFCMS extensions: FFCMS extensions catalog (everyone can register and add their extensions to our catalog)
Our wonderful forum: CMS Forum

7. Afterword


I am grateful to everyone who reports the flaws and shortcomings of the project, and I am always glad to receive your feedback. I accept absolutely all constructive recommendations and advice on the development of this project.
Let me remind you that FFCMS is a free, open source project distributed under the GNU GPL v3 license. In my next post I will tell you how to write an extension for the FFCMS system.

Source: https://habr.com/ru/post/242101/

