Category: Resolved - Completed

Problem noticed here:
http://www.wiki-translation.com/tiki-view_forum_thread.php?forumId=2&comments_parentId=39

{img src=images/code.png}%%% {CODE()}
I'm trying to log in with my OpenID. I don't have a wiki-translation.com account yet.

After validating my OpenID, I'm taken to a Tiki page that prompts me to create a new account on wiki-translation.com to associate with my OpenID. I enter a username and password, but then get the following error:

Wrong registration code
{CODE}


__Duplicate of {wish id=2204}__

When a new user registered with anti-bot and user tracker for more user information getting error message that registration code is invalid.

Here are steps to reproduce the problem.

1) Setup user information tracker with couple of fields.
2) Go to registration page
3) Enter registration details and click 'register'
4) This will take you to new screen where user tracker information needs to be filled.
5) Once you fill the user tracker information and click 'Save'
6) You will get error message that registration code is invalid

Hello,

High-Tech Bridge Security Research Lab has discovered a security vulnerability in your product - Tiki Wiki CMS Groupware.

Developers can contact us by email advisory (at) htbridge.ch for details.

Preview: [http://www.htbridge.ch/advisory/xss_in_tiki_wiki_cms_groupware.html|http://www.htbridge.ch/advisory/xss_in_tiki_wiki_cms_groupware.html]

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: http://www.htbridge.ch/advisory/disclosure_policy.html

See ((Screencast))

Hi,

After upgrading my web site from tiki 7.0 to 7.2, I've noticed that the non-parsed wiki feature in the wiki pages is not working correctly anymore.
Indeed, from the tests I've done, it seems that in case of multiple use of the non-parsed wiki feature on the same line, only the last one is taken into account.

For exemple, for the following wiki text, only the second ~np~--css~/np~ is taken into account, the first one not so the text is striked through.

***use the ~np~--css~/np~ option (ex: ~np~--css~/np~ test)

Regards,
Yannick

--------------------
Ticket update:

Note that the problem occurs mainly in fancytables.
I've enabled "Allow HTML" for the problematic pages. That also corrected the problem with non-parsed wiki syntax. (:eek:)

Hello,

Remark : The editing current page seems to crash if to many changes by cut are made (my page lost).

Object :

Change of option "check orthography" lead to system error when you save the page :

__SYSTEM ERROR

La table 'teawik-ld8-50s-new1.babl_words_fr' n'existe pas
__
The query was :
select `word` from `babl_words_fr` where `word`=? or `word`=?

Valeurs :

1. Table
2. table

The built query was likely :
select `word` from `babl_words_fr` where `word`='Table' or `word`='table'

Stacktrace :
* tiki-editpage.php : 0 -> {main}(array ( ))
*tiki-editpage.php : 853 -> spellcheckreplace(array ( ))
*lib\tikilib.php : 1659 -> spellcheckword(array ( ))
* lib\tikilib.php : 1704 -> spellcheck_word(array ( ))
* lib\bablotron.php : 44 -> word_exists(array ( ))
*lib\bablotron.php : 104 -> query(array ( ))
* lib\core\lib\TikiDb\Bridge.php : 29 -> query(array ( ))
*lib\core\lib\TikiDb\Pdo.php : 119 -> handleQueryError(array ( ))
*lib\core\lib\TikiDb.php : 150 -> handle(array ( ))

Add group watch to articles

This way we could also have all users informed about comunity news , etc. in tiki sites.

In fact, the best option would be what it's done with newsletters: subscribe that bunch of users from a group, and let them unsubscribe it they wish and when they wish, without admin action. But if no action is done, they all get the copy of the article at their email, etc.

I had tested this successfully in version 3.3, but now with the upgrade to version 4.0 it does not seem to work. Here are the steps to recreate the issue:

1. Set up a TikiWiki so that users need to be validated by an Admin prior to actually logging in.

2. Register as a new user and get the following message:

Your account request has been stored and will be activated by the admin as soon as possible.
You'll receive email notification once your account is activated.
Please do not attempt to login until you receive the email notification.

3. Log in as 'admin' and navigate to Users page of admin tools. Push the round green checkmark graphic which has a hover display that says "Validate user: junkman". It sends me to this URL:

http://www.mywebsite.info/tiki-login_validate.php?user=junkman&pass=n

On that page the site returns a simple dialog box that says "Invalid username or password". Who's username & password? The Admin's?

At this point it wants to redirect me to the home page and I cannot get these new users validated.

When you try to edit and rename the group in Administration->Groups appears the following error message:

An error occured in a database query!

Context:
File tiki-admingroups.php
Url tiki-admingroups.php
Query:
insert into `tiki_group_inclusion`(`groupName`,`includeGroup`) values(?,?)
Values:
0 G_Communication
1 Registered
Message:

Built query was probably:
insert into `tiki_group_inclusion`(`groupName`,`includeGroup`) values('G_Communication','Registered')

_____________________________________________________________________

Step to reproduce:

Create a Group G.
{
Assign to this group some user
Assign to this group a default
}
Rename the Group G into G'
_____________________________________________________________________

Notes:

I checked the security flag because where there's a DB error could be there a SQL security issue.

This is an alternative to full WYSIWYG.

Wiki parser does some things. To get Javascript WYSIWYG, you would have to rewrite and maintain in javascript.

It re-uses existing features and has less chance of What you Saw Was Not What You Got.

Clicking Preview is a great way to see what you will get. But it's slow and it makes you loose your cursor position.

How about having a button to open a second browser window which refresh every 5 seconds (configurable) the content of the wiki edit box?

Lots of people now have large screens so they could put this side-by-side (or however they want it)

With the option HTMLdiff, you could in quasi real time not just see what you will get, but also see the colored diff. (cool!) So before you save, you know what you are about to delete.

((WYSIWYG-ish wiki))

When I was testing various CMS/Wikis for a project, I ran across a module for another (Joomla or Drupal, can't remember which) CMS which allowed a user role or group to automatically generate a personal page, an image gallery, a weblog and any type of content page. It would be extremely useful for my project, but one of the few things missing from Tikiwiki (which is why I am implementing Tikiwiki, it has all of the other features I need in one install).

In the current (r22100 or so) trunk, the switch-theme module (or url tiki-switch_theme.php) only works for logged-in users. This is a regression from just a few days ago. Anonymous users need to be able to change the theme, for example at the themes demo site.

The switch-theme module appears to work without error but when the page refreshes, the theme hasn't changed.

I'm not sure of the revision when this started, but anon can change theme in my install of exported files dated Oct. 3 (approximately r21960), but by Oct. 6 in my updated trunk (approximately r22000), it's no longer possible.

When trying to create a new page with apostrophe in page name, the wysiwyg editor does not load

A user registered with an apostroph ' in their username (e.g. "Tes't") will not be able to use some feature of TikiWiki.

For example:
They will be able to select a forum, but after that, all that is displayed is the name of the forum, the "new topic" and "list forum" buttons (depending on permissions, of course), and the breadcrumb forum-navigation. The rest of the page (tiki-view_forum.php?forumid=X) is blank, no header/footer or any menus are displayed.

This __is__ dependant on the rights/permissions of the user in question, SubAdmins and Admins will see the full, expected forum page, regardless of apostrophes in their name (at least with my config, YMMV).

Another problem exists in regards to all JavaScript that uses the name of the user, for example the "tiki-my_tiki.php" page of the user, were JavaScript is used to expand Tabs (e.g. clicking "My Infos" will not work). This is due to JS using ' as string-delimeters, and not escaping any ' within the users name.

---

May be that the sole cause of all the problems lies within the JS-string-delimeter, but I'm no expert on the workings of TikiWiki, and the forum page breaks rather spectacularly when compared to the user profile page, which just doesn't work as expected.

Hi!

First: Thanks for this great project!

When you try to translate an article (by clicking on the small globe that is near the edit icon), it sends you to the wiki translation page, and content is empty, ie, it doesn't get the article's content to translate, and off course, even if it did so, the interface is not correct for article translation (it should have the same article interface, with heading and stuff).

I hasn't tried latest trunk, but bug is present on 5.1.

I tried to search for a similar bug already open (because of this forum thread: http://tikiwiki.org/tiki-view_forum_thread.php?forumId=13&comments_parentId=33126), but I found none, thus: I'm opening this open.

Thanks!

Some users don't want to understand the difference between "Page Name" and Link when creating an internal link.

This attached patch makes the Page Name field automatically fill in whenever the Link field is changed. The patch was made against tw 4.1.

I think it should be up for debate if both these fields are necessary. Many users of the WYSIWYG feature may be new to the concept of creating links. Less is simpler, and I vote for removing one of these fields.

P.S. Sorry about spamming the mailinglist with this request. Next time I will only submit patch here.

The "Tentative" status for a calendar event always reverts to "Confirmed" after it is saved.

As admin I view _article_, then click on the "Multilingual globe". This brings the translation page. At the bottom I select new language and press "Change language" button. All I receive is "Page not found" error.

When I click 'Save' on the 'Create/Edit Survey' page, it displays the 'Are you sure you want to leave this page?' warning.

If I click yes, no survey is created. If I click no, well, nothing happens.

Seen in Tiki 5.x and 6.x:

Events that have been canceled still appear in the list of upcoming events in the Upcoming Events module without any end-user notification that the event has been canceled.

Tiki should either:
* Not display canceled events in the module
or
* Display the event with a strikethru (or some other visual cue) to let end-users know that it is canceled.

lang/de/language.php causes a "Cannot modify header information" PHP error

We recently upgraded from Tiki-4.X to Tiki-5.X. We are running Tiki-5.3.

There seems to be a bug when trying to modify a user under the administration page (tiki-adminusers.php). When trying to click on a user, one is asked to confirm (which is a new workflow) and then taken to the Edit User page. However, when one tries to modify something (e.g. password, email address), you are asked to confirm again, but it never completes.

Here is a set of detailed steps to reproduce the problem:
# Go to admin users (tiki-adminusers.php)
# Click on user "demo"
# Click "Click here to confirm your action"
# Change email address from demo@demo.com to demo@demo.org
# Click "Save"
# Click "Click here to confirm your action"
* Nothing happens. The page address is "tiki-adminusers.php#", but it never changes from the confirm action page. "Go Back" does not work, but "Return to Home Page" does.

Please see:
http://www.seomoz.org/blog/canonical-url-tag-the-most-important-advancement-in-seo-practices-since-sitemaps

tiki-print.php -> tiki-index.php

In trackers, if you find a tracker item following a search, you have some parameters in the URL for item 6 of 70. The canonical format should be just the tracker item.

In blogs,
tiki-send_blog_post.php?postId=xyz
and
tiki-print_blog_post.php?postId=6079
should be:
tiki-view_blog_post.php?postId=xyz

In comments (on wiki pages for example), there is a bar:

Style: Sort: Threshold: Search:


This seems like clutter when there are only a few comments.


Suggestion:
Only have this bar if number of comments is high enough that a comment pagination is needed (ex.: 10)


Related:
{wish id=937}

((RoadMap)) shows "Fatal error: Call to undefined method TikiDate::getDate() in /home/tiki/public_html/lib/wiki-plugins/wikiplugin_countdown.php on line 60". This happens when using the COUNTDOWN plugin on PHP 5.1 and later due to a missing definition of getDate() in the lib/tikidate-php5.php TikiDate. The old TikiDate (lib/tikidate-pear-date.php) declared that function (via inheritance).

This was introduced in r14129 and widely exposed in r20047 on lib/tikidate.php.

Operations failed: 1 SQL queries. Display details.

During an upgrade, it is normal to have SQL failures resulting with Table already exists messages.

tiki
- --------------------------------------------------------
-- Database : Tiki
-- --------------------------------------------------------

DROP TABLE IF EXISTS `messu_messages`
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '- --------------------------------------------------------
-- Database : Tiki
-' at line 1

Detect browser language is not working to me (to luciash, in fact, in a site which I admin), in a recently upgraded site from 2.4 to 3.0.

This affects Tiki 3 to 7 and is a regression from Tiki 2.

To speedup this site, delete any login which:

1- has not voted in tracker ratings
2- has not submitted, modified or commented a tracker item
3- no tracker item is submitted to them

In short, all logins which are not useful here at the moment. Logins will be recreated here at their next login via InterTiki anyway...

While fine tuning our tikiwiki setup (1.9.7) on our internal test server tonight, in preparation of putting it out, I noticed that for both the forum and blog areas, the Anonymous group has the privilege to 'send blog post' via e-mail.

IMHO this is not good to have (DOS etc), so I would like to turn it off for the Anonymous group. Yet there is no easy way to do so.

User with Editor plus sheet edit permission tried to create a Tiki Sheet in v2.0RC4 -Arcturus-.

An error occured in a database query!

Context:
File tiki-sheets.php
Url tiki-sheets.php
Query:
INSERT INTO `tiki_sheets` ( `title`, `description`, `author` ) VALUES( ?, ?, ? )
Values:
0 testsheet
1 this is a test
2 NULL
Message:
Column 'author' cannot be null
Built query was probably:
INSERT INTO `tiki_sheets` ( `title`, `description`, `author` ) VALUES( 'testsheet', 'this is a test', NULL )

Email notification don't work except if "watch minor" is checked

Links to remove email notification messages come without hash (see below the live example from TikiFestNY)

http://tikiwiki.org/tiki-user_watches.php?hash=

{QUOTE()}
Edit article post: TikiFest NY by lindon at Tue 24 Nov. 2009 06:10 CET

View the article at:
http://tikiwiki.org/article179

If you don't want to receive these notifications follow this link:
http://tikiwiki.org/tiki-user_watches.php?hash=
__''Announcing the first ever TikiFest in New York City being held from January 14-18, 2010!''__

TikiFestNY is a big bug squash! The idea is to knock out as many bugs as possible and have as much fun as possible doing it. If a bug takes more than 30 minutes to fix, then we move on to the next one. Also, invites will be going out locally for an introduction to Tiki presentation on Saturday afternoon followed by refreshments. Hope lots of people can make it! Remote participation is also possible for those that can't. Find complete information at TikiFestNY.

%%%::__~~purple:{COUNTDOWN(enddate=>14-Jan-2010 locatetime=>off)} until TikiFestNY!{COUNTDOWN}~~__::

%%%::''__See you there!__''::
----------------------
{QUOTE}

This improvement in Tiki would be very welcome. After spammers add noise to your site (in one day, 10 comments to different places in your tiki from 10 different ip's!), it would be nice if there was the chance that the tiki admin can ban all those 10 ip's with a minimum number of clicks (besides removing many spam comments at once, which can be done already).

This is some possible way to add if (from the interface point of view):

{img src=img122}

Self explicative?
User selects multiple checkboxes, and clicks on some button below which sends all that information (those ip's from those comments) to fill admin banning data (storing the data already for the 10 ip's at once).
Alternatively, one by one, prefilling the interface one by one.

{img src=img123}

The error occurs when you delete a message in the inbox webmail

Fatal error: Call to undefined method Net_POP3::ixp() in /var/www/virtual/scpc.publinter.org/htdocs/tiki-webmail.php on line 286

saludos
Fran_gm

Forum last posts module gives the following Notice errors on top of tiki-objectpermissions.php page and messes up the font size of permissions list.

Notice: Undefined index: forumId in ../proposed/5.x/lib/core/lib/Perms.php on line 185

Notice: Undefined index: forumId in ../proposed/5.x/lib/core/lib/Perms.php on line 229

For every topic created you will get another 2 of those Notices.
When there are 100 forum topics not that hard to get you will need to scroll down 200 lines of notices just to edit a few permissions.

Reproduce:
Turn on feature forum
Asign forum last posts module
Create a forum and a topic


One of the notices i got is fixed in Revision 29138
Notice: Use of undefined constant ttz - assumed 'ttz' in ../proposed/5.x/lib/tikilib.php on line 7682

Should this be done with trackers with the new ((doc:Computed Tracker Field)) and deployed via the ((profile manager))?

It looks as though there is a Calendar import feature using CSV (tiki-calendar_import.php) however there are no options to export as CSV in tikiwiki 3.2. The only Calendar export option that I see is exporting to iCal (via tiki-calendar_export_ical.php) but that is not working for our group ([http://dev.tikiwiki.org/tiki-view_tracker_item.php?itemId=3152]).

Can Calendar export to CSV be possible?

We are running in a multi tiki environment on Windows Server 2003, tikwiki 3.2 and php 5.3.

I had TikiWiki v2.2 installed and running fine on my website.

I used cpanel + Fantastico to automatically upgrade from v2.0 to v3.0. I followed the Fantastico on-screen instructions and when the update had finished I clicked on the "View site" link and got the following error:
Fatal error: Cannot redeclare class Zend_Filter_Interface in /usr/lib/php/Zend/Filter/Interface.php on line 30

I tried to do a brand new install of TikiWiki on another website that has never had a previous version of TikiWiki on it using cpanel + Fantastico. I followed the on-screen instructions and when I clicked on the "View site" link I got the same fatal error message.

I then installed TikiWiki v3.0 on my Ubuntu v8.04 desktop localhost Apache2 server and it works fine.

Then I installed TikiWiki v3.0 on my Windows Vista Ultimate laptop localhost Apache2 server and it works fine.

Two local installations of TikiWiki v3.0 work fine. The two attempts at using cpanel + Fantastico on remote servers both yield the same fatal error. One website had a previously installed version of TikiWiki (v2.2). The other website had never had TikiWiki installed.

No matter if you disable feature_wiki_1like_redirection
it in the "Wiki" part of Administration Page

the engine always tries to show you a page name
similar to the one you asked for.

This bug is seen by our IE 8 clients. We are running Tiki 6.2 (clean install), on a Windows 2003 Server, Apache 2.2.16 w SSL, PHP 5.3.3, remote MySQL 5 database.

When our users are editing in the CKEditor WYSIWYG and try the File option in the toolbar there is a Javascript error for lib/jquery_tiki/tiki-jquery.js at line 808 char 4. What is happening after the error is thrown is that no new window is opened (as expected) but the File selection fields are now under the WYSIWYG Editor. This wouldnt be an issue, but there is no OK button to select the file so our users can not like to a file in the File Gallery.

If I try using the File option in FF then it opens a new window and I can select the file just fine.

Since IE is our corp standard our users need to be able to add files using that browser. Also, they had no problem in Tiki 5.x but that was a different WYSIWYG system.

Thanks,
Tim

A blank line out of a paragraph should not start a new paragraph (as in 4.2). If feature_wiki_paragraph_formatting_add_br is on, an empty line is created on top of the new paragraph.
It comes from lib/tikilib.php line 6838ff
} elseif (!$in_paragraph && !$contains_block) {
// If not in paragraph, first non-blank line; start a paragraph; if not start of div created by plugins
$data .= "<p>";
...

in the comment it is stated that the paragraph should only begin at first NON-BLANK line

The following error is observed in an installation of Tiki 7.1 which was some weeks earlier migrated from 6.3 via 7.0.

Environment:
* Apache 2.2.17
* mySQL 5.1.58
* PHP 5.3.8
* Fedora Linux 14
Bug:
* The forum list doesn't show the latest entries any more, although even anonymous users have rights to view the forum postings.
+
+ In particular, anonymous user are globally granted the permission __tiki_p_forum_read__. Nothing was changed in the permissions before the forum list stopped displaying latest entries.
+
+ Yet the only user who is presented with a forum list containing the latest entries is the installation's admin.
+
+
* Also, when visting the topics list of some forum, users are presented a list of the latest entries in that forum (below the list of threads), but when clicking on the links in the list of latest entries, they're taken to thread pages which miss every message except the message which started the respective thread.
+
+ This seems to show that the bug described here is not caused by wrongly granted permissions, because if anonymous users had no permission to read forum posts they would not even see the list of latest entries below a forum's topics list.
+
+
* Recently before the bug was noted, the comment feature (for wiki pages), the freetags feature, and the rating feature were activated, but they were not activate precisly before the forums list stopped working, so the issue may be caused by some finer grained change than simply activating some additional feature.
+
+ Could the issue possibly be related to freetagging single forum postings?
+
+
* After removing all object permissions for every single forum and resetting them, clearing caches, removing freetags from every forum posting, and removing unused freetags, the bug remains.
+
+
* The following forum posts on tiki.org are related to this bug report:
** https://tiki.org/tiki-view_forum_thread.php?comments_parentId=42333
** https://tiki.org/tiki-view_forum_thread.php?comments_parentId=42306
** https://tiki.org/tiki-view_forum_thread.php?comments_parentId=42325

Please see: ((Project Management)) and ((TrackerToGanttChart))

The inheritance of permissions between groups seems to be completely broken in trunk (r33152).

For example, when Registered includes the permissions of Anonymous, granting tiki_p_admin_wiki to Anonymous should allow Registered to admin wiki pages, but that doesn't work. The same thing happens with tiki_p_view and tiki_p_read_comments.

This was discussed in thread http://thread.gmane.org/gmane.comp.cms.tiki.devel/20101

This is a regression from r32118.

The group theme functionality no longer works in 5.x and 6.0.

To test:
*Set "each group can have its own theme" in Admin>Look&Feel>theme
*Admin>Groups, edit a group and try to set the default theme for a group.
*nothing happens.

*theme control - still working.
*user preferences - theme - still working.

If the user didn't change the value of the destination of the help system, it should be updated to what the default value is now.

Need to hunt down what all the previous values were (ex.: http://doc.tikiwiki.org/tiki-index.php?page=) and to update via sql

And for clean installs as well (of course)

However, if someone modified the default value, we don't touch.


Reminder to add a reset to default value in 3.0 (new admin panel should permit this)

Trackers are amazing.

However, how do you get data in & out?

As of now:
IN: you need to type in all the data.
OUT: workaround: change the number of items in a list and copy paste table to a spreasheet.

importing / exporting from .CSV would be much better.

Images could be tricky :-)

When running the installer on IIS the incorrect root path is detected. The directory tikiwiki is installed into is being stripped from the directory hierarchy.

The problem including the solution is referenced in the forum thread at http://tikiwiki.org/tiki-view_forum_thread.php?forumId=6&comments_parentId=26943&highlight=directory%20does%20not%20exist

This bug is tied to [http://example.com|http://dev.tikiwiki.org/tiki-view_tracker_item.php?itemId=1964&trackerId=5&show=view]

I have had various issues navigating my wiki seemingly because $base_url is not getting built correctly, or at all. The first of these issues happens at login where the user puts in a bad username or password. The redirect to the error page fails on Firefox and has a URL with doubled forward slashes after the domain because the $base_url is not getting passed. URLs get built as follows (where 'example.com' is my domain):

Firefox:
{img src=images/code.png}%%% {CODE()} http://example.com\/tiki-error.php?error=Invalid+username {CODE}

IE:
{img src=images/code.png}%%% {CODE()} http://example.com//tiki-error.php?error=Invalid+username {CODE}

This happens with relative URLs all over tikiwiki in my installation, which is a WAMP with virtualHost entries in the httpd.conf to resolve 2 distict domains on the same server.

On a new installation (clean DB), Tiki does not set the site's default language.

((doc:Site identity)) is great because it permits quite a bit of customization without modifying any files. Everything is cleanly kept in the database for easy upgrades.

However, it's not immediately easy to know which zone is for what. Top & bottom bar could have an edit button, so we can edit zones in context.

As an example, ((doc:Interactive translation)) is great because we are in context.

If we had this, we'd use it on http://dev.tikiwiki.org

The Trac Repository Browser:
http://trac.edgewall.org/wiki/TracBrowser

Let's coordinate here: ((Repository Browser)) and ((Code Review))

On the www.wiki-translation.com site, anonymous users can post comments but they have to go through a CAPTCHA test to prove that they are not a machine. In spite of that, several spam comments are being posted (selling viagra, sort of thing) each week, presumably by robots. I for one (Alain Désilets) can't believe that there are humans who actually do this manually.

I suspect that the problem is that spamming robots have become better at dealing with simple CAPTCHA tests like the one used in Tiki. The Tiki CAPTCHA test only uses numbers (no alpha chars), and the graphical distortion of those numbers is very minimal (the vertical alignment of the numbers is just perturbed slightly).

I might be worth it to update the CAPTCHA library used by Tiki, to provide a more difficult test.

XSS SECURITY ISSUE ::

This has been reported to Security Team.

Best Regards,
sschurtz (s.schurtz@infoserve.de)

Hi,
my name is Egidio Romano (aka EgiX) and I found a vulnerability
that could allow execution of arbitrary PHP code. I've sended
an e-mail to security(at)tikiwiki.org which explains this flaw.

Regards,
EgiX

There are two options in comment configuration page naming the same -- "Default number per page:".

It seems that they are on control of the same thing. I have to modify the both otherwise my setting will not be applied.
{img id="127"}

Hello,

there is a failure "XSS" persistent in Tiki Wiki 8.2. I'm reporting to security email now.

Regards,
Mario

Bugs & Wish list

Hi,
my name is Egidio Romano (aka EgiX) and I found a vulnerability that could allow execution of arbitrary PHP code.
I've sended an e-mail to security(at)tikiwiki.org which explains this flaw.

Regards,
EgiX

Discussed on wiki pages:
* ((Screencast))
* ((Copy-Pasting an image))

in debug mode (eg. when debugging ldap logins) many log entries are created at the same time so sorting by time is not sufficient to get the entries in their real order. Sorting by ID is better then.

Unfortunately sorting by ID leads to an unexpected result.

Looking at the code the problem can be fixed easily: The problem is that two tables are being joined (actionlog and actionlog_conf) and sorting by ID leads to sorting by actionlog_conf.id instead of actionlog.actionID.

Both needs to be fixed - in the SQL query the table for sorting must be added in the sort statement, in the template the columnname must be changed from Id to ActionId.

See patch.

The calendar in TW6.7 does not render correctly in IE8. It shows two months worth of dates instead of the expected single month when in month view. Week view and day view render correctly in IE8, though.

Also, amazingly, the same install of TW6.7 shows the dates of the month of March when viewed with IE8 and April (the current month) when viewed in IE9 and other major standards compliant browsers.

Hello.
Today I found an error in "tiki-editpage.php".
The error is on the Line 1092.

Have just upgraded from 4.3 to 6.7 and find Plugin Showpages is no longer producing output.

Looked at [http://doc.tiki.org/PluginShowpages] for inspiration and notice that the examples there do not seem to be functioning.

Suspect plugin Listpages now has --equivalent-- similar functionality. --but we have at least one other broken plugin (WantedPages), so want to ask if there is a wider issue here, please?--

Was using ~np~{SHOWPAGES(find=>FAQ_ display=>desc) /}~/np~ but I don't see how to simply display the page description with ListPages.

--Also is there an easy way to find all the pages within our wiki where ShowPages has been used so I can change them to Listpages??--

Thanks,

Martin

Updated 08May12. The issue with WantedPages is now felt to be a separate issue and I'll open a new ticket for that.

Have also now found new to v6 Mass Search & Replace tool within Wiki Admin which is great.

If I choose the field type "date and time" in tracker, I can't set a date before 1970 in the data entry even when I say "start date" 1940.

When context menus are unchecked from look and feel and you applay to "share a link to this file" icon, url for download is served without fileId and tiki returns "File has been deleted (404)"

Since Tiki10 the Tiki SMARTY Plugin, using the 'eval' option to simply display a smarty variable, no longer works because the underpinning smarty function.eval.php is no longer part of the Tiki distribution - the SMARTY Plugin code checks for the availability of function.eval.php in either lib/smarty/libs/plugins/ or the lib/smarty_tiki/ folders and gives an error message "Incorrect parameter"  if it is not found. Its removal is probably due to the move Smarty 3  but it is not clear whether there is Smarty 3 version of eval available. The Tiki 9 version of function.eval.php does not work in 10/11/trunk (gives fatal errors) so this doesn't give us a 'quick fix'.  

Solution needed to be able to 'eval' and display any smarty variable type not just strings

r46040

Uploading an image to a file gallery in dev.t.o (thorugh the icon "Choose or upload images" in the textarea toolbar, in case it matters) produces:

"Server I/O error"

It seems that the file gallery is set to use that flash file uploader.

To reproduce the issue:

1- Apply profile http://profiles.tikiwiki.org/Jailroot_Demonstration on trunk

2- Pick perspective "B"

3- Search for "contentA1". You find

A1 and B1 (OK)
A1 A2 A3 (Not OK)

tiki-listpages.php exhibits the proper behavior.

lib/tree/categ_admin_tree.php and categ_picker_tree.php use setFlipWithSign() from tiki-js.js. In trunk, as of r30612, this causes a JavaScript error:

setFlipWithSign is not defined
setFlipWithSign('categorizeid1');

And the category flip sign is unusable. The problem is setFlipWithSign() was removed in r30170.

I added a jscalendar field to a new tracker. On the item entry page, the calendar is drawn underneath the form.

Hello all.

Almost by chance I noticed a behavior which seems wrong regarding the LDAP authentication on TikiWiki 2.0. I'm not sure if it was already present in 1.9.11 but I don't think so. We migrated last week.

Regarding the TW configuration:

- authentication method is "Tiki+PEAR::Auth"
- users cannot register and cannot change password
- "Create user if not in Tiki?" is on
- "Create user if not in Auth?" is off
- "Just use Tiki auth for admin?" is on
- The LDAP auth configuration paramters are correct, the auth itself works well, as it worked in 1.9.11. When TW connects to the LDAP server (OpenLDAP 2.1.30) the authentication works as expected.

This means that a Tiki account is created when LDAP users login for the first time. As expected, in presence of such a user, TW connects to LDAP, authenticates, creates Tiki account and logs the user in (I have some doubts in this last item though). However, when users log in again after this, I would expect that authentication is still delegated completely to the LDAP and is not done through Tiki. Instead, I have confirmed by looking at my LDAP logs that when TW finds a Tiki account, it authenticates the user through Tiki and never connects to the LDAP. This is not the expected behavior, because it means that passwords are being stored on the TW database and actually used for authentication. As a consequence, when a user changes his password on the LDAP, this is not "seen" by TW.

I'm pretty sure this is not the intended behavior also because if I go to Admin Users, both the "edit user" and the "add user" boxes show the following:

"No password is required
Tikiwiki is configured to delegate the password managment to LDAP through PEAR Auth."

And actually, the "edit user" box also says "Warning: changing the username will require the user to change his password" which is a contradiction since the password should be managed by LDAP and my TW is configured to disallow users from being able to change their passwords.

Paulo

LDAPv2 is obsolete, and the use of LDAPv3 is now standard practice. In fact, the [http://www.openldap.org/faq/data/cache/822.html|latest releases of OpenLDAP don't even support LDAPv2 properly anymore]. However, PHP's ldap_connect() and PEAR::Auth [http://www.openldap.org/lists/openldap-software/200204/msg00046.html|default to LDAPv2].

The patch to use LDAPv3 is attached. It shouldn't be difficult to make the LDAP protocol version a configurable preference.

in file tiki-admin_include_login.php
if (isset($_REQUEST["auth_pear"])) {
check_ticket('admin-inc-login');
simple_set_toggle('auth_create_user_tiki');
............
....
.....
missing 2 lines below.
simple_set_value('auth_ldap_emailattr');
simple_set_value('auth_ldap_countryattr');

Missing database entries for ldap email and country

3.0 and 3.1

When the number of messages in the mailbox exceeds the number set to display (regardless of the number set to display) no pagination tool appears so it is impossible to see the rest of the messages.

This is for read or unread messages.

It's happening on my live site, and it is also found in a fresh 3.0 installation under MAMP on my local machine.

It's a show-stopper!

__UPDATE: a clue__

So in Look n Feel=> General Layout

I turned off "Hide pagination when there is only one page"

and went back to the mailbox. Now it's showing

"page 1/1"

So it's not showing pagination tools to see more messages because it has concluded it is already showing them ALL.

So something can't count or can't subtract or has the wrong rule.

Related:
[wish1887|Modules use should be restrictable with standard permissions]


Read from bottom up:

2008-05-27 00:46:33 Norrin_Rrr mmh
2008-05-27 00:45:57 prozaq you could probably modify that
2008-05-27 00:45:39 prozaq that displays all categories
2008-05-27 00:45:32 prozaq Norrin_Rrr: in 1.10 there is a module called "categories"
2008-05-27 00:41:25 Norrin_Rrr will try it
2008-05-27 00:41:16 Norrin_Rrr the example in the documentation says its for features not sections that s weird
2008-05-27 00:40:51 prozaq oh - yes I think so, but Ive never tried it
2008-05-27 00:40:34 prozaq beg your pardon?
2008-05-27 00:39:45 Norrin_Rrr the section parameter in the menu its to set wich section (wiki/cms/forums) will display the menu ?
2008-05-27 00:38:54 Norrin_Rrr that should be doable
2008-05-27 00:38:19 prozaq so you should be able to copy some of the code from the tiki-browse_categories pages
2008-05-27 00:34:38 Norrin_Rrr yes
2008-05-27 00:34:16 prozaq but isnät that when you are creating a module from scratch?
2008-05-27 00:34:07 Norrin_Rrr i am not sure but there seems a possibility for hacking ?
2008-05-27 00:33:44 Norrin_Rrr "So if you know about Smarty template editing you can use any Smarty tag in your user modules."
2008-05-27 00:33:05 Norrin_Rrr ah okay i am at the module documentation, and its seems there are some conditionals with TW1.10 for modules but unfortunatly none for specific category
2008-05-27 00:32:56 *** franck has left #tikiwikin
2008-05-27 00:29:43 *** kiilo_ has quit IRCn
2008-05-27 00:28:34 Suprano even more if you paste in in a formular :D
2008-05-27 00:28:15 Suprano hmmm copying 4mb text slows down the pc
2008-05-27 00:28:10 Norrin_Rrr and display a menu that gather the various item of this category
2008-05-27 00:27:59 prozaq marclaporte: earlier I posted a bug to the tracker item Bugs & Wish list on dev.tikiwiki.org but how do I post to the "All Bugs" section or the "Release 110 taged bugs" ? section
2008-05-27 00:27:38 Norrin_Rrr yes
2008-05-27 00:27:30 marclaporte the goal would be to show a certain module only if current item (page, etc) is in category X ?
2008-05-27 00:26:07 prozaq eek...
2008-05-27 00:25:45 Norrin_Rrr its seems it works for feature enabled on the site but not for category (?)
2008-05-27 00:25:16 Norrin_Rrr yep i have the doc about the menu under my nose but i don't understand the section parameter
2008-05-27 00:24:39 marclaporte hi prozaq
2008-05-27 00:24:24 prozaq marclaporte: hi
2008-05-27 00:24:19 prozaq but Iäm not sure a specific category would fall under that
2008-05-27 00:23:57 prozaq it seems that you can tell a module which "section" it should appear in
2008-05-27 00:22:37 Norrin_Rrr for now 1.9.9 but 1.10 soon i hope :)
2008-05-27 00:21:20 *** marclaporte has joined #tikiwikin
2008-05-27 00:20:45 prozaq which version are you using norrin?
2008-05-27 00:18:38 Norrin_Rrr i am not sure, a module with a menu would be nice
2008-05-27 00:18:08 prozaq a menu item or a module with menus?
2008-05-27 00:17:29 Norrin_Rrr and hello everybody ;)
2008-05-27 00:16:39 Norrin_Rrr Is it possible to show a menu only when a user reach an item belonging to a given category ?
2008-05-27 00:15:24 *** Norrin_Rrr has joined #tikiwikin







Sylvie has recently added some useful code in BRANCH-1-10 so we can use categories as conditions in templates (.tpl)

[http://dev.tikiwiki.org/Hello+World#To_do_something_specific_in_a_template_ex_tiki_tpl_conditional_to_the_current_item_being_in_a_category_Ex_different_header_picture_|related info in Hello World]

While digging through some html I found the following:

{CODE()}<div class="rbox-data"">{CODE}

the line in remarksbox.tpl is:

{CODE()}<div class="rbox-data{$remarksbox_highlight}"{if !empty($remarksbox_width)} style="width:{$remarksbox_width}{/if}">{CODE}

When the second if statement evaluates to false an extra double-quote is still output.

Contrary to TikiWiki documentation (and contrary to TikiWiki common sense) it is NOT possible in a 3.0 wiki (specifically http://jiamcatt.ourwiki.net) to assign any permissions to Newsletters. This means that NO ONE, other than Admins can even see the list of Newsletters, to say nothing of viewing past newsletters (the archives). This is unacceptable – and contrary to TikiWiki documentation.

JIAMCATT is the community of IT-oriented managers of language (translation and interpretation) services of major International organizations and European multilateral bodies. After a slow start about a year ago this community has now agreed to try to use a TikiWiki-based system. Within the past month (since several of the TikiWiki team participated in the JIAMCATT annual meeting in Ottawa, Canada early May 2009) close to 200 users have joined up.
One key aspect of the work of JIAMCATT are Working Groups. One of these has just started work. It’s tools include wiki pages in the two working languages (En + Fr), a discussion forum (consisting already of 13 topics), and – last but NOT least – a Newsletter to keep everyone abreast of developments. This feature, it now turns out doesn’t work in a very bad way: NO ONE, other than Admins can even see the list of Newsletters, to say nothing of viewing past newsletters (the archives). This is unacceptable – and contrary to TikiWiki documentation.

I expect this should be a simple fix for a TikiWiki insider (the feature existed at the time the documentation was written); albeit impossible for someone not intimate with the insides of this system.

Screen shots are attached. The first – now shows as the last – called “ButtonsAvail-inJiamcatt-ourwiki-net-Newsletter-admin.gif” shows the buttons seen by an Admin user when trying to do “Admin Newsletters”. The second, called “MissingButton-from-doc-tikiwiki-org.gif” shows the buttons in doc.tikiwiki.org in the http://doc.tikiwiki.org/Newsletters section in the http://doc.tikiwiki.org/tiki-index.php?page=Newsletter+Admin&bl=y page, under the segment titled “Changing Existing Newsletters”. The third screen shows you what a non-Admin user who should have access to view newsletters and archives of this Working Group, sees (file: “Empty list of newsletters for (nonAdmin) WG members.gif”).

Unless someone can provide a fix quickly, this group will abandon TikiWiki as its working tool.

omstefanov

templates/modules/mod-events.tpl uses mktime and under php5 it needs to have all arguments as integers.
Simple patch:

For the Google Adsense Module:

Google Adsense Client IDs are in the format pub-0123456789012345
Line 42 of mod-func-adsense.php sets this data input type to 'alpha'.
When the user tries to assign the module, the numbers get stripped from the client ID, which is a required field.

I changed 'alpha' to 'striptags' to allow an alpha-numeric entry and then Adsense output works correctly.

I have set feature_comment_moderation=y, so new comments are invisible until approval, but they are shown as new comments on the since_last_visit_new module. So if user clicks on this link they come to the page where the comment was made (currently only tested with blog comment, but should be the same with other comments), and don't see this new comment.
I've no idea if this also affects coming version 4, only working with v3.2

Tiki 1.9.8 ships with 94 modules. (excellent)


Need a "module manager"

Module should come with a screenshot or preview.

A page listing all modules with descriptions and parameters- grouped by feature.


currently, the "user modules" and "assigned modules" titles are very non-intuitive. Should say "custom modules" and "active modules"




However, all modules are listed at all times. Module listing should check for features which are activated. It would be easier on new Tiki admins. For example, if articles are deactivated, don't show me last_articles in tiki-admin_modules.php



Admin modules does not display titles of available modules or provide easy method for selecting unused modules, such as with a listbox. The missing information is not available unless a Tiki admin has system admin permissions.



Also, all possible parameters for the current module should be listed (or picked from a drop-down)
See:
[http://doc.tikiwiki.org/Module]



Related:
Plugins admin interface
http://dev.tikiwiki.org/tiki-view_tracker_item.php?itemId=502

When viewing a specific blog post (tiki-view_blog_post.php), users should be able to go to the NEXT / PREVIOUS post in the blog.

On the www.wiki-translation.com site, anonymous users can post comments but they have to go through a CAPTCHA test to prove that they are not a machine. In spite of that, several spam comments are being posted (selling viagra, sort of thing) each week, presumably by robots. I for one (Alain Désilets) can't believe that there are humans who actually do this manually.

I suspect that the problem is that spamming robots have become better at dealing with simple CAPTCHA tests like the one used in Tiki. The Tiki CAPTCHA test only uses numbers (no alpha chars), and the graphical distortion of those numbers is very minimal (the vertical alignment of the numbers is just perturbed slightly).

I might be worth it to update the CAPTCHA library used by Tiki, to provide a more difficult test.

When creating a newsletter item, both HTML and plain text versions are requested. The plain text information is empty if the newsletter is edited.

Sometimes, it is useful to attach files to a newsletter.

Alternatively, it could be a newsletter with a link to a file (a unique, very long URL, which provides access to the file without entering a password)

Once a language has been selected for a page there is no way to set it back to its original state with no language associated with it. This is not that big an issue, but once you select a language you are stuck with the multilingual menu item at the top of the page, even if there are no other translations available.

I think it is preferable to have a link on the top of the page only if there is an available translation for the page. Regardless, it is bad practice to allow a user to change something with no way of returning that something to its original state

When using OpenID + Registration CAPTCHA...
With Tiki 2.2...

I attempted to register using my OpenID:

#On the Login page, I entered my OpenID.
#My OpenID was validated and Tiki shows the page where I can either associate my OpenID with an existing Tiki account, or register as a new user.
#I completed the registration form (including the correct CAPTCHA), but Tiki keeps saying that the Anti-bot code was incorrect.

Additionally, the registration form presented with the OpenID __does not__:
*Display the password minimum requirements (such as number of characters).
*Allow for the selection of groups.


__Duplicate of {wish id=1505}__

When you edit a banning rule, that rule gets deleted (at least, from the list at the Banning interface in Tiki).

To reproduce:
* go to tiki-admin_banning.php
* add a rule for this ip "91.201.66.6" (real ip of spammers, btw) with the title "91.201.66.6_regular_spammers"
* Check all features
* Check the setting to activate the rule by dates
* Select the maximum possible time frame (btyw, this only allows selecting within the same year: reported by somebody else already in another bug report; see [bug3643])
* add some custom message
* save
* click at the title of your rule in order to have it open for edition again for you
* the rule is deleted from the list of rules, and the edit interface is empty

---
confirmed in two different tiksi from different servers... (btw, 5.x is also affected)

I would like to see a way to control how often I receive watch emails.

Situation 1 - DIGEST mode:
I would like to receive a single email each day that identifies every watched item that changed.

Situation 2 - TIMEFRAME mode:
If a page is changed by the same user within a preset timeframe, I only want to receive a single watch email. To avoid the "lost edit" issue, many users SAVE their wiki pages frequently (sometimes several times per hour). If I'm watching the page, I'll get TONS of emails. I'd rather get 1 email per user change per hour, for example.

It would be nice:

*to be able to see what is changed from the default value
*to be able to reset preferences to the default

All this, on a panel by panel

wiki page names, wiki page descriptions, etc should not only be indexed but the weight should be higher than text in the the wiki page.

Same logic should apply to all features.

{img src=show_image.php?id=93}

Preface: This is my first bug entered and I am also *very* new to TikiWiki.

With that disclaimer out of the way:

The problem is that the RSS calendar link at the bottom of the default install seems that it bypasses or overrides the security.

I had set up a restricted category and a restricted calendar tied to that category. I created a user with access and it worked fine. I logged in as a test user to make sure it was working correctly. I could see the public calendar and the public topics but not the restricted ones. I thought this is great.

Then, when I was not even logged in as any user, I clicked on the RSS feed at the bottom of the screen and guess what? It showed me all the contents of the restricted calendar and the public calendar, too.

Thanks.

If Tikiwiki 1.9.4 or 1.9.5 is installed in the wwwroot of a "real" subdomain that resides on its own (win)server (not an alias to a subfolder under the main-domain), then rsslib.php inserts an additional backslash after the domain-name.

Links of rss-feed then look like: ~~#FF0000: sub.domain.com\/tiki... ~~ and RSS feed gets obviously broken.

As a quick-fix for my site I resolved this in the file rsslib.php by deleting the string:
~~#FF0000: ~np~ .dirname( $urlarray["path"] ) ~/np~ ~~
in the variables:
~~#FF0000: $home, $img, $read, $cssStyleSheet, and $xslStyleSheet ~~
in order to get RSS-2.0 to work again.

Unfortunately I'm not any more a coder and don't know php good enough to fix this for everybody and contribute in the CVS (I did no more coding since turbo-pascal under DOS in the mid 90's, but at least still can read a little bit :-)

all the best,
Felix

PS: Thanks everybody here for this great software!!!

Tiki has a basic feature to generate slides from wiki page data. This permits to prepare slides collaboratively and makes them highly available/searchable/accessible.
http://doc.tikiwiki.org/Slideshow+User

However, the feature is not very exciting.

1- I do not want to rely on an external service to distribute my
slides. I want to put on my TikiWiki-powered sites. And I want them to
be searchable & accessible. An export to Flash is not ideal.

2- I want something standards-based to make sure I can use when I am
not using my computer (like at FOSDEM). Sure, Regis did an amazing
presentation at the last TikiFest, made with Keynote. But now, how to
share, mix and re-use?

3- I want a way to collaborate (when preparing) & share slide
information in an easier fashion.
a) I have done dozens of presentations. The collaborative process
using desktop tools is very inefficient. I remember a long night in a
hotel room in Tunis where we where collaborating over Skype to
fine-tune a presentation.

4- As Dogfood, I think these slides could help to
A) Make nicer tutorials/documentation
B) Promotional material on info.tikiwiki.org

5- Finally, I want something much nicer than what we have now. The
quality/design/features of S5 reloaded has nothing to be shy about
compared to Desktop apps:
http://www.netzgesta.de/S5/reloaded/advantages.php?id=sunny_gfx

Some goodies I look forward to using:
A- A second browser window which shows me a timer and some notes.
B- A special syntax to handle handouts.

6- Some of the concepts (ex.: image resizing depending on current
browser size) could be useful for Tiki in general.


Here is a proof of concept of
Wiki page:
http://trim.rclaporte.com/svn/slides/tiki-index.php?page=tests5reloaded
Slides:
http://trim.rclaporte.com/svn/slides/tiki-slides.php?page=tests5reloaded



Investigate:
http://meyerweb.com/eric/tools/s5/
http://www.netzgesta.de/S5/
http://en.wikipedia.org/wiki/S5_%28file_format%29
http://icant.co.uk/domslides/

Ideal:
Long-term collaboration/integration of one of these, or a similar open source project

Perhaps with ((jQuery))?

Clicking "Save" icon in toolbar doesn't work.

Some versions of the Tikiwiki documentation suggest that a watch does not report a change to a web page that has been designated as a "minor" change. That does not appear to be the case for Tikiwiki 1.9.2.

If you ask me, the ability for a wiki user to make a Minor edit without bothering the "Watcher" crowd is a great idea and makes for a better community wiki dynamic.

Error using Tiki 5.3 on a shared hosting (installed in …/httpdocs/tiki). This error does not occur with TikiWiki 4.1 on the same hosting (installed in …/httpdocs/tiki4).

When I try (as admin) to edit users in Tiki 5.3, I get these PHP errors:
PHP (5.2.9) ERROR (E_WARNING):
File: lib/smarty/libs/internals/core.get_include_path.php
Line: 34
Type: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/lib/smarty_tiki//modifier.count.php) is not within the allowed path(s): (/var/www/vhosts/d-meeus.be/httpdocs:/tmp)
PHP (5.2.9) ERROR (E_WARNING):
File: lib/smarty/libs/internals/core.get_include_path.php
Line: 34
Type: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/lib/smarty_tiki//compiler.icon.php) is not within the allowed path(s): (/var/www/vhosts/d-meeus.be/httpdocs:/tmp)
PHP (5.2.9) ERROR (E_WARNING):
File: lib/smarty/libs/internals/core.get_include_path.php
Line: 34
Type: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/lib/smarty_tiki//block.icon.php) is not within the allowed path(s): (/var/www/vhosts/d-meeus.be/httpdocs:/tmp)
PHP (5.2.9) ERROR (E_WARNING):
File: lib/smarty/libs/internals/core.get_include_path.php
Line: 34
Type: is_readable() [function.is-readable]: open_basedir restriction in effect. File(/lib/smarty_tiki//modifier.ucwords.php) is not within the allowed path(s): (/var/www/vhosts/d-meeus.be/httpdocs:/tmp)

To me it seems that the open_basedir restriction is reasonable (my hosted Web space + /tmp). There seems to be a syntax error (beginning / before lib) inducing a confusion between /lib on the server and the …/httpdocs/tiki/lib folder in my installation. (By the way, I do not understand // in the path.)

I tried to read line 34 in core.get_include_path.php, but I am not a programmer and I cannot figure how to correct the syntax error. I do not know the value of all these variables at the moment the function is called.

Could somebody suggest a correction or a workaround?

I created a test environment with the following components:
Apache 2.2.10
PHP 5.2.8
MySQL 6.0.8 alpha

I was not able to get MySQL 5.1 working on my machine,
but I was abe to get 6.0.8alpha runnning smooth.

I checked out the latest code in TRUNK 15953
pointed Apache to the files.

I ran tiki-install.php without problems except the following 3 SQL problems
which I suppose is due to MySQL version 6.0.8alpha

As my SQL skills are not up to date...
Are there any solutions for these bug?

Do not propose, that version 6 of MySQL is not supported :-)

~np~CREATE TABLE tiki_banning (
banId int(12) NOT NULL auto_increment,
mode enum('user','ip') default NULL,
title varchar(200) default NULL,
ip1 char(3) default NULL,
ip2 char(3) default NULL,
ip3 char(3) default NULL,
ip4 char(3) default NULL,
user varchar(200) default '',
date_from timestamp(14) NOT NULL,
date_to timestamp(14) NOT NULL,
use_dates char(1) default NULL,
created int(14) default NULL,
message text,
PRIMARY KEY (banId)
) ENGINE=MyISAM AUTO_INCREMENT=1~/np~
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(14) NOT NULL,
date_to timestamp(14) NOT NULL,
use_dates char(1) default NUL' at line 10

~np~CREATE TABLE tiki_friendship_requests (
userFrom varchar(200) NOT NULL default '',
userTo varchar(200) NOT NULL default '',
tstamp timestamp(14) NOT NULL,
PRIMARY KEY (userFrom(120),userTo(120))
) ENGINE=MyISAM~/np~
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(14) NOT NULL,
PRIMARY KEY (userFrom(120),userTo(120))
) ENGINE=MyISAM' at line 4

~np~CREATE TABLE tiki_users_score (
user char(200) NOT NULL default '',
event_id char(200) NOT NULL default '',
expire int(14) NOT NULL default '0',
tstamp timestamp(14) NOT NULL,
PRIMARY KEY (user(110),event_id(110)),
KEY user (user(110),event_id(110),expire)
) ENGINE=MyISAM~/np~
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(14) NOT NULL,
PRIMARY KEY (user(110),event_id(110)),
KEY user (user(110),ev' at line 5

Installer is broken on 4.1 in Windows 2008 R2 with the environment described below. At least two of us have exactly the same problem, so the issue is not local to us.

At the bottom is someone else's description as taken off the Installer forum. My experience is exactly the same, except I am running MySQL 5.1.41 instead of 5.1.42.

A third party suggested it has something to do with directory or session permissions, or PHP configs. To test this, I uninstalled tw 4.1 and installed 3.4 in the same environment. 3.4 worked just fine. Then I upgraded to 4.1 over top of it and it reverted to previous bad behavior. So I believe it is a 4.x bug.

I've given this a high priority because the software is unusable if you can't install it, so you probably losing a lot of users.

Here's the other guy's description of the problem:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am trying to preform a fresh install of TW4.1 on Windows Server 08 R2, IIS 7.5, PHP 5.2.12 and MySQL 5.1.42. However, after filling in the page for the database information to populate the database, I reach a page entitled

__Tiki Installer Security Precaution__

You are attempting to run the Tiki Installer. For your protection, this installer can be used only by a site administrator.

To verify that you are a site administrator, enter your database credentials (database username and password) here.

If you have forgotten your database credentials, find the directory where you have unpacked your Tiki and have a look inside the db folder into the local.php file.

I enter the 'root' account information and hit 'Validate and Continue'. But it takes me back to the 'Welcome' page. Now any link I hit Takes me to the validation page and I enter the correct user (root) account info and I'm sent back to the 'Welcome' page. The install doesn't want to continue.

If you want, check out www.nerdzone.net to see the site.

I think what's needed is a Gallery of "Tiki Sites in a Box". In other words, Tiki sites that are preconfigured to meet a particular kind of needs. The needs should be defined not in terms of features, but in terms of GOALS of the end user or organisation.

This could be a list of descriptions like this:

- I want a site to enable collaboration inside my organisation.
- I want a site to broadcast my ideas to the world and allow people to add to them and comment on them.
- I want a site that will act as an open knowledge base on a particular topic.
- etc...

Each of these could point to an example which would be a "fake" site that could act as a sandbox. People could go to this fake site, play around with it (but not reconfigure it), to see if it's what they are looking for.

This would allow easy single click configuration of Tiki. The user would simply click on one of the items in the Gallery, and the Tiki site would be configured accordingly.

One issue is: what happens if the user choose wrong and later wants to switch to a different model? I guess if no content has been created in the site it's fine, but what if content has already been created and that content is somewhat incompatible with the new model that the user is choosing?


Related:
*[tiki-view_tracker_item.php?itemId=1513|OpenSourceCMS type demo to test/develop and show off profiles]
*[http://info.tikiwiki.org/Use+Cases|Use Cases]

__Moving discussion of this wish to ((Profile Manager))__

Like many web applications, to install TikiWiki, you need to have already created your database (via phpMyAdmin or cPanel).

Maybe TikiWiki could handle this task using the mysql root/super user account?


Otherwise, maybe try via cPanel API if available (TRIM as well could try this)

PHP (5.3.3) ERROR (E_WARNING):
File: lib/tikidate-php5.php
Line: 174
Type: DateTime::setDate() expects parameter 2 to be long, string given

This started happening after I updated to the current subversion head and allowed the installer to upgrade the DB to UTF-8.

The symptom on the page is:

Created by admin. Last Modification: DateTime::__construct() [datetime.--construct]: Failed to parse time string (5) at position 0 (5): Unexpected character by mheller.

I have just migrated a Tiki from one server to another and ran into
UTF-8 Problems. The browser showed Umlauts as the dreaded diamonds with
question marks in them.

Both servers are fully utf-8 compliant as described in
http://tikiwiki.org/UTF-8

The big problem is that on the new server PDO is available while it
isn't on the old one. According to the mailing list PDO is not default,
but as far as I can see in the code PDO will be default, if available
and not set otherwise. Setting

$api_tiki='adodb';

in db/local.php fixes the special character problem.

The issue seems to be that PDO gives a silent fuc# about encodings and
just pumps everything to the database and back as you hand it to it.
Additionally PHP/PDO doesn't read your my.cnf and therefore doesn't know
which encoding to use.
A quick fix is telling PDO which encoding to use - line 39 in
db/tiki-db-pdo.php :

$dbTiki = new PDO("$db_tiki:$db_hoststring;dbname=$dbs_tiki",
$user_tiki, $pass_tiki,array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES
utf8"));

But I think that this is not safe to commit...
e.g. someone started with Tiki on MySQL 4.0 which used latin1 as
default, so all her tables are latin1. She upgrades MySQL to 5.1, but
doesn't change the Tiki database to default to utf-8 and hasn't
converted the database. Then the PDO-fix above will most probably
produce the same problem, just the other way around...

No idea, what to do actually, but wanting to raise awareness here!

This is a dangerous issue as people with utf-8 databases upgrading their
system or Tiki and switching automagically over to PDO will end up with
mixed stuff in their database: clean UTF-8 and double-byte
ansi-control-characters which MySQL converted to their right unicode
codepoints (freaky, hm? ;) ).

I hope, I was capable of describing the problem in a way that's
understandable....

In my installation, on some internal links that are represented in an absolute way, there is a backslash between the domain name and the first slash.

Eg when I try to login on http://mydomain.com/index.php, I get redirected to http://mydomain.com\/tiki-login.php, which the server cannot render.

Clean install of:
MS Windows Server 2003 SE SP2 on x86
Apache 2.2.10
MySQL 5.1.30
PHP 5.2.8
TikiWiki 2.2

Tiki resides directly in the DocumentRoot C:\tiki (as it is a dedicated server).

In tiki-setup.php, there is a line

{img src=images/code.png}%%% {CODE()} $tikiroot = dirname($_SERVER['PHP_SELF']); {CODE}

In the documentation of [http://www.php.net/dirname |((dirname))], they state that since PHP 4.3.0, dirname returns unexpected values. The example implies that on Windows dirname('/x') returns '\'.

Therefore, if you install Tiki in the DocumentRoot, _SERVER['PHP_SELF'] will be '/filename.php' and $tikiroot will be '\'.

Yahoo! now provides OpenID support for all Yahoo! IDs. However, I am unable to login to any Tiki by using my Yahoo! OpenID.

See http://tikiwiki.org/tiki-view_forum_thread.php?forumId=4&comments_parentId=28775

The goal is to have a USB key version of Tiki.

Possible uses:
#Easy testing on a Windows desktop
#Have a backup of your Tiki on your MP3 player
#etc


Possible partners:
http://www.easyphp.org/
http://portableapps.com/apps/development/xampp
http://www.uniformserver.com/

Click on "Delete my account" as user has no effect. The user has the permission "tiki_p_delete_account". A look into "tiki-user_preferences.php" shows, that the button "deleteaccount" is not handled.

TikiWiki 4.2

Tested with R26214. Delete-Button didn't work yet. Perhaps forget the upload?

1- User registers

2- System sends email (to validate user controls that email)

3- User clicks and is sent to tiki-login_validate.php?user=abc&pass=xyz


The admin should be able to override to send a wiki welcome page for new users or to user tracker form.

When using the __Versions__ plugin, Tiki incorrectly merges the first line of each "version" within the Version navigation bar. This causes problems when parsing wiki syntax for items that must begin at the start of the line (such as the numbering # syntax).


Example:

[http://tikiwiki.org/tiki-index.php?page=UserPagericks99&pagenum=2#Versions_plugin]

This broken numbered procedures, when Versions plugin is used to differentiate software versions (such as on doc.tw.o or ''Smarties'').

It is possible to watch for new articles here: tiki-user_watches.php

So why not add an "eye" in view articles and list articles?

Hello,

This flaw was found in the search page "TIKI WIKI," which allows XSS attacks when a User is an argument in the variable "words" with a code for XSS. The failure occurs on the search page when it tries to recover the value passed in the variable "words", the server tries to redirect to tags <a> some links in the value paced past. But the server does not check the value and allows the execution of JavaScript code with a code like this.

http://info.tiki.org/tiki-searchresults.php?searchLang=en&words=111%22%20onmouseout=%22alert%28document.cookie%29;//&search=Go


Vulnerable code in HTML code:
<span class="button"><a href="http://doc.tiki.org/tiki-searchresults.php?words=111" onmouseout="alert(document.cookie);//&where=wiki">Tiki Documentation</a></span> or
<span class="button"><a href="http://www.google.com/search?q=tikiwiki+111" onmouseout="alert(document.cookie);//">Search all over the Web with Google</a></span> or

<span class="button"><a href="http://www.google.com/search?q=site:tiki.org 111" onmouseout="alert(document.cookie);//">Search *.tiki.org with Google</a></span>

I could see how we can add an event "onmouseout" tag for <a> that allows javascript code execution.

Kind Regards,
Mario Gomes.

With version 2.2, normal and OpenID login enabled, and the modules "since_last_visit" and "since_last_visit_new", they don't reset when using OpenID login. When loging in with the normal login, those since last visit changes are reset.

When renaming a page with a slash in its title (e.G. 'Adresses/Something') into a pagename without a slash (e.G. 'Something')
ALL pages, which link to this page get its contents DELETED. I looked into the DB. The data-field is set to NULL.

The problem must lie in the ReEx of the rename_page function at wikilib.php. I'm not good enough at RegEx to fix by myself so i provide the faulty code-segment:

{img src=images/code.png}%%% {CODE()}

if (strstr($newName, " "))
$data = preg_replace("/(?<= |\n|\t|\r|\,|\;|^)$oldName(?= |\n|\t|\r|\,|\;|$)/", "((".$newName."))", $data);
else
$data = preg_replace("/(?<= |\n|\t|\r|\,|\;|^)$oldName(?= |\n|\t|\r|\,|\;|$)/", $newName, $data);
$data = preg_replace("/(?<=\(\()$oldName(?=\)\)|\|)/", $newName, $data);

.....

if ($is_wiki_page) {
$query = "update `tiki_pages` set `data`=?,`page_size`=? where `pageName`=?";
$this->query($query, array( $data,(int) strlen($data), $page));
{CODE}

Maybe there should be generelly a feathure that prevents characters in page titles that may cause problems like / oder &

See screeshot

In 1.9.x, Side-by-side diff is the default

Sometime in the history of 1.10 (around when WYSIWYG editor arrived I think), HTML diff became the default.

This appears to be more of an accident than a conscience choice.

Side-by-side should re-become the default.

Ever better, the admin should should what the site default it.

Even better, each user could override this value in their preferences.

wiki shows no preview in translate edit mode while in normal wiki page edit it's working fine

version: 3.0beta4 SVN
theme: darkroom
browser: FF3

steps to reproduce:
# enable multilingual features
# select translate from dropdown where "English" is
# set the language and pagename for new page serving as translation
# in the editing mode click preview

__problem __with Russian (and, as I understood, any non-English character language) wiki-links in CKE Editor (and plugins):
1. Let's create wiki page named "Фичи" (copy-paste, hope it'll be work)
2. Create page with any name e.g. test with wiki-link to a first page ("Фичи").
3. Link is broken. becouse on the stage of convertation from wiki-link to CKE URL something goes wrong and if You click on this link and choose "Edit Link" you'll see "tiki-index.php?page=Фичи"
3.1 Yes, link is broken:
Page not found
äøÃÂø
----
Hint: without WYSIWYG editor all will be ok. No broken links with any symbols.

__Why priority is high?__
-becouse we can't create ANY wiki-links from CKE-editor if wiki page named with non-Latin leters.

p.s.
double-checked here http://php.opensourcecms.com/scripts/details.php?scriptid=63
with WYSIWYG_6x profile.

tags: utf-8, russian, link, wiki

Please see ((workspace roadmap))

When watching a wiki page, emails send on change contain iso-8859-1 charset in their header, while the body is utf-8 encoded.
The result is that special characters like umlauts are not being displayed properly (without manually setting the character encoding in the mail client).

Detailed error:
In lib/notification/notificationemail.php for function sendWikiEmailNotification(..) exists for sending those notifications. This function then calls tiki_send_admin_mail(..) in lib/mail/maillib.php which then starts a new instance of Zend_Mail. At this point, the Zend_Mail constructor would need to be given the charset or it uses iso-8859-1 as default.
Since the whole procedure of sending the notification seems to be ignoring the charset settings of the general tiki settings, the constructor would need to be given "utf-8".

I guess the error, though, is that character encoding is not set at all during the process. This might have to do with the fact, that wiki notifications are sent another way then i.e. structure notifications. Someone with a clue needs to look into this, though.