Didn't see this anywhere.. Not a huge change but still appears to be a bug on my end..

When doing a forgot password, it sends you a link with forgot-password.php as the page and it doesn't exist. The file should be forgot_password.php

Its not a big issue, but line 138 is improper comparison because you are using a boolean comparison operator to compare a non boolean value.

instead of

if($salt === null)

should be

if(empty($salt) && $salt == null)

but

if($salt == null) is probably as much as you need for something as trivial as password hashing.

this being said, it is my opinion that the function should be rewritten as follows:

function generateHashMD5($plainText, $salt = false) {
if (!$salt || empty($salt))
{
    $salt = substr(md5(uniqid(rand(), true)), 0, 25);
    // Returns a 65-character hexadecimal string
    return $salt . sha1($salt . $plainText);
}
else
{
    $salt = substr($salt, 0, 25);
    // Returns a 65-character hexadecimal string
    return $salt . sha1($salt . $plainText);
}   
}

notice the second line of the function first checks if salt is false, OR if salt is empty. this prevents erroneous exclusion of salt in cases where an empty string was mistakenly passed to the function as $salt.

this is an effort to limit the occurence of weak salts. it is still possible to defeat this mechanism by passing in true as the second parameter, but that could be prevented by rewriting it as

if (!$salt || empty($salt) || $salt === true)

but its probably overkill since users of the software are unlikely to mess with these functions, but its possible they could mistakenly overwrite them in the login or registration pages

and is the incorrect comparison operator and should be avoided entirely as it has lower precendence to =,>,<,&&,|| etc.

all instances of and should be replaced with && while all instances of or should be replaced with double pipe ||

this can create problems when using and to create an expression between boolean values.

consider
http://stackoverflow.com/questions/2803321/and-vs-as-operator

New feature proposal.

What about changing the default method for how UserCake is currently dealing with forgotten passwords.

It's not an ideal user experience or security practice to email passwords to users, even if the password is only temporary. We can't assume that users will change their password, and it's just another step the user shouldn't have to worry about.

Once they click on the link, that should immediately take them to a screen that prompts them to reset their password.

Should UserFrosting have to stay consistent with UserCake on this issue, or would this be a candidate just for UserFrosting's roadmap?

A lot of the time, we're checking if UPDATE is successful by doing if ($stmt->rowCount() > 0). However, if you update a row with an identical value, this returns 0. This is fine for the most part, but in a few cases (like on user registration, when we set a user's primary group to its current value) we get an error when we shouldn't.
So, we need a better way to determine if these operations are 'successful' (and also try to decide what success actually means for these operations).

Two suggestions for the Site Settings page:

1.) Site URL: if a "/" is not included at the end of the URL, automatically append it (currently it returns an error and asks the user to manually add a "/"; this is how UserCake did it too.

2.) Errors: when errors appear at the top of the page, the user should "snap back" to the top of the page so that they can see the error message (example: when the error for not adding the "/" to your URL appeared for me I was scrolled down far enough that I never saw the error message and didn't realize it had appeared)

We need to formalize a "root" account, which is created upon installation, cannot be deleted, and cannot be modified by anyone except the root user.
This should be implemented as a special user account, rather than a special permission group. Thus, only one account can be assigned "root" status.
The root user should have access to every page, no matter what their permission settings are.

Everything worked smooth until login. When i am trying to login with admin account i am always being redirected to 404.php. It says:

You're already logged in!
Oops, looks like our database encountered an error.
We couldn't load your account. We'll try to get this fixed right away!

Can you pinpoint what is wrong......?

I'm trying to figure out how the email side of this project, and I imagine others will also be interested as well. I currently don't have any SMTP stuff installed my LAMP stack. I want to send the mail securely, and preferably piping through a 3rd party service like Mailgun or SendGrid. Mailgun provides 10,000 free emails/month, so I'm thinking of focusing on figuring out how to do that.

Any thoughts or tips. Is this a priority for anyone else? What are folks currently doing to get sendMail to work?

It would be a very powerful feature if we could implement a full-on authorization scheme, that can authorize specific users/groups for specific actions, under specific conditions. For example, we would want to be able to specify (from a configuration panel) something like:

user `x` can perform action `y` under condition `z`

Note that z could potentially be a very complex rule. Thus, it might be necessary to have a set of rules coded in PHP as functions, which could potentially require many different parameters. How can we implement this functionality cleanly, so that permissions can be added and removed through a front-end interface?

Dear Alex,

Thank you for your great work!

It would be awesome if the form on the registration page would remember valid fields on error. All inputs are cleared at the moment which is quite annoying for users. It seems that the POST variables are cleared somewhere in the user_create_user.php page but I can't figure out where and how to prevent it.

(i added a value='' in each form input field in Register.php for instance)

Best regards,
Seb

We can implicitly define a hierarchy for groups based on their permission settings. For example, "Root user can update/delete Admins, Admins can update/delete Moderators, Moderators can update/delete Users." This effectively sets up a hierarchy of groups.

But do we want something that makes this hierarchy formal or explicit somehow? Perhaps as an optional plugin?

This touches on #12 and #14 a bit but is there going to be any kind of structure here soon, i mean with the addition of people's work to the code base (on the end user's side not the repo) eg. @r3wt 's chat and my own person guild app, the directory is going to be huge here soon and to the point where a general user may just overlook the project because of this.

If we could implement some type of (H)MVC framework this would make it alot easier for the end user and for people looking to extend just a small part of the application rather then rewriting chunks on there own. Also this would make it easier to write modules/extension of the app while still using the original codebase rather then having 700 files in the root directory.

Hi. I`m new here. When try to install I get bellow message

Parse error: syntax error, unexpected '[' in /home/domainame/public_html/user/models/funcs.php on line 98

What is your advice. Sorry I not that knowledgeable in php. Thank you.

For the user drop down menu on the top right, you have this code:

 <a href="#" class="dropdown-toggle" data-toggle="dropdown" id="user_logged_in_name"></a>

and in each page you have some JS to load the header:

   $('.navbar').load('header.php', function() {
        $('#user_logged_in_name').html('<i class="fa fa-user"></i> ' + user['user_name'] + ' <b class="caret"></b>');
        $('.navitem-dashboard').addClass('active');
      });

Why do you not just display the username directly in the header with PHP like this?

 <a href="#" class="dropdown-toggle" data-toggle="dropdown" id="active_team_name"><i class="fa fa-users"></i> $loggedinuser->username <b class="caret"></b></a>

What do you guys think of changing the terminology from "permissions" to "groups"? It seems like it would make more sense and be a more flexible term. "Group" would imply that you can do more with them than simply assign permissions.

Ok, so the checkActionPermission is used to determine whether a given user can perform a given action in a given context. For example, "Alice can update users who belong to group "Queen's Men".

But, would it be useful to have an efficient inverse function, in other words something that could answer the question "Which users can Alice update?"

Maybe this is something that would be easier to do in Prolog or some other logic programming language.

Anyone want to host a demo site? I have a link at www.userfrosting.com/demo.html, but GitHub Pages doesn't do PHP/MySQL so we'd need an actual webserver to host.

I was wondering if its possible to consolidate the number of files in the release at least the front end type of sites. It will make it easier to develop off this platform and keeping things consistent.

hello, I would like to insert new fields in the registration form
or following tutorial http://usercake.com/docs.php # 12, and it does not work
Any help is much appreciated.

How would you suggest I remove the username and replace it with only the email? Is it possible to add this as a feature you can turn on/off?

Where are we at on this, what all do we need to finish up before this can happen i think everything is starting to look really good ^_^

So we don't have a page for tracking features could we setup a wiki page or something. At the moment what do we have planned if anything. Also maybe add a section for bugs and todo's to keep track of everything in one place.

I'd do this but I'm currently on mobile device and not near a computer xD.

Hey Guys,

I wanted to see all the hard work you guys are doing... however on a fresh install of butterflyknife, I get this error at this link: http://localhost/0.2.0/install/

Fatal error: Call to a member function prepare() on a non-object in C:\xampp\htdocs\0.2.0\models\db_functions.php on line 108

From what I've been reading, "free" certificates are trouble. I ended up buying a cheap $9/yr cert from Namecheap (who resells for Comodo) for my website, and installation went pretty smoothly.

As far as compatibility, there are a few places in the code base where "http" is hard-coded, notably logout.php. This can cause browsers to (rightfully) complain about "mixed content", so we should fix that to use the appropriate protocol for https versions of websites that implement UserFrosting.

This thread to track hhvm incompatibility. For now i will only fix them locally. in the future i may ask they we create a branch specifically for use with HHVM.

\nNotice: Undefined index: userAlerts in /usr/share/nginx/html/UserFrosting/install/install_alerts.php on line 42
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}
\nFatal error: Uncaught exception 'BadMethodCallException' with message 'Call to a member function bind_param() on a non-object' in /usr/share/nginx/html/UserFrosting/models/class.user.php:48\nStack trace:\n#0 /usr/share/nginx/html/UserFrosting/process_login.php(129): loggedInUser->updateLastSignIn()\n#1 {main}

A question that has come up a number of times is, essentially, whether groups are mutually exclusive (i.e., can users belong to more than one group). Currently, they can, and I think we should keep it this way.

However, I am thinking of implementing a "primary" group feature, where a user can belong to multiple groups but one and only one of those groups is their "primary" group. This would be useful for things like customizing user menus. For example, a user could be part of both the "Users" group and the Admin" group, but their primary group would be set to "Admin". Thus, they'd automatically be shown the "Admin" menu on their sidebar.

Thoughts?

Hey Alex,

I was wondering if you created this JS yourself, or if you generated it somewhere. Reason I ask, is I really like the format for CRUD, and was looking to use it for another portion of my site.

Thanks

We should start including a update script in the dev branch for changes that way people dont have to do updates manually or start from scratch.

The question is how do we do this? do we setup a mini installer to make the changes and if code changes are made include them in a seperate folder maybe

zip_root/
/api/
/account/
/update/
/update/{installer_files_here}
/update/code_changes/
/update/code_changes/models/db_functions.php <-- changed file

then just drop and replace the old file with the new one and good to go?

I registered a domain! http://www.userfrosting.com/
I linked it up to the github Page for the project, which right now is basically just the old readme file. Anyone want to help with building it further? My idea is to break it into the following sections:

• Home/Getting Started
• Live Demo
• Examples
• Docs
• Sites that use UF
• Contributors

Hi guys. Like the script so far. But after testing and playing with it, I found that I couldnt edit users.

When I click the drop down box, and choose Edit User, I get the error:
Oops, looks like our server might have goofed. If you're an admin, please check the PHP error logs.

I check the logs, and nothing is showing up except a bunch of:
[Thu Jun 05 17:16:52 2014] [error] [client XX.XXX.XXX.XX] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are required to use the date.timezone setting or the date_default_timezone_set() function.

I even tried a fresh install to make sure it wasnt anything I messed up while playing with the code.

-sh-4.1$ php -v
PHP 5.4.29 (cli) (built: Jun 1 2014 19:30:18)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with the ionCube PHP Loader v4.4.1, Copyright (c) 2002-2013, by ionCube Ltd.

Whenever I login I get the following error message:

Fatal error: Call to a member function bind_param() on a non-object in public_html/UserFrosting/models/funcs.php on line 476

It also carries over on every page I try to access. It eventually goes away when my session times out.

Hey guys,

It would be great security wise if there was an auto-logout after X minutes of inactivity from the user.

On a side note, I am note so much of a security expert. To stop XSS attacks, UserFrosting sanitize the inputs with the "sanitize" function, is that enough or should I add function such as xss_clean.php that can be found here: https://gist.github.com/mbijon/1098477 ?

Thanks again for the good work!
Seb

Every time I try to do a password reset on my site, it sends the email and when I click on it, it takes me right back to the request a password reset page. Then if I enter my info again, it says there is already a pending reset.. I've went in and set it back to 0 and tried 4 or 5 times to reset a password.. It's an endless loop.

Is this a bug or is the password reset function something that isn't fully done yet and I just didn't see anything about it in the logs?
Or perhaps a bad install on my system?
I can provide you with a link, temp username and temp email if you would like to see it.

Should they be directly propagated to the front-end, or just logged with a generic "PHP error" propagated?

I know this is a silly question, but it has to be asked :(

Love the work you're doing... I'm just not sure how to start developing a site around this, given the amount of updates and the early stage of it.

I'm trying my best to avoid changing any of your files so I can update easily, but that becomes difficult... Any suggestions?

Seen you started working on these and i made some changes to the layout to be more like the users.php file for consistency across the app, this is what i came up with so far now alot but here it is: https://github.com/lilfade/UserFrosting/commit/49fa700bb663f0d011223e3e21f2ed8e90d04fa3

Delete function working: https://github.com/lilfade/UserFrosting/commit/f11d72f3d39edbea79e2d44600dacc1ce953d58c

create hacked together: https://github.com/lilfade/UserFrosting/commit/7fb2d6e28f06e1fe5b79f588c03386def9849e13

Pushed some more changes, still not done yet but lemme know what you guys think!

I was thinking of building a real time chat module for UserFrosting, based on a websocket chat module i've already built for my own project, but it occurs to me that some users would not be able to use said chat module, because it requires a long time running php websocketserver(use about 60mb memory in HHVM, unsure in php-fpm).

I'm opening this thread to gauge interest for such a module, and foster debate on specifications(ie, websockets only, fallback to ajax/comet, or configurable(ie, ajax only mode, websocket only mode, fallback mode)

the current module supports two commands:

It also should be noted, there are certain requirements to making the server work with SSL/TLS, since it must perform a post in https(http with TLS), but the upgrade must be able to occur over wss(websocket with TLS). i use nginx, but i assume this will work with apache as well.

using stunnel an TLS termination endpoint, you can use websockets over tls to communicate with stunnel, which forwards the unencrypted data to the websocket server's port in plain http for the handshake, then plain ws for the upgrade and all subsequent messages. you could think of stunnel like a proxy of sorts, since's php's underlying low level socket functions do not support decrypting ssl streams, and doing so in php would be trivial and a waste of resources. Some people will not agree with my approach, however it is the correct approach in my opinion. php is not designed to handle ssl and encryption, and stunnel can do this more efficiently than php could ever dream to. i opted for low level socket_* functions on the server to give the most flexibility and performance, but on the client side, sendmsg.php which is an ajax file used to broadcast a message to the chat we are using the stream functions to encode the message. we do not write directly to the socket server with javascript's send function as this is a security vulnerability(websockets do not pass session informaton except in the handshake).

instead, we post the message with ajax to sendmsg.php where we retrieve the username and private key required to write to the socket server, connect to the socket server, then send the json_encoded, hybi 10 encoded array containing (writekey,message,username,timestamp) to the server program, which decrypts it, stores it in the database then writes it to the f* functions to connect and write, and read interact with the server.

if you would like to see a demo of this server and test it out a bit, you can see my dev environment here: https://openex.info

ive tested in the latest versions of chrome, firefox, ie, and safari which all support websockets, and it works in each of these browsers.

if you encounter any problems or find a vulnerability, you can comment below as you wish. peace out userfrosters!

Downloaded the latest version of butterflyknife, created a new database. edited the db-settings.php file, and ran /install.

All tables created fine. Entered root account information, put in the token, pressed the button and I got two errors saying "The master account already exists!" on the Installation Complete screen. I checked the information in the database, everything looks fine.

I deleted the installed folder, visited the website (i.e. foobar.com/) and the home screen comes up. It then redirects me to http://foobar.com/localhost/account/dashboard_admin.php. I removed the localhost/ out of the URL in the browser, pressed enter, and it still redirects me back to http://foobar.com/localhost/account/dashboard_admin.php

Now when I visit foobar.com/ it still redirects me to http://foobar.com/localhost/account/dashboard_admin.php

I looked around in the MySQL configuration table and saw website_url as localhost/ and i changed it to foobar.com/
Now it goes to http://foobar.com/foobar.com/account/dashboard_admin.php

Changing the website_url information in the database to http://foobar.com did not fix it either. Still redirects to http://foobar.com/foobar.com/account/dashboard_admin.php

Hi Alex,

Would really appreciate if you can include the SMTP authentication along with the PHP Sendmail function.

Hi firstly I really like this project :-] I never used github so I hope this post is appropriate? There is some issues when installing butterfly knife, it runs through and adds the tables correctly once models/db-settings.php has been manually edited (should this be a step in the installation process itself?):

1 - it tells me to add root user key, but I cant, I get the following error when manually accessing http://mysite.dom/install/create_root_user.php

Warning: Cannot modify header information - headers already sent by (output started at /home/mysite/public_html/install/config.php:61) in /home/mysite/public_html/install/create_root_user.php on line 99

but it does actually create the root user correctly in the database, so then next issue

2 - root user is created but has primary-group-id set to 1 not 2 so is redirected to standard user login not admin dashboard, obviously easy to fix via phpmyadmin but just needs a small tweak in the install script I guess so set the correct user?

3 - Upon completion the models/config.php line 73 is still hardcoded to:

or define("SITE_ROOT", $url_prefix . "localhost/userfrosting/");

should install process take care of this and adjust it?

First at all: Thank you very much for your efforts, your work is much appreciated and extremely helpful to my current (first development) project.

Regarding suggestions:

1. While I read through some topics I read about your plans for function level security. I love that concept, but would freak out, if that concept could be brought down to the user level. Think about users that might want to share some specific but not all content with their "classmates". Enabling them creating "(home)work" (fields, docs, pages, posts,... whatever) and choose "followers" (or "friends" or complete usergroups or "just" their classmates,...) that may read/access that content/snippet (somehow like facebook allows targeting specific posts to specific users or groups).
2. Many if not most consumers of your solution will have precise ideas for their own design. While going the own way with the design, at least me as a beginner in php and mysql would "fear" any upcoming updates, even if those are eagerly awaited as it is not very clear (to me) how functions and design are seperated. A guide specifying some details about this or a "designless" set of files as alternative for those that want to integrate in their own templates but keep them maintainable would be a great advantage over any solution I have looked for so far.

Thanks again for the work you are doing here, I am confident, your approach will get a lot attention.

Best Regards
Frank

Howdy! I am using UserFrosting as a base for my home automation project. There are several groups for different reasons, such as viewing and editing certain code and alike. However, I am having some issues displaying something for just a certain group, and not all the ones below it.

Let me explain a bit more, because this is a probably a bit confusing.

The line of code:

if($loggedInUser->checkPermission(array(7))){

will show a menu item to group 7, which is the file editor in my case, but it will also display it to group 8,9,etc... I feel this has to do with the array part, but I am unable to work it out myself.

How would I go about showing a menu bit to a certain group, and only that group?

Cheers,
Jacob

Butterflyknife will give admins more fine-grained control over user authorization. However, this also means more "moving parts" and a greater chance of security failure. So, we need to carefully test the security of each API page, trying out different POST and GET requests from different types of accounts, as well as from a logged-out state. Any volunteers?

Include/Require files should be set based on the absolute path...When I created a new folder in the root directory I was running into issues.

Alex,
Thank you. I've found UserFrosting to be everything I need for user management, except for the ability to delegate user management within a group. This will allow for corporate accounts, for which there is one or more administrator that can create more admin and user accounts, but only within that corporate account. It could be quickly implemented with a "create group admin" page that nobody has access to (except the root user) that can 1) create a new group and 2) create an admin user and assign them to one of the existing groups. At that point, the existing admin functions that create/edit new users and admins would also have to be automatically assigned to that same group.

I'd be willing to help out, if you think this would be a useful addition.

Eric

First of all, thank you for all of this!

I'm trying to create additional pages and have them show up on the dashboard, displayed like the menu items currently in the dashboard (e.g. account settings).

Thanks again!

1 suggestion:
you should reorganize user cake like in a folder called admin all the admin things and in another one called scrips the logout script so that in the main folder you only have a login file and a hompage and any other files the user adds cause its really confusing

I'm sure I am doing something wrong here, but I've registered several accounts which appear to register correctly, but every time I try to login I get "Username or password is invalid" no matter if its an admin or new user account. How can I fix this? Thanks in advance.