This is really old code, there are many CMS that you could use which are newer, have more features; and are easier to use.

Another page renderer. I have yet to stabilise on a regular system for doing these with, as the result web technology is too old by the time another friend asks for a new one.
As this isn't the first “replace a website” project I have done, I did hold a proper interview to gather the actual requirements for this site, but have lost the documents in a hard-disk failure.

Documentation shipped with source bundle.

As stated this was an incomplete code base. Several external system interfaces where documented (specifically the template language). I haven't had time to create API docs, this code isn't a completed project.

Security overview

I am writing this document primarily as there are tools for editing content, available via the website. These entirely avoid the normal access privileges.

When completed the website will only have edit privileges via HTTPS. The usernames are entirely unrelated to any other privileges on the system, so ownership of a password provides no follow through. There is currently no tracking of IPs etc. Currently no chroot() is issued, as this is known to kill PHP, this may be revised after testing.

The edit / add content doesn't allow access to directories. Attempts to put directories in file names are suppressed with addslashes().

No access to PHP (or other languages) is provided, the admin is adding content (ie text). The uploaded content is never used in an executive context (think like Perl taint mode), so is passive. Currently it would be possible to run SSI directives, but Apache has these disabled, so this would fail. The user interface constrains large amounts of input, although there is no defined policy for limiting file size.

Any file uploads (say images) are not executed. The htaccess bars execution of files in the assets or resources directories, which where any uploads would be put.

There is no SQL to be compromised. The underlying box is secured. There is no protection against “human layer” semantic attacks, but there never was and never will be (i.e. putting “i fink you stink” in the top of all the pages).

Authentication notes and design

  • This site has a really basic authentication system.
  • Visit the friends page and complete the form.
  • This posts to authentication script, which checks if you are a known user.
  • On success your privileges are upgraded;
  • On failure you are bounced back to the form.
  • The system tracks page hits using sessions.
  • Sessions are currently tied to COOKIEs, as this looks cleaner than GET arguments.
  • For tracking purposes, the current level of auth is printed in the menu.
  • Theory of the auth system.
  • Most of the site is accessible without any form of id.
  • There is an escalating cascade of privileges.
  • A site admin user is also a friends user, is also a guest user.
  • As with Unix, the higher privileges have lower ids.
  • The auth level changes the menu displayed, each page is validated before it is displayed.
  • Security was not rated as an important feature in the development of this website.

Config Notes

As of 2007-02-10 the following config options are available.

Name Default value comment
url_prefix '/tbbs' Sets an optional directory etc in all generated local URLs. You want to be able set this is you have awkward directories/ hosting in a public_html dir etc.
branding_css '/assets/tbbs.css' The location of the sites CSS file. Recommend you leave this setting, and just add content to the file.
branding_js 'assets/tbbs.js' The location of the sites JS file. All the random functions in the forms have been dumped in here. Recommend you leave this setting, and just add content to the file.
strap_line 'Titchfield Carnival: 125 years of Tradition' The tag that is inserted below every page title.
default_page 'news' The default page you are bounced to if something blows up.
site_language 'en-GB' The language the site content is written in.
self_name 'the TBBS website' In various places the site needs to refer to its self, what should it say?
email_to <deleted to stop spam>'' The email address that mails are forwarded to.
smtp_servers '' A semi-colon separated list of SMTP servers to talk to, when sending mail.
allow_dumps 1 Whether or not to allow debug dumps. This logging option will add data to the error stack (see debug).
show_who 1 Whether or not to display the current user account in use. This is useful for debugging, but you might not like it.
force_https 1 At what level of user does https become forced? use -1 for off. This is meaningless unless you have a SSL enabled server.
colon_marker 'colon' What symbol acts as a marker for :. The real value shouldn't be used, as this is used in the page language and they collide.
session_name 'key' What the cookie or GET argument is called. This is specifiable so you can ensure it doesn't collide with another option.
session_type 'cookie' How are sessions maintained? You can use cookies or get arguments.
debug_level 2 How many debug symbols to emit. These are put in the hidden errors list on each page (view source to know).

Web hackery markup notes

Page Header

This defines all the offsets foe the following data.
A colon separated list, terminated by a UNIX newline char.

The header list has seven items:
name symbol comments
Web hackery version vr currently must be 1
HTML title ht 1 or 0 for whether the page has a HTML title
Page title pt 1 or 0 for whether the page has an “in page” title
Page Summary sm 1 or 0 for whether the page has a summary (used in links that refer to it.)
keywords kw 1 or 0 for whether the page has any keywords
Chunk count cc how many chunks to expect in the page.
Auth group ag what group this page is restricted to. This is a less then or equals test, so more privileged users automatically have access to low privilege data.
  • The chunk count has no default value. Any data present after the chunk count has been reached will be treated as comments, like the _ _DATA_ _ marker in Perl.
  • Where items are not specified a default value will be applied.
  • Other than for keywords, where the tag is omitted.

Depending on the values specified in the Offsets line, the next batch of lines are read for the page header info. If a value is disabled (i.e. 0), it doesn't occupy a line in the Page file; but the default value will be applied. From the above description, you can infer this is up to four lines.

The keywords must currently be specified in the HTML meta tag format (e.g. comma separated), as there is no translation.

Page Chunks

A colon separated list, terminated by a UNIX newline char.
The first char (not colon separated) is the chunk type, and is restricted to the below list.
Successive items (as listed out for each chunk type) are listed below that.

Anchors: a,
0=>displayed text, 1=>href, 2=>title

Anchors: A,
0=>displayed text, 1=>href, 2=>title
Same as above, but different chunk type so the user interface can be made simpler

Paragraphs: p,
0=>displayed text, 1=>class

Images: i,
0=>src, 1=>width, 2=>height 3=>title

headers: h,
0=>content, 1=>class

UL list u, has two forms
opening: 0=>o, 1=>class, optional
closing: 0=>c

HTML table t, has two forms
opening: 0=>o, 1=>class
closing: 0=>c

Form f, has two forms
opening: 0=>o, 1=>form action, 2=>form name 3=>form method, 4=>form encoding
closing: 0=>c

Fieldset F, has two forms, this is called a border in the GUI.
opening: 0=>o, 1=>legend, optional
closing: 0=>c

Raw HTML, r,

Structural DIV, d, has two forms,
opening: 0=>o, 1=>class, 2=>id
closing: 0=>c

Page comment, *,
Not emitted to the HTML page.

HTML comment, -
All of the line is emitted inside a HTML comment tag.

Form row e,
Display name, name, type (defaults to text, if absent), value (defaults to “”), extra settings (directly in HTML)

Form submit s,
Display name (on the button), extra value (HTML, hidden fields etc, optional).
May get revised to have a second version with a back button.

Missing features

  • Spell check
  • The addslashes() all over the place/ htmlentities
  • More documentation
  • Logging/ usage analysis
  • Correct the .htaccess, so the index.php isn't necessary
  • Add some security lock downs
  • Column styles in tables
  • Possible recursion in data structures for complex bits like tables.
  • Some of the add image GUI isn't correct yet.