Transition Technology: Ticket Query

#655: Add social media icons with counters to blogs listings views

ed — Thu, 12 Dec 2013 13:03:11 GMT

Investigate with Rob how to add Social media icons with counters into the /blogs listings views and individual node views.

I suggest starting with just Rob's blogs (/rob-hopkins), separate context for 'Transition Culture section' and then roll it out over other blogs and maybe news content type once the /rob-hopkins has been trialled

Sam to talk with Rob

Also cc-ing Ben as design - theme guy

#582: TN.org platform and sites

jim — Mon, 02 Sep 2013 09:30:02 GMT

The TN.org platform and Drupal site updates are to be tracked in this ticket.

Current PROD platform build = P009 Current STG platform build = S010

Updates pending:

SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009.

#662: Subscriptions' links in text emails breaking

ed — Tue, 17 Dec 2013 15:37:13 GMT

for January - to get Sam and Jim talking - in January

The subs sent out to subscribers: are fine in html but the text version is broken and unsatisfactory. I know we've been through this and it's a known bug etc. etc. but I'm wondering if we can switch all subs to html, or if there are any patches to this problem?

Adding as Jim's ticket with Sam cc-ed

#701: Emails & Telephone calls

paul — Tue, 18 Mar 2014 09:38:24 GMT

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

paul — Wed, 16 Jul 2014 21:55:29 GMT

View online: https://www.drupal.org/SA-CORE-2014-003

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

.... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability.

.... Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField? [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField? - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

.... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

.... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

/A CVE identifier [5] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.32.
Drupal core 7.x versions prior to 7.29.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.32. [6]
If you use Drupal 7.x, upgrade to Drupal core 7.29. [7]

Also see the Drupal core [8] project page.

The denial of service vulnerability using malicious HTTP Host headers was

reported by Régis Leroy [9].

The access bypass vulnerability in the File module was reported by Ivan

Ch [10].

The cross-site scripting vulnerability with Form API option groups was

reported by Károly Négyesi [11].

The cross-site scripting vulnerability in the Ajax system was reported by

mani22test [12].

The denial of service vulnerability using malicious HTTP Host headers was

fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team.

The access bypass vulnerability in the File module was fixed by Nate Haug

[15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19].

The cross-site scripting vulnerability with Form API option groups was

fixed by Greg Knaddison [20] of the Drupal Security Team.

The cross-site scripting vulnerability in the Ajax system was fixed by

Neil Drumm [21] of the Drupal Security Team.

The Drupal Security Team [22]

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23].

Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#590: Drupal performance improvements

jim — Fri, 06 Sep 2013 10:27:27 GMT

This ticket is to track the work and changes done within the Drupal sphere in relation to performance enhancements done since #585.

More information is needed and will come when ticket:586 New Relic Monitoring for BOA is completed.

I also note that many of these cleanup operations will also help make the move to D7 smoother and better.

Summary of actions and status

TODO

O) Stop making so many URL aliases for non-relevant pages, clean up url_alias table -- 1/4-1/2 hour, medium reward, only risk is that some already broken links might break... Per chat with Ed, only these will be removed (plus releated tweaks to Pathauto settings):

3,579 entries where src = node/%/feed
1,856 entries where src = user/%/contact
= 5,435 or ~11% of entries in url_alias

L) Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules. 2-4 hours, high reward, low risk... Keep looking at the slow query log and adjust Drupal or find patches as necessary. ALSO related Reduce your server's resource usage by moving MySQL temporary directory to tmpfs... Have opened ticket for this: #591 for Chris.

Done

A) Remove spam taxonomy entries ~~1/2 hour, Low risk, low reward -- See item 8 below. A simple delete from taxo term table where length > 50 is worth doing IMHO, and nothing I saw that would be clobbered is not spam.~~

B) Try a Taxonomy Cleanup: 3 hours, Medium risk, medium reward -- style module to try to merge terms with the same names and clean up the link tables back to nodes. Further, we can remove any taxonomies or relations to certain CTs that don't really add value.

D) Review Views caching ~~1 hour, low risk, high reward -- Utilise Views Content Cache this was done a while back but I think -- done (task 12) in comment 21.~~

F) Force blocks caches to cached appropriately (and be rendered/included only as needed) 1-2 hours, medium reward, low risk -- BOA packages the Block Cache Alter, which makes sure Drupal only renders blocks when needed. Potential small but nice boost quickly in whole site. -- per comment 22, block caching is disabled by other modules so this will have to go on hold for now.

H) Remove CustomError? module all together 1/2 hour, low risk, low reward -- We should take out the PHP code from the 403 section of CustomError? and put it into a simple page entry. See comment 6 below as this has happened for 404s (which need no PHP). We can then remove the CustomError? module all together, saving lots of sessions. I would go ahead and do this but since the 403 page has various displays depending on user type, I wanted to raise it here as it *may* have side effects. Or not...

I) Re-enable block caching. 2-6 hours, high risk, high reward -- Per comment 24, a module (probably Content Access) is stopping Drupal caching blocks, which for some of them means a fair amount of pointless overhead. We need to somehow get around this and get blocks cached if possible. R&D mainly, perhaps with some hacking/patching - but I'd stop short of doing this if so.

K) Add & enable Views Lite Pager on big views. ~~1 hour, low risk, low reward -- Using this module stops a heavy count query on views with pagers -- recommended for large sites.~~

M) Take control of Cron, and maximise time pages are cached for. .25h, high reward, low risk -- Cron is wiping the page cache, so we need to install https://drupal.org/project/elysia_cron so we can clear the page less often, and run other things when we want and the site is quieter. Now need per minute resolution set to get the best, see comment 33 and 34 for more...

N) Replace Admin Menu 1.x with 3.x -- will happen when #590 occurs, marking complete here -- ~~5 mins, high reward, low risk -- done when #582 happens, could be the cause of some load spikes as it occasionally goes made and does 2000-5000 queries~~~~

#636: Changes to Space.transitionnetwork.org homepage to facilitate user registration

ed — Wed, 27 Nov 2013 17:30:19 GMT

Space currently does not give users who aren't already registered a way in. Anon users can see some of the spaces but when they try to apply for membership, they hit a login page, which they can't complete as they are not registered.

RTFM for OA as to OA best practice - this is billable time. Then leave notes about it in wiki for later developers.

The homepage needs editing to sort this out. Here are some first changes:

2.1. Remove the 'Need the pros' pane (RHS) 2.2 Remove the 'Just getting started' pane (LHS) 2.3 Add a 'Request membership' pane which is basically a user registration form. Make registration 'approval only' for now, approval to be by a site admin (webproject@…)

The /spaces listings view shows the spaces that are publicly viewable, and there is a 'request group membership' button for each of them.

Can you make this into a registration form as well?

#772: new TIs not appearing on staging until caches flushed

annesley — Tue, 05 Aug 2014 09:26:32 GMT

i added a new Mulling transition initiative on staging in Afghanistan and it did not appear on the map... i flushed caches and then it started appearing on the main initiatives map. is this intended? is it a known?

#821: Projects forms being hammered by Spam

ed — Wed, 07 Jan 2015 09:53:33 GMT

Projects forms being hammered by spammers. I got 24 in the last 45 minutes.

What to do?

Lock off to a certain type of user?

Adding Sam as owner to follow this up

#606: Site upgrade tasks -- pre-migration cleanup

jim — Fri, 11 Oct 2013 12:00:13 GMT

This ticket is to track the issues left over from #590 that need to be considered and tackled prior to migrating the site from D6 to D7 (or 8).

Please feel free to add as needed, but sticky to the

C) Cleanup: List of features we don't really need

Ed to add his items to following list... Need rational and alternative approaches for each.

C.1) Remove 'Geographic region' and related taxonomy and Hierarchical Select modules 1 hour, low reward, low risk -- never really been used and is effectively a duplicate of the location field. let's kill it!
C.2) Kill Microsites and the Forums -- The handful of people using the CMS feature should be migrated to Open Atrium if they need such features.
C.3) Remove forums -- We could migrate the forum to a simpler setup (not using forum module) that leverages normal commenting, or even Disqus or other services to offload comments and moderation. Also encourage user-submitted ocontent and promote that if it's good or gets interesting debate.

D) Key development tasks

D.1) All inline PHP must be moved to modules and features -- This has great benefit for management, maintenance and developers. Eval()uated code is much slower than PHP in files, especially since it can't be accelerated by APC or Zend Opcode cache... We have a few blocks and many views that are loaded from the database and evaluated. Ideally the blocks would be moved to the 'Transition Extras' module, and the views would be pushed into features. This work is good to do for maintainability and D7 upgrades, too. See: http://2bits.com/api/abuse-drupal-best-practices-your-own-peril-poor-performance.html and http://2bits.com/articles/free-your-content-php-moving-php-code-out-blocks-views-and-nodes.html

D.2) Build in ESI (Edge Side Includes) support from the outset, ensure Drupal renders only what it needs to -- BOA packages the ESI (Edge Side Includes integration) module, which makes NginX cache the whole page (as it does now), but also for user-logged in pages (which it does for 5 seconds since the page data changes). This means Drupal renders the ESI component (blocks, panels panes) that are have user-specific data in. Potential boost quickly, but will need time to tweak settings to get best from this across whole site. See comments in 4 & 5 below for discussion~~, should be done after proposal F, above~~.

E) Key editorial tasks

E.1) More Taxonomy cleanup -- try to merge terms with the same names, clear out spammy terms, general spit-and-polish. Ed plus team of busy interns to do this when the time is right.

Z) old stuff for reference; tasks from #590 rendered pointless by move

Z.1) Find Variable table writes and kill them -- seeing plenty of SELECT * FROM variable calls, which imply a cache clear due to a variable being set. In normal use variables shouldn't be set (admin screens tend to do this), so I'd like to try to see what module it causing this and patch/remove it. Will need to run grep -R "variable_set() * > ~/static/variable_set-calls.txt" in the {{{sites/all directory to generate a list, then trawl though it to find candidates/bad modules practice.

#661: Add button block to homepage RHS: Send us your news stories

ed — Tue, 17 Dec 2013 15:34:53 GMT

January:

Create button for TN homepage and /news and /blogs to encourage people to send in stories.

create button like the existing ones - e.g:

https://www.transitionnetwork.org/admin/build/block/configure/block/89?destination=newhome

add suitably pithy text

if in doubt about style, read Ben's style cheatsheet on google docs:

https://docs.google.com/document/d/1z6JYGiy8EJ6pqjm_WyNUS26fQgIClmIFg0a-8y-Mots/edit#heading=h.siua52eim2e9

this will need to be an email forwarder to send to Rob instead of a http link as per the other buttons, so you'll need to set one up on United's dashboard using the main 'jmcgeechan' account

cc-ing benj as he can be around to help with postitioning/button make if an issue - but can't do email forwarder set up - and don't forget sam - if you're too busy you can always farm it out to ben (although this is probably a bit easy for ben, he'll know about how to get blocks in the right order)

#715: Views admin pages not visible.

sam — Tue, 08 Apr 2014 14:51:29 GMT

Hi I just tried to access the views admin interface here: https://www.transitionnetwork.org/admin/build/views

It doesn't load the views admin pages, just an overview of the 'site building' pages instead.

The page works as I expect it to on the stage site here: https://stg2.transitionnetwork.org/admin/build/views

I have checked and the module is still enabled, The permissions look right (site admin is allowed to administer views: https://www.transitionnetwork.org/admin/user/permissions)

Anyone got an idea whats going on?

Thanks

Sam

#741: Views editor disappears in backend

annesley — Thu, 12 Jun 2014 10:42:13 GMT

admin > views > edit the view editor interface appears and then disappears immediately this happens in Chrome / Ubuntu and Firefox / Mac

#761: Spam account cull

ed — Thu, 17 Jul 2014 08:45:33 GMT

There are bucketloads of spam accounts swamping us. Spam commeting is swarming again. I just did several pages of deleting spam accounts. No doubt I nailed some humans too (sorry Sam if this comes back to you); but the overwhelming majority of new accounts are spam.

It's crap and we need to have another spam sweep - especially if we're staying in D6 for a while.

See work done in Feb 2013: #461 See wiki page done in Feb 2013: https://wiki.transitionnetwork.org/Spam_accounts

SAM I'm going to suggest you start looking at it, and get your head around it, and the various modules and processes we've got running, then ask you to act/escalate accordingly.

#789: SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

paul — Mon, 22 Sep 2014 13:09:48 GMT

View online: https://www.drupal.org/node/2340029

Advisory ID: DRUPAL-SA-CONTRIB-2014-088
Project: Mollom [1] (third-party module)
Version: 6.x, 7.x
Date: 2014-September-17
Security risk: 11/25 ( Moderately Critical)

AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]

Vulnerability: Cross Site Scripting

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting).

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom [4] module, there is nothing you need to do.

Install the latest version:

If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11

[5]

If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11

[6]

Also see the Mollom [7] project page.

Matt Vance [8]

Lisa Backer [9] the module maintainer
Matt Vance [10]

Greg Knaddison [11] of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

#792: [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

paul — Mon, 29 Sep 2014 09:28:08 GMT

View online: https://www.drupal.org/node/2344369

Advisory ID: DRUPAL-SA-CONTRIB-2014-094
Project: Webform Patched [1] (third-party module)
Version: 6.x, 7.x
Date: 2014-September-24
Security risk: 13/25 ( Moderately Critical)

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]

Vulnerability: Cross Site Scripting

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content".

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Webform Patched 6.x-3.x versions prior to 6.x-3.20.
Webform Patched 7.x-3.x versions prior to 7.x-3.20.

Drupal core is not affected. If you do not use the contributed Webform Patched [4] module, there is nothing you need to do.

Install the latest version:

If you use the webform module for Drupal 6.x, upgrade to webform_patched

6.x-3.20 [5]

If you use the webform module for Drupal 7.x-3.x, upgrade to

webform_patched 7.x-3.20 [6]

Also see the Webform Patched [7] project page.

Maurits Lawende [8]
Matt Vance [9]

Nate Haug [10] the module maintainer

Greg Knaddison [11], Dan Smith [12] and Lee Rowlands [13] of the Drupal

Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

#809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

paul — Wed, 19 Nov 2014 21:35:25 GMT

View online: https://www.drupal.org/SA-CORE-2014-006

Advisory ID: DRUPAL-SA-CORE-2014-006
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-November-19
Security risk: 14/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Multiple vulnerabilities

.... Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode" [3]), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

.... Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

/A CVE identifier [4] will be requested, and added upon issuance, in accordance

with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.34.
Drupal core 7.x versions prior to 7.34.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.34. [5]
If you use Drupal 7.x, upgrade to Drupal core 7.34. [6]

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113 [7]

Also see the Drupal core [8] project page.

Session hijacking:

Aaron Averill [9]

Denial of service:

Michael Cullum [10]
Javier Nieto [11]
Andrés Rojas Guerrero [12]

Session hijacking:

Klaus Purer [13] of the Drupal Security Team
David Rothstein [14] of the Drupal Security Team
Peter Wolanin [15] of the Drupal Security Team

Denial of service:

Klaus Purer [16] of the Drupal Security Team
Peter Wolanin [17] of the Drupal Security Team
Heine Deelstra [18] of the Drupal Security Team
Tom Phethean [19]

The Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [24]

#874: Please check & then install Georss if no problems

sam — Tue, 29 Sep 2015 13:31:02 GMT

Hi Paul

We'd like to play around with generating Georss from our current site.

Could you have a glance at the code /test https://www.drupal.org/project/georss

If it seems like it's going to be unproblematic then please install it on the live site.

Thanks

Sam

#907: TN Drupal database size

chris — Wed, 02 Mar 2016 10:20:10 GMT

6 weeks ago the datadase dump was 447M, see trac:ticket/896#comment:3 but now it is 1.8G:

ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql
-rw------- 1 root root 1.8G Mar  2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql

Anyone have any idea what happened to cause this? Are we keeping too many log entries?

#919: Site offline

chris — Thu, 14 Jul 2016 18:17:26 GMT

The https://www.transitionnetwork.org/ site has been "off-line" since about 7pm, I see that Paul is logged on via ssh -- is this something that we should worry about or is this intentional?

#519: Fixing various URL in the Database

chris — Fri, 15 Mar 2013 13:47:21 GMT

This page:

http://transitionnetwork.org/support/what-transition-initiative

Contains this HTML:

<p><img alt="TransitionSantaCruz" src="http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png" align="right" height="69" width="150"></p>

The image is a 404:

http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png

The correct location for the image is:

http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png

Looking at the Internet Archive this was correct back in October 2012,

http://web.archive.org/web/20121022030350/http://www.transitionnetwork.org/support/what-transition-initiative

Their munged HTML contains the correct URL:

<p><a href="/web/20121022030350/http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png" class="colorbox initColorbox-processed cboxElement">

It appears to me that an edit must have been done on the database something like:

s;/sites/default/files/;/sites/www.transitionnetwork.org/files/;

There might well be other URLs to other Drupal sites that were changed when they shouldn't have been?

I have had a quick look at the database dump and couldn't find any examples of this problem, but there are 113 lines to check:

grep "sites/www.transitionnetwork.org/files" /var/backups/mysql/sqldump/transitionnetwor.sql | wc -l
113

I did notice that there are a lot of URLs in the database like this:

src=\"http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u5857/Map-TransitionNetworkOffice.jpg\"

And

src=\"https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u4/transition%20companion%20cover.jpg\"

Both the above links would be better starting with / or //www.transitionnetwork.org/ as this would avoid people getting HTTPS content when using HTTP and also getting HTTP content when using HTTPS.

I think it would be worth putting the site into maintenance mode, doing a dump of the database, checking these 113 lines for issues like those above, correcting them all and then reinserting the data, however this would need to be done at a suitable time.

I'd be happy to do this task. Ed, Jim, any thoughts about when would be a good time to do it?

#520: Session 443 config in settings.php

chris — Fri, 15 Mar 2013 23:16:49 GMT

There is this warning displaying at https://www.transitionnetwork.org/admin/reports/status

Settings.php is not setup correctly. With the current configuration of 443 Session module, the following lines must be in settings.php.
      if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        ini_set('session.cookie_secure', 1);
      }

Based on the check of what is happening with cookies done on ticket:371#comment:34 and ticket:371#comment:36 things are currently working OK, session cookies do have the secure flag set, so I'm a bit confused by this warning message. I also think that the PHP suggested to add to settings.php looks perfectly sensible and should be included, I'm sure we did have it on the old server, however there are 33 settings.php files on wiki:PuffinServer and I'm not clear which one the live site uses.

#521: MySQL Unsafe statement warnings in the daemon.log

chris — Sat, 16 Mar 2013 09:46:57 GMT

I don't know if these matter?

I found them when hunting for 502 errors.

grep "Unsafe statement written to the binary log" /var/log/daemon.log | wc -l
343

Some examples:

Mar 16 09:28:20 puffin mysqld: 130316  9:28:20 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: DELETE FROM notifications_event WHERE created < 1363426040 AND eid < (SELECT MIN(eid) FROM notifications_queue)

Mar 16 05:52:12 puffin mysqld: 130316  5:52:12 [Warning] Unsafe statement written to the binary log using statement format since BINLOG_FORMAT = STATEMENT. Statements writing to a table with an auto-increment column after selecting from another table are unsafe because the order in which rows are retrieved determines what (if any) rows will be written. This order cannot be predicted and may differ on master and the slave. Statement: INSERT INTO notifications_queue (uid, mdid, send_method, sid, module, eid, send_interval, language, cron, created, conditions) SELECT DISTINCT s.uid, s.mdid, s.send_method, s.sid, s.module, 61233, s.send_interval, s.language, s.cron, 1363413132, s.conditions FROM notifications s LEFT JOIN notifications_fields f ON s.sid = f.sid WHERE (s.status = 1) AND (s.event_type = 'node') AND (s.send_interval >= 0) AND ((f.field = 'nid' AND f.intval = 30718) OR (f.field = 'type' AND f.value = 'profile') OR (f.field = 'author' AND f.intval = 16908)) GROUP BY s.uid, s.mdid, s.send_method, s.sid, s.module, s.send_interval, s.

#603: Forwarding newsletter sends wrong message

ed — Thu, 03 Oct 2013 09:24:09 GMT

User forwarded newsletter to themself (other email account) and was sent the wrong message - from a different user to someone else. See forwarded mail below.

Please consider.

From: Jeanne <mackeyj@…> Date: Mon, Sep 9, 2013 at 11:57 AM Subject: Jeanne is forwarding an email to you To: jeano <jmackey50@…>

Hi Will Sutherland,

Kathleen L thought you'd be interested in this: http://us1.forward-to-friend2.com/forward/show?u=766036b57dc1247e2964584bd&id=7b4f6d65d1

Kathleen L also included this personal message to you:

more info for ya about Transition Towns - made me think of your game with their new book and ingredients and stuff - read about it... Did you find the link interesting?

You can forward it on to your friends, too: http://us1.forward-to-friend2.com/forward?u=766036b57dc1247e2964584bd&id=7b4f6d65d1

You can subscribe for more emails at: http://transitionnetwork.us1.list-manage1.com/subscribe?u=766036b57dc1247e2964584bd&id=33e8648c8d

Note: if any of the URLs above are not clickable, you can copy/paste them into your web browser.

#731: Meetings in maintenance

chris — Fri, 23 May 2014 10:47:39 GMT

Ticket to record time spent on Skype call on 22nd May 2014.

#646: Users denied access when trying to unsubscrbie

ed — Thu, 12 Dec 2013 10:16:23 GMT

I'm getting noticeably more complaints about users not being able to unsubscribe to email notifications for content or comment alerts and/or the newsletter.

The emerging pattern is that they are clicking on the unsubscribe link in their email alerts and going to an access denied page.

My sense says there's something in https/http? Or them not being logged in?

Something is definitely going on.

Adding this to Sam to pick up in January. SAM - tickets like this can bounce around the tech team a bit - stay on it!

#712: Create a new stgX.transitionnetwork.org site

sam — Tue, 01 Apr 2014 15:03:53 GMT

Hi Paul

I have been trying to build a staging site using your Github repository with the changes you made for ticket : https://trac.transitionnetwork.org/trac/ticket/693

I have edited the D6 s008 platform: https://tn.puffin.webarch.net/node/1157/edit to use your makefile.

It builds a site, but I just get an empty pressflow site at the end.

Could you build a staging site using your makefile?

Thanks

Sam

#802: Slovenian state information missing / 'Not listed' will not submit

sam — Thu, 23 Oct 2014 10:20:29 GMT

User reported: "I'm trying to register our fledgling initiative based in Dovje-Mojstrana, Slovenia. When I select the country, the Province/State? box automatically comes up as not listed. But then when I press preview to be ready to send, it says "The specified province was not found in the specified country." So I can't submit the form :-( Please help! I think we will be the first official Transition town in Slovenia!"

I had a go at creating the initiative in a different country, then editing it to Slovenia as a workaround, but that didn't work either: https://www.transitionnetwork.org/node/37435/edit

Any idea's as to why it won't accept 'not listed' as a valid choice? Or what we can do about it?

Thanks

Sam

#681: Submitting Transition event overseas: An illegal choice has been detected. Please contact the site administrator.

sam — Wed, 22 Jan 2014 12:31:29 GMT

Hi I'm using https://www.transitionnetwork.org/node/add/event

To create a Transition Training event in Belgium in the 'Limburg' region.

On submission I get the following error;

"An illegal choice has been detected. Please contact the site administrator."

It works for UK events.

I had a look at the fields in the event content type, but couldn't spot any problems