hubzero / hubzero-cms Goto Github PK

As the distributions drop support for PHP5, it may become necessary for the application to support PHP7.

Issue
Sensitive data exposure occurs when an application, company, or other entity inadvertently exposes personal data. Sensitive data exposure differs from a data breach, in which an attacker accesses and steals information.

Effected Vulnerable
/hubzero/framework/blob/283d21ec5963e613e455db737cccc5503f7d3ac1/src/Config/Tests/Files/Legacy/configuration.php/

Responsive

<?php
// @codeCoverageIgnoreStart
class JConfig
{
	var $access = '1';
	var $api_server = '1';
	var $application_env = 'production';
	var $debug_lang = '0';
	var $editor = 'ckeditor';
	var $error_reporting = 'simple';
	var $feed_email = 'author';
	var $feed_limit = '10';
	var $force_ssl = '1';
	var $gzip = '0';
	var $helpurl = 'English (GB) - HUBzero help';
	var $list_limit = '20';
	var $log_path = '/var/www/hub/logs';
	var $log_post_data = '0';
	var $offset = 'America/Indiana/Indianapolis';
	var $sitecode = 'hz';
	var $sitename = 'hubzero.org';
	var $tmp_path = '/var/www/hub/tmp';

	var $dbprefix = 'jos_';
	var $dbtype = 'pdo';
	var $host = 'localhost';
	var $password = 'drowssap';
	var $user = 'hubadmin';
	var $fromname = 'HUBzero';
	var $mailer = 'mail';
	var $mailfrom = '[email protected]';
	var $sendmail = '/usr/sbin/sendmail';
	var $smtphost = 'localhost';
	var $long = array('period' => '1440', 'limit' => '10000');

	var $session_handler = 'database';
	var $solr_client_id = '12b910947122dfab5238b9e728774486';
	var $solr_client_secret = '6e291d7c6a9c8859104dd04332f5f07cbb30d6c0';
	var $solr_host = 'localhost';
	var $solr_password = 'drowssaprlos';
	var $solr_port = '2093';
	var $solr_username = 'hubzerosolrworker';

Best Regards
@duckoverflow

On a fresh standup (via vagrant, https://github.com/axfelix/hubzero-vagrant), trying to see what API endpoints I can access based on the documentation available from https://localhost/developer/api/endpoint/projects:

Some of the listed endpoints return 404s, e.g.:
https://localhost/projects/list

Is this documentation up to date or is something broken in my standup?

https://hubzero.org/support/ticket/5416

David Lomas (dsl101) 7:57 am 20 Jun 2014

1.2.2 Thu, 19 Jun 2014

Recently updated this hub to fix the email HTML and Newsletter timezone issues - they're all gone, but we're still seeing problems in Group Calendar I'm afraid. I'll try to explain carefully, but it's pretty intricate...

I created 3 test events in a group calendar - here are the names, and you should be able to see what I put in the date / time / timezone fields:

Test1 01:00 UTC
Test2 05:00 UTC+1
Test3 09:00 UTC-5

The first snag here is that the timezone field here is a little confusing for people on daylight saving - in the UK we're normally on UTC, but in the summer we move to UTC+1. So, should I enter UTC or UTC+1?

Having entered them as above, this is what I see in the month view of the calendar:

2a Test1 01:00 UTC
6a Test2 05:00 UTC+1
10a Test3 09:00 UTC-5

I'm presuming those '2a, 6a, 10a' are intended to be the start times (e.g. 2am, 6am, 10am) in my local timezone? In which case, only the first entry is accurate - a 1am UTC event would be 2am for me. The others are wrong - 5am UTC+1 would be 5a for me, and 9am UTC-5 would also be 3p for me. It looks like it is assuming all events are in UTC, and just adding on the 1 hour for my current timezone, which is effectively UTC+1.

When I open up those events, this is the detail view I see:

Test1 01:00 UTC: 1:00 am BST
Test2 05:00 UTC+1: 5:00 am CEST
Test3 09:00 UTC-5: 9:00 am EDT

I don't think any of those are correct:

• The first one isn't 1am BST, it's 1am GMT (2am BST)
• The second one isn't 5am CEST, it's 5am BST (6am CEST)
• The third one isn't 9am EDT, it's 9am EST (10am EDT)

It's also strange that in the month view I get something approaching my local timezone, but in the detail view I get an (incorrect) version of the timezone for the event.

From the user experience (UX) perspective, launching a tool (e.g., from Dashboard) in the same tab is IMO a bad idea. It breaks/interrupts the flow and does not provide easy and efficient mechanisms of returning to a starting point or hub’s home. Thus, I wanted to suggest implementing the following (small) feature: 1) default behavior for Run Tool should be open in a new tab (trivially implemented by adding relevant flag to corresponding links’ URL code); 2) to enable the ultimate flexibility, allow hub admins to change the default behavior on a tool-by-tool basis (by introducing an additional configuration element in Control Panel and/or via a separate configuration file; e.g., “/etc/hubzero/tools_start.cfg” with key-value pairs “<tool_name>.start_in_new_tab = False”). Part#2 is optional and can be implemented separately at a later time, if needed. But implementing part#1 is quite important from UX perspective and, considering that it’s extremely easy to do, I see no reason for not improving this aspect.

Please let me know what you think and whether you would agree to implement this soon in the upstream.

-Aleks

Allow the HUBzero CMS to interact with a Globus endpoint

https://purr.purdue.edu/support/ticket/1221

Megan Dale (mdale) 3:02 pm 01 Dec 2016

1. What was the user trying to do?
   Show the dates of when files that are added or changed

2. What did they expect to happen?
   The file directory in your project should automatically display the last modified date for each file, and should show you the full version history for that file if you click on the date.

3. What actually happened?
   Sometimes a file directory shows N/A next to a file instead of the modified date. If I click the "Modified" heading at the top of the directory to sort by modified date, any N/A's in the list resolve to actual dates.

https://travis-ci.org/hubzero/hubzero-cms/builds/194885635 supposedly contained the same files as https://travis-ci.org/hubzero/hubzero-cms/builds/194928112

https://purr.purdue.edu/support/ticket/1198

It would be way cool to have a standardized way to represent DOIs on throughout the hub. I've attached an example of a Github-style badge used to communicate the DOI and resolve it when clicked.

http://pages.tacc.utexas.edu/~eijkhout/istc/istc.html

https://nanohub.org/support/ticket/317147

Suggested by Hubzero Foundation member, Jack Allen Smith

Would it be possible to label Collections prefixed/suffixed with the owner of the collection to distinguish collections with the same name when browsing/searching collections across the site? Collections named Books, Articles, Conferences, News,... are quite common across multiple users and groups.

https://purr.purdue.edu/support/ticket/797

https://hubzero.org/services/opensource advertises that

It is now possible to install HUBzero on RedHat Enterprise Linux 6.

but the link provided is to a blank page. Are there in fact yum packages available, and if not, how can I go about testing HUBzero on a Centos machine? Thanks for any advice!

PlantingScience Request

Bug Description

There is no package listed in packagist.org for hubzero/standards, found under require-dev in the composer.json file. Consequently, this causes a composer install command to fail.

Composer error:
The requested package hubzero/standards could not be found in any version, there may be a typo in the package name.

Reproducibility

From ./core run php bin/composer install

For bugs with fixers: How was the code fixed?

Environment

Up-to-date dev branch

Hello,

Can you please suggest detailed steps for API integration in Hubzero. Also, if you could point me to an example of API integration with Hubzero.

Thanks
Apurv

https://nanohub.org/support/ticket/314912

https://hubzero.org/support/ticket/9070

Allow batch processing of LDAP sync initiated by the CMS in Export to LDAP functionality found on the back-end. This times out for large hubs, such as nanohub.org

https://nanohub.org/support/ticket/309680

Create an interface on the backend to adjust API rate limiting.

https://purr.purdue.edu/support/ticket/944

The link to development styles and conventions in the contribution guide leads to an empty page.

Make the title of super group pages visible as a horizontal menu - probably below the 'main' menu bar i.e. the one showing Collections, Forum, etc.

From https://hubzero.org/support/ticket/10316:

hzcms is meant for the Debian or Redhat package versions of the CMS.

The manner in which we are distributing the CMS moving forward is a discussion that is happening internally.

It would be my hope to have the Debian and Redhat packages created more frequently so we can rely on them for distributing the code. In that manner, updating would be simply a yum update. There may be some downsides to that approach that I have not discovered yet, but this is an active conversation in the Hubzero development group.

Allow the default setting in a publication to "post draft" and not as "Publish draft"

Be able to control who can add comments to a wiki page. Do this via roles e.g. give someone the 'trusted editor' role. Ideally, this would work on a group level, rather than across the whole site.

https://nanohub.org/support/ticket/317123

A project TODO item does not get physically deleted upon user's confirmation in the "Permanently delete this item?" dialog box. A brief review of the relevant code ("core/plugins/projects/todo/todo.php") reveals that the call on line 718

if (!$objTD->deleteTodo($this->model->get('id'), $todoid))

does not actually process the user's input in the relevant dialog box (which is the 3rd argument in deleteTodo(), where the default value of the 3rd parameter (0) is to not physically delete an item).

Used by PlantingScience to manage students.

Better control over when/how often members are notified of changes/activity in a group.
https://hubzero.org/support/ticket/9267

Dear HUBzero team,

Following my message on Twitter, and your response, I open an issue concerning the fact that all Google HUBzero old links (hubzero.org) are not pointing the new URL (help.hubzero.org)... Maybe you can redirect this ?

Cheers,

Yvan

Bug Description

Storage indicator in a Tool window is expected to display value (bar size) that would match the actual size of the storage used by the tool. However, this does not happen (as can be seen in an image below).

Reproducibility

To reproduce, start a tool (e.g., Workspace) and observe the area to the right of Storage (manage) text in the bottom left corner of the tool window. Notice that the bar size does not match the actual storage size displayed as X%.

Environment

Additional Context (optional)

None

I created a new Debian 8 VM and followed the installation instructions for 2.2.0 at https://help.hubzero.org/documentation/220/installation/debian/install/ .

While it appears that the main CMS installs fine and works, some components do not. Notably, the configuration scripts error and dump a stack trace for Forge, VZ (container system), Maxwell, Workspace, Metrics, Rappture, and submit-server.

I'm guessing this is due to the 2.2.0 docs not reflecting the current state of 2.2.9... I noticed that #70 states that the packages are the official installation and update mechanism, is there a plan to update the installation docs?

Also, considering that Debian 8 only supports PHP 5.6 and that's no longer getting security updates as of Jan 1 2019, I'm guessing that the project will either be providing a backported PHP 7 package, or will be moving to Debian 9 as the supported platform. Is there any sort of timeframe on when that will happen? It's pretty old, but the latest info I've found on the topic is in #63: "We have not yet started work on determining whether Debian 9 will be able to host a complete hubzero environment and it will certainly not install or run on it until that work is begun."

Thanks!

Use-cases:

• A file shared in a slack channel can be imported into a Group or Project.
• Discussions can be transferred between Slack and Hubzero notes, blogs, other communication features
• Add web hooks for cms events to notify Slack channel

https://nanohub.org/support/ticket/285261

Currently uses old xprofiles table and other models. Convert to use Relational class / "ORM".

PlantingScience request.

Dear HUBzero team,

I encounter an issue.. Apparently a bug. When creating a new ticket on a fresh HUBzero installation (from 2.1.2.0 VMWare VM OR Dockerized HUBzero,) this ticket seems to be hidden... No opened ticket appears on the myhub/support/tickets URL even on the backend even if we can see on the backend control panel that there is one...

The link on https://github.com/hubzero/hubzero-cms to https://help.hubzero.org/documentation/current/installation is 404'ing as of 2018-07-11.

test issue

Transfer support tickets to GitHUB

https://nanohub.org/support/ticket/317085

If an account is linked to another login method like Facebook, Google, LinkedIn or an institution through Shibboleth, allow the user to disable the login method with a hub password; this should make the account never expire. The rationale is that it minimizes the attack surface of accounts and is less hassle for users (fewer passwords to keep changing). Also, if the other login methods support more secure logins like Google's 2-factor authentication, the hub password login method is a liability. Besides making sense on its own, this feature is needed before we can handle higher security requirements such as hubs with more than limited data sets (HIPAA).

From Pascal.

The landing page of the backend help articles (found in https://{hub}.aws.hubzero.org/administrator/index.php?option=com_help) has an incorrectly sized iframe. If debugging is on, it also has two debugging consoles: one at the bottom of the help-page iframe and one at the bottom of the whole page. The iframe needs to be expanded so users don't have to scroll to see all of the text.