Archive for the ‘software’ Category

wp-cron and mysterious editing errors in wordpress

Monday, November 24th, 2008

We use several wordpress sites internally at work on a server with external web access. Ran into a very odd problem when using HTTP Authentication. By authenticating against the Windows Domain Controller at work, we don’t have to have users create another user name and password, which means things Just Work for the most part.

The problem was that someone would edit a post and the edits would vanish. No error, but their edits would never show up. It didn’t happen when using normal authentication, only with HTTP auth. I was able to verify that it also only happened when someone outside the domain the server and I were both on tried to edit a post.

Contacted the plugin author and he verified he was using his plugin on the same version of wordpress we were on. He got me on the right track by telling me to look for 401 errors in my apache logs. Found a TON of these where calls to wp-cron.php from the server’s EXTERNAL IP address were coming back with authentication failures. (the server has two IP addresses, internal to the domain and public facing).

Here’s what I think was happening: user in another domain would edit a post. As soon as they tried to save, the wordpress install would fire off a call to wp-cron.php from the external IP address of the server (since that’s how the user was accessing the site), which did whatever sort of housekeeping it was supposed to do when a post was edited. This would fail since the wordpress install itself didn’t have any means of authenticating to the Apache server as the user editing the post. (Editing the plugin might be a way around that). With normal cookie authentication, this wasn’t a problem (not sure why not - how does the server authenticate to itself? Or does it not, only when we tell apache to ask for authentication with every page load). So we get an apache error and the post is not saved.

Fix - The support forums for wordpress have comments from moderators suggesting that this is the fault of server admins who block this behavior, and that it is not a security problem. They also mention editing the server’s hosts file so it never tries to access itself via the external IP. My personal feeling is that if this is happening enough to make it into the forums, the WP team ought to look at this and find a better way to do it. Anyway, disable the spawn call in wp-includes/cron.php. This seemed to work, although it means you can’t future post. But I would rather do this than mess with the hosts file on the server, which affects all workings, rather than just wordpress itself.
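The log check described above (401 responses to wp-cron.php requests that originate from the server's own addresses), as an added example that is not part of the original post. It assumes Apache's common/combined access log layout; the IP addresses, log lines and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Apache "common"/"combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed values: the server's own internal and public-facing addresses.
SERVER_IPS = {"10.0.0.5", "203.0.113.10"}

# Constructed sample log: two user edits, the loopback cron calls they
# trigger, and one unrelated outside request to wp-cron.php.
SAMPLE_LOG = """\
198.51.100.7 - alice [24/Nov/2008:10:01:02 -0500] "POST /wp-admin/post.php HTTP/1.1" 302 -
203.0.113.10 - - [24/Nov/2008:10:01:02 -0500] "GET /wp-cron.php?check=0123abcd HTTP/1.0" 401 478
10.0.0.23 - bob [24/Nov/2008:10:05:40 -0500] "POST /wp-admin/post.php HTTP/1.1" 302 -
10.0.0.5 - - [24/Nov/2008:10:05:40 -0500] "GET /wp-cron.php?check=0123abcd HTTP/1.0" 200 -
203.0.113.10 - - [24/Nov/2008:10:09:13 -0500] "GET /wp-cron.php?check=0123abcd HTTP/1.0" 401 478
198.51.100.9 - - [24/Nov/2008:10:11:00 -0500] "GET /wp-cron.php HTTP/1.1" 401 478
"""


def failed_loopback_cron(lines, server_ips):
    """Count 401 responses to wp-cron.php per source IP, but only for
    requests the server made to itself (source IP in server_ips)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        path = m["path"].split("?", 1)[0]  # drop the query string
        if (m["ip"] in server_ips
                and m["status"] == "401"
                and path.endswith("/wp-cron.php")):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, count in failed_loopback_cron(SAMPLE_LOG.splitlines(), SERVER_IPS).items():
        print(f"{ip}: {count} wp-cron.php loopback request(s) rejected with 401")
```
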

SecureCode FAIL?

Wednesday, November 12th, 2008

SecureCode® is a program by MasterCard to have another (useless?) number you type in to use your credit card with certain merchants. You may remember when the CVV2 code was the NEW BIG THING that people asked for to make sure you were really the person using the card. (IMHO, each of these is perfectly useless once that bit of information is stolen. It’s an arms race where card ‘acceptors’ keep looking for a new bit of info to ask for, and thieves keep stealing it).

Yesterday, while making a purchase, I was asked for my SecureCode® for a particular credit card. I don’t remember it off the top of my head, and it’s not stored in my normal encrypted file of passwords. On top of that, I use No Script, which can make some JavaScript interactions tricky the first time you do them. You have to choose what domains to allow to run script.

With all that, I couldn’t get the purchase to go through at first because I didn’t have my SecureCode® card number. So I tried to get it from the issuing bank website, and got caught in a round robin of being sent to the mastercard site, my bank, and the merchant site. But somehow, with the various enabling and disabling of scripts, I WAS ABLE TO BUY THE PRODUCT WITHOUT EVER ENTERING THE SECURECODE®. I don’t know how much of a security failure this is, if at all, but it makes me think that SecureCode® is just another useless step that annoys me, and makes sure I won’t buy from that merchant again.

Accessibility tools in the page versus chrome

Sunday, July 27th, 2008

One of the Human Factors Engineers asked me about accessibility controls in the UI on Friday. Things like text zoom controls that allow the user to zoom the font size and so forth. He was asking whether those should be revealed to all users, or just shown to users who were using some sort of Assistive Technology like a screenreader.

At first I showed him the WASP. If you visit that page and start tabbing through, a skip link reveals itself when it has focus. Nice touch, you only see it when you need it, and still usable.

But then I started thinking about a recent post by Mark Pilgrim, in which he talks about things that have moved from being parts of web pages to being part of the browser UI itself. Features like RSS feed icons - browsers support finding these on their own, so the icons aren’t really needed in the page itself now. (Personally, when I want to add a feed, I paste the homepage of the site into Google Reader and let them figure it out for me.)

Thinking about this from the standpoint of accessibility utilities, does it really make any sort of sense to put controls for these actions into the page? No. Let the browser handle zooming, so it’s consistent across all sites. Don’t make the user remember how things work on your site; remember, users spend most of their time on other sites.

This probably isn’t news to anyone, but how Mark phrased it in his article made me think about it a little more, and I think the HF engineer and I felt it was a good design decision.

Emacs, cygwin, and autocomplete

Thursday, July 24th, 2008

UPDATE2 - Sometimes I make things harder than they are. In .bashrc:
export CDPATH=.:~:/your/path/here
In .emacs:
(setenv "PATH" (getenv "PATH"))

I think my problem was that I had a directory called re in both my HOME and the path listed in CDPATH. Now things seem to work as expected.

UPDATE - Now it doesn’t work correctly. After a system restart, Emacs picked it up, but bash failed. The way to test is to go into the shell and change directories, then try to open a file with Emacs. The two should both show you are in the same place. If not, try putting the CDPATH variable, in the same order, in the .bashrc file.

Just got a very weird issue fixed, but I don’t understand why it didn’t work. I use emacs on windows, with Cygwin for a shell inside emacs. When I set CDPATH in .bashrc, I can change directories ‘using’ CDPATH values on the command line, but then autocomplete in that directory fails. If I change directories ‘manually’, then the autocomplete fails. Very odd.

Then I went into my settings for cygwin-mount.el and saw that there was an emacs command like this: (setenv "PATH" (concat "d:/cygwin/bin;" (getenv "PATH"))). On a hunch, I added this: (setenv "CDPATH" (concat "d:/my/path/here;~;." (getenv "CDPATH"))).

And things magically worked.

After 4 hours of checking, rechecking, trying, and retrying.

Looks like the CDPATH must be set in Emacs, not the .bashrc file. I’m not sure what controls what, but this is what finally worked. As a plus, now when I’m at a particular place in the shell, emacs commands to open files start at that location as well. Overall, about half my day was spent on this little bug. But that’s where you learn, I guess.

Building

Monday, July 21st, 2008

** NOTE- This may be the last time I ever write in the goddam wordpress edit box. Just lost the last 15 minutes of writing. I’m gonna get atompub working in emacs if it kills me.

Spent some time today trying to automate some of the steps in prototyping. First off, the YUI Compressor is a great utility to have running locally. Dropped into a directory, created a bash alias for both css and js minifying so I can run it like cssmin main.css > main.min.css, and I’m off and running.

Jumped from there into creating a project template, with the common files I need so I can make new projects start faster. I usually have the following folders:

  • css
  • js
  • img
  • php - this holds actual php pages. Default file is called functions.php, and generates the DOCTYPE, etc. I guess these could be includes instead, but I usually just use a heredoc to insert them with an echo.
  • inc - this holds includes and/or functions
  • html - static html copies of the pages in the php directory, so a local server is not needed when someone else looks at the prototype.

At the project root is an index.html file that serves as a navigation for the whole project. It should point to both the php and the html files just in case.

Then started thinking about what I really need, which is a script to do all the following things depending on what step I’m at.

If I’m just starting out:

  1. Export the above structure from my repository.
  2. Name the top level folder from the user input.
  3. Add the new project back to the repository.

If I want to do a build to release to others (lost the rest of the post here), I’ll probably want to make sure all the files are under version control, add them if not, create the static html pages from the php pages (curl while looking for 404 errors?), change links to point to those pages, update the index page with the new ones, commit it all in and then export it to a temp directory where it gets zipped up, and then mail it off to the names listed in config file somewhere.

Overall, building the project should be automatic.