Feb 23

Extra questions and solutions for sfGuardPlugin

Hi,

I know very few symfony projects that do not use sfGuardPlugin. I should say I have seen a few custom, self-written user authentication solutions, but I did not notice much difference; in other words, those were reinventions of the wheel.

Here is a good place to find the answers to most questions related to this plugin:

http://trac.symfony-project.com/wiki/sfGuardPluginExtraDocumentation

But you may also be looking for the following solutions, which are not highlighted there:

1. How to extend sfGuardPlugin?
2. How to practically use multi-roles (groups) in sfGuardPlugin?
3. How to implement complicated user statuses (e.g. active, pending, frozen)?

I’m sure there must be more questions and please feel free to ask them :-)

How to extend sfGuardPlugin

Pure sfGuard provides only basic functionality for authenticating, logging in, etc. If you need “signup” or “forgot password” functionality you will need to do some coding for it. But because this is something you will use in every project, you may want to keep it as a separate plugin. Here is my solution: I have a plugin called sfGuardPluginExtra.

It has an actions class which extends the default sfGuardAuthActions class:

require_once(dirname(__FILE__).'/../../../../sfGuardPlugin/modules/sfGuardAuth/actions/actions.class.php');
class sfGuardAuthExtraActions extends sfGuardAuthActions
{
}

This class implements everything I may need in most projects: signup, password reminder and password generation functions. The templates folder also holds overriding templates for the secure and login pages.

If you have a complicated user structure you may want to put a schema.yml file with the profile structure into the sfGuardPluginExtra/config folder:

propel:
  _attributes: { package: plugins.sfGuardPluginExtra.lib.model }

  sf_guard_user_profile:
    _attributes: { phpName: sfGuardUserProfile }
    id:
    user_id: { type: integer, index: unique, foreignTable: sf_guard_user, foreignReference: id, onDelete: cascade }
    first_name: { type: varchar(40) }
    last_name: { type: varchar(40) }
    email: { type: varchar(50) }
    created_at:
    updated_at:

This way I can keep upgrading the original sfGuardPlugin without overwriting my code, and add the extra functionality to sfGuardPluginExtra.

How to practically use multi-roles (groups) in sfGuardPlugin

What if you have different roles on your site, e.g. buyers and sellers? sfGuardPlugin provides “groups” as the instrument for the developer to implement multi-role functionality. So the main idea is to create a plugin similar to the sfGuardPluginExtra described above. The only difference is that now you may want to isolate access rights for the different groups, and you can do that using sfGuardBuyerPlugin/modules/sfGuardBuyer/config/security.yml:

default:
  is_secure: on
  credentials: buyer

signup:
  is_secure: off

This configuration restricts the whole module to users holding the buyer credential, so every other user group is denied, while it still allows anyone to reach the signup action.

The other piece of code you need when you create a buyer user:

$user->addGroupByName('buyer');
$user->addPermissionByName('buyer');

It adds the buyer group and the buyer permission to the $user object. Of course, you must already have added the buyer group and the buyer permission to the sf_guard_group and sf_guard_permission tables.

Another trick you may be interested in: having the user logged in right after registration without entering the username/password.
So while you still have the $user object you just created, this call logs that user in:

$this->getContext()->getUser()->signIn($user, true);

With multi-roles you may want multiple environments: a buyer has to be logged into the buyer dashboard and a seller into the seller dashboard. Frankly, I don't know a good solution for it, but you may use the following technique:

Use sfGuardPlugin/modules/sfGuardAuth/lib/BasesfGuardAuthActions.class.php

The executeSignin() function is defined there. You may hack it right there (bad guy) or override this function in your sfGuardPluginExtra. The idea is to look at the user object's permissions and redirect the user to the proper place, e.g. by adding this code:

if ($this->getContext()->getUser()->hasCredential('buyer')) $this->redirect('sfGuardBuyer/dashboard');
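As an added example (not the post's own code), here is what the sfGuardAuthExtraActions class sketched above can look like once it carries a signup action that creates the user, adds the group and permission, signs the user in and redirects by credential, together with the executeSignin() override. It assumes symfony 1.0 with sfGuardPlugin on Propel, a buyer group and permission already present in sf_guard_group and sf_guard_permission, sfGuardBuyer and sfGuardSeller modules with a dashboard action, and a signup template that posts username and password fields; the method and constant names that are not on the page are my own.

```php
<?php
// Added example, not the post's own code: a fuller sfGuardAuthExtraActions for
// symfony 1.0 + sfGuardPlugin (Propel). Assumes the 'buyer'/'seller' groups and
// permissions already exist and that sfGuardBuyer / sfGuardSeller modules expose
// a 'dashboard' action (module names beyond the post are assumptions).
require_once(dirname(__FILE__).'/../../../../sfGuardPlugin/modules/sfGuardAuth/actions/actions.class.php');

class sfGuardAuthExtraActions extends sfGuardAuthActions
{
  // The role this plugin's signup hands out. It is fixed in code on purpose:
  // taking the group name from the request would let a visitor sign up as 'admin'.
  const SIGNUP_ROLE = 'buyer';

  // GET shows the signup form; POST creates the user, assigns the role and
  // signs the new user in without a second username/password round-trip.
  public function executeSignup()
  {
    if ($this->getRequest()->getMethod() != sfRequest::POST)
    {
      return sfView::SUCCESS;
    }

    $username = trim($this->getRequestParameter('username'));
    $password = $this->getRequestParameter('password');

    if ($username == '' || strlen($password) < 6)
    {
      $this->getRequest()->setError('signup', 'A username and a password of at least 6 characters are required');
      return sfView::SUCCESS;
    }

    // Refuse duplicates before save(): the unique index would otherwise turn
    // this into a 500 error page.
    $c = new Criteria();
    $c->add(sfGuardUserPeer::USERNAME, $username);
    if (sfGuardUserPeer::doSelectOne($c))
    {
      $this->getRequest()->setError('signup', 'This username is already taken');
      return sfView::SUCCESS;
    }

    $user = new sfGuardUser();
    $user->setUsername($username);
    $user->setPassword($password);   // sfGuardUser salts and hashes it
    $user->setIsActive(true);
    $user->save();

    // A role is the group plus the permission of the same name, which is what
    // "credentials: buyer" in security.yml checks for.
    $user->addGroupByName(self::SIGNUP_ROLE);
    $user->addPermissionByName(self::SIGNUP_ROLE);

    $this->getUser()->signIn($user, false);

    return $this->redirectByRole();
  }

  // Override of BasesfGuardAuthActions::executeSignin(). Assumption: with
  // sfGuardPlugin for symfony 1.0 the validator (sfGuardValidatorUser) has
  // already signed the user in when a POST reaches the action, so only the
  // destination is decided here.
  public function executeSignin()
  {
    if ($this->getRequest()->getMethod() == sfRequest::POST && $this->getUser()->isAuthenticated())
    {
      return $this->redirectByRole();
    }

    return parent::executeSignin();  // GET: render the login form
  }

  // Send each role to its own dashboard; anyone else goes to the homepage.
  protected function redirectByRole()
  {
    $user = $this->getUser();

    if ($user->hasCredential('buyer'))
    {
      return $this->redirect('sfGuardBuyer/dashboard');
    }
    if ($user->hasCredential('seller'))
    {
      return $this->redirect('sfGuardSeller/dashboard');
    }

    return $this->redirect('@homepage');
  }
}
```

The point worth keeping from this sketch is that the group a new account receives is decided by the module (the buyer plugin signs up buyers), never by a request parameter; the security.yml credential check on the dashboard is only as strong as the code that hands out that credential.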

How to implement complicated user statuses (e.g. active, pending, frozen)

This hack is going to be explained in a following article. Keep an eye out!


Author: admin
Feb 16

Am I Symfoniac?

Sometimes I ask myself whether I really have to use Symfony. Why not another PHP framework? Or do I have to know when/where to use another PHP framework for specific cases, e.g. maybe CakePHP would be better exactly for THIS project? And should I insist on choosing symfony as the platform for the coming projects?

The thing is that I did not have much experience working with other frameworks except self-written ones. And when I was introduced to symfony I figured out it's something that could really save my time. And yes, I know the main differences between Symfony, CakePHP and Zend. But how could I know whether the other, less popular frameworks are so worthless that they are not even worth trying? And why try? Too many questions :-) Maybe that's just a winter depression and I'm sitting here asking myself all these stupid questions.

However, it would be interesting for sure to hear from the guys who came to symfony from other frameworks. Or the opposite: are there any developers who had to migrate from symfony to one of the other frameworks? Here is a list of current PHP frameworks; a comparison table can be found at http://www.phpframeworks.com/:

Akelos PHP Framework
ash.MVC
CakePHP
CodeIgniter
DIY Framework
eZ Components
Fusebox
PHP on TRAX
PHPDevShell
PhpOpenbiz
Prado
QPHP
Seagull Framework
Symfony Project
WACT
WASP
Zend Framework
ZooP Framework

I did not know there are sooo many of them. And I must say there are others not listed here, e.g. the latest one that got into my RSS subscription is SimplicityPHP: http://wiki.simplicityphp.com/

The thing that looks obvious to me: the quality of PHP frameworks is getting better and better. What I know for sure is that I'd never go back to working with PHP without a framework. There was a post by Manuel Lemos about the possibility of using a set of classes instead of a single framework: http://www.phpclasses.org/blog/post/52-Recommended-PHP-frameworks.html and that's what I'd not do at this moment. Of course, what he wrote makes sense, but I'm too tired to tie together all those classes, write wrappers and the other bullshit.
What about you?

Well, I'd need to mention Javascript/AJAX/CSS frameworks here too, but that's another big topic to talk about :-)


Author: admin
Feb 07

Voting service for SymfonyLab

The service we've been using to vote for useful Symfony/AJAX resources went down because of a bunch of hacker attacks, and we decided not to start it again. The old service used Pligg which, as it turned out, is quite buggy and vulnerable to attacks.

I was also kind of disappointed when I saw the following picture on the symfony community page last week:

[image: symfony-web-phpframeworkcommunity.png]

I don't think postings like “test” are very informative, and I don't know Japanese or Chinese well enough to understand what those guys are writing about.

So as the new platform we decided to try out coRank, a service which allows you to create your own digg-like site. The one we created dedicated to Symfony is:

http://symfony.corank.com/

It aggregates all the blog posts from symfony bloggers, and everyone has a chance to vote for the most useful resource; this way (hopefully) I won't ever see a “test” posting as the top news of the day. The more people vote for these resources, the more objective a picture we will have. If you want to propose other symfony-related RSS feeds to be added for aggregation, we would be happy to add them, so just let us know.

Thanks


Author: admin
Feb 01

Our stats for January

In 2008 we are still growing, and very soon we are going to announce our new service (instead of the devgg one which we had to close). The greatest news for us in January was that we got a high page rank from Google (PR=5) in a very short time, which allows us to start showing non-AdSense paid ads on our site. It will help us focus on better content and ideas for the site.

Ok, so now we would like to present our statistics for January:

Monthly hits:

Hits=33837, Visits=8079

Most popular articles in January:

http://symfonylab.com/tricks-with-symfony-htaccess/ Views=1096
http://symfonylab.com/how-to-populate-object_select_tag-with-your-own-objects/ Views=955
http://symfonylab.com/ajax-with-multiple-content-updates/ Views=685
http://symfonylab.com/symfony-automation-idea/ Views=668
http://symfonylab.com/phoogle-usage-with-symfony/ Views=582

Most popular search strings in January:

object_select_tag, 142
symfony, 112
symfony htaccess, 66
symfony object_select_tag, 54
wforms, 41

Countries visits:

Unknown, 31%
Romania, 12%
United States, 11%
France, 6%
Poland, 4%
Netherlands, 4%
Spain, 3%

Browsers:

Unknown, 33%
Firefox, 32%
Internet Explorer, 24%

What is funniest for us: Romania is still the leader among visitors. Good job guys! It is interesting why Symfony is more popular in Romania and the USA than in France. But maybe that's just specific to this site.


Author: admin
Jan 23

Clean out my drafts

Hi all,

somehow I bookmarked a few useful links (I found them in someone's bookmarks actually) and put them into my drafts. I was going to write a few posts on those topics. And now that I'm doing a drafts cleanout I realize that I forgot what the hell I was going to write.

I thought these links could be helpful for someone, so here they are:

symfony: creating individual modular sites with a base configuration

How to rig symfony-project with jQuery for AJAX

Forms Validation with Symfony and Prototype


Author: admin
Jan 18

A note about Symfony security faults

It was a while ago that I wrote about a random site taken from the “Applications Developed With Symfony” section.
As you may remember, I simply wrote about possible problems that may await the owner of that site. Preventive measures include deleting the _dev files as well as extra securing of the backend. There were a bunch of controversial comments regarding that posting, e.g. “Ryan Weaver” wrote that it's a great idea and “halfer” wrote that I'd need to inform the site owner before writing about security faults (look for more info here: http://www.symfonylab.com/review-of-williamandersonca/ )

Today I quickly went through a few of the other sites listed among the applications developed with symfony and found that both frontend_dev.php and backend_dev.php files are present on most of them; here are only a few samples:

[removed due to developer request]
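As an added example (not from the post), here is a guard that can sit at the top of web/frontend_dev.php for the case where deleting the file from the production server was forgotten: it refuses every request that does not come from the local machine, so the debug toolbar, the configuration dump and the SQL log stop being visible from outside (and stop being indexed). The rest of the file is the standard symfony 1.0 development front controller; the list of allowed addresses is an assumption to adapt.

```php
<?php
// Added example, not from the post: web/frontend_dev.php with a guard in front
// of the standard symfony 1.0 development front controller. The guard limits
// the damage when the _dev files were not deleted from the production server;
// the address list is an assumption to adapt.

// Addresses allowed to use the development controller: loopback only.
$trusted = array('127.0.0.1', '::1');

// Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the check must
// then be done at the proxy instead (or the file must simply not be deployed).
if (!isset($_SERVER['REMOTE_ADDR']) || !in_array($_SERVER['REMOTE_ADDR'], $trusted, true))
{
  header('HTTP/1.0 403 Forbidden');
  exit('You are not allowed to access this file.');
}

define('SF_ROOT_DIR',    realpath(dirname(__FILE__).'/..'));
define('SF_APP',         'frontend');
define('SF_ENVIRONMENT', 'dev');
define('SF_DEBUG',       true);

require_once(SF_ROOT_DIR.DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.SF_APP.DIRECTORY_SEPARATOR.'config'.DIRECTORY_SEPARATOR.'config.php');

sfContext::getInstance()->getController()->dispatch();
```

The same guard belongs in backend_dev.php. Deleting the _dev files from the production server, as the post says, remains the real fix; and since the debug toolbar shows the database DSN, the class paths and the SQL, a site that had one exposed is worth a look in the web server's access log to see whether the file was already fetched from outside.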

Btw, based on the web debug bar I noticed that a few sites (e.g. [removed due to developer request]) are using the same SQL to get content from the DB:

SELECT sf_dynamic_cms_nav.ID, sf_dynamic_cms_nav.NAME, sf_dynamic_cms_nav.APPLICATION, sf_dynamic_cms_nav.CULTURE, sf_dynamic_cms_nav.ADMIN_CREDENTIALS, sf_dynamic_cms_nav.EDITOR_CREDENTIALS, sf_dynamic_cms_nav.TEMPLATES, sf_dynamic_cms_nav.CREATED_AT, sf_dynamic_cms_nav.UPDATED_AT FROM sf_dynamic_cms_nav WHERE sf_dynamic_cms_nav.APPLICATION='frontend'

So it must be the same person who created them, or maybe there is a shareable plugin for content management. If so, I'd like to take a look at that as well :-)

Btw, when I searched for the sf_dynamic_cms_nav table I quickly found one more test site with the same content management:

[removed due to request]

That's becoming funny.. So Google indexes the symfony debug toolbar. Guys, you have to be careful: today they control your _dev files and tomorrow they will drink your beer!

And another thing about this CMS by an unknown author: it looks quite universal (contains CREDENTIALS, APPLICATION, CULTURE fields), and at this moment I started to remember the symfony sfSimpleCMS plugin.. Oh shame on me.. I should have thought of that! So it's the same sfSimpleCMS plugin, but apparently customized.

Well, anyway, I actually wanted to tell you about another security hole you can fall into. It's about the sfGuardUser plugin. I won't name the sites where this problem exists, but it's a sign for them to check themselves.
So if you use sfGuardUser and allow people to sign up, please make sure you restrict their access to the backend and allow only users in the admin group to get there, by adding a security.yml:

default:
  is_secure: on
  credentials: admin # Access with the admin credential

I know some find it obvious, but I'm sure (actually I know) there are a lot of sites where this is skipped.
Without it you can sign up as e.g. a subscriber and have admin access to the backend.

So I told you, don't say you didn't hear :-P


Author: admin
Jan 12

Phoogle usage with Symfony

If you have ever needed a way to include Google Maps functionality in your project you should know what Phoogle is. There is also a GoogleMap plugin for Symfony, but I was not able to make it add a point to a map based on latitude and longitude values.
So it's good to know that there is the Phoogle PHP class, which simplifies the developer's life:

http://www.systemsevendesigns.com/phoogle

Here is what they write about themselves:

Phoogle Maps (pronounced like Foogle Maps) is a PHP class that integrates itself with the Google Maps API and with the Google Geocoding API to make an easy to use interface to display Google Maps on your site. With about 5 lines of PHP code you can display a customized Google Map on your website. Please note that you will need a free Google Maps API Key to use Phoogle Maps

And that's the truth. If you need a quick way to display a point on a world map, IMHO the easiest way is to use Phoogle.

Anyway, now.. it does not matter whether you use the pure Google Maps API or the Phoogle wrapper; in both cases you may run into a small problem integrating it into symfony: how to add the Google Maps javascript code into the header of only specific pages of your project.

Here is a trick for this (I found it on the symfony forum, btw):

You have to have this code in your layout.php template:

<?php if (has_slot('gmapheader')): ?>
  <?php include_slot('gmapheader') ?>
<?php endif; ?>

Now don't forget to put the Phoogle class files into your lib/ folder.
The next step: for the pages where you want to show a Google Map, insert the following code into the templates:

<?php
$map = new PhoogleMap();
$map->setAPIKey('YOUR_GOOGLEMAP_KEY_HERE'); // your Google Maps API key, as a string
$map->setWidth(700);
$map->setHeight(400);
$map->addGeoPoint($lat, $lon, 'It is here!');

// the javascript goes into the slot that layout.php includes in the header
slot('gmapheader');
$map->printGoogleJS();
end_slot();

echo $map->showMap();
?>

This little trick works not only for Phoogle, of course. You may use slot functionality as an additional weapon for including different javascript blocks or design elements.


Author: admin
Jan 08

How to hide symfony project in subfolder

As for me, this is going to be quite a popular task: not using the symfony project in the root of the web folder but keeping it under a kind of “forum” or “users” folder. This way you may use another type of software (e.g. Joomla) in the root of the web folder (public_html or web or whatever you have called it). So for instance when you go to domain.com you see Joomla pages, and when you go to domain.com/forum you get access to the symfony-driven project.

This is not complicated but requires some tuning. First of all you'll need to change one line in the .htaccess file in the root: RewriteRule ^(.*)$ /forum/index.php [QSA,L]
So your .htaccess (located directly in public_html) has to look like this:

Options +FollowSymLinks +ExecCGI

<IfModule mod_rewrite.c>
  RewriteEngine On

  # uncomment the following line, if you are having trouble
  # getting no_script_name to work
  #RewriteBase /

  # we skip all files with .something
  RewriteCond %{REQUEST_URI} \..+$
  RewriteCond %{REQUEST_URI} !\.html$
  RewriteRule .* - [L]

  # we check if the .html version is here (caching)
  RewriteRule ^$ index.html [QSA]
  RewriteRule ^([^.]+)$ $1.html [QSA]
  RewriteCond %{REQUEST_FILENAME} !-f

  # no, so we redirect to our front web controller (now in the forum folder)
  RewriteRule ^(.*)$ /forum/index.php [QSA,L]
</IfModule>

# big crash from our front web controller
ErrorDocument 500 "Application error. symfony application failed to start properly"

And now, of course, you'll need to move your symfony project into the forum directory and change your index.php, frontend_dev.php, backend.php, etc. controller files a bit so they contain the correct path to the symfony root:

define('SF_ROOT_DIR', realpath(dirname(__FILE__).'/../../'));

You may also want to fix the trailing slash problem on some hostings; use the following line for it (index.php is of course for the index.php file, and the other controllers have to contain their own filename):

$_SERVER['SCRIPT_NAME'] = '/forum/index.php';

That's it. In your forum directory you'll have to keep the standard .htaccess:

Options +FollowSymLinks +ExecCGI

<IfModule mod_rewrite.c>
  RewriteEngine On

  # uncomment the following line, if you are having trouble
  # getting no_script_name to work
  #RewriteBase /

  # we skip all files with .something
  RewriteCond %{REQUEST_URI} \..+$
  RewriteCond %{REQUEST_URI} !\.html$
  RewriteRule .* - [L]

  # we check if the .html version is here (caching)
  RewriteRule ^$ index.html [QSA]
  RewriteRule ^([^.]+)$ $1.html [QSA]
  RewriteCond %{REQUEST_FILENAME} !-f

  # no, so we redirect to our front web controller
  RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

# big crash from our front web controller
ErrorDocument 500 "Application error. symfony application failed to start properly"

Of course, it is not really necessary to hide your project in a folder if you can work around it with symfony's routing features. But sometimes the technique I've just described can be very, very helpful.

See ya!


Author: admin
Dec 22

Merry Christmas and Best Wishes for the New Year

As 2007 draws to an end, we thought it would be a good idea to close it off with an end-of-year message. Next week we'll all be off visiting loved ones, relaxing and overindulging.

A few important things happened this year. The Symfony framework kept improving a lot, and it became so popular that we launched our site dedicated to this great framework :-)

2007 was an amazing year for us here at SymfonyLab.

We wanted to send out a special thanks to some of our most active commenters. Thanks guys, you've helped us a lot by bringing up important and interesting questions.

Enjoy your Christmas holidays! We look forward to keeping on posting for you in the new year - it should be a very exciting one!


Author: admin
Dec 13

Review of WilliamAnderson.ca

Ok, so this idea came to me at the stage when we were launching SymfonyLab.com. I was going to review existing symfony-based sites here, and I finally want to start doing that. I'm not a hacker and I'm not going to crack those resources. I'm also not a security expert, and the only reason I'm doing this is that it's some kind of fun for me; it is of course also a warning for the resource owners and probably a wake-up call for site developers. What I actually want to achieve in the end is to help site owners protect their sites a bit. Maybe when they find their sites here they will urgently protect/fix them, or at least kick some developers' asses :-)

Today let's take a look at the first site I took from symfony's sites list: williamanderson.ca

So, as it seems to me, the most common problem of symfony sites is that developers forget to delete the _dev.php files from the production server. As a result we may learn some interesting information about the site. I don't think this information is really critical, but it can be helpful for hackers. So what can we learn from here:

http://www.williamanderson.ca/frontend_dev.php

Not too much, but the first thing is that eaccelerator is not turned off here (in dev mode the cache is also disabled, but that may be only for dev mode, so we can't be 100% sure). Maybe that's the reason why this site loads so slowly?
The other thing I noticed is the name of the computer where this site is hosted:

COMPUTERNAME: NATALIE

Hey guys, that's my wife's name. What a good shot! Well, what else.. NUMBER_OF_PROCESSORS: 2, php: 5.1.2,
os: Windows NT NATALIE 5.2 build 3790. Interesting?

The developer uses a quite simple set of modules, and based on the configuration variables and the dump of SQL requests it's generally possible to get a good view of the project architecture; e.g. here is the set of custom classes:

myTools: E:\www\wa\lib\myTools.class.php
photoTools: E:\www\wa\lib\photoTools.class.php
Content: E:\www\wa\lib\model\Content.php
ContentPeer: E:\www\wa\lib\model\ContentPeer.php
ContentMapBuilder: E:\www\wa\lib\model\map\ContentMapBuilder.php
PhotoMapBuilder: E:\www\wa\lib\model\map\PhotoMapBuilder.php
BaseContent: E:\www\wa\lib\model\om\BaseContent.php
BaseContentPeer: E:\www\wa\lib\model\om\BaseContentPeer.php
BasePhoto: E:\www\wa\lib\model\om\BasePhoto.php
BasePhotoPeer: E:\www\wa\lib\model\om\BasePhotoPeer.php
Photo: E:\www\wa\lib\model\Photo.php
PhotoPeer: E:\www\wa\lib\model\PhotoPeer.php

so there are only 2 tables, photo and content. I think there is no users table, so most probably the password is hardcoded (and maybe not even encrypted!). Here are samples of SQL requests, so I was right about that:

SELECT wa_content.ID, wa_content.TYPE, wa_content.BODY, wa_content.CREATED_AT, wa_content.UPDATED_AT FROM wa_content WHERE wa_content.ID=2

SELECT wa_photo.ID, wa_photo.NAME, wa_photo.DESCRIPTION, wa_photo.SORT_ORDER, wa_photo.PHOTO, wa_photo.THUMBNAIL, wa_photo.FEATURED, wa_photo.VIEWABLE, wa_photo.CREATED_AT, wa_photo.UPDATED_AT FROM wa_photo WHERE wa_photo.FEATURED=1 LIMIT 1

I wish I could see the full info in “log and debug messages”, but only stars are there :-(

+340 Creole connect(): DSN: array ( 'database' => '****', 'hostspec' => '****', 'password' => '****', 'phptype' => '****', 'port' => '****', 'username' => '****', ), FLAGS: 0

The other thing that was not complicated to figure out is admin access. I think most developers use either the standard “backend” way to determine admin access or, as in the case of this site, self-written authorization, and here it is:

http://www.williamanderson.ca/admin.php

Of course, I don't want to provide here information on how it's possible to log into the admin area, but believe me this is not a big deal with only a password field and no IP blocking. So dear William Anderson, please contact your developer and ask him to secure your backend. At least that's what I'd do ASAP if I were in your place.

Of course this is too simple a site for a good investigation. I also think such sites can be launched on the WP engine. I don't see the reason to waste time/money on reinventing the wheel when this can be done in 2 hours using existing free open-source software. Using NextGen or another kind of gallery plugin, it's really simple and much more secure, I believe.

As for the actual content of this site: Mr. William Anderson, my hat is off to you. I really love the photos you made.

Good night!


Author: admin