Patrick Proulx | 1 Sep 16:54 2015

[Tiki-devel] Preference setting and cross-site request forgery

Hey guys,

I’m currently working in the Addons feature and ran into some CSRF issues when trying to set prefs. I’ve figured out the issue but had a follow-up question for you guys. 

The issue appears to be around line 529 of tiki-admin.php. It checks if an associated admin/include_$pagename.php exists before generating the key/ticket to change the pref (this is an issue from the Addon’s perspective since it doesn’t check the addon subfolder - this is something I’ll be adding).

if (isset($_REQUEST['page'])) {
   $adminPage = $_REQUEST['page'];
   if (file_exists("admin/include_$adminPage.php")) {
      $check = key_get(null, null, null, false);
      $smarty->assign('ticket', $check['ticket']);
      include_once ("admin/include_$adminPage.php");
      $url = 'tiki-admin.php' . '?page=' . $adminPage;

From what I can tell the ticket used to be generated in that .php file but now appears to be generically generated in the key_get() function on line 530 instead.
So my question is whether it’s necessary to have the associated include_$pagename.php file to create the ticket or if this should be made optional. 

if (isset($_REQUEST['page'])) {
   $adminPage = $_REQUEST['page'];
   $check = key_get(null, null, null, false);
   $smarty->assign('ticket', $check['ticket']);
   if (file_exists("admin/include_$adminPage.php")) {
      include_once ("admin/include_$adminPage.php");
   $url = 'tiki-admin.php' . '?page=' . $adminPage;

Please let me know if I’m missing something and not properly understanding the purpose of the include_*.php files. 

Thank you!

TikiWiki-devel mailing list
Gary Cunningham-Lee | 29 Aug 16:16 2015

[Tiki-devel] Buttons vs. links visual styling


I know this has been talked about before, but looking at some of Tiki's 
pages, I'm wondering how things got off course. The rationale is that 
links are for navigating and buttons are initiate an action, right? But, 
for example, on a view calendar page there are three buttons (text with 
borders, etc.) - Admin, Add Event, and List View. Admin is clearly a 
link to leave the view page and go to the calendar admin page; Add Event 
also navigates away but I suppose this can be considered the first step 
of the action; List View to me is kind of a mutant: it doesn't initiate 
any action (as would require a "save", etc.), it just changes the view 
of the same data, but it doesn't really navigate anywhere either, in the 
sense of showing new content.

So there are some cases that aren't too clear, but there are more than a 
few cases that have the wrong visual styling if we're following the 
"button:action, link:navigation" concept. Any feelings about this? (It's 
easy to make any changes, usually just btn-default <--> btn-link.)

-- Gary

gezzzan | 28 Aug 21:37 2015

[Tiki-devel] events and activities -> anyone knows them enough to give training?


Lately I've been exploring events ( and activities ( and now after countless hours I can confidently say that I am lost :)

What I am trying to do: I am working on the menu service controller and want to trigger an activity when a menu is created/updated/deleted.

It is not as easy as I hoped it would be, read the available documentation, but can not get it working

If anyone has a good overview on this, please contact me, I would gladly even pay for a few hours of consultation to get some enlightment and than document these things

TikiWiki-devel mailing list
Jay Williston | 27 Aug 22:26 2015

[Tiki-devel] Customsearch: searching on multiple "item link" fields


I hope you all are not growing tired of me.   I really do try everything 
before I ask for help.  Here's my latest puzzle (tiki 12.4, 
customsearch, using a .tpl file for search template):

The fields areaOfExpertise_1, areaOfExpertise_2, areaOfExpertise_3, 
areaOfExpertise_4 are "Item Link" fields that allow users to select from 
a stored group of expertise (have a separate tracker for those expertise).

Using the "_text" trick I learned from Jonny earlier I can get this to 
work really well:
Area of Expertise: {input _filter="content" 

However I'm not able to specify multiple fields to search.  So this 
doesn't work:
Area of Expertise: {input _filter="content" 

Any idea why one would work and the other wouldn't?


Patrick Proulx | 27 Aug 15:45 2015

[Tiki-devel] Category List Formatter

Hey Guys, 

We had a request from one of our clients to list the categories of certain items in the search result (in this
case, it’s trackeritems). I tried the categorylist formatter and the results weren’t really
displayed how I would expect them to. So I made some changes and wanted to check with you all to see what the
functionality should be. 

Here’s an example category tree for my Tiki:

- Library
	- Human Resources
		- Staffing
		- Labour Relations
		- Forecast
	- Finances
		- Budgets
			- Non-Staff
			- Staffing
		- Departmental
		- Forecasts
	-  Memos
		- Departmental
		- Company-Wide
		- Important
		- Financial
	- Retention Period
		- 1 year
		- 3 years
		- 5 years
	- Importance
		- High
		- Normal
		- Low
- Theme
	- ...
- Groups
	- …
Now what my client wants is the full path of the categories with Library as a root category (separated by a
Ex: Finances > Budget, Finances > Budget > Staffing, Retention Period > 5 years, Importance > Normal

Currently the SingleList=y option shows as : 
"Budget, Staffing, 5 years, Normal” (plus includes any other category selected outside of library
since there’s no real way to set a ‘root’ category and include all descendants)

RequiredParents is a way to filter by the parent, but only goes one up. So if I set RequiredParents to
Library, I’d get no results since there are no direct descendants to Library. 

If I set singleList to ’n’, I would get:

Finances: Budget
Budget: Staffing
Retention Period: 5 years
Importance: Normal

So I’m looking to you guys to see what the desired functionality should be for this formatter and the best
way to parameterize the functionality that I need. 
The way I did it was that I added two parameters: showCompletePath=y and levelSeparator=“ > “. The only
time those do anything right now though is when singleList is set to ‘y’. I also made it such that if
complete path is set to ‘y’, if a requiredParent is set, it will show if the parent is anywhere in the
path (allowing us to set a sort of root). Would we be better of setting a ‘categoryRoot’ option
instead? We also don’t want to show the root in the complete path. Would you ever want to you think? Would
that be yet another parameter?

Another idea might be to just create a template and pass the categories to the template (which would allow us
to override the core Tiki template if we wanted to do something more custom).

Anyhow, I was just hoping to get some feedback from you all. 


TikiWiki-devel mailing list
TikiWiki-devel <at>
Torsten Fabricius | 26 Aug 22:42 2015

[Tiki-devel] <at> mdo recommends #noparents

A hint of one of the cracks:

nice read,


Gary Cunningham-Lee | 26 Aug 09:29 2015

[Tiki-devel] Only part of admin pages loading


I've seen this problem before but don't recall the solution. For a few 
days now, in my localhost trunk, only the main column (#col1) of the 
tiki-admin.php?page=xxx pages is loading. So there's no html head, so no 
CSS or Javascript, as well as no page-header or left column.

Other pages, including other admin pages like tiki-admin_xxx.php, 
display fine. Any ideas about what could cause this?

-- Gary

Gary Cunningham-Lee | 24 Aug 16:06 2015

[Tiki-devel] Tiki help - page tour scripts


Following up on some ideas on, I've been 
looking at page tour scripts. These are pretty simple scripts that are 
usually programmed as a list whose items are elements in the page. 
Popups give information and lead to the next item in the list. These can 
be used for Tiki itself, or for Tiki admins to provide a guide for their 
site (either for using the site, or as a guide for site content).

Some key points in selecting the best script are that it's pretty 
healthy as a project, has good responsive behavior, uses standard CSS 
selectors as "stops" in the tour, and of course has a compatible 
license. A bonus is multi-page capability (which one script I found has).

If anyone has some experience with a page tour script, please share it 
here or on the wiki page. Just looking at the specs so far, my 
recommendations would include Bootstrap Tour, Joyride, and Hopscotch. 
Next step is to do a some quick tests in a Tiki environment.

-- Gary

Frank Guthausen | 24 Aug 13:02 2015

[Tiki-devel] Booth at FrOSCon TikiFest

Hello folks.

Due to German regulations we are in a new situation regarding future
TikiFests at FrOSCon. The university has got a equal opportunities
officer who decided we are not allowed to run a booth with not having
a 50 percent rate of female attendants. All projects will have to
comply. This means in addition, all projects have got to ensure a 50%
rate of female contributions to the commits. We have to hold back all
commits of men whenever we exceed a 50% male rate. Those regulations
will become international with the upcoming free trade agreements
between the European Union and Canada/USA in a few months.

We'll leave the TikiFest FrOSCon 2015 sleeping location
(basecamp Bonn) in about one or two hours. Happy hacking,
have fun.


gezzzan | 24 Aug 12:28 2015

[Tiki-devel] Bootstrap 4 alpha

Hi Devs

Some interesting reading about where bootstrap is heading with its next major release

As they write: "There are a ton of major changes to Bootstrap", one is moving from less to sass

it is going to be a while until it is released (probably after Tiki15), but worth reading

TikiWiki-devel mailing list
Gary Cunningham-Lee | 24 Aug 10:50 2015

[Tiki-devel] Forum posting strangeness


There's some weirdness in posting in the forum that should be corrected. 
I just spent time writing a response to a forum post at the community 
site, and clicked "preview". Then a modal came up and said "This page is 
asking you to confirm that you want to leave - data you have entered may 
not be saved." There were two buttons, the highlighted one was "Leave 
page"; the other was "stay on page".

What does this mean? Normally "leave page" means just that, but I didn't 
want to leave the page if it means my post isn't saved, which the dialog 
warned about. So I clicked "stay on page" and watched the "save in 
progress" anim rotate forever, over my ghosted post which I feared would 
be lost. So I opened my DOM inspector and "display:none"ed all the modal 
layers and was able to hit the "post" button. (I was using Firefox 
developer edition which gets daily updates, so browser issues are possible.)

In a follow-up test, I clicked the "Leave the page" button and this in 
fact allowed me to stay on the page and see a preview of my post.

Clearly things aren't as they should be. The "stay on page" action is 
completely dysfunctional, and the "leave page" is, ah, misleading. Is a 
warning needed here at all? Why not just show the preview? If a 
confirmation is needed for some user-unfriendly reason, then at least 
the wording could be corrected.

I filed a bug report at

-- Gary (rant mode off :-)