Firefox PHP

Template updates

Posted by DavidVB 
Template updates
July 29, 2009 08:07PM
I was wondering if you could explicitly state in your changelog which template files are changed for versions when there are changes to the templates. In your docs, you recommend that all the template files be transfered to a custom directory, so a site's working templates won't get upgraded by normal procedures (bad when there are security concerns). Right now it seems that you have to browse the SVN branch to see what template files have changed.

One thing that may be considered in the future would be to be able to just put your modified files in your new custom template directory. The info.php file could point to the default template you based your template(s) on. Then you would only have to update any files that you have modified (this might make it a lot easier to keep track of which files have been customized).
Re: Template updates
July 29, 2009 08:20PM
We explicitly tell when there are template upgrades but for 5.1 - 5.2 it were too many to list them all and changes in the template language required template upgrades anyway.
5.3 will have compatible templates.
I don't see the security concerns with a custom template directory. Thats how you should always work with templates. Your own template set with its own name.

Thomas Seifert
Phorum Development Team /
Custom Phorum and general software development
worry-free Phorum Hosting
Re: Template updates
July 30, 2009 01:23AM
I don't have problems with upgrades between stable versions, but rather when there are upgrades to templates after the first stable release. For instance in the Emerald template there was an update to read_thread.tpl five months ago for "Added post form confirmation into message deletion process to protect against CSRF attacks" - which sort of sounds like something that probably should be fixed on a site. I didn't see anything in the change logs for the dot upgrade (I may have missed it, but something that I have to fix manually either by updating my template or at least copying it over to my template directory - and for anyone who doesn't just run a stock template, would be nice if it was highlighted).
Re: Template updates
July 30, 2009 08:04AM
We might have missed that one in the changelog, sorry for that, but it is really not a big one. There is no security threat if a site does not update this template change. The only thing that will happen if the update is not done, is that there will be two confirmation questions for deleting messages. One as a javascript popup and the second one as the CSRF protected confirmation page.

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Sorry, only registered users may post in this forum.

Click here to login