Frustration with IPS

[7SiN]

Alright so I plan on this being a rather lengthy topic, however, if you are a developer who is planning on purchasing IPB I suggest you read all of it.

So anyway I began developing on Invision powered boards at the beginning of the summer. It began with just simple template edits and tiny tweaks that were easily able to be done. Everything seemed to be working fine. Well naturally I began wanting to use hooks. So where would one go other then the documentation? Now anybody who has ever even glanced at IPS's documentation will know and agree that it is absolute trash. I mean lets just take a look real quick.



Ok so there are ~ 70 sections
and about 420 articles

So this means each section averages about 6 articles in each section. Now I don't know about you but if you try to develop on something and you only have 6 articles to work with. Those better be some damn good articles. Lets just look at some randomly selected ones shall we?

No I really can't speak for everyone but i'm going to have to say those seriously can't even be considered decent articles. So anyway I guess we can assume all the old documentation is terrible however, as long as they have some good tutorials to get us started maybe I can learn my way around.



So lets take a look here well. For starters it is a huge relief that they used the new spelling of 'customizations'. I was really beginning to question wether those tutorials were really going to be advanced. Clearly the guy writing these 'advanced' tutorials must be right on the ball.
Incase you didn't get the joke I am saying who ever did that was retarded.

But maybe the person who wrote general tutorials had half a brain. Maybe they won't be 12 lines like the documentation.
WOAH Here's a lengthy one!
http://community.inv...nd-folders-r636
Thank god someone wrote a tutorial telling me how to delete files. Don't get me wrong, I find it great that there is an article for this, however, Why is it one of the lengthiest articles in the documentation. That kinda says something.


Well lets fast forward to the Developer resources considering the section deemed as the knowledge center simply contains hot fixes. And we will finally figure out our hooks system. Good thing there are a total of 6 articles. I'll be writing hooks in no time! Especially with quality articles like this.





Anyway lets take a look at this so called new documentation. Well security seems to pop out at me so we shall take a look at that. Going though this one by one.
http://community.inv...pplication-r616
Am I the only one who thinks that isn't even posted in the right section?

http://community.inv...efficiency-r565
Well this is actually a pretty quality article I will say, however, please take note of their suggestion of "saving SQL Resources"

http://community.inv.../debugging-r579
Decent article, however, as a developer I would like to be able to see debug level 3 at ALL times (on a live board) Why is it that it is not possible to do but have it show up for admins (or even specific users) only? It just doesn't make sense.

Ok so system scheduler / cookies… They are what they are. So we shall skip those.

But here is where I am absolutely flabbergasted "securing your community" and "ACP Restrictions".
So to begin:
Securing your community:
Now personally I find it kind of absurd that IPS was only able to come up with 6 things you can do to secure your site.
Choose a secure password - yes, common sense, but often overlooked.
Account locking- Isn't this default? and if not why isn't it.
Disable flash & HTML - I'm sure there are several people who don't understand the security risk so yeah

Now putting a .htaccess on your ACP… This either mean the person who wrote this article is a full blown retard. Or IPS seriously is not aware of how .htaccess files work.

Ok Take a .htaccess file. Put a passwd in there. Use allow deny all and ip address authentication. LOCK IT DOWN.
Go to mysite.com/admin/ - seems pretty secure right?
now go to mysite.com/index.php/admin -be amazed. Seriously are you kidding me?

Ohh but it's ok because the forum always submits to mysite.com/admin anyway so we don't' have to worry about it.
Well what happens when they fire bug the submit button and every link? Yeah it's a pain in the ass but if I want to compromise a community it's a very small price to pay. All I would have to do is make my way to the templates- fwrite a shell to the server then delete the .htaccess.
So yeah if you are using a .htaccess on your board thinking you are secure you are as dumb as the person who wrote this article.

So next. Lets do some security by obscurity this is alright I mean it's not fool proof but it is decently a good measure to take. The problem I have with this is why is EVERY last thing in IPB done though the admin directory? Why is it that whenever my site throws an error it kindly tells everyone "Hey this is where my ACP is". Why has IPB not changed the location of where the ACP is accessed? then allow us to change that link.
Now you may think that IPB throwing error is un common but it really is not. Go to a post and spam several empty member tags if your members database is large enough you should see a lovely error with your ACP link and everything. (I believe this was fixed on 3.2.2 but anything prior is subject to this).

Now speaking of securing the ACP link why is it that this article doesn't even speak of the benefits of just simply taking the link off the board so if an admin account is ever compromised the ACP can't easily be found. Good thing there is an option for that in the ACP. But you know what would be terrible. If some application was added to you board which wouldn't honor this 'securing of the ACP link' and would post it on your homepage regardless. Surely IPB would be infuriated if this were the case as it is a potential security risk. Ohh wait never mind they do it themselves with nexus.


But I mean lets think about the security on the ACP. You login you create a token. That token is sent with you on every page via a get parm. Now this is able to be used on your IP address without any form of authentication. So lets say you were managing your board on a school network. Someone decided it would be a good idea to ARP poison the router. Boom all they need to do is copy pasta the link and they are logged into your ACP. Seriously, How is this not seen as a threat. Well the solution is simple SSL. IPb has a very nice tutorial on their board (community submitted) which explains how to set your ACP up to require SSL. Why is this not pressured? I fully understand why you may not be able to ship with ssl enabled by default but it should be a warning when you log in to the ACP that tells you your ACP is not secured by SSL.
http://community.inv...r-admin-cp-r532







Anyway I digress, lets say our ACP was compromised what is stopping people from getting places that they shouldn't be. Ohh why trusty ACP restrictions. Now one of the main parts of security is making sure that there is no end user confusion. Making a system complex to use is flawed in its self. Human error is the number one cause of systems being compromised.
Now obviously having a lot of options and control over your admins is great, however, do you really think people even know what they are doing half the time?

ACP restrictions are completely flawed if a person can drop them. Now lets just brain storm how this can be accomplished.
1) having the permissions to edit your own
2) SQL tool box
3) query from the templates
4) query from ip content
5) upload a hook with a the query in the set up
6) promote an unrestricted admin
7) change an unrestricted admin's email/password

Now honestly how many beginner users even know of all of these. Why are these possible security risk not bolded and properly identified. But at least these actions will be logged right?

Well that depends is it to the right of the members tab? If so then no the action won't be logged. It is completely absurd that queries that are run through the SQL tool box are not logged. Further more why do we stop people from editing the admin login logs but not the admin logs via the tool box? More importantly why are these checks not done directly at the database abstraction layer. I mean seriously so I can't run the query from to delete login logs from the sql tool box but i can run it from the templates?







So any way if you are like me At this point you have probably completely given up on writing hooks and applications. Well thank god there is an alternative. IP.Content.
IP.Content is a wonderful application. If you actually go to se7ensins.com You will see that our entire homepage, sorting system, sidebars, act act are all done with IP.Content. (excuse the lack of content we just launched this homepage yesterday).




However, I wish I could say I had nothing bad to say about CCS(IP.content).
So for starters I had noticed a terrible bug where IP.Content would run approximately 3 times the amount of queries that it should have been. Upon reporting the staff essentially told me "raw query count isn't an accurate indicator of efficiency" which yes, is absolutely true but they completely missed the point that the queries it was running where UNNEEDED! Finally after about a week of 'Barneys Girlfriend'ing bfarber finally acknowledged the issue and attempted to fix it. This is where things went terribly wrong. By design even if a block isn't cached IP.Content still wants something in the cache for that block. Therefore when saving a block you need to write the cache regardless of wether it is cached or not.
This 'fix' ended up causing terrible error such as not being able to create new blocks or IP.Content not recognizing that a file was changed. Just a nightmare. So a bug report was made as my site waited for a fix (considering we completely rely on IPC) a month later he came back and simply just un did the changes that he had done to fix my bug in the beginning. Why it took full month to revert changes i have no idea. Soo anyway now two months have gone by and my site is terribly behind because of this bug. So I decided to go in and look at it myself. After about an hour I was able to find a very simple fix. I posted my solution in the bug report and brandon essentially back lashed by telling me I was retarded and that he is clearly superior to me because he is always right. He told me that if I wanted the bug fixed I would have to go into the feed back forum and suggest that they fix bugs?!?. I seriously have never received poorer customer service before in my life.

So anyway moving on a little further it finally came where I could no longer wait on IPS and i decided to launch my site. Now clearly brandon's code still doesn't work properly which caused me a load of trouble. So I went back to my old board and grabbed my fix and what do you know! IP.Content randomly decided to work. I wonder what the independent variable was.


So now after all this today I decided it would be a good idea to play around with 1 new application. ip.nexus. Now i'm not exactly an expert with nexus, however, all I know is that we have lost lots of money dude to past bugs with the system. So I decided to code a few custom actions which would make jobs that my admins have to do manually a lot easier. So while browsing the forums I saw mark boasting about how custom actions are great and the fact that IPS likes to do security by obscurity does not retard development at all because he tells us what the methods are…
well ok. But that would be cool if the methods actually had functionality to them.

So lets say I wanted to gift a subscription from one member to another.
Essentially, I would make a package with a custom field of the member who is being gifted.

Then on the onPaid method I would just get that custom field and promote the gifted member. Seems simple right?
Well I ran into the problem of the custom fields not being imported. Not a huge problem I can simply just query to get the custom field right?
Nvm the method doesn't even import the primary key of the current invoice being processed. Seriously how are you suppose to do anything if you don't even know what invoice is being processed.
Seriously if you are going to obfuscate your code because you aren't confident enough in your codes security. I would either A) not release until i was or B) Atleast make sure the parts that users can hook into give them the right amount of control.

I'm not quite sure if i've made myself clear but security by obscurity is an absolute joke.



Anyway this rant is becoming way to long I could go on and on about my frustrations with IP.SEO, the tracker, and converge (Yes, that is every IPS application I have ever used) so I shall end it here.

[FadE.]

wow what a rant dude!

[NenaDice]

Well, it is true that some articles about the Developing Section can use some extra details here and there, but overall they are easy to understand and follow. I can not speak for others, but personally I have never had any problems with them. They have helped me a lot at the begin in creating my first hooks.

[Mark]

For starters it is a huge relief that they used the new spelling of 'customizations'. I was really beginning to question wether those tutorials were really going to be advanced. Clearly the guy writing these 'advanced' tutorials must be right on the ball.

Incase you didn't get the joke I am saying who ever did that was retarded.

That "retarded" person would be me, and I'm from the UK, where we all spell "customisations" thus. It's the correct way :wink:

[Cozza]

That "retarded" person would be me, and I'm from the UK, where we all spell "customisations" thus. It's the correct way :wink:

I feel your pain mark, my community is primarily american. Though i'm from Australia we spell things differently, always copping flak from it!

ontopic: i haven't particularly had any issues with the documentation. Just read through it carefully and if there are any issues or concerns i just ledge a support ticket :smile:

[Aisha]

Hey man if you don't like it then don't use it. :) No one is forcing you to use their documentation.

[7SiN]

That "retarded" person would be me, and I'm from the UK, where we all spell "customisations" thus. It's the correct way :wink:

So the only thing you get out of this is the way a word is spelled?! That's one word out of thousands that have been written to shine light upon this boasted multi-platform product. And these are the types of answers we tend to get in our tickets and tracker...the ignoring of the true meat and potatoes of the content posted.

Also I apologize for my foul language. Was up for 24 hours and sick and tired of fixing bugs in a system that shouldn't be there or bugs that I'm told are either there for a reason or do not exist. I'd edit the post if I could, but sadly...can't.

[Michael]

As a developer, I've always found IPS's documentation to be a little less than what I'd hope for, but adequate. I don't need them to document everything that is possible, it's up to me to understand PHP code, all I want is for them to be able to show me how I can write hooks and apps to connect to their framework, and they do that. I feel if you're serious enough about wanting to develop with the product, you'll study the existing product to understand how things work. It should be fairly easy to see what the basics are to creating an application, since IP.Board comes with several. And then there is documentation that shows you how to expand upon that.

What would be very helpful would be if we had full phpdoc documentation for everything (maybe we do, and I just don't know where it is?), especially things like Nexus. Nexus is pretty much a complete black box to us outside of the office walls, except for the bit that is documented.

[Fishfish0001]

Isn't it sort of up to the owner of the server to know what they are doing in terms of security? I mean if you are unaware of all of the security issues that can arise, then you really need someone else to be there doing that for you.

Next thing you know we are going to have that MS Office Paperclip thing on the pages saying "I think you ment to do this, so I have fixed it for you."

[Marcher Technologies]

... Sev3n.. the docs you seem to be focused in on(as a dev IDK WHY) or not the ones that are useful to us as devs....
http://community.inv...oper-resources/
oh.. and a BIG thank you for the IPC 0-cache bug.... thats been pleasant.
yes the block data HAS to be stored SOMEWHERE... what did you think, auto-magically have data/changes without saving it to/loading it from the database?

[7SiN]

Isn't it sort of up to the owner of the server to know what they are doing in terms of security? I mean if you are unaware of all of the security issues that can arise, then you really need someone else to be there doing that for you.

Next thing you know we are going to have that MS Office Paperclip thing on the pages saying "I think you ment to do this, so I have fixed it for you."

Bc I'm sure you knew the answer to the universe the very second you installed IPB...

[Lindy]

This topic is already spiraling out of control. To the OP, we recognize documentation could be improved and it is indeed an ongoing project. If you have specific documentation feedback - ie: "I'd like to see xyz" documented, please do feel free to let us know. Referring to the team as "retarded" and chastising other members is not a productive or acceptable way to get your point across.

Thank you.