Andy Millne

New Application Extensions Three new application extensions are available; core/RssImport core/MobileNavigation core/OverviewStatistics \IPS\Application::getRootPath() A new \IPS\Application::getRootPath() method is available to return the path to application files regardless of the server environment, which should be used instead of \IPS\ROOT_PATH Stock Photos The WYSIWYG editor now includes an "allowStockPhotos" options array parameter. A boolean value is accepted and will determine whether or not the editor can have images attached via the Pixabay stock photo picker if also enabled in community enhancements. Admin Control Panel CSRF Protection Additional protections are now required for admin control panel controllers to protect against cross site request forgery attacks. The steps required are described in the security considerations guide.

The Invision Community framework is set up with security best practices in mind but there are a few things you should make use of in order to not inadvertently bypass these protections. Validating User Input Where your application or plugins request user data the built in Form handling methods should be used. By default form input is protected against vulnerabilities but you should still ensure the correct form types are used for example using email address, number and radio fields etc. where appropriate. This not only provides the best user experience but also means the input is validated using appropriate methods. When using environment, request and cookie variables you should also be sure to use the \IPS\Request methods that are adjusted to account for environment differences. This data is *not* validated and should be treated as untrusted and validated and sanitised as appropriate. Escaping Output Invision Community template syntax automatically escapes variables on output but this can be bypassed with the raw modifier as explained in the template syntax guide. The raw modifier should only ever be used with trusted and sanitised content otherwise a risk of introducing a vulnerability exists. Querying The Database The database class contains distinct methods for selecting, updating, inserting and deleting data and contains security features to prevent database injection vulnerabilities. The raw query() method should be avoided wherever possible and if used, only ever with sanitised and pre-formatted queries. Protecting Against Cross Site Request Forgeries Any methods that alter data/state, or which process any data, should be protected against cross site request forgeries to make sure requests are initiated by the user that intended it. When using the built in form handling methods this will occur automatically when called in conjunction with the $form->values() method. Outside of forms you can protect links generated with the built in URL classes by using the built in csrf() method. For example the following; \IPS\Http\Url::internal( "app=myapp&module=mymodule&controller=mycontroller&do=myaction" )->csrf() ...will add the csrf key to your link. The controller that acts on the request should then be protected by adding the following before the action is performed. For example; public function myaction() { \IPS\Session::i()->csrfCheck(); // Your code here } Both of these steps must be in place for an effective CSRF defense. When deleting something, you should also implement the deletion public function delete() { \IPS\Request::i()->confirmedDelete(); //your deletion logic } In addition, within the admin control panel you should add the following class property to confirm suitable CSRF checks are in place; /** * @brief Has been CSRF-protected */ public static $csrfProtected = TRUE; This page is not an exhaustive list of security considerations and serves only as a guide to the most common pitfalls new developers face. Industry best practices should be followed at all times when developing applications and plugins for the Invision Community platform.

What it is MobileNavigation extensions are used to add new tabs to the mobile app navigation menu, tying in directly with the menu manager in the AdminCP. How to use Many of the same methods are implemented as the core/FrontNavigation extension so if you are familiar with this extension you already have a head start. Implemented methods in the mobile navigation extension are as follows; /** * Can the currently logged in user access the content this item links to? * * @return bool */ public function canAccessContent() The canAccessContent() method allows you to dynamically check if the current viewing member an access the page or not. Often this will come down to checking if the member can access the module or not, however you can perform whatever checks you want, returning TRUE if the member can access the tab and FALSE if not. /** * Get Title * * @return string */ public function title() The title() method returns the tab title to display within the app. /** * Get Link * * @return \IPS\Http\Url */ public function link() The link() method, as you might expect, returns the link that the tab should point to. A full \IPS\Http\Url object should be returned. /** * Permissions can be inherited? * * @return bool */ public static function permissionsCanInherit() By default permissions can be inherited by menu items (e.g. if you cannot access any menu items, do not show the tab), however you can disable this if you wish by overriding this method and returning FALSE. /** * Allow multiple instances? * * @return string */ public static function allowMultiple() By default, only one instance of a menu item is available to set up (so you cannot create two 'Gallery' tabs by choosing Gallery in the menu manager), however if your menu class would benefit from supporting multiple instances this method can be overridden and return TRUE. This is used for the base generic Menu mobile navigation extension, for instance, as you may want to create multiple menus. /** * Get configuration fields * * @param array $configuration The existing configuration, if editing an existing item * @param int $id The ID number of the existing item, if editing * @return array */ public static function configuration( $existingConfiguration, $id = NULL ) If your menu requires special configuration, you can define a static configuration() method to return an array of form helper elements to display in order to configure the menu. /** * Parse configuration fields * * @param array $configuration The values received from the form * @return array */ public static function parseConfiguration( $configuration, $id ) If your menu requires special configuration, you can define a static parseConfiguration() method to process the form helper elements returned with the configuration() method described above. /** * Can this item be used at all? * For example, if this will link to a particular feature which has been diabled, it should * not be available, even if the user has permission * * @return bool */ public static function isEnabled() As the docblock states, you can return FALSE from the isEnabled() method if you need to completely disable the menu item regardless of user permissions. MobileNavigation extensions extend \IPS\core\MobileNavigation\MobileNavigationAbstract so it is worth taking a look at this class to understand the methods being extended and how they interact if there is any confusion.

You can allow your members to sign in to your community using their Apple ID with the benefits that brings such as FaceID/Touch ID and Two factor authentication. Using this method, members can also protect their privacy by choosing to hide their real email address. Their account will be created using a relay email address unique to your community. Sign in with Apple requires a paid Apple developer account that can be created at https://developer.apple.com. Creating the Credentials Once you have an Apple developer account you can create the credentials needed. Create an App ID Go to Certificates, Identifiers and Profiles. Click on Identifiers from the side menu and then the + icon to create an identifier. Choose App IDs on the first step and click continue. Enter a description and Bundle ID. The description can be anything you like but your community name is a good one. The recommended bundle ID is the reverse DNS style of your domain name e.g. com.yourdomain. Select "Sign in with Apple" from the list of capabilities and then confirm. Create a Services ID Return to the identifiers page, click the + icon again and this time choose Services IDs followed by Continue. For the description you can enter the same as you did for the App ID above. For the Identifier field enter the same identifier as in the first step followed by .client e.g. com.yourdomain.client. This is your Services ID - make a note of it, since you'll need it later when setting up Invision Community. Click Continue and then Register. You will see your service listed on the Services page. Click the service you just created. From the capabilities list, again select Sign in with Apple and then configure. This is where you will add your community domain name. First select the App ID you created in the first step above and then enter your domain name. If you only have one App ID on your developer account it should already be selected. The return URL should be set as the path to your community followed by /oauth/callback/ e.g. yourdomain.com/oauth/callback Click Next, then Done to close the popup. Click Continue then Save on the page. Create a Private Key After returning to Certificates, Identifiers & Profiles choose "Keys" from the side menu and then the + icon to create a new key. Enter a key name select Sign in with Apple from the list of capabilities and click configure. Select the App ID you created earlier and click Save. On the page you are returned to, click Register. A .p8 key file will now be generated. Be sure to save this key now as it can't be retrieved later. Finally, return to the key details page and make note of your Key ID. Fetch your Team ID The Team ID can be found on the Membership page in your Apple developer account, or at the top of most pages when creating/editing keys and services. Set up Invision Community You should now have a Services ID, Team ID, Key ID and Key file you can use to set up Invision Community. In your Invision Community admin control panel go to System > Settings > Login & Registration and click "Create New" on the Methods tab. Choose Apple from the list of handlers. You can now enter the credentials obtained above and upload the .p8 key file and set the other settings according to your preference. Click Save. A test of your settings will be performed and if everything is correct Sign in with Apple will be enabled on your community.