
Colonel_mortis last won the day on September 27 2016

Colonel_mortis had the most liked content!

About Colonel_mortis

  • Rank
    Community Regular

IPS Marketplace

  • Resources Contributor
    Total file submissions: 4

Profile Information

  • Interests
    Breaking things
    Making the devs pull their hair out


  1. I don't disagree, and I think it makes sense. However, I would dispute your claim that it requires a new DNS lookup, TCP connection and TLS setup - it is fetching from the same server as the main content, so if your server is correctly configured with keep-alive it will reuse the existing connection, resulting in 0ms overhead. Even if you have keep-alive disabled (as IPS did for a while, although they may have changed that now), the DNS lookup will always have been cached, and if you are running an up to date version of OpenSSL and nginx/Apache you can get 0- or 1-RTT TLS session resumption, so there should only be 1-2 round trips of overhead. Resending the cookies is still a reasonable concern, but the others are not.
  2. Not all of my members want to receive new device emails - some people regularly log into different devices or are browsing at work and don't want to leave cookies behind. I do want staff members to receive new device emails, and currently there is no way to have it both ways. I propose that the new device email setting should be 3- or 4-way configurable – on for everyone, default on but customisable, default off but customisable, and off for everyone. The setting would fit nicely on the "Account Security" page (2FA) of account settings. Alternatively, at least make it a per-group setting. It would also be nice to get a similar email for ACP logins, perhaps using the same device tracking as the front end to avoid sending too many emails.
  3. I've not read through the whole topic in detail. However, for what it's worth, enabling X-XSS-Protection (XXP) breaks embeds in Safari under certain circumstances. Also, XXP has absolutely nothing to do with DDoS attacks; it is just a rudimentary safeguard against reflected XSS attacks. Of the handful of XSS attacks that I can recall finding in IPS, only one could be blocked by XXP (and as it happens, it was on a page where XXP was enabled and the attack was blocked in the browsers which support it).
  4. All activity currently checks for updates automatically, but only inserts them when you click the button. It would be nice, as suggested by one of my members, to add the option of automatically showing the new posts too. It adds no extra server load, because the posts are already loaded into the browser during the background poll, not when they click show. This could get annoying if the user is scrolled below the top and there is no handling of scrolling the viewport to match where they were looking, but this can be solved by making it an option, or by implementing viewport scrolling so the posts are inserted above but the browser is scrolled accordingly so they don't notice.
  5. Downloading the image was the thing I originally posted in the OP... But glad to hear that you're working on it.
  6. If the user disables the map, the EXIF data is still retained on the image (when using ImageMagick), so this gives the user a dangerous false sense of security that their location is private. All I need to do is download the image and I can extract the location.
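The check and the fix an operator would want for the problem described in that post, as an added example rather than code from the post or from IPS: walk the JPEG segment list, report whether the Exif APP1 block carries a GPSInfo sub-IFD (standard TIFF tag 0x8825), and produce a copy with the Exif/XMP (APP1) and comment (COM) segments removed while leaving the scan data, JFIF and ICC segments intact. The sample image bytes are constructed inline for the demonstration; on a real deployment the same scan runs over the uploaded file (the equivalent in ImageMagick is its strip operation, e.g. Imagick::stripImage()).

```python
import struct

# JPEG segment markers (each is 0xFF followed by the byte below).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, COM = 0xE0, 0xE1, 0xFE
# TIFF/Exif tag in IFD0 that points at the GPS sub-IFD.
GPS_INFO_TAG = 0x8825


def _segments(jpeg):
    """Yield (marker, start, end) byte ranges for each segment after SOI.

    The SOS segment is yielded with end == len(jpeg): from SOS onward the
    file is entropy-coded scan data, which is never parsed or modified here.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, pos, len(jpeg)
            return
        # The length field counts itself (2 bytes) but not the marker.
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_has_gps(payload):
    """True if an APP1 payload is Exif and its IFD0 contains a GPSInfo entry."""
    if not payload.startswith(b"Exif\x00\x00"):
        return False  # XMP or other APP1 content: no TIFF structure to read
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i  # every IFD entry is 12 bytes
        if entry + 12 > len(tiff):
            break
        tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
        if tag == GPS_INFO_TAG:
            return True
    return False


def has_gps_location(jpeg):
    """Report whether any Exif block in the file carries a GPS sub-IFD."""
    for marker, start, end in _segments(jpeg):
        # start + 4 skips the 2-byte marker and the 2-byte length field.
        if marker == APP1 and exif_has_gps(jpeg[start + 4:end]):
            return True
    return False


def strip_metadata(jpeg):
    """Return a copy without APP1 (Exif/XMP) and COM segments.

    APP0 (JFIF), APP2 (ICC) and everything from SOS onward are copied through,
    so the image still decodes and renders as before.
    """
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if marker not in (APP1, COM):
            out += jpeg[start:end]
    return bytes(out)


def _build_sample_jpeg(with_gps):
    """Constructed sample (not a real photo): SOI, JFIF, Exif, COM, SOS, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)  # big-endian TIFF, IFD0 at 8
    entries = [struct.pack(">HHI", 0x0110, 2, 4) + b"cam\x00"]  # Model, ASCII
    if with_gps:
        # GPSInfo, type LONG, count 1, pointer to a GPS IFD (offset is a dummy).
        entries.append(struct.pack(">HHII", GPS_INFO_TAG, 4, 1, 26))
    ifd0 = struct.pack(">H", len(entries)) + b"".join(entries) + b"\x00" * 4
    exif = b"Exif\x00\x00" + tiff + ifd0

    def seg(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = (b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x00\x01\x02" + b"\xff\xd9")  # placeholder scan data + EOI
    return (b"\xff\xd8" + seg(APP0, jfif) + seg(APP1, exif)
            + seg(COM, b"constructed sample") + scan)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _build_sample_jpeg(True)
    print("GPS location present:", has_gps_location(data))
    cleaned = strip_metadata(data)
    print("after strip:", has_gps_location(cleaned), len(data), "->", len(cleaned), "bytes")
```

Run it with a path to a JPEG to audit an existing upload, or with no arguments to see it act on the constructed sample. The parser only reads IFD0 entries, which is enough to answer "is there a GPS sub-IFD at all"; it deliberately does not decode the coordinates, since the only decision an upload handler needs is whether to strip.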
  7. Ah, you seem to be right. I guess I must have been thrown off by the method name, because I did think I had checked how it worked. Nothing to see here. However, I would still like to see the user being given the option to use the name or choose another, rather than it being an admin decision, or at the very least it shouldn't count towards their username changes.
  8. The following is from the Facebook login handler; other default login handlers are largely the same:

         /**
          * Get authenticated user's username
          * May return NULL if server doesn't support this
          *
          * @param string $accessToken Access Token
          * @return string|NULL
          */
         protected function authenticatedUserName( $accessToken )
         {
             if ( isset( $this->settings['real_name'] ) and $this->settings['real_name'] )
             {
                 return $this->_userData( $accessToken )['name'];
             }
             return NULL;
         }

     This function does not fulfil the contract specified in the documentation - the server does support getting the name, regardless of the real name configuration. By returning NULL when real name import is disabled, my name won't be shown in my account settings, or in ACP. This is not good, and defeats most of the point of displaying the name in UCP/ACP in the first place. Moreover, the whole username import process is not fit for purpose in my view. If I create an account, I don't want to be forced to use the name from my social service, especially as when that feature is enabled it counts as a username change, so I can't actually change it for some time (as specified by the admin, 180 days on my site). I would, however, like my name to be prefilled in the username box, at least when connecting to a site that doesn't use my real name. Also, on some third party sites, my display name and my username might be different, and I would like my display name to be prefilled when creating my username here, but I would like my username to be displayed when viewing my account link in my settings (and ACP). A concrete example: I want to let people use their Steam name, but lots of people on Steam have clan tags in their usernames, which would not make sense on my site. They should get the option to edit their name to remove these clan tags before creating the account. Another concrete example: On Discord, my display name is, say, "coolName". There can be multiple people called "coolName", so internally I am actually "coolName#1234", and this is displayed in some places. When I create an account, I want "coolName" to be prefilled in the box, but when I view it in my account settings (or, more importantly, in ACP), I want to see that it's actually coolName#1234. You can fix this by removing all the useless stuff from authenticatedUserName, and just prefilling the username box with the value from it if available. If no name is available, it will behave as it does now, but if the service provides a name it can be prefilled magically (or, if you really think users appreciate less friction over having their real name displayed next to their posts without getting a choice about it, you could give admins the option of automatically creating the account with that name, but it should be an OPTION). Ideally, also add another method for getting the name to display in account settings and/or ACP (separate methods would be nice, but the same is fine), which defaults to the name returned above, but lets me return a different value if I so desire.
  9. And yet I still see people asking how they can add a local password. Using "forgot your password" when you never had a password is not intuitive enough for all of my relatively technical users (I of course don't have figures for how many people figured it out on their own, and how many people looked at their account settings, couldn't see a way to add a local password, and gave up).
  10. There are a few reasons that spring to mind:
      • They want to be able to log into a device that they're not signed into Facebook on, or a device where Facebook is blocked (school, work)
      • Privacy - if they signed up with Facebook, but no longer wish to grant other sites access to their Facebook data (which includes their real name), they would want to switch to local login (since switching to Google/Microsoft/etc would shift but not solve the issue)
      • They want to delete their Facebook/... account
      • Security - at least to me, I would rather not need to place extra trust in a third party service (and rely on it having been connected correctly) as well as the existing trust that I need to have for the site itself. While I am sure that there is no risk, I still don't permit anything other than local passwords for ACP login.
      • Redundancy - third party logins have failed in the past (usually due to problems on my end, but that doesn't actually matter), so having a way of logging in when that happens is useful (they can use the reset password link, but that is not communicated to users).
      Personally, I try to keep everything isolated to one site, so I very rarely use social login options. That way, no matter what happens to Facebook, my account on websiteX will be safe, and no matter what happens on websiteX, my account and data on Facebook will be safe.
  11. In 4.3 (I think), you added support for LOGIN_REAUTHENTICATE, which you use to verify a user's authenticity when changing their email or 2FA credentials. This means that the ability to authenticate by a method supported by LOGIN_REAUTHENTICATE is sufficient to add a local password anyway, as you can change the email then reset the password. LOGIN_REAUTHENTICATE supports reauthentication using social login methods such as Facebook. However, there is still no UI support for adding a local password if you currently only have social logins enabled, so you have to go through the password reset process. This is poor UX, and is not at all clear to users who are trying to add a local password (there is no message that they should do this). As there is negligible security benefit of the current system, I think it would make sense to allow users to add local passwords in the same way as users can change their existing passwords, but allowing them to authenticate using a social login to gain access to the new password form.
  12. Or it should be an extra option. If I ignore a member, I don't just not want to see the posts that they make within a topic, I also don't want to see the topics that they have posted. This has been requested by a few members on my site.
  13. Suggested to me by a member. Especially when you're pasting images into the editor, but also when reviewing attachments associated with your account, it would be useful to be able to rename them to make certain files easier to find, so that they can be referred to elsewhere.
  14. As much as I would absolutely love IPS to switch to a better language, like Go, the big benefit of PHP is that every webhost supports PHP, but very few will support any compiled languages like Go. While many more technical users are running on a VPS, there are a lot of people still using shared or managed hosting, and I would be quite surprised if IPS dropped support for them any time soon. Perhaps if CiC became much more reasonably priced there could be an argument for it, but it would still cause a lot of complaints I expect. If they did switch language though, and go through the whole process of retraining their staff, I don't see any reason to stick with PHP for any part of it - if you're going to do a service-oriented architecture like that, you might as well do the front end using a framework like React or Angular, and just do an API backend. Again, I would really love it if this did happen, but it seems pretty unlikely to me.
  15. The 4.3-style announcements look really nice, and a big improvement over the earlier versions. However, I still have a couple of issues with them that I think would be super easy to solve and would make them much better:
      • Allow announcements without a description, or that link somewhere else. Spoiler alert: you want this too - on this site you have a commented out banner which is exactly what I'm asking for: (but with the option of it just being a link to somewhere else too). This would be used for things that don't need any more content, like "Site maintenance tomorrow", and references to other areas, such as the rules.
      • Make the announcement areas more consistent. Currently the top announcement has a "Read more" link, the contentTop announcement is all a link and has a bullhorn at the start, and the sidebar announcement has a bullhorn at the top of the block, each announcement is entirely a link, and has a random (i) icon at the end. This is not great UX.
      • The announcement sidebar block doesn't show unless you have another block in the sidebar - there's no way to display just the announcements. While it's useful to be able to not show announcements or the sidebar in general on a page, I could plausibly want to show the announcements and nothing else. It's also pretty poor UX when adding blocks, because the announcements don't show up/disappear until you refresh the page.
      Fix these (especially the first - I can tweak the second in themes and the third doesn't actually matter to me personally) and I will be very happy with announcements.