Spacebug Open Source Initiative » CakePHP

How to Make Web Pages Fit and Scale Nicely on Android Web Browser

Amir Shevat — Fri, 11 Mar 2011 15:50:35 +0000

I just released an Android version of my Cats Idol pet project – it lets you browse through photos of cats submitted by other people, rate the cats, and set the photos as your Android wallpaper.

One of the things I wanted to do was to provide users with the ability to upload photos straight from their phone. I decided that a web interface would be the easiest way to go at it. So, my application has a button called “Add cat” that launches the Android web browser with a URL of my server-side CakePHP-based upload HTML form.

The Problem

Then I ran in to a problem - The HTML upload page was “zoomed out” on android, seemed like the browser did not scale the HTML properly and you needed a lot of zooming in order to work with it.

I thought this was a problem with my android code but found that it was actually a server-side issue.

After some digging, I found a solution to this issue.

The Solution

Adding these two Meta Tags in the head Tag of the HTML page solved this issue:

In CakePHP I added these Meta Tags to the mobile.ctp layout so it will affect all pages using the mobile layout.

Using these Meta tags fixed the way Android showed the HTML web page – The page looks zoomed-in and fits the screen very nicely:

CakePHP Ajax/JSON calls fail? Try turning debug output off

Amir Shevat — Mon, 17 May 2010 03:34:17 +0000

CakePHP is a rapid development framework for PHP that provides an extensible architecture for developing, maintaining, and deploying applications. CakePHP provides several Ajax features, but if cakephp debug is not turned off, most Ajax calls and JSON encoding would fail.

The problem / symptoms

When calling a server side cakephp method through Ajax calls usualy in combination with JSON encoding, the call fails. The server returns HTTP 200 and everything seems fine, but the Ajax call just doesn’t work.

Diagnostic

By default, cakePHP adds debug information to it’s HTML output. This debug information is very useful, but also very disruptive to Ajax calls and JSON parsing.

The solution

Turn debug off by setting it to 0 – There are two ways you can do that:

1) For the entire cakephp application – go to core.php under the app/config folder and replace this line “Configure::write(‘debug’, 2);” with this line “Configure::write(‘debug’, 0);”

2) For only a specific method call – add this line to your relevant method in the controller –

function yourAjaxCallMethod() {
Configure::write(‘debug’, 0);

…

}

CakeOTP 1.1 – User Registration with One Time Password for CakePHP Released

Amir Shevat — Tue, 20 Apr 2010 14:05:08 +0000

CakeOTP is a reference implementation of User Registration with a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.

New in CakeOTP release 1.1

1) Automatic login process, after the account activation- The user is automatically logged into the site and is redirected to an internal page, immediately after activating his/her account.
2) User email validation.

Download this release here.

Checkout the Online Demo, project page and getting started page.

How to: Automatic User Login in CakePHP

Amir Shevat — Tue, 13 Apr 2010 19:27:42 +0000

Sometimes you need to enable silent (implicit) login for your users. A good example of this would be this – after a registration process, you would want to automatically login the user, rather then having him retype the user name and password.

In CakePHP there is a simple method in the Auth components that lets you login on the user’s behave.

Here is how it is done:

// assuming $password is the clear text password $this->data["User"]["password"] = $this->Auth->password($password); $this->data["User"]["username"] = $username;


// do the login

$login = $this->Auth->login($this->data);
// $login is true is login went well.

// now we can redirect the user to any page:

if($login){

   $this->redirect(array('controller' => "anycontroller",

          'action' => "any_secure_action", null));

}

This will be implemented in the next CakeOTP release.



Security issue in CakePHP code documentation
Amir Shevat — Fri, 05 Mar 2010 12:37:05 +0000
I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well document  platform for PHP application. The key advantages for me are – transparent OR mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.
I have came across a possible security issue in one of cakePHP code examples. This section of code is responsible to authorize or un-authorize clients access to a certain action (MVC flow)
action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        return true;
    }
?>

The major security rule this code is breaking is – never ever have ‘return true’ as a default for an authorization method.



Security driven operations should always return “unauthorized” as a default value.  You should always take the white-list-approach to authorization methods, in other words you want to allow privileges to specific scenarios and block all other scenarios by default.
This is how this method should be implemented:
action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            }
        }
	if ($this->action == 'view') {
                return true;
        }
	...
        return false;
    }
?>

A good way to prove this is a safer implementation would be to think what will happen if we add a new  action (let’s call it “edit”) and let’s say we forget to rewrite the isAuthorized method.

 Original implementation:  The ‘edit’ method would be accessible to any role in the system and the developer would have hard time discovering that he/she forgot to rewrite the isAuthorized method. This security hole might never be found until it is too late.
 New implementation: The ‘edit’ method will not be accessible to any role and the developer would immediately know that there is something he forgot to do.

I have submitted the correction to the official CakePHP tutorial and hopefully they will amend the reference code shortly.



CakeOTP 1.0 – Secure, Expirable, Table-less One Time Password for CakePHP Released
Amir Shevat — Thu, 11 Feb 2010 20:34:25 +0000

CakeOTP is a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.
A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used in the internet for registration and password reminder process in which OTPs are provides to the user in a form of a link that the user uses to access in order to create/reset his password.
The problem is that most one-time password implementation involve maintaining additional database tables and batch process that handle the persistence and expire date of the one time password. This adds complexity and reduces performance.
CakeOTP is a simple and clean implementation of one time password. It reduces complexity by removing the redundant SQL calls and DB batch maintenance while still keeping the one time password secure and expirable.
Download this release here.
Checkout the Online Demo, project page and getting started page.



Feel free to post comments and questions.



CakeOTP  0.1 beta release – One Time Password Reference Implementation for CakePHP
Amir Shevat — Fri, 22 Jan 2010 21:05:16 +0000


I have started to implement the algorithm for tableless, secure One time password.
Here is a link to the Demo, and here is a link to the beta release.
The only thing you need to do other then the regular cakePHP setup is to create a user table (used by the CakePHP Auth component):


CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` char(50) default NULL,
  `password` char(40) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=23 ;

Please note – This is still a beta release, just out of the oven – no documentation and extensive QA.
Any feedback or bug reports would be great.