[tooltrainer]

Well it’s not so much a matter of censoring, it’s a question of security. Until I had them whitelist a rule in ModSecurity, I couldn’t post a lot of stuff in WordPress either, whether from admin or not. ModSec is treating certain words as SQL language and assuming they are an injection attack attempt. I’ve seen this problem before many times in the past but never realized what it was until this issue and subsequent conversation.

They’ve now whitelisted /topic/, /forum/, and /edit/ and that seems to have fixed this issue. I’m guessing this isn’t really something that can/should be fixed from within bbP itself, but if I’m wrong feel free to do so.

And though I personally believe that bbP is the way to go for my community, my users are used to PHPbb and VBulletin sites and so this already seems “weird” to them. Adding technical issues and using beta software isn’t really helping instill confidence but hey that’s my choice to do. They’re spoiled by forum solutions with all the bells & whistles that I’ve had to add with plugins for things like Private Messaging, showing unread topics, protecting content for members only, signatures, etc. This is of course by design, and though I’m essentially putting back in a lot of the stuff that bbP has intended to leave out, I believe I wouldn’t be happy with the lack of integration of any other forum solution within WP so… bbP it is!

They’ll get used to it, I just hope I don’t lose any because they can’t make the leap. Time will tell, and bbP keeps getting better with time. I hope my posts never suggest a lack of appreciation for this plugin and all the work you’re putting into it!

Jonathan

[kai920]

What do you guys think about adding wp_register(); to the login widget?

https://codex.wordpress.org/Function_Reference/wp_register

[Gautam Gupta]

qzplx: For theme integration, you can either do deep integration – looks like that didn’t work for you OR create a new theme based on your wp theme on your own. There is a theme integrator too.

[John James Jacoby]

If your host is controlling what parts of your site what words are allowed where, to the point where it’s censoring genuine conversation, that’s a conversation to have with them.

There are a few things you can do to confirm, but it depends if they’ve white listed those locations or not.

1. Can you post a blog comment with that same content?

2. Can you create a reply within /wp-admin/ with the same content?

Your members are “unimpressed” because they’re frustrated, and because your site is unfinished because bbPress has only had a handful of testers in recent months. You’re opting to be a tester, which is *great* of course… but making the decision to let other people use an unfinished site never goes well.

Your feedback is invaluable, and their unhappiness is going towards a good cause. If you communicate that to them clearly, in my experience that usually calms them down.

[Kevin Muldoon]

I’m getting the same issue. It runs fine in my test area but when I activate it on my live site the admin area goes white. Will look into what plugin is causing this

[tooltrainer]

Yeah probably true, I’m just impatient. The host have whitelisted URLs beginning with /edit/ which has fixed existing posts that are being edited, but does not fix creation of new posts or replies.

For the moment, I’m having them whitelist /forum/ and /topic/ as well. If JJJ can suggest a better solution or fix to this, then I’ll just have them remove the whitelist rules. I’d certainly rather not have to override any security, but my members are getting annoyed and right now are “very unimpressed” with my choice of forum software.

Jonathan

[Anointed]

before you relax the rules, wait until we hear from JJ. There is a possibility that the info is being saved to the db in a slightly different way than standard posts.

I’ve been reading through the code, but do not have a strong enough understanding of wp to know for sure.

No reason to relax unless needed, more security is always best

[tooltrainer]

Yep I just found the same:

ModSecurity: Access denied with code 500 (phase 2). Pattern match “((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe):space:+[A-Z|a-z|$

I’m guessing it’s my use of the word “create” in my example string.

Given how much my forum discusses code, I think I’m going to have no long term option but to relax ModSec. I’ve already asked the host to look into it so hopefully they come up with something.

Thanks for all your pointers as usual!

Jonathan

[Anointed]

It is not the individual words but the combination spaces and keywords that are usually used to ‘inject malicious code’ into a db.

select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe

*each host uses diff keywords, so your rules may vary

I’d wait until you hear from JJ, just in case the info is saved to the db differently before you mod anything in mod-security

[Anointed]

Yup, it is mod-security, same on my end:

[Sat May 28 18:03:04 2011] [error] [client ip] mod_security: Access denied with code 403. Pattern match ":space:+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe):space:+[A-Z|a-z|0-9|\\*| |\\,]+:space:+(from|into|table|database|index|view):space:+[A-Z|a-z|0-9|\\*| |\\,]" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "mysite.com"] [uri "/topic/need-healing/page/3/"] [unique_id "TeFxGEUuJUQAAGLkflw"]

You are probably going to have to have your host think about relaxing the rules.

Only thing I don’t understand is why it works on posts but not topics/replies. I will read through how the topic/reply is being saved to the db and see if I can track it down. If not, I’ll ask JJ later.

(he’s finally asleep after pulling yet another all nighter)

[Anointed]

@tooltrainer

Keep in mind that this is only beta2, and there are very few people using this plugin so far. It is NOT intended for a live site as noted many times.

*one last set of tests if you don’t mind:

1. Try to create a new topic with the exact same string you are trying and see if that works.

2. Try to create a new reply with the exact same string you are trying and see if that works.

That will tell me if it is the replies or topics part of the code to look into.

Finally, understand you have tried this same string a number of times, so it could be a hidden duplicate in the db. I would check your db tables to see if any of these attempts managed to save in a cell behind the scenes.

JJ has been working on this plugin non-stop, check the change-log, and you will see he never sleeps LOL

I still think it may have something to do with mod-rewrite. I am 100% that is what happened to me, although it could be different for you.

What you really need is some server logs in order to really help track this down. If you have a half decent host, then it should only take them 2 mins to track down any errors.

*It is a good idea to ask your host how to access your own error logs for server, security, and php

[tooltrainer]

Yeah I can paste the content into a post without any issue.

I’ll go through line by line until I find the offender(s), but if this is going to be a continued problem, I’m going to have to abandon bbP. If this is a bug I’m surprised nobody else is seeing it.

Jonathan

[scylderon]

Would be helpful to know how to integrate BuddyPress hooks into the bbp template as well. For example:

<?php echo xprofile_get_field_data(#); ?>

or

<a href="<?php bp_displayed_user_link() ?>"><?php bp_displayed_user_fullname() ?></a>

[mhjerde99]

Great stuff!

@kai920 +1 for adding “register” link to the login widget. And I like Register Plus Redux, that plugin works nicely!

@anointed Thanks, good tip! Implemented.

My sidebars disappeared when upgrading to beta 2b. I’m using the Woo Sidebar Manager and I had to move login/registration down in the footer for the time being. I can’t say for sure that there is causation. Esp because Sidebar Manager seems a bit flaky. But it happened at the same time

[Anointed]

@mhjerde99 Can I make a suggestion on the template?

Add the following to your woothemes custom.css file in order to get full width forums. I saw your post over there, but didn’t really have time to answer your questions as I am also very busy building a custom woo theme.

#content table.bbp-topics, #content table.bbp-forums, #content table.bbp-replies, #container table.bbp-topics, #container table.bbp-forums, #container table.bbp-replies, #main table.bbp-topics, #main table.bbp-forums, #main table.bbp-replies {

width: 100% !important;

}

[kai920]

I was just looking into this topic a bit – I wonder if it’s useful to add a “Register” link at the bottom of the login widget inside /bbp-includes/bbp-core-widgets.php? This would bring a user directly to /wp-login.php?action=register and would only display if WP’s “Anyone can register” option was turned on.

I’ve also just installed the Register Plus Redux plugin (https://wordpress.org/extend/plugins/register-plus-redux/) which allows you to upload your own image for the registration page and gives other nice options.

[kai920]

Good to hear – just updated to 3254 and I see Home > Forums > Forum Name breadcrumb

[John James Jacoby]

I’ve been tweaking the breadcrumbs, trying to find the sweet spot. There’s starting to be a lot of possible ways to display the forum archives now. With page templates, archives, shortcodes, etc… it’s hard to know what is the actual root and where.

I think I’ve got it dialed in for Beta 3. I spent the majority of last night testing all of the above scenarios.

[tooltrainer]

Definitely no chance at all that the content is identical. It’s like a 2 or 3 page post.

I turned on the slug and – IT POSTED!

So you’re right on with that… problem is I really seriously don’t want those slugs being shown. So is this just a bug that can be fixed perhaps?

Thanks!

Jonathan

[John James Jacoby]

I can guarantee you with 100% confidence that a bbPress plugin update alone will *never* nuke any files outside of the /wp-content/plugins/bbpress/ folder.

When you update any WordPress plugin through the auto-updater, it deletes the plugin folder, recreates it, and puts the contents of the new version in there; that’s it.

[John James Jacoby]

When are adding your theme compatibility? If you are hooking in on the ‘init’ or ‘wp’ actions, then it is too late for theme compatibility to pick it up.

function anointed_theme_setup() {

add_theme_support( 'bbpress' );

}

add_action( 'after_setup_theme', 'anointed_theme_setup' );

Can you confirm the bbpress.css is inside the bbPress plugin directory and bbp-twentyten theme?

If it wasn’t working at all, then your custom theme’s bbPress template files wouldn’t be getting loaded either.

[John James Jacoby]

@Johnathan – Can you use a tool like Firebug or Inspector, and look at the hidden input fields in your reply form?

Should look like the following

<input type="hidden" name="bbp_reply_title" id="bbp_reply_title" value="Reply To: Updated to bbPress 2.0 pre-beta 2" />

<input type="hidden" name="bbp_forum_id" id="bbp_forum_id"    value="138" />

<input type="hidden" name="bbp_topic_id" id="bbp_topic_id"    value="439" />

<input type="hidden" name="action" id="bbp_post_action" value="bbp-new-reply" />

<input type="hidden" id="_wpnonce" name="_wpnonce" value="0b78bb87eb" />

<input type="hidden" name="_wp_http_referer" value="/discussion/topic/updated-to-bbpress-2-0-pre-beta-2/" />

Also, some details about your configuration would be great. WordPress version, Multisite/single-site, custom theme/theme compatibility, etc…

[John James Jacoby]

There’s absolutely no way that bbPress is responsible for doing anything inside your wp-content/themes/ directory. If you made changes to files inside the bbPress plugin folder, then you broke the first rule of using a WordPress plugin.

[Anointed]

I’m no sysadmin, so understanding what is happening is a bit beyond me right now.

Here’s what I was doing to cause the 403 error:

1. I wanted to test to see what bbpress does with a really long forum post title, so I tried the following:

Let’s create a really crazy long title name to see if the table properly removes any extra text from the title or not

The body of the post says:

Well I hope that title above was long enough, I can’t imagine any forum titles being longer than this one.

When I click submit, I get a 403error below:

[Fri May 27 20:21:10 2011] [error] [client 76.121.8.129] mod_security: Access denied with code 403. Pattern match ":space:+(select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe):space:+[A-Z|a-z|0-9|\\*| |\\,]+:space:+(from|into|table|database|index|view):space:+[A-Z|a-z|0-9|\\*| |\\,]" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "mysite.com"] [uri "/forum/prayer-requests/healing/"] [unique_id "TeA-9kUuJUQAABVAGuk"]

I am unsure of how to interpret the error, and what steps I need to take in order to resolve the problem. Hope this error helps identify something.

[wsokc]

Gotcha…

Its because of bb_config integration.

/** WP Theme **/

define(‘WP_BB’, true);

if ( !defined(‘DB_NAME’) ) {

require_once( dirname(__FILE__) . ‘/../wp-config.php’);

}

Hmmm… Last time is not happening, why its happened now ?

Is there any solution to integrate the theme without having to hardcode the theme itself ?

Currently I installed bbpress on separate database.

and I intend to separate the user too.

So I want only to integrate the theme….

Any better solution for this ?