PhpBB3

From RavenWiki
Revision as of 20:24, 18 July 2008 by jml4 (talk | contribs) (Add details of phpBB3.0.2-raven-0.5 + misc tidying)
Jump to navigationJump to search

Introduction

phpBB is a very popular PHP-based web forum package, which has been extensively updated for version 3.

Although phpBB3 includes an authentication "plug-in" facility, that does not make it trivial to enable use of Raven - it makes too many assumptions about how authentication works.

As the first stage of a larger project, the Computing Service has developed the necessary modifications to allow fully integrated use of Raven with phpBB3. Those modifications are being made available in the hope that they will be of wider use around the University.

While there is no formal guarantee of support for any problems, any problems affecting Computing Service use of the modifications are likely to be addressed, sooner or later.

Since there is currently no way to automatically install modifications supplied in the XML-based phpBB3 "mod file" format (and manual installation would be very fiddly), these modifications are being provided as sets of added and replacement files for specific phpBB3 versions. NB Installing them on any other version would most likely be disastrous, losing significant changes between the phpBB versions and quite probably breaking phpBB3 functionality.

phpBB3.0.2-raven-0.5

Version 0.5 is compatible with phpBB 3.0.2, but otherwise unchanged from versions 0.31 & 0.4 (see below). It should not be used with any other version of phpBB.

Downloads:

phpBB3.0.1-raven-0.4

Version 0.4 is compatible with phpBB 3.0.1, but otherwise unchanged from version 0.31 (see below). It should not be used with any other version of phpBB.

Downloads:

phpBB3.0.0-raven-0.31

Version 0.31 is a small - but important - update to version 0.3. It includes an updated (version 0.62) copy of the PHP authentication library (ucam_webauth.php) which resolves a potentially serious security problem described in an announcement (29 Apr 2008) on the cs-raven-announce and cs-raven-discuss mailing lists.

See New version (0.51) of the ucam_webauth.php library [SECURITY FIX] in the mailing list archive for details of the problem.

It is recommended that any phpBB installation using an earlier version of these modifications should be upgraded, in order to resolve the security issue.

NB You cannot simply switch to using version 0.51 of ucam_webauth.php (as previously announced) with phpBB to fix the security problem, since (a) the security fix requires changes in the application using it, and (b) the phpBB modifications require an enhanced version of ucam_webauth.php.

As for earlier versions of these modifications, the required version of ucam_webauth.php is included in the phpBB modifications kit. Also, the enhanced version (0.62) of ucam_webauth.php is not suitable for applications requiring the older functionality, as that currently has known problems rendering it unusable. It is hoped that a future version of ucam_webauth.php will correct that, make the enhanced functionality more widely available and remove the need for different versions to be used by different applications.

For phpBB 3.0.0 installations using version 0.3 of these modifications, a simplified installation procedure is documented in the INSTALL file, amounting to copying three modified files from the kit and (typically) one or two changes to the phpBB configuration.

The main difference between version 0.3/0.31 of these modifications and the earlier versions (apart from the security fix) is support for the official phpBB 3.0.0 release (whereas prior modifications were for phpBB3 "release candidate" versions). Additionally, the location of the Raven server's public key file(s) is now specified through the Admin Control Panel (rather than by editing a file), and various checks are done before enabling Raven authentication, refusing to enable it (with an explanation) if any of the various pre-requisites (such as the PHP OpenSSL extension) are not met. That greatly reducing the risk that Raven authentication will be enabled when it is certain to fail. The README file in the tar and zip file kits has been split into three files: Changelog (details of what's changed), README (what to expect from these modifications, etc.) and INSTALL (how to install the modifications).

Special care is needed (details in the INSTALL file)

  • if you are upgrading from version 0.2 or earlier of these modifications (because of the change to how the the Raven public key directory is specified), and also
  • for upgrades from version 0.3 and earlier, and also for new installations (to ensure that a couple of phpBB configuration settings are compatible with the security fix, as their default values set during installation may not be appropriate)

Downloads:

Future plans

With no promises about timescales, or exactly what will be included in futures versions, the following may be of interest as a guide to potential short-term developments.

Support for later phpBB releases

  • updated versions may be be made available for future phpBB releases

Planned enhancements to existing facilities

  • improvements to error handling
  • resolution of known problems documented in the README file

Planned new functionality

  • (optional) ability to use data from the University of Cambridge "lookup" directory to set relevant phpBB3 User Profile fields.