file: RELEASENOTES

2016-jun-16
 - COMPAT BUSTER: PEAR::Log required for logentry() function to work

2015-dec-25
 - FEATURE: updated www site (bbsengine.org) to use scss files.  this is
   mostly a change in the Makefiles to do a proper conversion from scss to
   css.  the actual bbsengine has not had its css files converted yet. this
   feature did not require any code changes, so strictly speaking it is
   "optional"
 - COMPAT BUSTER: bbsengine now requires php 5.4!
 - COMPAT BUSTER: requires a beta version of MDB2 (pear)
 - COMPAT BUSTER: requires a beta version of HTML_Page2 which has the
   getBodyContent() method.
 - FEATURE: 'enhanced forms'. using a combination of javascript and custom
   php, fade out a form and fade up the result page using a css3 animation.
 - FEATURE: 'USESHOPPINGCART' define which adds ecommerce related functions
   to bbsengine including a 'currectcart' smarty variable available to all
   templates.

2014-May-23
  - "attributes" are removed (essentially user variables stored in the db)

2012-Jul-12
  - SECURITY: added call to session_regenerate_id() to login.php to protect
    against possible 'session fixation' attack. @see https://www.owasp.org/index.php/Testing_for_Session_Fixation_%28OWASP-SM-003%29
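
As an added illustration (not bbsengine's login.php), the pattern this entry describes: the session id is regenerated only after the credential check succeeds, so an id established before login never becomes an authenticated session. authenticate() is a placeholder for the real member lookup.

```php
<?php
// Added example, not bbsengine's login.php. authenticate() is a placeholder
// for the real member/password check against the database.

// Accept the session id from the cookie only, never from a URL parameter;
// this closes the simplest way of handing a visitor a pre-chosen session id.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

function authenticate($handle, $password)
{
    // Placeholder credential check; the real one queries the member table.
    return $handle === 'demo' && $password === 'correct horse battery';
}

function login($handle, $password)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!authenticate($handle, $password)) {
        return false;
    }
    // The fix from the entry: after successful authentication, switch to a
    // freshly generated id and discard the old session data (true), so an id
    // that existed before login does not carry over into the logged-in state.
    session_regenerate_id(true);
    $_SESSION['member'] = $handle;
    $_SESSION['login_time'] = time();
    return true;
}

if (login('demo', 'correct horse battery')) {
    echo "logged in as " . $_SESSION['member']
       . " with session " . session_id() . "\n";
}
```
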

2012-Apr-09
  - FEATURE: displayredirectpage() now accepts an array of stylesheet URIs
    which will have the SKINURL define prepended to them before being added
    to the html_page2 instance via addStyleSheet().

2012-Jan-03
  - FEATURE: custom session handler using pgsql as datastore

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

- FEATURE: additional "google friendly" url rewrite rules, this time for
  gfiles, have been added to the htaccess file

- BUGFIX: fixed poll.php so it uses absolute instead of relative urls. in
  some cases, changed the urls so they are in "google friendly" format. this
  change makes some of the menu options and redirects actually function
  properly again.

- BUGFIX: fixed gfile.php so it uses absolute instead of relative urls. in
  some cases, changed the urls so they are in "google friendly" format. this
  change makes some of the menu options and redirects actually function
  properly again.

- BUGFIX: close a small hole in aolbonics module regarding partial searches
  which may allow an sql-injection attack.
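
As an added example (not the aolbonics module's code), the class of hole this entry refers to and its fix: a partial search whose term is spliced into the SQL text, beside the same search with the term bound as a parameter and its LIKE wildcards escaped. $db is assumed to be a connected PEAR DB handle; the table and column names are placeholders.

```php
<?php
// Added example, not the aolbonics module's code. $db is assumed to be a
// connected PEAR DB handle; table "aolbonics" and its columns are placeholders.
require_once 'DB.php';

// The hole: the search term is spliced straight into the SQL text, so a quote
// or other SQL metacharacter in the term rewrites the query.
function search_partial_unsafe($db, $term)
{
    $sql = "SELECT acronym, expansion FROM aolbonics"
         . " WHERE acronym ILIKE '%" . $term . "%'";
    return $db->getAll($sql);
}

// The fix: the term is passed as a bound parameter (PEAR DB's '?'), so it is
// only ever data. LIKE metacharacters inside the term are escaped as well, so
// a search for "100%" matches that text literally instead of acting as a wildcard.
function search_partial($db, $term)
{
    // '#' serves as the ESCAPE character; PEAR DB treats '!' as a placeholder
    // token even inside quotes, so it cannot be used here.
    $escaped = str_replace(array('#', '%', '_'), array('##', '#%', '#_'), $term);
    $sql = "SELECT acronym, expansion FROM aolbonics"
         . " WHERE acronym ILIKE ? ESCAPE '#'";
    $rows = $db->getAll($sql, array('%' . $escaped . '%'));
    if (PEAR::isError($rows)) {
        // Log and fail closed rather than echoing the driver message to the user.
        error_log('aolbonics search failed: ' . $rows->getMessage());
        return array();
    }
    return $rows;
}
```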

- COMPATBUSTER: go into common.php and adjust the function getsmarty() to
  suit. pay particular attention to the compile_dir property of the object
  being returned. I changed this value to point to a filesystem that is not
  mounted via nfs and noticed the template performance go up quite a bit.
  it's a compatibility buster because the named directory has to be created
  by the sysadmin in order for things to work properly.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

- FEATURE: rewrite rules have been added to present a more "search engine
  friendly" set of links.

- CLEANUP: updated poll module to use more "modern" techniques.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

- FEATURE: beginnings of integration of a WYSIWYG editor called "tinyMCE"
  into the system.

- COMPATBUSTER: php5 is now required to use bbsengine because it now uses
  XML_Feed_Parser for parsing rss/atom/etc feeds.

- FEATURE: make use of PEAR::HTML_Menu in displaysidebar()

- SECURITY: preparestring() calls htmlentities() on all user input. this
  should make the code invulnerable to xss-type attacks, but I would
  appreciate an email if it is proven to not be effective enough. please be
  specific regarding which modules (or applications) are vulnerable.
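
An added example, not bbsengine's own preparestring(): the htmlentities() escaping applied to a string or to a whole request array, with the flags that make it cover attribute contexts and invalid UTF-8. It escapes for HTML element and attribute contexts only; values inserted into URLs or JavaScript need their own encoder.

```php
<?php
// Added example, not bbsengine's own preparestring(). HTML-escapes user input
// before it is echoed into a page; works on a string or recursively on an
// array such as $_POST, since form handlers often pass whole arrays through.
function preparestring_example($input)
{
    if (is_array($input)) {
        $out = array();
        foreach ($input as $key => $value) {
            // Keys are user-controlled too when they come from the request.
            $out[preparestring_example((string) $key)] = preparestring_example($value);
        }
        return $out;
    }
    // ENT_QUOTES: escape single quotes as well, so the value is safe inside
    //   single-quoted attributes, not only in element bodies.
    // ENT_SUBSTITUTE (PHP 5.4+): replace invalid UTF-8 sequences with U+FFFD
    //   instead of returning '' and silently dropping the whole value.
    // Explicit charset: never rely on the default, which has changed across
    //   PHP versions.
    return htmlentities((string) $input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, the shape a comment form might submit.
$sample = array(
    'handle' => "mallory' onmouseover='alert(1)",
    'body'   => '<script>alert(1)</script>',
);
$safe = preparestring_example($sample);
// Both values now render as inert text in an element body or an attribute.
echo "<b>" . $safe['handle'] . "</b>\n";
echo "<p>" . $safe['body'] . "</p>\n";
echo "<input name=\"handle\" value='" . $safe['handle'] . "'>\n";
```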

- CLEANUP: updated Makefile in templates directory

- SECURITY: tightened up database permissions for the "www" group. thanks to
  folks on postgresql (freenode) for pointing out how much of a security
  risk this issue is.

- BUGFIX: fixed a bug in rssfeed.php that was not correctly handling the "title"
  field. fixed another minor bug that displayed the form incorrectly because
  it was wrapped in the "leftcontent" div.

- CLEANUP: moved _validate_captcha() from post.php and comment.php to common.php.
  this is so the code will be consistent and bugs only need to be fixed
  once. all that needs to be done to have CAPTCHA support is (1) put a form
  rule in the right place and point it to this function (2) add two fields
  to the form in question. see post.php for an example.

- CLEANUP: squashed a notice from php in the news.php module.

- DOCS: updated INSTALL.txt and UPGRADE.txt

- COMPAT: made proper use of references so that all code is compatible with
  php4.  note that in php5 this calling convention is no longer needed, and
  in php6 it "might" become a fatal error. thanks to CelloG on #pear (efnet)
  for explaining this to me clearly.

- CLEANUP: changed view mode of member.php so it uses a frozen form instead of a
  separate template.

- FEATURE: changed article.tmpl so it shows what SIG an article has been
  posted in, if any.

- CLEANUP: changed view mode of newscategory.php so it uses a frozen form
  instead of a separate template.

- CLEANUP: note that forum.php and common_sig.php are going to be removed soon

- CLEANUP, COMPATBUSTER: the poll table has had some fields added which the
  latest version of the library will take advantage of. there are some notes
  in UPGRADE.txt that will help bring the database up to date.

- CLEANUP, COMPATBUSTER: the link table has had some constraints added which
  might throw errors if an old version of bbsengine is being upgraded. these
  issues can be resolved with a simple update query that is documented in
  UPGRADE.txt.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

- thanks to indigo on #postgresql (freenode) for assistance with adding a
  primary key on the map_member_attribute table and a query that returns
  attributes for a specific member id.

- fixed up some of the templates so they will work properly. in addition,
  removed some print statements from the php code.

- changed view mode in link.php so it freezes the form instead of using
  link-view.tmpl.

- all modules now make use of the new getsmarty() function instead of making
  the smarty instance by hand. this change allows a bit more flexibility in
  terms of what variables are available to all templates and where they can
  be stored.

- added use of CAPTCHA to protect article comments and sig posts. the file
  "army.ttf" (or some other TrueType font) will need to be acquired and
  installed to the proper directory before this will work properly.

- added smarty modifier that parses text through wp_prop_eval. you'll need
  to install modifier.wpprop.php to a place where smarty can find it. see
  the file zoid.php and the append to the plugins_dir array in order to
  configure for your setup.

- removed several print statements that did nothing more than print out a
  div tag with the 'leftcontent' class. the same functionality has been put
  into the templates which is where it should have been to begin with.

- fixed some bugs regarding deleting and editing a sig.

- fixed a bug regarding editing an existing post.

- getsmarty() API function added to zoid.php

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 

- bbsengine aims to be a reasonably secure and feature-rich Web Application
  Platform that builds upon PHP, Postgresql, PEAR and the Smarty Template
  Engine. It can be used to build intranets, extranets, portals,
  "interactive business cards", "blogs" or other custom applications.

- "forums" have been replaced with a feature that allows a post to go into
  any sig whatsoever.

- posts can now be marked "sticky" and/or "frozen". "sticky" means a post will
  appear at the top of a listing and "frozen" means no further replies to a
  post are possible. thanks to janet and rhk for their assistance with these
  features.

- new "preferences" system (lib/common_pref.php) for members inspired by
  Auth_PrefManager1, Auth_PrefManager2 from PEAR.

- new preparestring() implementation that does not throw the kitchen sink at
  user input and hope for the best. testing to be sure that this change has
  not broken things is appreciated.

- new "sidebar.tmpl" which, well, displays the sidebar on most pages of the
  system. this change is part of a project to virtually eliminate print
  statements from the php code and move all display operations into Smarty
  Templates.

- this release has been tested with php 5.0.4 and *might* work with older
  versions.

- 'root' is no longer required for a 'make install'.

- API documentation is improving, but still needs work.

- wpprop code for images ([img]) has been temporarily disabled for
  security reasons.

- The css file has been cleaned up quite a bit, and the default theme is a
  little more interesting (in my opinion)

- more of the output is xhtml compliant but this process is not yet
  complete.

- new module, "rssfeed.php" and a poller script suitable for running from
  crontab that grabs rss feeds from remote locations and stores them in the
  system's database. the poller script is written in python and will also
  require the postgresql-python rpm to be installed.

- the upgrade.py script is *NOT* fully tested and it may not work properly. 
  please test it and let me know if there are any problems.

- backend.php generates an xml file suitable for a mozilla "live bookmark",
  or it can be added to your rss reader.

- made a fix to post.php which prevents anonymous users from editing
  anonymous posts.

- this release has been tested with Smarty 2.6.12 and found to be working.
  please use at least that version with this code.

- anonymous users can no longer edit or delete anonymous posts.

- various modules now use DB's autoExecute() instead of making up the
  queries by hand. in theory this will make use of databases other than
  pgsql more likely and it should also improve performance.

- a member password can no longer be the same as the handle.

- changed various modules to use PEAR's Pager and a Smarty template (or two)
  for summaries instead of the previous implementation methods which are not
  nearly as clean.

- the poll module requires the GD extension to render results correctly. I'm
  currently using the php-gd-5.0.4-10.5 rpm on a fedora core 4 installation.

- changed the permissiondenied() function so it sets a "403" http status
  code instead of 200 (OK). see
  http://en.wikipedia.org/wiki/List_of_HTTP_status_codes for the list of
  status codes.

- new directoryindex.php module for file listings. *note* that this module
  is custom to the specific setup on www.zoidtechnologies.com and will have
  to be modified a bit to get it working properly.