Blog

November 2019 work summary

This was a pretty busy month overall. I did not have time to work on my extensions, although two extensions went through a formal review (Digests and Selective mass emails) but were, alas, rejected for more code changes. I am working on the book on phpBB administration and nearly done with a first draft. I hope to get it professionally edited but it needs a lot of work.

  • Updated board from phpBB 3.2.5 to phpBB 3.2.8. I also updated the Cleantalk extension from version 4.6.9 to 4.7.1. I reapplied the logo. The forum uses the default prosilver style.
  • A client getting hammered by bots in China and probably Hong Kong too. He was experiencing lots of HTTP 508 (loop detected) errors. I installed by Filter by Country extension (beta) 1.0.8 to see if that helps, blocking IPs from both China and Hong Kong. Analyzed Awstats statistics for October that indicated a lot of Hong Kong access. Client also blocked the Hong Kong range of IPs in cPanel. I changed the spambot countermeasure to reCaptcha. I disabled the contact form. More work may be needed later depending on how well this works.
  • Troubleshooting. A client had an issue with “Secure connection failed” error messages. I advised to change server settings, change protocol to https and port to 443. Later, I gave advice to use the domain name instead of an IP in the server settings. This was peculiar in part because the client wouldn’t give me access to his forum, so I couldn’t directly see the problem. Also, for payment he mailed me cash!
  • Client was having an open_basedir error with his Joomla content management system. Although not my area of expertise, I worked on it. The /logs and /tmp paths in Joomla’s configuration.php were incorrect and had to be pointed inside the Joomla folder. I figured out the absolute path and made these changes. The issue, or at least the reported error, seems to have gone away.
  • I updated a board from phpBB 3.2.7 to phpBB 3.2.8. I updated the board’s prosilver_se style to latest version, as well as Danish and German casual honorifics language packs.
  • The previous board owner has been non-responsive. He may be dead, and board issues were piling up. Traded some emails with an alternate administrator with no founder privileges on what I could do for her. I moved some users between groups. I also made her a founder. I answered questions on how to change group color, and ranks vs. groups.
  • Client failed trying to upgrade a board from phpBB 3.0.8 to phpBB 3.2.7. All files in the board’s root folder were missing including config.php, but the folders were there except for files, images and store folders, which I uploaded. I uploaded missing files too and created a config.php file, after finding the database and creating a database user. I then could update the board. Attached images in posts may be missing, along with avatars, ranks, etc. I changed folder permissions as necessary. Later, ran the update to phpBB 3.2.8. There were no issues after I corrected the username to use. I disabled the contact form. I did not change their spambot countermeasure.
  • I updated a board from phpBB 3.0.14 to phpBB 3.2.8. There were no mods on the old board, but AutoMOD was installed that I cleaned up manually. About 180,000 posts. No issues during upgrade but entering the ACP caused a VigLink error that I fixed by removing a row from the phpbb_config table. I installed the proprietary Milk style, which also meant installing its extension first. I gave the style a default color so I could see it, otherwise it was washed out. I disabled the contact form and added reCaptcha V2 checkbox spambot countermeasure. I changed the board’s config.php file to use mysqli. I recommended upgrading PHP to 7.2.
  • I converted a forum from phpBB 2.0.22 to 3.2.8. About 120,000 posts. I kept the default prosilver style for now. I installed the German Casual Honorifics language pack. I installed the GDPR Extension (Release candidate) and Advertisement Management extension. I disabled contact form and recreated the search index. I set up reCaptcha V2 spambot countermeasure. Client watched the whole process online with Skype. I suspect he will do the fine tuning.

Understanding roles, part five – forum roles

As the name implies, forum roles control the privileges to forums. Forums are the key structure in phpBB and where most of the action happens, so there must be a lot of ways to finely tune access to forums.

Forum roles are most typically used to control forum privileges as they simplify the process. I will also demonstrate a way of circumventing these roles to set more granular forum permissions.

User roles provide a broad set of permissions, many of which extend to work users do in forums. Allowing attachments to posts is one example. Since roles are bundles of permissions, permissions in forum roles may override some user role permissions.

Pre-defined forum roles

The following forum roles come built in to phpBB:

  • No Access. Can neither see nor access the forum. This should be applied when you want to hide a forum from appropriate groups and users. You most typically use it to hide forums from guests and bots.

  • Read Only Access. Can read the forum, but cannot create new topics or reply to posts. You often see this role applied to guests.

  • Limited Access. Can use some forum features, but cannot attach files or use post icons. This role is often applied to newly registered users.

  • Limited Access + Polls. As per Limited Access but can also create polls. This role is also often applied to newly registered users.

  • Standard Access. Can use most forum features including attachments and deleting own topics, but cannot lock own topics, and cannot create polls.

  • Standard Access + Polls. Like Standard Access but can also create polls.

  • Full Access. Can use all forum features, including posting of announcements and stickies. Can also ignore the flood limit. Not recommended for normal users. This is often applied to more privileged users such as moderators and administrators.

  • On Moderation Queue. Can use most forum features including attachments, but posts and topics need to be approved by a moderator. This role can be applied to a problematic poster known for making inflammatory posts.

  • Bot Access. This role is recommended for bots and search spiders. It does allow bots to read the forum, so if you don’t want bots to read the forum, the bots groups should use the No Access role.

  • Newly Registered User Access. A role for members of the special newly registered users group; contains NEVER permissions to lock features for new users. This gets around a quirk in phpBB where newly registered users can start new topics (which have to go through moderation) only because they are also in the registered users group. It’s strange that phpBB is not configured this way by default.

There is one other implied role: No role assigned. As the name implies, it indicates a lack of permissions in the defined context, so other forum permissions if they exist are used instead.

Setting forum roles

Generally, it’s best to attach roles to groups. Attaching roles to users can be done, but it makes it hard to fix permissions issues. Most likely, roles already exist for groups accessing your forums. However, when you create new forums, you often need to attach some roles to the users that will use them, generally through group forum permissions: ACP > Forums > Forum based permissions > Group forum permissions.

First, select the user group whose roles you want to change or add. In the Look up usergroup dropdown, select the group then press Submit.

On the next screen, select the forum or forums you want to add or change roles for, in the appropriate Select a forum select list or dropdown. The dropdown is used to select a set of forums inside a category. Then press Submit.

Finally, you have an interface for changing or adding roles for each forum for the user group selected. See screenshot below. In the Role dropdown, select the role to be applied for the forum and user group. When all are set as desired, press the Apply all permissions button at the bottom of the screen.

Assigning roles to forums
Assigning roles to forums

 

Creating new forum roles

You can define a forum role using similar procedures for user, moderator and admin roles: ACP > Permissions > Permission roles > Forum roles > Create role. In general, the existing roles make it unlikely that you will need to create other forum roles.

Overriding role permissions

While not a good idea generally, I should point out you can override forum role permissions for groups and users. Use either:

ACP > Users and groups > Users > User forum permissions

ACP > Users and groups > Groups > Group forum permissions

Here’s an example of how it can be done for a user’s forum permissions.

In this case, Jane Doe is a teacher and in the teacher’s group, so she has Standard Access role’s permissions to the teachers’ forums. This means she cannot post sticky topics, i.e. posts that stick to near the top of the list of topics in a forum.

We would like to allow her to post stickies but not change her permissions otherwise.

User forum permissions, pick user
User forum permissions, pick user

 


We first enter her name by entering it in the Find a member field and pressing Submit. See screenshot above.

User forum permissions, select a forum
User forum permissions, select a forum

Then we pick the forums where we want the permissions applied. In this case, it makes sense to select the Teachers forums category and the forums inside it. Once selected, press Submit. See screenshot above.

On the next screen, the role shows no role assigned because no user role has been applied. The user still has a group role applied. Click on the Advanced permissions link.

You can then select any permissions you want to grant. In this case, I granted the Can post stickies permission by changing it to Yes. Since multiple forums should be show on the screen, do this for each forum in the category. See screenshot below, which shows only the permissions for the category.

 

User forum permissions, advanced permissions
User forum permissions, advanced permissions

Clicking the Apply permissions button will make the permission stick for this forum, or do all then press the Apply all permissions button at the bottom. Now Jane Doe has the necessary added permission, but it was done outside of the forum role.

 

Understanding roles, part four – administrator roles

It’s tempting to think of administrators as one size fits all, but you can have various kinds of administrators. The kinds of administrators are based on the roles they are given.

If you don’t want to be granular about administrator privileges, simply add the user to the administrator’s group: ACP > Users and groups > Groups > Manage groups > Administrators > Members. In the Add Users block, enter the usernames on separate lines that you want to make administrators. Use the Find a member link if needed, and press Submit when done. See the screenshot below.

Adding an administrator
Adding an administrator

These new administrators will inherit the Standard Admin.

There are four administrator roles:

  • Standard Admin. Has access to most administrative features but is not allowed to use server or system related tools.

  • Full Admin. Has access to all administrative functions of this board. Not recommended.

  • Forum Admin. Can access the forum management and forum permission settings.

  • User and Groups Admin. Can manage groups and users: Able to change permissions, settings, manage bans, and manage ranks.

The main role to worry about is the Full Admin role, because if you grant it, then you are giving the administrator virtually complete control of the board. The administrator is not technically a founder but might as well be since they can do pretty much anything a founder can do too except make themselves a founder or create additional administrators.

If you want to make someone a founder, you first must already have founder privileges.

ACP > Users and Groups > Manage users

Enter the user’s name and press Submit. In the Founder field select Yes and press Submit.

You can also create a new Administrator role if you want similar to the process used for moderators: ACP > Permissions > Permission roles > Admin roles > Create role

Large and busy boards might find a need to assign people to the Forum Admin and User and Group Admin roles.

These new administrators get into the Administration Control Panel the same way as you do: by selecting the link in the navigation bar or from the link that appears in the footer.

Understanding roles, part three – moderator roles

In addition to having global versus forum-specific moderators, phpBB allows you to place moderators into various roles. The permissions of the role determine how much power a moderator has. These moderators roles come out of the box:

  • Standard moderator. This type of moderator can use most moderating tools, but cannot ban users or change the post author.

  • Simple moderator. This type of moderator can only use basic topic actions. They cannot send warnings or use the moderation queue.

  • Full moderator. This type of moderator can use all moderating features, including banning.

  • Queue moderator. This type of moderator can use the Moderation Queue to validate and edit posts, but nothing else.

There is nothing to stop you from changing the default permissions for these moderator roles. The process is similar to changing user roles.

You could create a new moderator role. Let’s say you have a popular and busy forum with a lot of topics that are out of place. You want to keep the primary moderator for handling the bigger duties, but delegate moving topics, splitting topics, merging topics and locking topics to another type of moderator via a moderator role.

ACP > Permissions > Permission Roles > Moderator roles

First I create the role called Special Moderator. Since a Full Moderator has all permissions, I’ll start with its permissions and take away permissions I don’t want the role to have.

Create new moderator role, screen 1
Create new moderator role, screen 1

I enter “Special Moderator” in the Create role field, and select Full Moderator from the Use settings from dropdown, then press Submit.

On the next screen, I first went to the Post actions tab and clicked on the No column to disallow all those privileges. I did the same on the Misc tab. On the Topic actions tab, I left these as is. See the screenshot above. Pressing Submit created the role.

 

Create new moderator role, screen 2
Create new moderator role, screen 2

With the group now defined, I can select members to have this role. Since I want these moderators to do this for any forum, it’s easiest to make them global moderators, but with the Special Moderator user role.

ACP > Permissions > Global permissions > Global moderators

Assigning moderators, screen 1
Assigning moderators, screen 1

See screenshot above. The first step is to add the users to get this role in the Add users block, then pressing the Add permissions button. The Find a member link makes it easy to find the usernames, if you don’t know them.

The next step is to assign the moderator role to these users. In the Role dropdown, I select the Special Moderator role I created, then pressed the Apply all permissions button. See screenshot below.

Assigning moderators, screen 2
Assigning moderators, screen 2

Done!

Understanding roles, part two – user roles

User roles bundle sets of permissions that apply to what users can do on your board. There are six built-in user roles:

  • Standard Features. Can access most but not all user features. Cannot change user name or ignore the flood limit, for instance.

  • Limited Features. Can access some of the user features. Attachments, emails, or instant messages are not allowed.

  • All Features. Can use all available forum features for users, including changing the user name or ignoring the flood limit. Not recommended.

  • No Private Messages. Has a limited feature set, and is not allowed to use Private Messages.

  • No Avatar. Has a limited feature set and is not allowed to use the Avatar feature.

  • Newly Registered User Features. A role for members of the special newly registered users group; contains NEVER permissions to lock features for new users.

If you want to create a new role, there is nothing from stopping you. ACP > Permissions > Permission roles > User roles. Enter the new role name in the Create role field, then select the role you want to inherit the permissions from in the Use settings from dropdown. Then press Submit. Change the permissions as desired for each tab.

Once a new role is created, you generally want to assign groups or users to the role. Use one of the following paths:

ACP > Users and groups > Users > Manage users

ACP > Users and groups > Groups > Manage groups

Understanding roles, part one

What is a role?

Roles are one of phpBB’s most useful but most obscure features. It can be a little hard to understand what roles are intended to do.

Roles essentially are a collection of permissions with a name. This collection of permissions can be assigned broadly to users of various types (users, administrators or moderators). For example, the Standard Features user role describes the privileges users with this role have.

You can view and change these permissions: ACP > Permissions > Permission roles > User roles > Standard Features > Edit

User role permissions
User role permissions

The screenshot shows some of these user permissions for the Standard Features role. The permissions comes in four sets, represented by a tab. The Post permissions are shown. It is green because all permissions are set to Yes. Change just one of these to No or Never, and the green turns into blue. The Profile, Misc and Private messages tab are blue, letting you know that at least one of the permissions on these tabs is not Yes. If the color is red, all the permissions on the tab are either No or Never.

Since these are user permissions, any user granted the Standard Features role will get these permissions, such as the ability to attach files. These are the default permissions. Forum permissions may override these settings.

What’s neat about roles is that you can change them at any time. Don’t want to allow this role to attach files? Change it to No or Never and the permission goes away immediately. A No permission might be overridden by a subsequent Yes permission, but a Never permission cannot be overridden.

Types of Roles

Four categories of roles exist:

  • User roles. These are broad permissions that apply to any user of your board.

  • Administrator roles

  • Moderator roles

  • Forum roles. These allow permissions to be finely tuned for individual forums. They are applied after any user role permissions and may override any user role permissions.

October 2019 work summary

I kept busy in October, more so in the first half of the month than the last half. But that’s the paid work.

I’m still working on a book, the working title is “Mastering phpBB Administration”. Even if you cut the topics down, it’s a lot of material.

I updated all my extensions in October, with the last being an update to the digests extension. Two are in development: Filter by country and Selective Mass Emails. The latter got a review by the phpBB extension review team and is now back in the queue, along with Smartfeed. Filter by country is having issues and is back to Beta status. I haven’t yet submitted the latest version of Digests for review. It may wait until the next version.

As for paid work, here’s a summary of it. It was a reasonably profitable month.

  • I upgraded a forum from phpBB 3.0.12 to 3.2.8. I applied the prosilver_se style and added the advertisement management extension, which was used as a mod on their phpBB 3.0 board. The old ads were retained from the mod. I tried to replicate the old header. Ads were placed in a HTML table inside it. That won’t work with the extension, as it has defined places where ads are injected in various templates. So all ads currently show at the top. I placed the old logo on the new style. I was asked to make the phpBB search use a Google Custom Search instead. I couldn’t get that to work and got recurring HTTP 401 errors trying to install a Google Custom Search extension instead. I removed the standard Quick Links and FAQ links from the navigation bar as requested.I added a home link. Also added the Mandarin Traditional language pack. Later, user noted a lot of HTML was embedded as text in various posts. I used the SQL replace function to remove post text that had onclick Javascript code. I suggested asking web host to troubleshoot 401 issues in Administration Control Panel and suggested embedding static ads in various forums.
  • I updated phpBB from version 3.2.5 to 3.2.8. Also updated the board’s ne_greenblack style to version 3.2.8. Created a custom style and moved all changes there. Updated PHP from 7.1 to 7.2. Changed site’s .htaccess file to force https and the www prefix. Added two new extensions: Cleantalk and Hide Newest User & Stats Permissions. Set phpBB to use https including using a secure cookie. Later, I added template logic to viewforum_body.html and viewtopic_body.html to show custom ads on particular forums. A HTTP 401 error occurred when trying to install the Google Search extension on this forum too. I tried lots of things, but there was no clue in the error log. I suggested that his web host should resolve it. He didn’t want me to spend any more time on it. Later, there was some additional labor figuring out why Cleantalk wasn’t working: service wasn’t paid for was the most likely cause. Also, made main web links use SSL and set up .htaccess for forum to redirect http to https. Changed board settings and cookie too.
  • I updated a forum from phpBB 3.2.0 to 3.2.8. Updated the Board Announcements, Lightbox and Cleantalk extensions. I created a custom style to insulate his style changes.
  • A client of about ten years standing has decided to let me handle their new user requests, outsourcing it you might say. It’s pretty simple ad-hoc work when I get it, but they are happy to pay my commercial rate for the service. I also updated their forum from phpBB 3.2.7 to 3.2.8, updated two extensions and one style. Added or troubleshooted issues for about ten users over the course of the month.
  • I updated a board from phpBB 3.2.7 to 3.2.8. There were no issues. It was a very vanilla installation of phpBB. Client noted a new high for the number of users online. These were likely spammers, but it didn’t seem to be impacting performance.
  • Extended the logical volume containing forum, adding 400 gigabytes to the volume.
  • Client was running out of quota. I removed excess backups from the forum’s store folder. I suggested getting the web host to add space to the logical volume containing the forum for a more permanent fix.
  • I updated a board from phpBB 3.2.7 to 3.2.8. As part of it, I updated the following extensions to the latest versions: ABBC Box, mChat, Media Embed, Precise Similar Topics and Recent Topics.
  • I updated a board from phpBB 3.2.5 to 3.2.8. I also updated the Cleantalk extension to latest version and disabled the Advertisement management extension. All this work had to be done with file manager because FTP credentials would not work.
  • I created a custom style for a client, which meant taking their changes to an existing style and moving them into a custom style that selectively overrides the primary style, so that updates can be done easier. Changes were applied to phpBB 3.2.1 to a testbed forum. These changes would need to be replicated to a production forum, which the client will handle.
  • Client paid me for some additional work and advice regarding hosting issues. I providing a better understanding of Cleantalk integration issues he was experiencing. The Tapatalk required a refresh of current version to work. I helped with making site use https and redirection to folder containing the forum. Client’s server IP was blacklisted in the Cleantalk dashboard. I made it a whitelisted IP and was able to register.
  • I updated a board from phpBB 3.2.4 to 3.2.8. I added the following extensions: Simple spoilers, simple mentions, media embed, advanced BBcode box, best answer and Cleantalk. Extensions were slow to install and sometimes required many retries to install them. The media embed installation failed and I had to add two rows to the phpbb_acl_roles table manually to get it to install. I added the Cleantalk key and updated the American English language pack. I got occasional errors getting into Administration Control Panel.
  • I updated two forums from phpBB 3.2.5 to 3.2.8. I created a custom style on each forum to encapsulate the style changes from the primary style. I updated three extensions on the first forum and 4 on the second one. There was an issue with ads being served may because the width of the ad exceeds the 980 pixel margin for the forum. I had to change config.php files to use mysqli instead of mysql to update the forum, as it was using PHP 7. I also updated AllanStyle-SUBSILVER to the 3.2.7 version for both forums.
  • I updated my digests extension from version 3.2.4 to 3.2.15 for a client, to address a bug that was encountered. I noticed in file manager that files and store folders were missing. I created them manually but the 777 folder permissions would not stick. I suggested a ticket with the web host. Likely some security software is doing this.
  • I updated a forum from phpBB 3.2.5 to 3.2.8. No one had an admin username and password, so I had to create my own access. However, I could not get into the database in cPanel. No credentials worked. So I installed phpMyAdmin in a folder of the same name off the domain, and got in that way, made myself a founder and then was able to do the upgrade. I noticed some dead AutoMOD modules that I removed, otherwise it was completely generic forum. This work was a referral from another customer, which is always nice!

Enhancing your security: I now use U2F authentication

At last count, I have had 391 different clients since I started this business in 2006. So that’s at least 391 times that customers have had to send me confidential information on how to access their forums so I could work on them.

For many years, I have been using two-factor authentication. Since the data clients share with me is largely sent via email, it usually ends up in GMail. I don’t normally delete emails you send me because there are often issues, and the conversations over email help me remember what I did for you. With two-factor authentication, it’s not enough to know my Google username and password to get into my account. You would also have had to enter a code sent by text message to my cell phone. This helps explain why to the best of my knowledge the information you sent me has never been compromised.

However, it was still possible that someone malicious that knows my cell phone number could hijack it, and do a two-factor authentication that way. Now that’s no longer possible because I am using U2F (Universal 2nd Factor) authentication.

U2F authentication is what Google employees use to work remotely. It’s a physical key they have that they use for two-factor authentication. Depending on the key and your device, you either plug it into a USB port, use your device’s Near-field Communication, or a Bluetooth signal as part of logging into sites that support U2F. The key issues a public key while hiding a private key. It will issue the public key to the authentication service, but only when I authorize it by pressing a button. The key will work only with that service, like Google.

What this all amounts to is that the safety of the information you send me is even safer, exponentially so. Now a malicious person would need not only the username and password to my Google Account, but would have to get one of these physical keys from me. That’s not impossible, but so unlikely as to be effectively impossible.

I do depend on Google’s security system, however. But if Google’s accounts are successfully hacked, millions of us are going to be in a heap of trouble. Hopefully such a breach would affect only those not using two-factor authentication.

Google always lets me know if a new device has attached to my Google account, via various means including text messages and emails to my primary and alternate email accounts. So in the event something like this happens, hopefully I could take action to mitigate any danger before any vulnerabilities are exploited.

So rest assured your information is as safe as I can practically make it. I would never betray the trust you place in me.