Archive for Eventum

Eventum and its model for a Blueprint PHP Application

Harry, thanks for the praise for Eventum. This is mainly the result of my work and Bryan Alsdorf’s at MySQL, even though I’m no longer with MySQL AB. We do agree with you on the aspects of making the page controllers as simple as possible, and also trying to keep the code as simple as possible, but still easy to maintain and change.

As for some of its technical weaknesses, such as the use of HTTP_GET_VARS, etc., there is a reason for this. Eventum was initially supposed to be a commercial product, and I wanted to sell commercial licenses of this application, to be then installed on the customer’s server. I tried to make the installation process as easy as possible (and it still is one of the easiest web applications to install around), and that meant working with whatever PHP configuration was available on that server. That forced me to make concessions on a few features, and that is one of them.

Anyway, thanks for the pointer, even though I’m not really involved with Eventum too much myself. I’m sure Bryan will like hearing about this.

Eventum 1.6.1 Released!

We released 1.6.1 last Friday with these changes:

– Fixed the installation procedure to add the INDEX privilege to the MySQL user (João)
– Fixed bug with handling HTML characters in Internal FAQ entries (Bryan)
– Fixed bug displaying priority in current filters (Bryan)
– Added feature to set X-Eventum-Type header in new assignment email (Bryan)
– Fixed bug that allowed users to access attachments, custom fields, phone calls and time tracking from issues they did not have access to (Bryan)
– Added new workflow method to check if an address should be emailed (Bryan)
– Fixed the issue searching routine to properly handle disabled fulltext search and customer integration features (João)
– Improved the IRC Bot script to be easier to configure (João)
– Added feature to update issue assignment, status and release for multiple issues at the same time (Bryan)
– Fixed labels on workload by date range graphs (Bryan)
– Added feature to highlight quoted replies in notes and emails using smarty plugin from Joscha Feth (Bryan)
– Updated the bundled XML-RPC library to the latest PEAR 1.4.0 release (João)

The most important change is this last one above. The XML-RPC library from PEAR, which we were bundling to make installations easier, was changed so it wouldn’t use that nasty eval() code.

We strongly recommend that users upgrade to 1.6.1 as soon as possible. Download 1.6.1 now.

dotProject integration with Eventum

I was busy last week with meetings in Cupertino, but Adam Donnison wrote me to tell me about the work he did to provide some integration between the two systems. I personally never tried dotProject myself, but for those interested, here is the email from Adam:

It provides the backend for Eventum using Companies and Contacts
within dotProject, and provides a reciprocal view-only listing
of open issues for dotProject users.

It does require the latest CVS version of dotProject (or more
correctly the classes/query.class.php from the latest CVS) to
provide the multi-db query support.

URL is:

http://sourceforge.net/project/showfiles.php?group_id=70930&package_id=159274&release_id=345568

Feedback is very much welcome!

Eventum 1.6.0 Released!

Go get it here.

A few security problems were found on previous releases, so upgrade as soon as possible.

HTTP Authentication and Microsoft IIS / PHP ISAPI module

Eventum has a feature to provide RSS feeds of custom filters, which is basically a way to save advanced search parameters into a special URL that you can call to check on results. Pretty useful feature, and a lot of people use that. However, we can’t simply have an open window into a potentially confidential database of issues/bugs/tickets, so the RSS feed script authenticates the user with HTTP Auth, with the usual PHP way of doing things:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "Hello {$_SERVER['PHP_AUTH_USER']}.";
    echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.";
}
?>

Everything works fine most of the time, but we started getting reports of problems from Microsoft IIS users. It turns out that PHP doesn’t automagically set up the PHP_AUTH_* variables for you in some cases, and there’s even a quick mention of that in the documentation:

Another limitation is if you’re using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

However, that wasn’t true for a Microsoft IIS 6.0 server that had PHP configured as an ISAPI module. Instead of getting a $_SERVER['HTTP_AUTHORIZATION'] variable like that, the user would get this when doing var_dump($_SERVER):

array(30) {
["ALL_HTTP"]=> string(985) "HTTP_CONNECTION:keep-alive
HTTP_KEEP_ALIVE:300
HTTP_ACCEPT_CHARSET:ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING:gzip,deflate HTTP_ACCEPT_LANGUAGE:en-us,en;q=0.5
HTTP_AUTHORIZATION:Basic ********************************************"
}

So instead of simply using the $_SERVER variables, I had to manually handle the HTTP environment variables and get the proper value:

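// IIS/ISAPI fallback: pull the Authorization header out of the ALL_HTTP block
if ((!empty($_SERVER['ALL_HTTP'])) && (strstr($_SERVER['ALL_HTTP'], 'HTTP_AUTHORIZATION'))) {
    preg_match('/HTTP_AUTHORIZATION:Basic (.*)/', $_SERVER['ALL_HTTP'], $matches);
    if (count($matches) > 0) {
        // a limit of 2 keeps passwords that contain ':' intact
        $pieces = explode(':', base64_decode($matches[1]), 2);
        if (count($pieces) == 2) {
            $_SERVER['PHP_AUTH_USER'] = $pieces[0];
            $_SERVER['PHP_AUTH_PW'] = $pieces[1];
        }
    }
}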

That will do the trick.
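
The fallback above, generalised as an added example (not code from the original post or from Eventum): one function checks PHP_AUTH_USER, then HTTP_AUTHORIZATION, then the ALL_HTTP block, and returns null when nothing usable is found. The function name and the sample $_SERVER arrays are assumptions made up for illustration, and the code is written for current PHP (7.1 or later) rather than PHP 4.

```php
<?php
// Added example. basic_credentials() is a hypothetical helper, not Eventum code.
function basic_credentials(array $server): ?array
{
    // 1. Usual case: PHP has already split the header into user and password.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // 2. The raw header is exposed as its own variable.
    $header = $server['HTTP_AUTHORIZATION'] ?? null;
    // 3. IIS/ISAPI case from the post: the header only appears inside ALL_HTTP,
    //    one "NAME:value" per line. Anchoring at line start (^ with /m) skips
    //    other headers whose value merely contains the same text.
    if ($header === null && !empty($server['ALL_HTTP'])
        && preg_match('/^HTTP_AUTHORIZATION:(.+)$/m', $server['ALL_HTTP'], $m)) {
        $header = $m[1];
    }
    if ($header === null || !preg_match('/^Basic\s+(\S+)$/i', trim($header), $m)) {
        return null;
    }
    // Strict mode rejects input containing characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Limit of 2: only the first colon separates the user from the password.
    return explode(':', $decoded, 2);
}

// Constructed sample environments; the credentials are made up.
$token = base64_encode('alice:s3cr:et');
$samples = [
    'php_auth'  => ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cr:et'],
    'header'    => ['HTTP_AUTHORIZATION' => "Basic $token"],
    'iis_isapi' => ['ALL_HTTP' => "HTTP_CONNECTION:keep-alive\nHTTP_AUTHORIZATION:Basic $token\nHTTP_KEEP_ALIVE:300\n"],
    'embedded'  => ['ALL_HTTP' => "HTTP_X_NOTE:HTTP_AUTHORIZATION:Basic $token\n"],
    'malformed' => ['HTTP_AUTHORIZATION' => 'Basic !!!not-base64!!!'],
];
foreach ($samples as $name => $server) {
    $creds = basic_credentials($server);
    // A null result is where the RSS script would send the 401 challenge.
    printf("%-10s %s\n", $name, $creds === null ? 'no credentials' : "user={$creds[0]}");
}
```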
