MyBB Community Forums

Full Version: MyBBPublisher v2.0


============================
Name: MyBBPublisher v2.0.1
MyBB download: http://mods.mybb.com/view/mypublisher
Direct download: http://www.communityplugins.com/forum/my...down&did=2
New Files: 7 PHP, 3 Images
New Folders: 1
DB Changes: 3 fields to each of 2 tables.
Compatibility: 1.6.x and 1.4.13 (and likely earlier)

============================
Description:

MyBBPublisher can be used to publish new threads and announcements to Twitter and/or Facebook.

This plugin will publish the subject of new threads in specified forums or threads moved into the specified forums to your Twitter account and/or Facebook wall or page. It will also publish announcements made through the ACP.

For Twitter, the status update includes a URL to the thread, which if enabled, will be in Bit.ly or Adf.ly format depending on settings. The plugin will also apply a limited number of hashtags that match keywords you specify. Hashtags are optional.

For Facebook, the plugin will post to your own wall or to a page you specify. If you choose to publish to a page, you can choose to post as yourself, or as the 'page'. Also appears to support posting to a group or app page. The status update appears similar to the built-in Share a Link format and includes poster's avatar, titled link to the thread or announcement and the first 100 characters of the message.

The index page can also indicate which forums are published if an icon image is specified in the ACP. Only forums that guests and regular registered users can view threads in will be published, even if specified in the setting as being publishable. Forums to be published can be specified in the ACP as inclusive or exclusive. That means that you can specify what forums to publish or what forums to not publish.

This plugin also deletes published status updates when a thread is deleted or moved out of a published forum or when an announcement is deleted. If an announcement or thread is edited, the old status is dropped and a new status is posted at the top of your wall/list.

Compatible with RSS2Post and similar feed readers that post to your forums.

This plugin requires the site admin to have a Twitter or Facebook account/page or permissions to post to a page. You will need to create an 'application' in the service's developer site and authorize the plugin to access your accounts on your behalf.

MyBBPublisher is compatible with MyBB 1.4 and 1.6

Support:
I much prefer to support MyBB Publisher at my own site Community Plugins MyBBPublisher Support Forum. Please register there and start a new thread specific to your issue.

=============================
Upgrading:
From 1.5.1 and later to 2.0.1
  1. Deactivate
  2. Upload files
  3. Activate
From v1.4.3 to 1.5.1:
  1. Deactivate old plugin
  2. Delete folder - \inc\plugins\MyBBPublisher
  3. Upload new package
  4. Activate plugin and use new tools to setup Facebook (if using)
============================
Change Log:
Version 2.0.1
1) Fixed install/uninstall bug due to missing variable declaration

Version 2.0.0
1) Added debug mode to track errors to cache
2) Added links to view and clear errors from cache
3) Added support for new Facebook access token expires method (via new task and during initial setup)
4) Added support for default avatar added to FB updates
5) Changed FB status update to sharing a link style versus basic text
6) Output user's avatar for posts, default image for announcements and users without an avatar set
7) Removed bit.ly and adf.ly shortening from FB status updates given new status format

More details at the official Change Log
Approved and I've added in the link for you :)
Amazing. Will use this soon!
Love this plugin, after I got it working lol, as I had no idea how to get the Token and Token Secret (now I know why the Dev Site has "My Access Token" in the right menu lmao :D) but yeah, great work and thanks for this! :D
This is great!
Btw, how to remove fb icon and twitter icon from Forum list on index??
That's very annoying..

and here's the link to generate FB One-Time token:
http://www.facebook.com/code_gen.php?v=1.0&api_key=YOUR_API_KEY

your previous link on Readme was expired based on new FB setting.
Nice... Interesting :D
Thanks for this.
(2010-08-11, 10:03 AM)habs Wrote: [ -> ]This is great!
Btw, how to remove fb icon and twitter icon from Forum list on index??
That's very annoying..

and here's the link to generate FB One-Time token:
http://www.facebook.com/code_gen.php?v=1.0&api_key=YOUR_API_KEY

your previous link on Readme was expired based on new FB setting.

just set the image paths to nothing (blank)
One suggestion, instead of doing $disporder++; do:
"disporder"	=> (++$disporder),

Less lines of code only :P

And use $db->write_query instead of $db->query.

Fix this security issue:
$aid = $mybb->input['aid'];

Make sure you use $aid = (int)$mybb->input['aid']; instead.

Your luck is that as far as I remember, MyBB escapes that when initing the core class.

The variable $id also needs to be escaped.

$id = $msg_url['id'];

Should be:
$id = (int)$msg_url['id'];

There are probably more security issues but I haven't looked at all lines carefully. (note that some of these might be false positives exactly because I didn't look at the code too carefully)

Edit:
Same here:
$query = $db->simple_select("announcements", "*", "aid=".$mybb->input['aid']);
(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]One suggestion, instead of doing $disporder++; do:
"disporder"	=> (++$disporder),

Less lines of code only :P

For some reason I can never remember that particular syntax

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]And use $db->write_query instead of $db->query.

Is there a significant difference? How often is the read link different from the write link? I suppose I should technically correct it, but it's the same code so many plugins use so I am not the only one doing this. I can see that if there is a non-typical SQL setup, it may be an issue. I can concede that I should change it.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]Fix this security issue:
$aid = $mybb->input['aid'];

Make sure you use $aid = (int)$mybb->input['aid']; instead.

Your luck is that as far as I remember, MyBB escapes that when initing the core class.

Yes, all MyBB inputs are cleaned up and that is the assumption I am working with.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]The variable $id also needs to be escaped.

$id = $msg_url['id'];

Should be:
$id = (int)$msg_url['id'];

As $msg_url['id'] is directly derived from cleaned variables already in the MyBB scope. None are taken from user input or they are obtained from integer fields in the database returned by queries. The plugin does not get run unless the aid and tid variables I use are already validated, otherwise MyBB would not get far enough to call the hooks I use.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]There are probably more security issues but I haven't looked at all lines carefully. (note that some of these might be false positives exactly because I didn't look at the code too carefully)

Edit:
Same here:
$query = $db->simple_select("announcements", "*", "aid=".$mybb->input['aid']);

Again, MyBB inputs are cleaned when putting form inputs into $mybb->input

So I believe that they are all false positives, unless there is an unknown/new security exploit that can change these variables during the time the hooks are using them.

I appreciate the feedback though and am willing to listen to feedback that counters my above points.
(2010-08-11, 05:32 PM)pavemen Wrote: [ -> ]
(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]One suggestion, instead of doing $disporder++; do:
"disporder"	=> (++$disporder),

Less lines of code only :P

For some reason I can never remember that particular syntax

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]And use $db->write_query instead of $db->query.

Is there a significant difference? How often is the read link different from the write link? I suppose I should technically correct it, but it's the same code so many plugins use so I am not the only one doing this. I can see that if there is a non-typical SQL setup, it may be an issue. I can concede that I should change it.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]Fix this security issue:
$aid = $mybb->input['aid'];

Make sure you use $aid = (int)$mybb->input['aid']; instead.

Your luck is that as far as I remember, MyBB escapes that when initing the core class.

Yes, all MyBB inputs are cleaned up and that is the assumption I am working with.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]The variable $id also needs to be escaped.

$id = $msg_url['id'];

Should be:
$id = (int)$msg_url['id'];

As $msg_url['id'] is directly derived from cleaned variables already in the MyBB scope. None are taken from user input or they are obtained from integer fields in the database returned by queries. The plugin does not get run unless the aid and tid variables I use are already validated, otherwise MyBB would not get far enough to call the hooks I use.

(2010-08-11, 04:56 PM)Pirata Nervo Wrote: [ -> ]There are probably more security issues but I haven't looked at all lines carefully. (note that some of these might be false positives exactly because I didn't look at the code too carefully)

Edit:
Same here:
$query = $db->simple_select("announcements", "*", "aid=".$mybb->input['aid']);

Again, MyBB inputs are cleaned when putting form inputs into $mybb->input

So I believe that they are all false positives, unless there is an unknown/new security exploit that can change these variables during the time the hooks are using them.

I appreciate the feedback though and am willing to listen to feedback that counters my above points.

You should never rely on that. If there's another plugin which for some reason assigns $mybb->input['aid'] (or even inside MyBB!) to something else, your plugin is exposed.
You should always try to prevent yourself without relying on something else, only rely on your code because every input might have been modified - Defence in Depth principle!
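
The failure mode argued over in this thread, as an added example that is not code from the plugin, from MyBB or from any poster: `core_clean_input()` and `other_plugin_hook()` are hypothetical stand-ins for MyBB's input cleaning and for a second plugin that reassigns `aid`, and the request value is constructed. It compares the WHERE fragment built with and without the `(int)` cast at the point of use.

```php
<?php
// Added illustration; every function here is a hypothetical stand-in, not MyBB code.

// Stand-in for the early, one-time input cleaning the thread relies on.
function core_clean_input(array $raw): array {
    $clean = $raw;
    if (isset($clean['aid'])) {
        $clean['aid'] = (int)$clean['aid'];
    }
    return $clean;
}

// Stand-in for another plugin's hook that runs later and reassigns 'aid'
// from the raw request, undoing the earlier cleaning.
function other_plugin_hook(array &$input, array $raw): void {
    $input['aid'] = $raw['aid'];
}

// "Before": assumes $input['aid'] is still the integer produced upstream.
function where_trusting(array $input): string {
    return "aid=" . $input['aid'];
}

// "After": casts at the point of use, so upstream state does not matter.
function where_defensive(array $input): string {
    return "aid=" . (int)$input['aid'];
}

// Prints the fragment and fails loudly if it is not the expected one.
function check(string $label, string $got, string $want): void {
    if ($got !== $want) {
        throw new RuntimeException("$label: got '$got', expected '$want'");
    }
    echo str_pad($label, 28), $got, PHP_EOL;
}

$raw   = ['aid' => '7 OR 1=1'];      // constructed request value
$input = core_clean_input($raw);

check('cleaned, trusting',   where_trusting($input),  'aid=7');
check('cleaned, defensive',  where_defensive($input), 'aid=7');

other_plugin_hook($input, $raw);     // the cleaned value is overwritten

check('reassigned, trusting',  where_trusting($input),  'aid=7 OR 1=1');
check('reassigned, defensive', where_defensive($input), 'aid=7');
```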