mysiteonline™

As I'm working on a desktop application that needs to connect to the database backend, and CakePHP provides an awesome mechanism for REST or AJAX communication (as well as data validation), I decided to have my desktop application talk directly through the Cake interface to do its magic.

Unfortunately, I was also using CakePHP's rather secure Security component to prevent XSS/CSRF attacks. The problem is that because the desktop application was directly accessing the method with data and bypassing CakePHP's FormHelper automatically created (and Security Component friendly) rendered HTML, it was failing (and because it wouldn't even get to the action since the Security Component was set in the AppController, I couldn't even use $this->log($this, LOG_DEBUG) to see what was happening).

After searching for a good 30 minutes or so, I came across this archived Google Group post by franky06l:
if(isset($this->Security) && $this->action == 'myaction')) $this->Security->enabled = false;I updated this to only be used in my specific controller's action, as so:
function beforeFilter(){ parent::beforeFilter(); if(isset($this->Security) && $this->RequestHandler->isAjax() && $this->action == 'add'){ $this->Security->enabled = false; } }Voila! It now works as expected.

Note: One will need to be extra cautious when disabling the Security Component. The Security Component takes care of a lot of issues for us automatically, by disabling it, you're opening yourself up to some possible troubles. Extra precaution is recommended, and I relinquish myself from any use of the above code that may cause harm - use at your own peril (or absolute need)! :D

I needed a way to authenticate users from our library from a server outside our network, and therefore also not connected to Active Directory. At first I was thinking LDAP would be the best way...then I did my research and learned enough about LDAP to realize just how much information it gives out - WAY too much for it to be very secure. Even if I used SSL, created an account specifically for this access, set that account to read only...all it would take would be one person to hack our server and grab that information and all our organization's data is out there. Although it's about as much of a chance as getting hit by lightning in the middle of the desert in a sand storm, I wouldn't want to be responsible.

The only server with any sort of external web presence that is also touching the internet is our Exchange server's web access portal. I thought, "Ah HA! I can use cURL, or streams, or fsockopen or something to fake a login to this page to verify authentication!" After searching a bit (I'm terrible every time I attempt to write something using cURL to authenticate), I came across a few things.

1. Exchange Server 2007 uses SOAP to provide a web service...AWESOME! We currently use 2003 though, but we will be upgrading later this year, so this may be helpful later on. [Link]
   1. HowToForge article on how to use PHP with 2007's SOAP Web Service
2. I found this PHP script that I tested, which successfully contacted our OWA server and authenticated.
3. I also found a PHP class on Google Code from Tyler Hall - it's not any particular project repository, just miscellaneous code he's hosting. It looks like it's slightly more feature rich, allowing info from address books and a user's inbox, for example.

I only needed to authenticate our building, so thankfully we had our own subdomain (not sure of the proper terminology) in the AD... If your domain was example.com (DC=example,DC=com), just getting OUR office (assume "Office1") was as easy as defining office1.example.com (DC=office1,DC=example,DC=com) after the @ symbol in the user's username (typically unnecessary information with OWA, but adding it explicitly was important here). It (seemingly) worked perfectly.

If you plan on doing something similar, just make sure that you cache (and encrypt) username/password information locally, hitting the OWA page continuously would probably make your System (or Email) Administrators a little unhappy with you.

So, for those of you who read my last blog post, you might notice that I was having issues with a script I wrote to create a new post in Wordpress when it came time to upgrade the Wordpress code.  The SQL internals were modified, and I was inserting directly in to the database (yes, I know, I broke a cardinal rule).  I needed an alternative way to insert information in to the database that would be much more future-proof.  I remembered about XML-RPC.

It took me some time to find answers to questions I had about XML-RPC and the Wordpress’ API.  Wordpress comes with the ability to use XML-RPC, and AtomPub.  With regards to XML-RPC, it supports a few protocols:

1. MetaWeblog
2. Movable Type
3. Blogger
4. Wordpress’ own methods

Since there was little written documentation as to how to do this, I thought I’d share my findings.  Also, although the Blogger API was very easy to figure out and use, I’m not going to cover it here mainly because it doesn’t support the creation of a title field – something for my purposes were required.  (To access the blogger API, I used this class.)  I’m also only going to cover what’s necessary to create a new post for my own means, nothing more – hopefully it’ll get you on your way to how you’d like to use it.

There was recently a nice posting from PHPDeveloper.org linking to an article by Florian Eibeck, where on his blog he discusses some solutions to these extremely fun situations.

http://blog.thinkphp.de/archives/342-Multilingual-Websites-with-PHP.html

Disclaimer: These are primarily notes for myself as I get accustomed to CakePHP's (v1.2) authentication and ACL. I've been building a website and wanted to finally make use of CakePHP before I start using it for the library's CMS. A CMS is a large undertaking and I don't want to go into it "cold-turkey", so I came up with some side-project to help me understand the framework a bit better. All in all, it truly is an extremely rapid development tool.

I decided not to go with ExpressionEngine or Drupal simply because I'd still have to take time to learn those systems and make modules or extensions within those languages - and there's no guarantee I'd be able to do what I'd need to do with them. If I build it myself, it would take just about the same amount of time with Cake. Anyway, to continue...