
Rocketz

Members
  • Posts: 204
  • Joined
  • Last visited
  • Days Won: 3
Reputation Activity

  1. Like
    Rocketz got a reaction from Paul in Anyone heard from CyanDark?   
    He just got back to me.   I hope the various projects I have with him are back on track. 
  2. Like
    Rocketz got a reaction from INUMIO-Rob in Email templates and HTML   
    ya, i think my dev ran into this same issue. He had to create the html templates directly in the sql database. Not a workaround i was very happy about 
  3. Like
    Rocketz reacted to JaxSite in cPanel Extended Security Issue   
    Based on my previous post, I set out this evening to fix the current security issue with the following goals in mind:
    1. Remove the Manage button by the service listing in all states except Active.
    2. Remove the Switch icons on service row expansion in all states except Active.
    3. If someone enters the direct URL to the cPanel Extended dashboard it disables all functionality and displays a message that the account is not properly set up (similar to default cPanel module).
    4. Add a notification message somewhere in the Admin so an administrator is aware the next time they log in.
    5. Email an administrator of the failed provision (this might already be an existing Blesta feature).
    After getting familiar with Blesta and cPanel Extended codebases, I have fixed the issue and accomplished my first three goals. I'll continue to become more familiar with the codebase so I can complete goals 4 and 5 too.
    To accomplish goal #1, I wrapped the template code with a status active check. This removed the Manage button in the Options column of the service row. Here is the code:
    /app/views/client/[template]/client_services.pdt
        <td>
            <?php if ($this->Html->ifSet($status) == "active") { ?>
            <div class="btn-group">
                <a href="<?php echo $this->Html->safe($this->base_uri . "services/manage/" . $this->Html->ifSet($services[$i]->id) . "/");?>" class="btn btn-xs btn-default">
                    <i class="fa fa-cog fa-fw"></i> <?php $this->_("ClientServices.index.option_manage");?>
                </a>
            </div>
            <?php } ?>
        </td>

    To accomplish goal #2, I wrapped the containing table row with a status active check. This disables the row expansion feature in all service states except active. Here is the code:
    /app/views/client/[template]/client_services.pdt
        <?php
        // List all services
        for ($i=0; $i<$num_services; $i++) {
            // Only active services get the expandable row
            if ($this->Html->ifSet($status) == "active") {
        ?>
        <tr class="expand service_info">
        <?php } else { ?>
        <tr>
        <?php } ?>
            <td><?php $this->Html->_($services[$i]->package->name);?></td>
            <td><?php $this->Html->_($services[$i]->name);?></td>

    To accomplish goal #3, I wrapped the sidebar tab building code with a status active check. This removes all of the cPanel Extended tabs and features from the /services/manage/ view. By removing the Manage button in goal #1 above, the average user will never be able to reach this URL. But for the tech savvy, it wouldn't be hard to figure out. And my goal with this fix is to prevent those tech savvy types from causing harm. So just in case this URL is called, unless the service is active, no manage features are available. Here's the code:
    /app/controllers/client_services.php
        public function manage() {
            $this->uses(array("Coupons", "ModuleManager"));

            // Ensure we have a service
            if (!($service = $this->Services->get((int)$this->get[0])) || $service->client_id != $this->client->id)
                $this->redirect($this->base_uri);

            $package = $this->Packages->get($service->package->id);
            $module = $this->ModuleManager->initModule($service->package->module_id);
            $module->base_uri = $this->base_uri;

            $method = isset($this->get[1]) ? $this->get[1] : null;

            // Set sidebar tabs (only for active services)
            if ($service->status == "active") {
                $this->buildTabs($service, $package, $module, $method);
            }
            // ... (rest of manage() not shown in the post)
        }

    I've also attached some screenshots showing the updated UIs where a cPanel Extended service is in PENDING state and management is basically disabled. Overall, I've had a fun night getting familiar with some of the code. Most importantly, I'm happy I was able to fix this security issue for my needs. I welcome any suggestions and advice from the Blesta Developers as well as cyandark. If there's a better way to fix this issue, please share so I can learn in the process. Thanks again for providing this community and everyone here who is so helpful.
    Cheers!
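
Added example, not part of JaxSite's post and not Blesta or cPanel Extended code: a single deny-by-default server-side gate for the manage view, so that the ownership check, the "active" status check and the requested tab method are all decided in one place rather than by which links the templates render. Every name here (`ManageDecision`, `authorizeManage`, the tab names, the sample services) is hypothetical and constructed for illustration.

```php
<?php
// Added illustration (requires PHP 8.1+). All names and data are hypothetical.

final class ManageDecision
{
    public function __construct(
        public readonly bool $allowed,
        public readonly string $reason,
        public readonly array $tabs = []
    ) {}
}

/**
 * Decide whether a client may use the manage view for a service.
 * Deny by default: a missing service, a service owned by someone else,
 * a status other than "active", or a tab method the module does not
 * expose all yield no tabs and no action.
 */
function authorizeManage(?array $service, int $clientId, ?string $method, array $moduleTabs): ManageDecision
{
    // Same answer for "does not exist" and "belongs to another client".
    if ($service === null || $service['client_id'] !== $clientId) {
        return new ManageDecision(false, 'not_found');
    }
    // Pending, suspended, canceled, etc. get no management features.
    if ($service['status'] !== 'active') {
        return new ManageDecision(false, 'not_active');
    }
    // A requested tab method must be one the module actually lists.
    if ($method !== null && !in_array($method, $moduleTabs, true)) {
        return new ManageDecision(false, 'unknown_method');
    }
    return new ManageDecision(true, 'ok', $moduleTabs);
}

// Constructed sample data: service id => record.
$services = [
    10 => ['client_id' => 1, 'status' => 'active'],
    11 => ['client_id' => 1, 'status' => 'pending'],
    12 => ['client_id' => 2, 'status' => 'active'],
];
$tabs = ['tabStats', 'tabDatabases'];
$requests = [[10, null], [10, 'tabStats'], [11, 'tabStats'], [12, null], [99, null], [10, 'tabOther']];

foreach ($requests as [$id, $method]) {
    $d = authorizeManage($services[$id] ?? null, 1, $method, $tabs);
    printf("service %d method %s -> %s (%s)\n", $id, $method ?? '-', $d->allowed ? 'allow' : 'deny', $d->reason);
}
```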

     
     
     


  4. Like
    Rocketz got a reaction from John in See How a Ticket Was Created   
    Very much agree with this.
    How we dealt with this in another system was this way : 
    - If a user opens a ticket from their client portal, and 2 factor is enabled : perform the request
    - If a user opens a ticket from the client portal, but 2FA is not enabled : ask for a support pin or security question
    - If a user emails in : same as above
    The support pin or security question is something the user sets up at order time. They cannot be changed or reset by the customer. If they need to be reset, you ask for ID before allowing the user to change them. 
    And then of course, it was noted on the ticket how it was opened, as suggested in this thread. 
  5. Like
    Rocketz got a reaction from Michael in Confirmation popup when performing an irreversible action   
    So i just found out today that if you perform a cancel action from the admin side, there is no popup that asks you "are you sure?". Most of the time, these popups are just annoying, but i've seen tired staff members first hand removing an entire account by mistake. 
    I'd really like a popup to slightly slow down these actions, like cancel, schedule cancellation, etc. 
  6. Like
    Rocketz reacted to Abdy in [Module] cPanel Extended Module for Blesta (Broken)   
    1. Added to To-Do List
    2. This is not part of the module. 
  7. Like
    Rocketz reacted to Paul in mariaDB support in V4   
    Certain fields are encrypted automatically, but modules and plugins can define which fields to encrypt. Because search operations cannot be performed on encrypted data, we usually don't recommend encrypting all fields, but that's a decision the developer should make.
    This page should give you a basic understanding of what is encrypted in Blesta and how it's performed: https://docs.blesta.com/display/user/Encryption
  8. Like
    Rocketz got a reaction from Blesta Addons in Email templates and HTML   
    ya, i think my dev ran into this same issue. He had to create the html templates directly in the sql database. Not a workaround i was very happy about 
  9. Like
    Rocketz got a reaction from Michael in mass mailer questions   
    ya that's how i say everything should run. I don't want to rely on a stable browser connection to have anything done within my software. As few failure points as possible. 
    I suppose a cool feature would allow the user to go back to a page and see the action in progress, but not actually rely on the browser to keep the process going
  10. Like
    Rocketz got a reaction from jobplease in How to add pre-made forms to submit tickets?   
    There are a lot of repeated requests from customers. Like website migrations, restores, security stuff etc
    I currently have a form setup to ask for that information on the website, but I'd like to have that implemented within Blesta instead. 
    So how can I set this up : 
    Customer goes to open a ticket. 
    Is shown a list of common support requests, clicks one
    A form shows up, asking for specific info
    That specific info is then created in a ticket (sensitive info in a note)
     
  11. Like
    Rocketz got a reaction from Paul in Questions without an answer   
    I'm not a coder... but I asked my dev to really customize my blesta install, and he did a great job doing it without ever touching the core files. We hit some limitations (like you would on competitors), which could be overcome, but that meant overwriting core files and like you, I didn't think it was a good idea
    It's very secure though. I had an outside party try all the common attack vectors + whatever they had in their toolbox and no exploits to be found. So while I didn't do it myself, it does seem like Blesta's way to theme things is still secure. 
    Btw : one thing I'd suggest is get a dev or staging license from Blesta. Have your third party theme it on that license. Run tests on it, get the code reviewed by someone else if you don't trust your dev, and when you feel good about it, move it to production. 
  12. Like
    Rocketz reacted to mrrsm in WHMCS Price Increase - Good News for Blesta   
    Just remember there are a bunch of open source modules/plugins/templates/gateways/etc from naja7host. That doesn't include his helpful code posts in this forum.  Plus he has been around the forum since the end of 2012.  That gives me a lot to go on to base his coding skill off of as well as his reputation around this community.
    You are fairly active on the forums but from what I can see you don't have any open source projects for blesta that I can look at. You haven't yet contributed enough to the community to be considered at naja7host's level. Maybe in the future as you contribute more and have more people using your modules/plugins and reviewing them, but not yet.
  13. Like
    Rocketz got a reaction from evolvewh in [Module] cPanel Extended Module for Blesta (Broken)   
    weird. When i tried to make it cause errors, a little red box appeared on top and it said there was an error. There were no details, but at least it showed an error
    Maybe a firewall / timeout issue? I can't say for sure without more info. That's what usually happens to scripts that hit a CSF problem. 
    Maybe @cyandark can chime in, and provide some log locations to see if you can find the exact error and what the script is doing. 
  14. Like
    Rocketz got a reaction from Michael in Questions without an answer   
    I'm not a coder... but I asked my dev to really customize my blesta install, and he did a great job doing it without ever touching the core files. We hit some limitations (like you would on competitors), which could be overcome, but that meant overwriting core files and like you, I didn't think it was a good idea
    It's very secure though. I had an outside party try all the common attack vectors + whatever they had in their toolbox and no exploits to be found. So while I didn't do it myself, it does seem like Blesta's way to theme things is still secure. 
    Btw : one thing I'd suggest is get a dev or staging license from Blesta. Have your third party theme it on that license. Run tests on it, get the code reviewed by someone else if you don't trust your dev, and when you feel good about it, move it to production. 
  15. Like
    Rocketz reacted to Abdy in [Module] cPanel Extended Module for Blesta (Broken)   
    Update 5.1.1
    Security Update cPanel Extended 5.1.1 Source Code Audition: https://codeclimate.com/github/CyanDarkInc/cPanel-Extended/issues
  16. Like
    Rocketz reacted to Blesta Addons in Third party plugin updates   
    Not sure which plugins you are talking about. From my part, all my plugins/modules will be upgraded to be fully v4 compatible. We have begun with the most used free plugin "cookies cutter"; we have added so many options now to that plugin. The next are clean orders and resend welcome email. I think they need just a small HTML code change.
    We have Logicboxes Reloaded already upgraded, but we will not release it now, as we respect the other developer that has a paid version, so we don't want to disturb his business.
     
     
     
  17. Like
    Rocketz got a reaction from Paul in WHMCS Price Increase - Good News for Blesta   
    I really think Blesta should raise the prices a little bit. Keep the same model, but for 4.0, do some math and see what 1 extra dollar per month would mean for you guys, or $10 more per year of updates. If it means being able to expand the team, or purchase others' work, it could be worth it. I'm not big on actuarial math, but i don't think any current customers would leave over a modest price increase if you showed them what that price increase will offer in return. 
    A billing system should not be priced like a commodity. 
    Full disclosure : this is coming from someone who's likely upgrading to lifetime license so it won't really affect me. I noticed it for the first time when it was discussed in this thread  
  18. Like
    Rocketz reacted to Blesta Addons in Is there a way to show support tickets on customer dashboard?   
    Use my plugin support manager badge, it adds the box for the client part.
     
  19. Like
    Rocketz got a reaction from Michael in How to add pre-made forms to submit tickets?   
    awesome, i can't wait for that! But that's only a band-aid for what i'm looking to do. But still, that would be a great step forward for the support manager
  20. Like
    Rocketz reacted to Blesta Addons in How to add pre-made forms to submit tickets?   
    It appears you need custom fields in support manager; that is not supported now.
  21. Like
    Rocketz reacted to Michael in How to add pre-made forms to submit tickets?   
    Just a little bit of info, this is planned in Blesta. So when you start typing a ticket the knowledgeable articles show up which match the content. Doesn't seem to be a public CORE- for this but I know this is happening because Paul told me ages ago.
  22. Like
    Rocketz got a reaction from Altegras in WHMCS Price Increase - Good News for Blesta   
    I swear, history keeps repeating itself. This is the same thing Modernbill tried to pull years ago, and 2 years later they lost their entire market share. Well this, and just other bad development decisions. 
    funny, because it's that act that created room for WHMCS. 
  23. Like
    Rocketz got a reaction from ariq01 in WHMCS Price Increase - Good News for Blesta   
    In other words to Paul and company : DON'T MISS THIS BOAT. this is a gift to you guys, take advantage of it
     
  24. Like
    Rocketz got a reaction from BeZazz in WHMCS Price Increase - Good News for Blesta   
    Right, it's a good time to really market the privacy aspect of Blesta. But we go back to what you guys need to do to grow into the hosting industry, feature-wise. Maybe re-prioritize some stuff? Up to you, but there's a lot you guys can do to take advantage of this. 
    If my competitor did this for me, I'd be dancing all night, and then work on removing them from the picture  
    Maybe a good time to talk to 3rd party developers, pay to integrate their modules directly into Blesta, making migrations from WHMCS a lot easier, a less costly and complicated process. At least to grow it quickly while you have all eyes on you
  25. Like
    Rocketz got a reaction from Michael in Which hosting panel   
    Parallels is the worst company in the world. I haven't used them in years, but when I was with them, you were nickel-and-dimed for everything. Need a bug fixed? Pay for support to report it. Our update broke things? No worries, pay for support. 
    Things like that. No way to run a business with that kind of partnership. Buggy updates and really bad support. 