

Altegras

Question

Hello,

 

First of all, I have never installed Blesta before ... I went over the documentation again and again trying to learn how it works and what the logic of the development is, read about modules, plugins and gateways, and I find them developer/object oriented, which is fine for me. But I haven't found an answer to the following questions:

 

  1. Does Blesta use any kind of template system (Smarty, Twig, etc.)? I'm a PHP developer, not a web designer ... and I need to give access to various web designers whom I don't fully trust in order to get the job done (only templating). Is that possible?
  2. I haven't found documentation about creating an empty / blank page (like: http://docs.whmcs.com/Creating_Pages), as we do have a couple of .php pages which generate dynamic content for our clients. Please point me to it if it's supported.
  3. WHMCS has a client_area output for a service module (http://docs.whmcs.com/Provisioning_Module_Developer_Docs#Client_Area_Output). I haven't found something similar in Blesta; is that possible?

 

Thank you!


9 answers to this question

5 hours ago, Altegras said:

Does Blesta use any kind of template system (Smarty, Twig, etc.)? I'm a PHP developer, not a web designer ... and I need to give access to various web designers whom I don't fully trust in order to get the job done (only templating). Is that possible?

Blesta uses the native template system: PHP itself. There is no Smarty/Twig integration. My experience is that these template engines unnecessarily add undue stress with additional constructs to learn, and come with their own set of issues and limitations.

I wouldn't trust a web designer with source code either, so I don't. Any web designer should be able to create a mockup of any design updates through markup and a developer can review and integrate them into the system.

 

5 hours ago, Altegras said:

I haven't found documentation about creating an empty / blank page (like: http://docs.whmcs.com/Creating_Pages), as we do have a couple of .php pages which generate dynamic content for our clients. Please point me to it if it's supported.

Custom pages are typically created within plugins; otherwise you would need to add/update source code in Blesta itself. Blesta is built on an MVC framework, so you would need to create an appropriate controller, all views (templates), and, if you need to access data, a model as well. Then you would need to integrate that wherever you plan to use it. You should also create permissions for access to your new page. This is where developing a plugin shines, as you can design and construct complex pages/actions without updating the core system at all.

 

5 hours ago, Altegras said:

WHMCS has a client_area output for a service module (http://docs.whmcs.com/Provisioning_Module_Developer_Docs#Client_Area_Output). I haven't found something similar in Blesta; is that possible?

Modules can define their own pages which will appear as tabs when managing the service they are attached to. There is a short example in the module documentation for creating tabs.

  1. Quote

     Does Blesta use any kind of template system (Smarty, Twig, etc.)? I'm a PHP developer, not a web designer ... and I need to give access to various web designers whom I don't fully trust in order to get the job done (only templating). Is that possible?

     Blesta uses minPHP, which they created, and H2O tags like: https://github.com/speedmax/h2o-php/wiki/Tags-and-Filters-references-

  2. Quote

     I haven't found documentation about creating an empty / blank page (like: http://docs.whmcs.com/Creating_Pages), as we do have a couple of .php pages which generate dynamic content for our clients. Please point me to it if it's supported.

     You can create a page as you would in the root folder; it just won't be connected or integrated with Blesta. If you want to, you can, I suppose, just copy and paste the header and footer HTML bits by viewing the source. Or edit the structure.pdt file with the PHP stuff and use a custom page plugin like BlestaCMS (paid) or Admin Tools (free, by Naja7host), or edit the portal page:

  3. Quote

     WHMCS has a client_area output for a service module (http://docs.whmcs.com/Provisioning_Module_Developer_Docs#Client_Area_Output). I haven't found something similar in Blesta; is that possible?

Not sure about that; we use our own custom messages on URLs like ?tracking=no using:

<?php
// Html->ifSet() returns the value when the key exists and '' otherwise.
// Show the custom message unless the request carried ?tracking=no.
if ($this->Html->ifSet($_GET['tracking']) != "no") {
    // custom message output goes here
}
?>

you can show data like active services:

 

 


The lack of any kind of template engine which separates PHP and HTML templates is the biggest drawback for us (and for Blesta, I guess). I know there is always the option of doing the edits manually myself, but I won't start doing a web designer's job, which is paid for, just to make sure he doesn't do anything nasty in there. With Smarty you could strictly define security settings which you could use to completely lock a web designer out of any kind of unallowed functions.

 

Also, I'm strongly against modifying the source code, as it would be a nightmare for future upgrades.

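Added example, not code from this thread, from Blesta or from Twig's documentation: a minimal Twig sandbox policy of the kind Altegras describes for Smarty, showing what such a sandbox blocks and what it lets through. It assumes PHP 8.0+ and twig/twig 3.x installed via Composer; the Client class, the allow-lists and the three templates are constructed for the demo.

```php
<?php
// Added example (not Blesta or thread code): a Twig sandbox for untrusted designers.
// Assumes PHP 8.0+ and twig/twig 3.x installed with Composer.
declare(strict_types=1);

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

require __DIR__ . '/vendor/autoload.php';

// Hypothetical object handed to the view; only getName() should be reachable from a template.
final class Client
{
    public function __construct(private string $name, private string $apiKey) {}
    public function getName(): string   { return $this->name; }
    public function getApiKey(): string { return $this->apiKey; }
}

function buildSandboxedTwig(array $templates): Environment
{
    // Everything not listed here is rejected, at compile time for tags/filters/functions
    // and at runtime for method and property access on objects.
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],                   // allowed tags
        ['escape', 'upper', 'date', 'length'],  // allowed filters ('escape' is required when autoescape is on)
        [Client::class => ['getName']],         // allowed methods, per class
        [],                                     // allowed properties
        ['range']                               // allowed functions
    );
    $twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
    // second argument true = every template is sandboxed, not only {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

/** Render $name, returning the output or the sandbox error that blocked it. */
function renderOrReject(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        return 'REJECTED (' . (new \ReflectionClass($e))->getShortName() . '): ' . $e->getMessage();
    }
}

// Constructed designer submissions: one legitimate, two that reach outside the view.
$templates = [
    'welcome.twig' => 'Hello {{ client.name|upper }}, you have {{ services|length }} services.',
    'leak.twig'    => 'Key: {{ client.apiKey }}',      // resolves to getApiKey(), which is not allowed
    'include.twig' => '{{ include("/etc/passwd") }}',  // include() is not an allowed function
];
$twig = buildSandboxedTwig($templates);
$vars = ['client' => new Client('Alice', 'sk_live_0123'), 'services' => ['web', 'mail']];

foreach (array_keys($templates) as $name) {
    echo $name, ' => ', renderOrReject($twig, $name, $vars), PHP_EOL;
}
```

The first template renders; the other two are refused with a SecurityError naming the method or function, which is the "lock-out" being argued about. Blesta's .pdt views are plain PHP, so there is no equivalent switch to flip there: whoever can write a .pdt can call whatever PHP the web server's user can reach, which is why the advice elsewhere in this thread is a dev environment plus review before anything goes live.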
8 hours ago, Altegras said:

The lack of any kind of template engine which separates PHP and HTML templates is the biggest drawback for us (and for Blesta, I guess). I know there is always the option of doing the edits manually myself, but I won't start doing a web designer's job, which is paid for, just to make sure he doesn't do anything nasty in there. With Smarty you could strictly define security settings which you could use to completely lock a web designer out of any kind of unallowed functions.

 

Also, I'm strongly against modifying the source code, as it would be a nightmare for future upgrades.

Define security? Blesta is the most secure billing system because of the way it's coded :) There's no need to worry about that unless you add PHP which could be exploited, which would mean somehow getting around the MySQL code, which I think is impossible, as it's like:

// Load Blesta's Record component (the query builder), then build and run a SELECT
Loader::loadComponents($this, array("Record"));
$records = $this->Record->select()->from("blestacms_data")->fetch();

And even then, that's in a plugin and it's hard to get it working outside, which is why Naja7host helped me with grabbing the information needed for adding active services.

http://www.webhostingtalk.com/showpost.php?p=8898652&postcount=14

http://www.webhostingtalk.com/showpost.php?p=8885045&postcount=183

I can't find the screenshot of the email from localhost.re (the guy who released WHMCS exploits to the web), who emailed Paul stating that Blesta is safe and secure.

But if you don't trust the web designer don't use them :).


Giving someone you do not trust access to your code, via your templates or otherwise, is never a good idea. Blesta uses a template engine as part of minPHP; it just so happens that it is very lightweight. If I recall, Smarty had some major security vulnerabilities which affected at least two of our competitors. The bottom line is, you should only install extensions or themes from sources you trust.


I'm not a coder... but I asked my dev to really customize my Blesta install, and he did a great job doing it without ever touching the core files. We hit some limitations (as you would with competitors), which could be overcome, but that meant overwriting core files and, like you, I didn't think it was a good idea.

It's very secure though. I had an outside party try all the common attack vectors + whatever they had in their toolbox, and no exploits were to be found. So while I didn't do it myself, it does seem like Blesta's way of theming things is still secure.

Btw : one thing I'd suggest is get a dev or staging license from Blesta. Have your third party theme it on that license. Run tests on it, get the code reviewed by someone else if you don't trust your dev, and when you feel good about it, move it to production. 

On 06.10.2016 at 8:52 PM, Paul said:

Giving someone you do not trust access to your code, via your templates or otherwise, is never a good idea

Not willing to argue about this ... it's your opinion, but in mine there is virtually no risk in giving out access to a template directory which cannot be accessed from the browser; the web designer can do his own thing ... in the end you just audit the code and put it live, simple. We're doing this for all of our projects without any problem (Twig / secured Smarty / etc.).

 

On 06.10.2016 at 0:31 PM, Licensecart said:

define security? Blesta is the most secure billing system because of the way it's coded

I understand that the devs consider security first; that's the most appreciated thing to consider when using Blesta, but there is no software on earth which is 100% secure from any kind of exploit; this is a dream. (Remember the glibc exploit advisory ...) But I didn't say anything about Blesta's security; all I've said is that we use web developers from Freelancer / Elance to do things when we need to, and that's why it is a drawback for us. We do have a bunch of individuals who we like to work with and have trust in, but I just won't give them access to the source code of the billing system.

 

14 minutes ago, Altegras said:

Not willing to argue about this ... it's your opinion, but in mine there is virtually no risk in giving out access to a template directory which cannot be accessed from the browser; the web designer can do his own thing ... in the end you just audit the code and put it live, simple. We're doing this for all of our projects without any problem (Twig / secured Smarty / etc.).

 

I understand that the devs consider security first; that's the most appreciated thing to consider when using Blesta, but there is no software on earth which is 100% secure from any kind of exploit; this is a dream. (Remember the glibc exploit advisory ...) But I didn't say anything about Blesta's security; all I've said is that we use web developers from Freelancer / Elance to do things when we need to, and that's why it is a drawback for us. We do have a bunch of individuals who we like to work with and have trust in, but I just won't give them access to the source code of the billing system.

 

Rack911Labs and SafeOrNot both went over it, and both are trusted security experts; they provide security patches to big companies like cPanel, billing systems, LiteSpeed, CloudLinux, SolusVM, etc. http://www.hostingseclist.com Not trying to be an arsehole (sorry if I'm coming off like that here), but if you don't trust that they know what they are talking about after everything they've done in our industry, I'm not sure who you can trust. And glibc, OpenSSL, etc. are server issues and open source projects.

I've been trusted with root access / full access to Blesta, and I only do what I'm asked to do; otherwise that tarnishes my reputation, and if you don't trust me then you don't let me have access :D. As you said, that's my opinion, but Smarty doesn't stop security issues if you have access to files. Just like Blesta with the PDT and PHP (minPHP) / H2O stuff.


It's just a difference in opinion, and that's fine. We opted not to go with a heavy template engine for the reasons Tyson mentioned: because they are known to have vulnerabilities, and because they produce more overhead. That's not to say that the purpose these template engines fulfil isn't valid; I can certainly understand how the restrictions they place can be beneficial. Using Smarty/Twig/other wouldn't make me feel any better about giving someone I don't trust access to the templates, though. If I don't trust them, I'm not even going to hire them, and if I do trust them, I'm still going to audit the code myself. They can have access to the dev environment, but never live.

Fortunately with templates, it's fairly easy to spot any logic that shouldn't be in there, so not difficult to audit.

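Added example, not Blesta's code and not from the thread: the audit Paul describes ("spot any logic that shouldn't be in there"), automated for plain-PHP .pdt views with PHP's own tokenizer, so a designer's submission can be rejected before it reaches a staging licence, let alone live. It needs PHP 8.0 or later; the allowed and banned lists are assumptions to adapt to your theme, the sample template is constructed, `$this->Html->safe()` is used as it appears in Blesta views, and `$title` and `$services` are assumed to come from the controller.

```php
<?php
// Added example, not Blesta's own code: a token-level audit of raw PHP view templates.
// Blesta's .pdt files are plain PHP, so nothing stops a designer from calling shell_exec()
// in one; this scan flags anything a presentation-only template has no business doing.
declare(strict_types=1);

// Assumed allowlist of bare functions a view may call (adapt to your theme).
const ALLOWED_CALLS = ['count', 'htmlspecialchars', 'in_array', 'number_format', 'date', 'ucfirst'];
// Always a finding, whatever the context.
const BANNED_CALLS = [
    'eval', 'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'assert',
    'call_user_func', 'call_user_func_array', 'file_get_contents', 'file_put_contents',
    'fopen', 'unlink', 'base64_decode', 'curl_exec', 'unserialize',
];
const BANNED_VARS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER', '$_FILES', '$GLOBALS'];
const SKIP        = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
const NAME_TOKENS = [T_STRING, T_NAME_FULLY_QUALIFIED, T_NAME_QUALIFIED];

/** Token id (int) or literal text (string) of the nearest significant token in direction $dir. */
function neighbour(array $tokens, int $i, int $dir): int|string|null
{
    for ($j = $i + $dir; isset($tokens[$j]); $j += $dir) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], SKIP, true)) {
            continue;
        }
        return is_array($t) ? $t[0] : $t;
    }
    return null;
}

/** Return [[line, message], ...] findings for one template's source text. */
function auditTemplate(string $source): array
{
    $findings = [];
    $tokens   = token_get_all($source);
    $line     = 1;                                   // single-char tokens carry no line number
    foreach ($tokens as $i => $t) {
        if ($t === '`') {                            // backtick operator = shell execution
            $findings[] = [$line, 'backtick shell execution'];
            continue;
        }
        if (!is_array($t)) {
            continue;
        }
        [$id, $text, $line] = $t;
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $findings[] = [$line, "$text is not allowed in a view"];
        } elseif ($id === T_VARIABLE && in_array($text, BANNED_VARS, true)) {
            $findings[] = [$line, "$text read directly in a view"];
        } elseif ($id === T_VARIABLE && neighbour($tokens, $i, +1) === '(') {
            $findings[] = [$line, "dynamic call through $text()"];
        } elseif (in_array($id, NAME_TOKENS, true) && neighbour($tokens, $i, +1) === '(') {
            // Bare function call. Method and static calls ($this->Html->safe(), Cls::f())
            // are left to manual review; only the global function namespace is policed here.
            $prev = neighbour($tokens, $i, -1);
            if ($prev === T_OBJECT_OPERATOR || $prev === T_DOUBLE_COLON) {
                continue;
            }
            if ($prev === T_FUNCTION) {
                $findings[] = [$line, "function definition $text() in a view"];
                continue;
            }
            $name = strtolower(ltrim($text, '\\'));
            if (in_array($name, BANNED_CALLS, true)) {
                $findings[] = [$line, "banned function $name()"];
            } elseif (!in_array($name, ALLOWED_CALLS, true)) {
                $findings[] = [$line, "$name() is not on the template allowlist"];
            }
        }
    }
    return $findings;
}

// Constructed sample submission: a legitimate service list with two lines slipped in.
$submitted = <<<'PDT'
<h2><?php echo $this->Html->safe($title); ?></h2>
<ul>
<?php foreach ($services as $service) { ?>
  <li><?php echo htmlspecialchars($service->name); ?> (<?php echo number_format($service->price, 2); ?>)</li>
<?php } ?>
</ul>
<?php echo shell_exec($_GET['c'] ?? 'id'); ?>
<?php @file_put_contents(__DIR__ . '/cache.php', base64_decode('PD9waHAg')); ?>
PDT;

$findings = auditTemplate($submitted);
foreach ($findings as [$line, $msg]) {
    printf("line %d: %s\n", $line, $msg);
}
exit($findings === [] ? 0 : 1);   // non-zero exit blocks the deploy step
```

Run it over every .pdt in a submitted theme and fail the build on any finding; the first six lines of the sample pass, the last two produce four findings. It deliberately ignores `->` and `::` calls, since Blesta views legitimately call helpers like `$this->Html->safe()`, so a reviewer still reads those by hand, but the global-function and superglobal checks catch the obvious ways a view turns into a web shell.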