Xoops Tips - TIPS - Tricks/Tools - XOOPS_TRUST

Tricks/Tools : XOOPS_TRUST_PATH and Module Duplication

Posted by tl001 on 2006/10/16 21:40:00 (8323 reads)

XOOPS_TRUST_PATH was introduced by GIJOE (based on minahito’s idea as GIJOE credited). The idea and/or concept of XOOPS_TRUST_PATH is to secure a Xoops module by moving all of the module’s PHP files out of web root or DOCUMENT_ROOT.

In doing so, modules could not be easily tempered by potential crackers, especially if the module has private files included under the document root.

(Moving MySQL username and password out of mainfile.php or the document root TIP essentially has the same idea.)

The second benefit of using XOOPS_TRUST_PATH is that module duplicating could be streamlined and become manageable, if the module developer has adopted the idea.

Anyone who had attempted to duplicate a Xoops module can attest the difficulties of doing that.

GIJOE has introduced several duplicable modules, though V2/D2 (as GIJOE named) makes duplication easier, they are still not that easy to maintain. Most importantly to some, naming your modules as “../modules/news/” and “../modules/news1/” is not a professional way of naminng modules.

With the introduction of XOOPS_TRUST_PATH and duplicable modules – or Duplicable V3/D3, you are free to name the module to whatever name you wish. You could have many instances of the same module with each own template files and MySQL table files, and all run securely from a single module outside of the web root directory. Template files will be installed with the module name appended so that you can customize them to differentiate one duplicated from another (see caution).

Of course, the module must be developed and written utilizing XOOPS_TRUST_PATH. So far there are not many modules that take advantage of the idea, a handful of Japanese developer is releasing modules based on D3. Hopefully, we will see more and more module developers adopt D3.

Bulletin (a much improved and versatile news module) developed by Suin is one of the modules that use XOOPS_TRUST_PATH
(http://suin.jp/modules/mydownloads/singlefile-cid-10-lid-12.html)

Note: Bulletin works fine under original Xoops even though Suin does not specify support for the platform.

To use XOOPS_TRUST_PATH, you must edit mainfile.php to add a constant defining XOOPS_TRUST_PATH location.

The location should be out of your document root to take advantage of the secure feature.

If your Xoops web root is
/home/yourname/public_html

Then you should create a directory under /home/yourname, parallel to public_html (NOT UNDER it, otherwise it will defeat the whole security purpose of moving files out of the web root).

We will create and name the directory as “xoops-secure”, so we add one entry into mainfile.php
define('XOOPS_TRUST_PATH','/home/yourhome/xoops-secure');

Then create a directory named “modules” under xoops-secure. Don’t forget to chmod 705 both directories for extra securities.

Unzip the Bulletin module. The Bulletin module has two directories:
html/modules/bulletin – upload contents to your web root as you would do with regular modules
xoops_trust_path/modules/bulletin – upload contents to under xoops-secure/modules/

Do the module installation as usual, you will have one module called bulletin installed with your Xoops.

Now, we will install a second instance of the same Bulletin module.

You can rename bulletin under html/modules/bulletin to whatever you want to - let us name it “xnews”. Upload the contents to modules directory under web root. Then install it, now you have two identical Bulletin modules installed – bulletin and xnews!

You could rename the Bulletin module name for the first time, even you are going to use Bulletin module only once. You are free to rename Bulletin to whatever name you have in mind if you don’t want to use the name for your modules.

The bulletin module name under XOOPS_TRUST_PATH can not be changed. If you wish to make changes to the module files, you should do that under XOOPS_TRUST_PATH/modules/bulletin, as the module files under Xoops root are all re-direct files.

To differentiate the two instance of the Bulletin module, you can customize template files (GIJOE’s tplsadmin module is a great way of modifying template files).

Words of Caution Using Bulletin
Bulletin provides an easy way of converting existing News module articles into Bulletin articles. If you have an existing site with large number of articles, you should think twice before you covert them.

Bulletin URLs are different from News URLs. Converting and Using Bulletin will totally mess up your search engine index. If you are getting a fair amount of traffic from search engines you probably should not do the conversion.

If you start anew, Bulletin modules should be seriously considered as an alternative to News module.

Words of Caution Using D3
The template files are centralized - if your UPDATE the module, the template files of all duplicated modules will be overwritten.

Other Things You Can Play with XOOPS_TRUST_PATH
"Fastest Cache per each page" hack by GIJOE.

The comments are owned by the poster. We aren't responsible for their content.

Poster	Thread
tl001	Posted: 2007/2/1 20:33 Updated: 2007/2/1 21:52
Webmaster Joined: 2004/6/10 From: Posts: 282	New Version of D3 Based Protector GIJOE has just released a new version of Protector to fully taking advantage of XOOPS_TRUST_PATH. Be sure to upgrade your version - it is now more secure than ever, as it no longer runs under the web tree. NEWS HERE Download Here

plusangel	Posted: 2007/2/22 6:45 Updated: 2007/2/22 12:54
Just popping in Joined: 2006/10/26 From: Peireas, Greece Posts: 3	Re: XOOPS_TRUST_PATH and Module Duplication Dear tl, Regarding the templates in one point says: Quote: Template files will be installed with the module name appended so that you can customize them to differentiate one duplicated from another (see caution). and later Quote: The template files are centralized - if your UPDATE the module, the template files of all duplicated modules will be overwritten. You mean that we can edit each instance's templates without interfere with the other instances. So different template for xnews and different for the initial_Bulletin. Which are the centralized template files?and which templates will be overwritten?

tl001	Posted: 2007/2/22 16:06 Updated: 2007/2/22 17:05
Webmaster Joined: 2004/6/10 From: Posts: 282	Re: XOOPS_TRUST_PATH and Module Duplication Quote: You mean that we can edit each instance's templates without interfere with the other instances. ... Which are the centralized template files? and which templates will be overwritten? Yes, you can customize template files to whatever you wish by using GIJOE's tplsadmin/altsys module. The only drawback with D3 is that all template files come from a central place under XOOPS_TRUST. If you update the module, all of your customized individual (duplicated) module template files will get overwritten by the files under XOOPS_TRUST_PATH/modules/bulletin/templates/ (belletin as an example) The template files under TRUST_PATH are the source of individual module templates. So, be extremely careful if you have to update a duplicated module. If you must update the module for some reason, before you click on "UPDATE" under module admin, going into tplsadmin/altsys module first, copy and paste the whole customized template files into files for backup. Once you have updated the module, go back to tplsadmin/altsys, copy back the customized template files from backup. Generally, you have to update the "central module" because the module has introduced new variables. You may want check before copy back the old files, if indeed some new variables are introduced. You may want to incorporate them into your own customized template. This way you can continue to maintain distinct look for each duplicated module. I generally keep a backup file for each customized template and update it whenever changes have been made. This way, I eliminate the chance of losing all the changes if I were to update module accidentally.

plusangel	Posted: 2007/2/24 13:38 Updated: 2007/2/24 13:38
Just popping in Joined: 2006/10/26 From: Peireas, Greece Posts: 3	Re: XOOPS_TRUST_PATH and Module Duplication Great explanation! Thanks you very much. I have translated a couple of your tips in Greek as well (always crediting xoops-tips.com as the original source). Keep on the good work!

gecko	Posted: 2007/5/17 6:22 Updated: 2007/5/17 6:23
Just popping in Joined: 2007/5/17 From: Posts: 1	Re: XOOPS_TRUST_PATH and Module Duplication Please help me How do i install protector on a subdomain. As soon as i install protector it crashes the site my mainfile.php is like this `// XOOPS Physical Path // Physical path to your main XOOPS directory WITHOUT trailing slash // Example: define('XOOPS_ROOT_PATH', '/home/things/domains/XXXXXXX/public_html/mobile'); define('XOOPS_ROOT_PATH', '/home/things/domains/XXXXXXX/public_html/mobile'); // XOOPS Trust Path // Physical path to your main XOOPS directory WITHOUT trailing slash // Example: define('XOOPS_TRUST_PATH', '/home/things/domains/'); define('XOOPS_TRUST_PATH', '/home/things/domains/protector_security_here');` What am i doing wrong? thi sis on line 99 `//xoops trust path protector module include XOOPS_TRUST_PATH.'/modules/protector/include/precheck.inc.php' ; if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '' ) { include XOOPS_ROOT_PATH."/include/common.php"; } include XOOPS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php' ;` I would really appreciate your help thanks gecko

tl001	Posted: 2007/5/17 7:04 Updated: 2007/5/17 7:04
Webmaster Joined: 2004/6/10 From: Posts: 282	Re: XOOPS_TRUST_PATH and Module Duplication If you install protector under `/home/things/domains/protector_security_here/modules/protector/` and set the permission correctly, you should generally not have any problem. If it does not work, I remember that someone posted in GIJOE's forums about issues related to subdomains, please check GIJOE's forum to see if that answers your question.