Posts in Category: Releases

mojoPortal 2.3.6.1 Released

I'm happy to announce the release of mojoPortal 2.3.6.1, available now on our download page. We will submit this release to the Web App Gallery next week after we've had a chance to get any feedback from our early adopters.

New Security Options

  • It is now possible to require approval of new users before they can sign in, a setting in Site Settings enables it and you can specify email addresses to receive notification of new users that need approval, and a new button will appear on the member list page to find users not approved yet if you enable this. This is not a recommended configuration if you are doing eCommerce since it creates more barriers to completing a purchase if the user must wait for approval before he can sign in.
  • It is now possible to require any user to change their password from a setting in user management.
  • From Site Settings, you can now configure it to require a user to change their password after password recovery or reset.
  • There is now a custom error message you can configure in site settings if you are using a regular expression to validate password rules, you can provide an error message that explains the rules.

We also made the MS SQL packages of mojoPortal pre-configured for Medium Trust by default since this is the most common installation issue that people encounter. If you are hosted in Full Trust you can use the Web.fulltrust.config file.

Easier Content Re-Use

There is a new way to mark re-usable content as global content, which makes it available for page editors to add existing content to their pages. Joe Davis of i7MEDIA has made a nice video tutorial showing how to use this new feature, see the Global Content Section on this page.

Blog Improvements

  • Someone asked for the ability to not create a 301 redirect when a post is renamed and the URL changes. By default, we believe this behavior is what should happen to automatically help with SEO when a URL changes, but if you don't want that behavior you can turn it off by adding this to your user.config file: 
    <add key="Blog:Create301OnPostRename" value="false" />
  • It is now possible to use Bing Maps in the blog instead of Google Maps.
  • There have been settings in the blog for a while to allow showing the right and left column content from the main blog page also on the blog post pages. Recently someone asked to be able to show upper and lower content when using skins that have 5 content panes, so we added these Web.config settings that you could add to user.config:
    <add key="Blog:ShowTopContent" value="true" />
    <add key="Blog:ShowBottomContent" value="true" />
  • Improved Feedburner integration. When using Feedburner, we now redirect to the FeedBurner feed instead of direct linking so that you can keep users subscribed to your original blog feed and not lose subscribers if you later decide to stop using Feedburner. See updated documentation Using Feedburner with your Blog.

Miscellaneous Little Improvements

  • There is a new setting in Page Settings that allows you to control if pages appear in the child pages site map separately from if they appear in the menu
  • added config setting to allow using a custom registration page URL
  • added config option to not re-suggest URLs when renaming existing pages
  • made it possible to exclude HTML content instances from search index for landing pages that one doesn't want to come up in search, this is in the feature instance settings for Html Content
  • when moving items in pagelayout.aspx keep the item selected
  • make it possible to move pages to the top or bottom of their page tree node in PageTree.aspx
  • revamp of PageLayout.aspx thanks to Joe Davis - it required additional CSS so skins were all updated as well, see notes in this sticky thread for new CSS you need in your skin
  • CSS and markup improvements in WebStore - thanks to Joe Davis
  • when using excerpts in the feed manager make it possible to open the link in a new window
  • added an instance setting in Image Gallery to control the background color used when resizing images
  • update to a strong name signed version of NeatUpload so it can be installed in the GAC to make it work in Medium Trust hosting
  • upgrade to CKEditor 3.5
  • refactor system content templates and add new 2 column over 1 template from Jamie Eubanks
  • make it possible to specify a different site map data source id for SiteMenu control
  • when not combining CSS make URLs relative
  • updated Italian resources from Diego Mora
  • updated Persian resources from Asad Samarian
  • updated German resources from Jan Aengenvoort

Bug Fixes

  • restore possibility to edit HTML content instances that are loaded by modulewrapper
  • make IE specific CSS and favicon respect page specific skins
  • fix a bug in blog RSS when using folder based child sites it was incorrectly resolving URLs
  • fix bug where the smiley base path was not resolving correctly if running in a virtual directory instead of root
  • fix a bug in pgsql data layer for survey
  • fix a bug in pgsql data layer for content catalog paging
  • fix bug in sqlce data layer when adding features to child sites
  • fix a bug in timepicker - thanks, David Dean
  • fix an issue where export to CSV or word was not working correctly in IE 8 when SSL is enabled
  • fix a bug in webstore - add abstract to offer edit page
  • fix a bug in the forum where external images were handled differently on edit page than thread page
  • fix bug - don't show host name tab in site settings until after new site is created

As always, it is a good idea to backup your site and database before upgrading.

Corresponding Update For Form Wizard Pro

Users who have purchased  Form Wizard Pro should upgrade at the same time to the new version of Form Wizard Pro 0.0.2.3, released today for compatibility with mojoPortal 2.3.6.1. This was needed because we updated to a new version of NeatUpload and Form Wizard Pro must use the same version of NeatUpload as mojoPortal or it will result in errors.

Follow us on twitter or become a fan on Facebook

follow us on twitter become a fan on facebook

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.5.8 Released

I'm happy to announce the release of mojoPortal 2.3.5.8, available now on our download page.

Whats' New?

  • A new Flickr Gallery feature
  • A new User Sign In Module that can be put on a content page such as the home page
  • A new scroller setting in the Feed Manager to enable a scrolling news ticker
  • Some improvements to the List/Links feature including a new introduction that can be used to place html above the list and a new option for non-ajax paging
  • Thanks to Jamie Eubanks for implementing a way to use both database authentication and LDAP, there is a new config setting for fallback to LDAP if database authentication fails. This allows scenarios where your internal users such as content authors can login with their LDAP credentials while still allowing public users to register and sign in with database credentials.
  • A new option to disable CSS caching while designing by clicking a button that sets a cookie to disable it. The previous way of of disabling it from config still works but this new way may be more convenient. You will find the button under Administration > Advanced Tools > Designer Tools
  • Upgraded to CKeditor 3.4.2
  • Updated Italian resources thanks to Diego Mora
  • Bug fixes for things reported in the forums since the previous release including several fixes in the SQL CE data layer and the Firebird data layer.

flickr gallery screen shot

sign in module screen shot

 

 

Follow us on twitter or become a fan on Facebook

follow us on twitter become a fan on facebook

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.5.5 Released

I'm happy to announce the release of mojoPortal 2.3.5.5, available now on our download page.

A few weeks ago I was on the verge of releasing my new add on product In Site Analytics Pro, but when I tested the package I discovered that the graphs did not work in Medium Trust hosting. It turned out to be a problem with ZedGraph that was easily fixed by re-compiling it with the AllowPartialyTrustedCallers attribute set to true. However, since both mojoPortal and In Site Analytics use ZedGraph, they really need to both be compile against the same version of ZedGraph. There are ways around such issues with configuration to map assembly versions, but to keep things simple I decided to wait and release a new version of mojoPortal with the new version of ZedGraph before releasing In Site Analytics Pro. So I went through our list of to do items and things that have been requested by the community to find a few low hanging fruit items that could be finished quickly to make the mojoPortal upgrade more appealing. I will follow up in the next few days and make the first release In Site Analytics Pro, but it will require mojoPortal 2.3.5.5 or newer.

What's New?

In recent versions, we added a Facebook like button and a Tweet This button in the blog, in this release we made it also possible to have the Facebook like button and/or the Tweet This button in the RSS feed so that users who subscribe to the feed using Google Reader or other Feed Readers can also Like or Tweet your posts. We also added logic so that if a blog post is saved with a blank url, the url is generated by server side code.

Thanks to a good suggestion from Tim Cadenbach, we added some nice ajaxy transitions for the jQuery UI tabs and Accordion used in administrative features and elsewhere.

Added a setting in Site Settings to require a Captcha on the Registration page.

Added a setting in Site Settings to require users to type their email address twice on the registration page (to avoid typos during registration).

Added a setting in Site Settings to show a Password Strength Meter on the registration page to encourage strong passwords.

Added a setting in Site Settings to require a Captcha on the login page, not something I generally recommend doing but if your security requirements call for this it is now possible.

Added support for a new token in newsletters for #viewaswebpage# which is replaced with a link to the web page version of the newsletter.

There was a usability issue previously with the forum notification emails where an opt out link was shown for both the forum as a whole and for just the thread regardless of whether the user was really subscribed to both the forum and the thread. Now we have different notification templates for each scenario so that only opt out links are shown for notifications the user is actually subscribed to.

Added an automatic machine key generator to the Security Advisor page to make it easier to create a custom machine key.

screen shot of machine key generator

Bug Fixes

  • Fixed issue where ZedGraph was not working in Medium Trust
  • Fixed issue where multi file selection for bulk upload did not work in IE after a recent Flash update
  • Fixed Member list paging bug in pgsql data layer

Don't forget that we are moving this site to a new server this evening so there may be some down time during the move.

If you haven't already, please vote for mojoPortal in the 2010 Open Source CMS Awards

 

Vote For mojoPortal in the 2010 CMS Awards

 

Follow us on twitter or become a fan on Facebook

follow us on twitter become a fan on facebook

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.5.4 Released

mojoPortal 2.3.5.4 is now available on our download page.

This is a compatibility update for the changes in ASP.NET that resulted from the security patch recently released by Microsoft and now available from Windows Update. I blogged about this issue previously and provided a workaround for the compatibility issue, this new release eliminates the need for the workaround.

Before the security update, there was a possibility for a System.Security.Cryptography.CryptographicException when decrypting the role cookie if the machine key had changed and the user was already authenticated. We already had error handling for this error, but after the security update the behavior changed and it would throw a more generic HttpException there which we were not handling, and this would cause users who were previously authenticated to experience an error until they cleared the cookie. Even without a machine key change, the same error could happen if a user was authenticated before the windows update was applied, the error could happen for that user after the update was applied (because there were also changes to how cookies are encrypted in the security update) In this release we have added handling for the new more generic exception so the cookie will be reset if this error occurs and the user will not experience an error on your site.

We've also removed the previous workaround for the ASP.NET security issue since it is not needed after the update is applied.

Other Changes

Thanks to Steve Railsback of Colorado State University we have some new CSS that can be used to add images to the Administration menu. It uses some Crystal Icons which are licensed under LGPL. I've updated many of the included skins that ship with mojoPortal to use the new icons, you can easily add them to your skin by adding this to your style.config file:

<file cssvpath="/Data/style/adminmenu/style.css" imagebasevpath="/Data/style/adminmenu/">none</file>

It will transform the admin menu from a plain looking vertical list to a list of images with hover effects like this:

screen shot of admin icons

This release also has:

  • upgrade to CKeditor 3.4.1
  • upgrade to TinyMCE 3.3.9.2
  • updated Italian resource files thanks to Diego Mora
  • fixed a bug where menu items that were configured as unclickable were still clickable in the breadcrumbs

I'd also like to point out a new article in the skinning documentation written by Steve Land, Using Wireframe Skins. Steve has shared a skin he designed to solve the problem of how to keep your discussions with clients focused on functionality when you need to. It is a very common issue that the customer can easily get side tracked onto colors and other visual aspects which is fine if you are trying to discuss the design but distracting if you are trying to focus the discussion on functionality or other non-design aspects of the site. The wireframe skin can help with this because it is designed to not be distracting and to clearly represent that the design is not what is being shown. Please let Steve know if you find his wireframe skin useful if there is interest he might make more variations.

Follow us on twitter or become a fan on Facebook

follow us on twitter become a fan on facebook

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.5.3 Released

mojoPortal 2.3.5.3 is now available on our download page.

This is another security update in follow up to version 2.3.5.2 which we released on Friday afternoon to address 2 mojoPortal specific security issues and it had some initial defense against a more general ASP.NET vulnerability the full details of which were released Friday afternoon at a security conference in Argentina. On Friday night Microsoft released information about the vulnerability and a workaround to help protect sites until Microsoft can provide a fix to the underlying problem. On Saturday morning I updated the post for version 2.3.5.2 with the workaround information.

Over the weekend we continued to review how best to protect mojoPortal and this morning we are releasing mojoPortal 2.3.5.3.

This release has the same fixes provided in version 2.3.5.2, but also has the Microsoft suggested workaround pre-applied. Additionally, we have added a new page in the Administration Menu that can detect a few common configuration issues that affect security and provide links to information about how to correct the configuration. If a serious configuration issue is detected, it shows an alert in the Administration Menu to bring it to your attention.

screen shot of security alert in the administration menu

Note that in a multi site installation this page is only available in the root administrative site.

I strongly advise everyone to upgrade as soon as possible if you haven't already.

There was also a bug introduced in version 2.3.5.2, the fix I had made for the FileService issue had caused an error in the page if using the alternate File Manager (which doesn't use the file service). This issue is fixed in version 2.3.5.3

Note that in this release I also commented out the PageNotFoundHandlerModule in Web.config. I'm not 100% sure this is needed but it is probably better to play it safe. The downside is that users who click bad links will not see the friendly page not found page but the generic error page. 

For more details see also:

UPDATE 2010-09-25

Scott Guthrie of Microsoft just posted about an additional protection that can and should be applied at the server level. If you have control of your own server you should take the additional step of installing UrlScan and configuring a rule as indicated in the article.

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

UPDATE 2010-10-04

The fix for the ASP.NET  security bug is now available in windows update. However, the change has a negative side effect for the current release of mojoPortal which may cause authenticated users to experience an error on your site. The error occurs when trying to decrypt the role cookie which was encrypted before the update was applied. Previously, if there was an error decrypting a role cookie, it was throwing a System.Security.Cryptography.CrypotgraphicException (which we were handling so the user would not experience any error). After the windows update it now throws a more generic HttpException which the current release does not handle so the user will see the error page, and the only way to solve it is to clear the cookie. I have added handling for the changed error for the next release of mojoPortal. There is one workaround you can do right away to solve this problem, you can add code to the ErrorPage.aspx in the root to clear the role cookie so that at least the user will only see the error page one time. To do this, edit the ErrorPage.aspx file with a text editor. At the top add this:

<%@ Import Namespace="mojoPortal.Business" %>
<%@ Import Namespace="mojoPortal.Business.WebHelpers" %>
<%@ Import Namespace="mojoPortal.Web" %>

then add this code to the bottom of the Page_Load event:

try
        {
            SiteSettings siteSettings = CacheHelper.GetCurrentSiteSettings();
            if (siteSettings != null)
            {
                string roleCookieName = SiteUtils.GetRoleCookieName(siteSettings);
                HttpCookie roleCookie = new HttpCookie(roleCookieName, string.Empty);
                roleCookie.HttpOnly = true;
                roleCookie.Path = "/";
                HttpContext.Current.Response.Cookies.Add(roleCookie);
            }
        }
        catch{}

 

Follow us on twitter or become a fan on Facebook

follow us on twitter become a fan on facebook

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.