Please share your opinions on this blog post

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

You can monitor commits to the repository from this page. We also recommend developers to subscribe to email notifications in the developer forum as occasionally important things are announced.

Before posting questions here you might want to review the developer documentation.

Do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.
This thread is closed to new posts. You must sign in to post in the forums.
11/17/2009 10:20:19 AM
GQAdonis
Gravatar
Total Posts 5
View Posts

Re: Please share your opinions on this blog post

Thanks so much to the both of you for the detailed and quick responses.  There was some admitted ignorance in my asking my question, because I had had very little contact with either CMS before now--I had done more with Drupal, Joomla!, and Telligent Community Server.  I eliminated Drupal and Joomla! on the basis of wanting to have a single code base based on .NET for server side functionality.  I eliminated Community Server because it was expensive and did not improve function or extensibility any better than open source solutions.

Bottom line is this is what I found since I have reviewed the materials both of you sent:

  • Both solutions offer ways to accomplish my goal quite nicely.  Setting up a development environment for Umbraco was slightly easier and natural to do, and I like the way "packages" are done so fluidly.  It reminds me of the neat fluidity of Wordpress in this regard (ability to search for and load packages from the Internet in place as an administrative function).
  • After following the instructions Joe has posted on setting up the development environment manually and watching his video going over the code, I had a much better understanding of what was going on and was able to get myself started.  I do wish there were options other than adding all those post-build steps to copy assemblies, etc., however, because my "quote engine"--the back end services infrastructure--makes use of Microsoft Enterprise Patterns for DI and has its own layered architecture, which means about 6-10 more assemblies to copy than in Joe's "WebStore", which is the example I followed.
  • As far as theming, mojoPortal seems to have a slight edge for what I am doing although, the XSLT-based model in Umbraco is VERY similar and compatible with the work I am doing on the iPhone application, where I am using XSLT, JTemplate (with JQuery), and other template methods to create HTML on the fly for use in "hybrid" views (HTML local to iPhone and used for display in WebKit while data comes from my back end services mentioned above).  There is some good potential to share XSLT templates, I believe in the future, although this will take more time than I want to spend figuring it out right now.  On this point, mojoPortal still wins for me, because I don't have to create my own theming theory or infrastructure like it seems I have to in Umbraco (unless someone can point me to how I can do it easily without giving my graphic design partner--who knows HTML and typical models for theming like Wordpress and ASP.NET--a heart attack and making HIS job tougher).
  • Authentication with the model I am looking for can be implemented either place, but I, at this point, think my intended model for providing applications (iPhone, BlackBerry, and other web based integrations to other sites and widget frameworks) might be more quickly done with mojoPortal by a very slight margin.
  • Administration facilities are prettier, cooler, and a bit more functional and extensible--in my quick analysis--with Umbraco.  Like I said, I love the packaging, but I also feel this could be accomplished with mojoPortal by extending it a bit to process zipped files of resources with a manifest XML file somewhere in there telling mojoPortal where to find everything (like the features XML and setup and tear down components).
In the end, for my first project, I am moving forward with mojoPortal just because I understand it better at this point--it is more like what I already know with ASP.NET and other CMS'es I have worked with.  However, for my NEXT iPhone project that involves a web community in the back end, I would like to try Umbraco just because I think I can share user interface code a bit more creatively considering my "hybrid" model on the iPhone, and I might be able to support mobile devices in general more fluidly--adjusting to form factor, features in JavaScript, etc. for each individual platform without a lot of repetition in creating separate controls for each platform, etc.  Eventually, I would like to have most of my time in coding invested in the mobile platforms (iPhone, Android, Palm WebOS, BlackBerry, etc.) and NOT on building the web versions that must be provided for "backward compatibility" and to support lower level devices.
Thanks for the tutorials and pointers, guys!  You both are very, very good at this with each platform, and I as I learn more, I hope to participate in future development on potentially BOTH projects, adding some of the mobile-friendly capabilities, etc. that I am looking for in a "partner" CMS package.  No matter what, a web site is always needed in addition to a native mobile application that provides community style features.
If either of you has any additional pointers that might make things easier, please let me know.  I will follow both projects and blog about this process on my personal blog.  I have at least 3 mobile projects planned that require community features and connectivity, and I hope to narrow the field on this to a single platform.
Finally, any words of wisdom or comparison with regard to the "cloud" capabilities of each product?  When all is said and done, at least my back end database will be in the Amazon cloud (MySQL), although I am also evaluating SQL Azure and the Azure platform for this (I noticed that  mojoPortal already has code for this type of thing, although it is for SQL Azure, which has not been released and has its problems with database size and SQL transactions features from my understanding).  Eventually, it would be nice to have the web site in the cloud as well--along with my REST services infrastructure.  What is planned for the future of both products in this regard?
Thanks again, and sorry for the lengthy messages!

11/17/2009 11:10:17 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Please share your opinions on this blog post

Hi GQAdonis,

I have it on my Road Map to implement Web Farm support including Azure support as an add on product. Most of the issues to resolve to run on Azure have to do with eliminating all use of the file system as discussed on this thread.

However, not all cloud infrastructures require not using the file system, as I have been told the mojoPortal can run in the Rackspace Cloud, and I will be installing it myself for one of my customers in the Rackspace cloud in the next few days.

I will tell you why mojoPortal does not have a feature like DNN or Umbraco to install features via the web. Like DNN allows you to upload a .zip and it extracts it an install the dlls and Umbraco goes and gets a package from the internet and installs the dlls in the /bin folder.

To me this is not a good idea from a security perspective. The entire web site must be writable by the web process to support this. I do not want my web process running with permission to write to the/bin folder nor change the Web.config file, nor upload files to any folder that is marked to allow execution. To me it seems particularly risky for the web code to be able to download more code over the internet and install it. It seems to me that some DNS spoofing could be used to manage to install malicious code, so there is a potential for remote code execution.  It is not that I couldn't build a feature to install features, it is that I think features should be installed via a more privileged  ftp user just like the initial installation. There is always a trade-off between convenience and security and I tend to land on the security side. In general I  don't like to see a web app that requires the web process to have full control over the whole web file system. Probably there are ways to mitigate some of those risks like a private/public key pair could be used to verify the server where the download comes from but it is more secure not doing these things.

mojoPortal limits the need for write permissions to only the /Data folder and App_Data folder and scripting/execute permissions can be removed from those folders to harden security further.

I do have plans to make it possible to upload skins as a .zip and also to be able to create/edit skins right in the browser, but this doesn't involve any executable code and skins like every other user uploaded file live beneath the /Data folder.

Best,

Joe

11/17/2009 11:59:50 AM
GQAdonis
Gravatar
Total Posts 5
View Posts

Re: Please share your opinions on this blog post

Thanks again for the quick response!  I do have a question with regard to your statement about not supporting an installable packaging model due to security concerns:

The beauty of ASP.NET and the Application Pool model is that you have so many options for determining how the logged in user can or cannot write to the file system.  It is possible to support dynamically installable features through the configuration of the site, and you can make this "hard" to do, so the installers are forced to have specific privileges.  This would seem to allow the best of both worlds.

I am very interested in what happens with your cloud install on Rackspace, and I read your forum posting on the things that need to be done in order for you to support Azure.  It seems that solutions to those can be found by the time that Azure itself has its model worked out.

 

Another idea:  would you consider providing REST-based access to each and every feature in a manner that makes it automatic for third party developers to tap into (as a matter of definitions of entities and workflow via attributes, metadata, or configuration without extra coding)?  The reason I ask is that such access (e.g., being able to read/write the blog, forums, threads, or any other "content" based entity equally from REST or web interface) would make integration with other systems and native mobile development automatic.  If there is one thing I would perhaps consider doing as a contribution to the mojoPortal community, that would be the thing.

 

Finally I really appreciate your approach to building your software as a "labor of love."  This approach to your work will continue to result in spectacular results, and I wish more software providers/developers adopted this point of view.  It makes this a fun job.

11/17/2009 1:24:16 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Please share your opinions on this blog post

Hi,

I'm not really following you on the installation question. File system permissions are set on the file system, the identity of the application pool is the user who must have file system permissions for reading and writing to the file system. Yes you could limit use of some installer functionality to a site user in the admins role, but the web process does not run as the site user and does not execute with permissions based on the site user unless you are using impersonation and this only works with windows authentication which does not work on the internet. So the web process is going to run with the same permissions no matter who is signed in or even if the request is anonymous. So the only protection you have is in the application code where you can limit what a user can do. But you get additional protection from the file system by not making it writable, then even if someone finds a way around or a way to exploit your application code, they cannot install unwanted code. Anyone who can manage to bypass you or exploit your app logic and install executable code essentially now owns your app/site. It is basic security strategy to reduce attack surface, making the whole web file system writable opens up a much larger attack surface.

My opinion is that giving write permission on the whole file system to the web process user is a bad idea. I design my add on features to be installed by ftp by constructing the package such that uploading the files in the root of the package to the root of the web site makes everything land in the right place. It is very easy to install but it requires using ftp.

If someone wanted to make a feature for mojoPortal that could be used to install other features it certainly would be straightforward to implement and could be used if the whole web file system is configured as writable but it is not something I really want to bake in as a requirement for the whole file system to be writable or encourage as a best practice.

Other strategies that occur to me would be implementing an install arrangement where the user uploads a .zip to a writable folder under /Data, and a more privileged Windows Service comes along and does the installation, but this would only be possible in dedicated server environments where you could install the windows service. At the end of the day I really don't think it is so difficult to just install with ftp.

I am very interested in having a REST API wrapping most functionality. If you would like to help with that, it would be great as I have a lot of other things much higher on the priority list and my current plan is just to implement REST methods on a case by case basis as I find need for them. So if you have an interest in working on a more comprehensive REST API, I would welcome your help on that.

Best,

Joe

11/17/2009 2:18:11 PM
GQAdonis
Gravatar
Total Posts 5
View Posts

Re: Please share your opinions on this blog post

Hey, Joe!  Thanks for your reply once again.  I am probably thinking too hard about how to engineer a solution that provides that "downloadable install" kind of convenience just because it looks so cool and seems so convenient despite the risks.

 

As for the REST API work, I would love to participate in providing that feature, as I will be doing it anyway as part of my current iPhone project.  As I complete my work on this for the first site, I will communicate with you about how it goes and send a proposed design that would work for the larger set of functions on the site.  Take a look at http://blogs.msdn.com/vbertocci/archive/2008/03/10/wcf-rest-at-mix08-the-tale-of-myspace-apis.aspx for my thinking regarding adding REST support to a community site.  MySpace uses this method with WCF to provide basic and OAuth support for authentication. 

11/17/2009 2:40:42 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Please share your opinions on this blog post

Sounds great! You can reach me directly at joe dot audette at g mail dotcom.

Quite  a while back I stubbed out a project using the WCF REST Starter Kit as you'll see in the source code mojoPortal.Web.Rest. However I never got back to working on it and I think there is a newer better version of the REST Starter kit since then. We can completely ditch what I have there now and start from scratch. I'm completely open to ideas about how it should be organized.

Best,

Joe

11/17/2009 3:04:38 PM
GQAdonis
Gravatar
Total Posts 5
View Posts

Re: Please share your opinions on this blog post

Thanks, Joe!  I have already started my own process for this, and I will send you an email, so we can sync up.  I am very excited to work on this!

11/30/2009 3:52:48 AM
asterix
Gravatar
Total Posts 31
View Posts
There are 10 kinds of people in the world, those who know binary, and those who don't

Re: Please share your opinions on this blog post

It seems Daniel Bardi did not really do his research well. The first "con" in the review is that MojoPortal only has three content panels, but in fact anyone can find this page easily in the skin design page: http://www.mojoportal.com/morethan3contentpanels.aspx If the first con is plain wrong, I would hesitate to rely on the rest of it to make any meaningful decision. Note that I am not trying to defend either system but my opinion on the blog post post is that it is just a piece of subjective opinions.
11/30/2009 7:22:22 AM
paiman
Gravatar
Total Posts 192
View Posts

Re: Please share your opinions on this blog post

umbraco? can something that can only be installed to the root and can't be installed to a sub-folder or a virtual directory be called a good system? this this was enough for me to forget umbraco for ever.

how is it compared to the commitment of joe to the project to keep everything perfect?

You must sign in to post in the forums. This thread is closed to new posts.