Protecting Externally Generated HTML Reports in Joomla
A number of reporting applications generate extensive interactive HTML web sites that are very useful but can be hard to secure behind a login, especially when you must incorporate HTML from several different report generators. Fortunately, there is a relatively simple way to do this in Joomla using the “wrapper” menu item type. The example that follows shows how to do this when you want to keep the HTML report from being scanned and indexed by search engines but do not require absolute security. This might apply to content that is not confidential or proprietary, but which would generate unwanted email inquiries if it were indexed. This approach meets many low-security needs but does not provide total security; see the discussion in the section on modifying .htaccess for more information on the security issues with this approach.
Step 1: Upload the HTML Web Report
The first step is to upload the HTML report into its own directory; you do not want to mix your report files in with anything else. It should be a directory that is accessible only to people who are trusted and authorized, so it probably should not be a subdirectory of the images directory or another media directory. The directory name should not be identical to the name of any category, tag or article, as this will cause URL collisions and create issues for SEO. If you will have a lot of reports, you will probably want to create some kind of directory hierarchy.
For security reasons that will be described later, your directory name should contain a random string that is eight or more characters.
Step 2: Fix Permissions on HTML Web Report Using Akeeba Admin Tools
The next step is to make sure that the directory and file permissions are secure: 755 for directories and 644 for files. Many report generator tools do not pay attention to this.
In Akeeba Admin Tools, go to the Custom Permissions option shown in Figure 1, make sure that your directories are listed with the proper permissions, and select Apply. Then, using shell access or some other means, verify that the permissions were set properly with ls -l or a similar command.
Step 3: Create Menu Option for HTML Wrapper
Next, create a new menu item using the Wrapper option as shown in Figure 2. Put your HTML report’s URL in the option field as shown in Figure 3. If you want to restrict access, change the Access from “Public” to a particular group as shown in Figure 3.
If you used a secure group for access, only logged-in users will be able to locate the information, and search engines will not find the pages for indexing. However, if someone knows the URL, they could still get to it directly without any difficulty; we still need to secure access by changing the
Step 4: Add Custom Rules to .htaccess Using Akeeba Admin Tools
To secure the HTML report from direct access, you must add lines to the .htaccess file that controls Apache. There are perhaps a million ways to do this, but the easiest relies on the way that Joomla implements wrappers. For the wrapper menu item, Joomla uses the iframe HTML tag; this has the side effect that all accesses to these HTML pages through your site will have your site as the referrer. We will write .htaccess rules that deny access to the files if the referrer is not your site. This still leaves open the hole that someone could spoof the referrer, guess the correct URL and get access to the files, hence the recommendation that you use unique random strings in the directory names.
The URL will be visible to logged-in authorized users via “View Source”. If one of those logged-in, authorized users decides that the HTML report should be publicly visible, that user can post the URL, at which point it will be possible for a malicious user to spoof the referrer and gain access. Well-behaved search engines still would not index the page, unless the logged-in, authorized user posted the link in a publicly accessible and indexable area of your site.
For many applications this is an acceptably small attack window, but it should be recognized that it is an open window, however small.
Figure 4 contains the code that you should use in your .htaccess file. Make sure to replace the domain and directory in the example with your own domain and directory.
Step 5: Modify Module Display for Report Menus
The final step in the process of adding an HTML report to your Joomla website is optional and depends on the report and template that you are using. Many reports will benefit from having a wide column layout. If you have navigation, recent articles, popular articles or other Joomla modules to the left and right of your HTML report, you might get some awkward or unusable line wraps. To give your report a wider column, you may want to omit these Joomla modules from the menu options that drive these HTML reports as shown in Figure 5.
- Written by Bruce Moore
Using CiviCRM on Joomla
Most technical professionals end up doing website technical support for one or more community organizations. Most organizations need operational systems for managing members, handling dues payments and event registration fees, and calendar management, but these organizations frequently do not have the money to pay for commercial services to support these needs. Many non-profits have adopted CiviCRM to handle these organizational capabilities. Although CiviCRM runs on WordPress, Joomla and Drupal, most CiviCRM installations are on Drupal, which is beyond the technical capability of many small organizations.
Although WordPress is a popular CMS for small organizations, it does not have the robust permissions system that both Drupal and Joomla have and is not well suited to CiviCRM installations; in WordPress, controlling access to sensitive information would be difficult, unreliable, or impossible. Because of the migration issues between Drupal 7 and Drupal 8, Joomla may actually be a good alternative for Drupal 7 installations that do not want to make, or cannot make, the conversion to Drupal 8.
The article that follows describes the basic features of CiviCRM, how you can use the Joomla permissions system to control sensitive information, and how you can use Joomla menu options to present CiviCRM capabilities to end users.
CiviCRM is a Non-profit Oriented Customer Relationship Management System
CiviCRM provides both backend administrative tools that are accessible through the Joomla backend to users with administrative privileges, and frontend information and registration tools that are accessible through the Joomla frontend either publicly or to users with front-end privileges. For many non-profit community organizations these two capabilities are critical. There are several vendors that host CiviCRM installations, so if your organization loses the technical person who manages the CiviCRM installation, there is a fall-back alternative that is competitively priced compared to commercial membership management solutions.
Administering a CiviCRM installation is not a trivial undertaking; there are many decisions to be made for member types, document types, case types and numerous other things, so an organization must have a good technical succession plan in place before making the decision to implement a CiviCRM system. This is true of any membership management system.
Perhaps the biggest consideration in hosting a CiviCRM system for membership management is the risk of private data compromise and whether or not the organization can protect itself technically and legally from that risk.
- Written by Bruce Moore
Upgrading to Joomla 3.8, 3.9, 3.10 and 4.0
Since the release of Joomla 3.8 in September of 2017, the Joomla community has been preparing for two major technical upgrades: moving from PHP 5.6 to 7.x and from Joomla 3.x to Joomla 4.0. PHP 5.6 will cease to get security updates after December 31, 2018, while PHP 7.0 will cease to get security updates after December 3, 2018, so it is imperative that webmasters move their sites to PHP 7.1 or 7.2 in November, 2018. Similarly, the security fixes in Joomla 3.8.13 make it wise to get to at least that software level as of this writing and to move to 3.9 and subsequently 3.10 as soon as possible. All of these upgrades have higher than normal testing requirements; this article aims to help with preparation for these migrations.
Joomla 3.8 included a number of changes to provide support for PHP 7.x and is required in order to upgrade to PHP 7.1 or PHP 7.2.
Moving to Joomla 3.8
Because of the changes to support PHP 7.x, Joomla 3.8 ended up requiring changes to many templates, template frameworks and extensions. Moving early, as I did, required a lot of work, but today most vendors have updated everything so there is not much work required. Here are the steps for upgrading to Joomla 3.8:
- Backup Joomla
- Update your template framework. If there are no updates after September 2017, you will probably be forced to change templates and template frameworks.
- Update your template. If there are no template updates after September 2017, you will probably be forced to change templates.
- Update your extensions.
- Update Joomla.
You will probably find that some things are broken. If so, you may need to replace the functionality with a different extension; most extensions that are still supported have already fixed any problems related to the upgrade to Joomla 3.8 and the related upgrade to PHP 7.x.
Moving to a New PHP Level
Most web hosting firms use CPanel to provide a graphical user interface (GUI) for system administration. CPanel introduced MultiPHP support, which allows each shared host to run a different PHP level and configuration and makes it possible to move to more recent software in an orderly way. If you have a Virtual Private Server (VPS), you have a lot of control over how PHP packages are provisioned, but if you are on a typical shared host you do not. Do some research on your current configuration before starting. With this in mind, here are the suggested steps to migrate to a higher PHP level:
- Verify that you are on at least Joomla 3.8.
- First, do research to identify the PHP modules that you need.
- Look at the PHP requirements for Joomla, and make a list of the PHP packages that are listed in Technical Requirements. “Zlib support” means that the Zlib PHP module mod_zlib must be installed. Make a list of all of the modules that Joomla requires. Do not forget mod_ssl for HTTPS support.
- Look at the PHP requirements for the Joomla extensions that you use. Some may require PHP Exif support for image metadata; other Joomla extensions may have other unique requirements.
- If you have a VPS, list the modules currently selected.
- Provision the new PHP release in the EasyApache section of CPanel.
- If you have a VPS, use the list of PHP modules that you need to provision the new level of PHP.
- If you do not have a VPS, you will need to call your hosting firm’s technical support to have them confirm that the various modules have been included.
- In CPanel, set the php.ini values for the new PHP level to match the values in your current configuration.
- In CPanel, use MultiPHP to change PHP levels.
- Test. If you have problems, turn on debugging in the Joomla configuration to see some of the error messages. It may take two or three tries to get all of the PHP modules that you need.
Moving to Joomla 3.9, 3.10 and 4.0
Moving to Joomla 3.9 required another round of template and template framework updates for all sites along with updates to a number of extensions. Otherwise, this was an uneventful upgrade.
Moving to Joomla 3.10 is planned to be an uneventful upgrade, as it is intended to be a transitional release that provides security fix support for two years while site owners and developers fix and test extensions on 4.0. Although 4.0 has some new functions, most of the changes are updates to outdated and unsupported dependency libraries; it is likely that a lot of extensions will need maintenance to work with the new levels of the various libraries. See the article Potential Backward Compatibility Issues in Joomla 4. In any case, do not move to 4.0 without testing extensively first.
- Written by Bruce Moore
Writing an Article Using the Joomla Frontend
Joomla has both a “frontend,” or general user interface, for writing articles and a “backend,” or administrator interface. The administrator interface has potentially more options and can be more confusing for new users. The tutorial that follows describes how to write a basic article for your organization’s web site using the frontend interface. The website for Hillcrest Toastmasters is used for the example.
Resources Menu Before Logging In
In most web site designs, the options for adding a new article will not be available unless you log in. The example web site is designed so that the options appear under the “Resources for Toastmasters” menu; before login, this shows only a menu option for the list of useful articles, as shown in Figure 1.
Log In to the Website
To log in on most web sites, there will be a login screen or button. On the example web site, use the login panel at the bottom of the right side of the screen. The “Secret Key” box is used for Two Factor Authentication; this provides security when accessing the web site from a public terminal. If you have not set this up, leave the Secret Key blank. For more information see Setting Up Google Authenticator for Joomla.
- Written by Bruce Moore
New Privacy (GDPR) Features in Joomla 3.9
The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect in May, 2018 and has resulted in major changes in privacy administration within the Information Technology world in general and web business operations in particular. Joomla release 3.9 (November, 2019) introduced a number of changes that immediately provide tools to help with compliance, and APIs so that extension developers will be able to easily provide compliance tools.
What is GDPR?
Before talking about the new privacy features in Joomla 3.9, it makes sense to give an overview of GDPR. First, neither this article nor Moore Software Services provides legal advice on whether you are subject to GDPR, whether or not your site is compliant, or any other legal question. This article describes new privacy features in Joomla; whether these are sufficient for your compliance needs is beyond the scope of this article. GDPR became effective in May, 2018 and resulted in a large number of emails in which businesses asked customers to confirm consent for data tracking related to email newsletters and other customer relationships. There are many good web articles on the history of GDPR, so there is no point in repeating the history here. Suffice it to say that the regulation is overdue and that most businesses have struggled to comply with its basic requirements.
Requirements of GDPR
The regulation is complex and has many pages, but is based upon a few simple principles:
- Report to a user what data the company holds about that user
- Remove data about a user upon the user’s request
- Report data breaches to users within 72 hours of discovery
- Maintain records of the processing of user data
These represent significant changes from the way most web businesses have traditionally operated and will require significant work for many firms.
The Penalties for Failure to Comply are Draconian
Failure to comply is fundamentally a bankruptcy issue for most companies; the penalty is the greater of
- €20 million
- 4 percent of annual global revenue.
Ignoring GDPR is not an option.
Do US-based Companies Need to Comply with GDPR?
The short answer is yes for most companies and web businesses. If any of your customers are EU citizens and use the site at home or while in the US, you probably need to comply. If any of your customers are non-EU citizens, but use your site while in the EU, you must comply. Consult an attorney. Whether it will be enforced heavily for smaller businesses is an open question, but given that the California Consumer Privacy Act of 2018, the Chicago Personal Data Collection and Protection Ordinance and other US jurisdictions have implemented similar legislation, it is probably a good idea to work toward GDPR compliance; GDPR appears to be the most strict, so complying with it may make it easier for you to comply with the hodgepodge of regulations developing outside the EU.
Joomla 3.9 Helps with GDPR Compliance
The new privacy features and APIs in Joomla help with tracking consent, responding to user requests for information, and maintaining processing records. The sections that follow take a user-interface approach to the new features rather than a functional approach. There are five major user interface additions for the new GDPR privacy functions:
- Privacy Dashboard (under the Users menu)
- Privacy User Action Log (under the Users menu)
- Privacy menu item types (under the Menu menu)
- Privacy plugins (under the Extensions->Plugins menu)
- Privacy Global Configuration options (under the System->Global Configuration menu)
The GDPR Privacy Dashboard is Under the User Menu
The User menu adds new Privacy and User Action Log options as shown in Figure 1. Going to the Privacy menu option shows the dashboard (see Figure 2), where you can get an overview of the information requests and other compliance status items for your site. The Requests option in the dashboard (see Figure 3) shows the number and status of users’ requests for a report on the data pertaining to them, plus a workflow for processing requests.
The most powerful addition in Joomla 3.9 is the addition of API features for extensions to integrate with the core privacy functions. Figure 4 shows the privacy-enabled extensions reporting back what privacy features they have implemented.
The last option in the privacy dashboard is the report on the status of user consents (see Figure 5).
The GDPR User Action Log is Under the User Menu
GDPR requires that you keep a log of how user information is processed. The User Action Log (see Figure 6) under the User menu provides this capability. It will probably be very helpful for problem diagnosis in addition to compliance.
New GDPR End-User Forms are New Menu Item Types
To implement the user interface for the new privacy capabilities, a new menu item category, Privacy (see Figure 7), has been introduced along with three new menu item types (see Figure 8).
GDPR Plugins for Logging
GDPR Privacy Options in Global Configuration
The final user interface change for the Joomla 3.9 privacy enhancements is a Global Configuration category, Privacy, that currently contains one item: the number of days before a user request for data is escalated to URGENT status.
The privacy extensions in Joomla 3.9 do not provide everything you need for compliance with GDPR and other privacy regulations, but they do provide a way for extension developers to add capabilities and make life easier for webmasters. Over the next two or three years, extension developers that do not implement privacy features will have a much more difficult time selling their extensions.
- Written by Bruce Moore