Current development on JAMWiki is primarily focused on maintenance rather than new features due to a lack of developer availability. If you are interested in working on JAMWiki please join the jamwiki-devel mailing list.

Comments:JAMWiki 0.5.2


JAMWiki 0.5.2 Status

Archived from the Feedback page:

Apologies for the lack of any updates for JAMWiki 0.5.2. I've just updated jamwiki.org with the latest code, including the first batch of changes needed to implement the file upload whitelist/blacklist. Once that feature is fully implemented and working I'll put the first beta up for download, with the hope of getting a final release out a week or two later. Changes in 0.5.2 will likely be fairly minor - some look & feel updates, the file upload whitelist/blacklist option, some changes to the way the admin pages are laid out, and probably a few bugfixes. Work is taking up a lot of time, so unfortunately my time to devote to wiki development is limited.

If anyone has any opinions on the look & feel changes that have been made thus far please let me know - aesthetics aren't my strong suit, so feedback is appreciated. -- Ryan 20-Feb-2007 23:45 PST

New code with a (hopefully) working blacklist is now on jamwiki.org. The default blacklist includes the following: bat,bin,exe,js,jsp,php,sh. If there's anything else that should be in that list please add a comment. -- Ryan 24-Feb-2007 18:28 PST

JAMWiki 0.5.2 beta 1

The new whitelist/blacklist feature for file uploads is the big item I wanted to get done for 0.5.2, and since it's finally ready, here's the first beta:

Other changes since 0.5.1:

  • Upgrade to commons-io 1.3.1 and commons-fileupload 1.2.
  • Updated translations for Chinese, Polish and German (thanks!).
  • Several look & feel updates.
  • Split Special:Admin into two screens - Special:Admin and Special:System.
  • Display "create topic" links when viewing a page for a topic that does not exist.
  • Additional automatically-generated JUnit tests (thanks!).
  • A few miscellaneous code cleanups.
  • Option to clear the cache added to Special:System.

As always feedback is appreciated. I don't expect to make many additional changes before 0.5.2 final - I know there are a number of open issues on the Bug Reports page, and I'll see if I can get to some of them, but I think the file upload blacklist/whitelist feature is important enough that it should be released sooner rather than later. -- Ryan 24-Feb-2007 23:35 PST

JAMWiki 0.5.2 beta 2

The only change in this beta is a fix for a fairly serious bug that could cause CPU usage to spike to 100% when parsing some topic names. The fix needs some testing, so feedback as to whether any topic parsing breaks is appreciated.

-- Ryan 25-Feb-2007 21:21 PST

Final Release

I haven't stumbled on any problems with the current code yet, and since the current code has some worthwhile fixes and a new feature that addresses a potential security problem I'd like to get the final release out soon. I'd like to try to get it done this weekend, so if anyone has translation updates, minor bugfixes, or anything else that should go in the final release please get them in in the next couple of days. Thanks! -- Ryan 01-Mar-2007 10:45 PST

File upload types

Archived from the Feedback page:

Is there currently a setting used for specifying allowable file types for upload? -- scroco 08-Sep-2006 17:20 PDT

Currently the only restriction on file uploads is file size, which is provided automatically by the org.apache.commons.fileupload.FileUpload class. Restricting by file type is an option that should also be provided, so please add something to the Roadmap if you want to. If you have any other requests for file upload restrictions please add those as well. -- Ryan 08-Sep-2006 17:26 PDT

Security Issue with Uploading

Archived from the Feedback page:

One issue that I found while using JamWiki is that any file can be uploaded as an image, including JSPs. I lost my private key for accessing my web server (my webserver is on Amazon's EC2) and I had my private key stored on the server, so I uploaded a JSP that would search for files titled "id_rsa" and print them to the writer of the HttpServletResponse. Less than 2 minutes later, I had my private key sitting before me. This seems like a pretty serious security issue. Alexander Boyd 26-Jan-2007 14:09 PST

Thanks for pointing this out. The ability to upload potentially malicious content is something that was originally allowed as a trade-off - as a tool for collaboration people should be able to collaborate using all sorts of files, not just images - but the software is getting to a stage where the ability to lock down the system is also an important consideration. I'm not going to delay the 0.5.1 release for this issue, but one of the first issues addressed for 0.5.2 will be providing an administrative interface to limit (if desired) the types of files that can be uploaded. If you or anyone else has suggestions about what features are needed or what this interface should look like I'd be interested in hearing them. My thoughts right now (bearing in mind that it's late and I had sake with dinner) are:
  • The default should be that only images can be uploaded.
  • There should be an option to do one of the following:
    1. Disable uploads entirely.
    2. Enable ALL uploads that are not blacklisted.
    3. Disable ALL uploads that are not whitelisted.
Feedback and comments would be appreciated. -- Ryan 27-Jan-2007 01:35 PST

That sounds great. However, it seems like it would be better if there was separate blacklists and whitelists for administrators and general users. For example: I would want to be able to upload JSPs but I wouldn't want anyone else to. How does this sound? Alexander Boyd 27-Jan-2007 12:00 PST

User permissions are something that has been at the top of the to-do list for a while, and for whatever reason keeps getting pushed back; the current admin vs. non-admin differentiator is just a simple flag, which isn't at all extensible. It would definitely be useful to be able to give different users and groups different upload permissions, although ideally I'd like to do something like that once a true user/group infrastructure is available to keep things as simple as possible. Provided the initial implementation can be extended once better user/group permissions are available, does it sound reasonable to start out with a global whitelist/blacklist? -- Ryan 27-Jan-2007 15:04 PST

Sorry I haven't been on in a while. Anyway, a global whitelist/blacklist sounds OK to start out with. Do you have an estimate as to when work on users/groups will be started and completed? Alexander Boyd 18-Feb-2007 23:10 PST

My current job has had a huge effect on the amount of time available to work on JAMWiki, so I'm not sure when user/group permissions will get implemented. It's possible someone else might do it, but if I end up being the one to implement it then I suspect it will likely be a 0.6.x item. The holdup for me at this point is trying to do something that integrates well with Acegi and uses its capabilities, and I'm still not as up-to-speed on that package as I need to be. -- Ryan 19-Feb-2007 00:08 PST

Looking back on this, I'm starting to sound like I'm trying to be in charge, so I apologise. Anyway, I could take a shot at it, but it would be a few weeks before I would have any time. -- Alexander Boyd 27-Feb-2007 22:05 PST

I didn't see anything at all that needed apologizing for, and in fact greatly appreciated your feedback. In regards to anyone being "in charge" around here, I'd love it if enough people were actively involved that the project became more collaborative. In the mean time I'm just trying not to scare anyone off, and to make sure that any submissions that do get included in the project add useful features and don't make the code more difficult for others to understand and expand on. In the case of users & groups, that's something that once implemented we'll probably be stuck with, so I've been a bit hesitant to implement anything that isn't well thought out. If you've got the time and the interest I'd love to hear any proposals you've got (I'll start a Tech:User Permissions article), but otherwise I'm sure it will get done eventually. In the mean time, feedback and suggestions are helpful, but bear with me if any implementation of those ideas is a bit slow :) -- Ryan 27-Feb-2007 23:25 PST
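
The three upload modes proposed in this thread, combined with the default blacklist quoted in the status notes above, can be sketched as follows. This is an added example, not JAMWiki's own code: the class `UploadPolicy`, its methods, the image whitelist and the sample file names are all assumptions made for illustration.

```java
import java.util.*;

// Added illustration: UploadPolicy and its members are hypothetical names, not JAMWiki's API.
public class UploadPolicy {
    enum Mode { DISABLED, BLACKLIST, WHITELIST }

    private final Mode mode;
    private final Set<String> blacklist, whitelist;

    UploadPolicy(Mode mode, String blacklistCsv, String whitelistCsv) {
        this.mode = mode;
        this.blacklist = parse(blacklistCsv);
        this.whitelist = parse(whitelistCsv);
    }

    // Comma-separated list to a lower-cased set; empty entries are ignored.
    private static Set<String> parse(String csv) {
        Set<String> out = new HashSet<>();
        for (String s : csv.toLowerCase(Locale.ROOT).split(","))
            if (!s.trim().isEmpty()) out.add(s.trim());
        return out;
    }

    // Every dot-separated suffix of the base name, lower-cased, with trailing dots/spaces removed.
    static List<String> extensions(String filename) {
        int slash = Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\'));
        String name = filename.substring(slash + 1).toLowerCase(Locale.ROOT).replaceAll("[. ]+$", "");
        String[] parts = name.split("\\.");
        return Arrays.asList(parts).subList(Math.min(1, parts.length), parts.length);
    }

    boolean isAllowed(String filename) {
        if (mode == Mode.DISABLED) return false;
        List<String> exts = extensions(filename);
        // Choice made for this sketch: a blacklisted extension anywhere in the name is refused,
        // so "notes.jsp.png" does not pass on the strength of its final ".png".
        for (String e : exts) if (blacklist.contains(e)) return false;
        if (mode == Mode.BLACKLIST) return true;
        return !exts.isEmpty() && whitelist.contains(exts.get(exts.size() - 1));
    }

    public static void main(String[] args) {
        String black = "bat,bin,exe,js,jsp,php,sh";   // default blacklist quoted on this page
        String white = "gif,jpg,jpeg,png";            // constructed image-only whitelist
        String[] names = { "photo.png", "page.JSP", "page.jsp.", "notes.jsp.png", "README", "doc.pdf" }; // constructed
        for (Mode m : Mode.values()) {
            UploadPolicy p = new UploadPolicy(m, black, white);
            for (String n : names)
                System.out.printf("%-9s %-14s %s%n", m, n, p.isAllowed(n) ? "allow" : "reject");
        }
    }
}
```

An extension check only narrows what can be stored; whether a stored file can execute still depends on the upload directory not being served through the servlet container's JSP handling.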

Create new page

Archived from the Feedback page:

Hi Ryan, is it possible to add a link "create new page" next to the result, if the topic being searched for does not exist, like in mediawiki? Thanks. -- Kwee Tin 30-Jan-2007 23:40 PST

I like easy requests :) To be clear, the feature you want is the "Create this page" link that appears after clicking on the "Go to" link for non-existent topics, such as the result shown on this page? If that's all there is to it then it should be a simple thing to add, and I can get it done in the next day or two. Let me know, however, if I'm misunderstanding or if there's anything else you'd like to see. -- Ryan 30-Jan-2007 23:52 PST

Yup :D Just a simple link so that users will be able to create the pages directly when the "Go To" results in a non-existent topic. Thanks! -- Kwee Tin 31-Jan-2007 00:16 PST

Done. Sorry for the delay - I need to stop making estimates about when features will get implemented. -- Ryan 03-Feb-2007 15:30 PST

Japanese Translation

Archived from the Feedback page:

Hi. I uploaded a Japanese translation of the app resources with the upload file page. --Natto Lover 26-Feb-2007 07:54 PST

Awesome, thanks! Two questions: first, just to make sure it's on record, you're OK with releasing this file under the GFDL, right? (I have to ask!) Second, how would you like your name to appear in the CREDITS.txt file? Most people use their real name followed by their jamwiki.org login, so is "Natto Lover (nattolover)" OK? Thanks again! -- Ryan 26-Feb-2007 08:25 PST
One additional note, Image:ApplicationResources ja.properties looks like it may have gotten cut off around "m" - could you either re-upload the file or email it to me directly at (removed)? Thanks! -- Ryan 26-Feb-2007 08:29 PST

Hi. Yes, I agree with the terms. And I'd like my anonymous alias "Natto Lover (nattolover)" to be used as a credit. I would have to go through paperwork with my employer to go public. I'd rather go anonymous.

And yes, I uploaded it again. The file was cut on my side. I don't know how it happened. I confirmed that no lines are lost this time.

And I noticed that you already applied my file to the site. Really nice to see that.

I've updated the site with the latest translations, added you to the CREDITS file, and added the translations to the Subversion repository. If you'd ever like to make updates to the file you're welcome to do so by either uploading a new version of the file, emailing me, or using the Special:Translation tool; alternatively if you'd prefer to update Subversion directly please just let me know your Sourceforge ID and I can give you Subversion access. Thanks again! -- Ryan 26-Feb-2007 20:45 PST

Hi again. I also translated the StartingPoints.txt and LeftMenu.txt files. Please find them as uploaded files. I hope this helps JAMWiki gain some popularity in Japan. Again I agree with distributing them under GFDL. --Natto Lover 02-Mar-2007 07:28 PST

I tried the translation tool. Thanks for issuing me the permissions. (But are you sure you want me to have all admin rights?) I found some new entries that didn't exist at my last upload, so I translated them. I haven't seen the actual screens, so I'm not quite sure my translations fit into context well. --Natto Lover 02-Mar-2007 07:50 PST

Thanks for the updates! I've added them to the Subversion repository and they will be included with JAMWiki 0.5.2. I also hope it helps attract more Japanese users. The new entries are most likely new values introduced for JAMWiki 0.5.2.
As to why translators have admin rights, until JAMWiki gets fine-grained user permissions the only way to give someone access to Special:Translation is to give them full admin rights. That will change eventually, but for now I'm willing to trust that anyone contributing translations isn't interested in breaking the site! In addition, there isn't too much damage that can be done using the admin tool - the site could be configured to look weird, but that's about all. Besides, I have access to all the logs, so I'd know who broke things :) -- Ryan 02-Mar-2007 19:22 PST

New admin tab/page naming

Archived from the Feedback page:

Hi. I have some comments on the new page tab name of the admin screen for 0.5.2. I noticed that you are separating the admin page into a page with settings (Special:Admin), and another page with some maintenance operations (Special:System). I noticed that the names of these pages appear differently among page tab names and links, and I think they should be consistent.

Judging from the contents of the page, I think Special:Admin page could better be called "Admin Settings" or "System Settings" or "Configuration", something along that line. And I think the Special:System page could be called "Maintenance", which is the name used for the resource string for the tab.

When I switched between these tabs, I noticed that the page title does not change. The common admin.title string is used as the page title for both pages. But since the two tabs are treated pretty much as distinct pages, I think they should have separate page titles, just like the third tab in the series, "Translation".

The page names appear in the Special:SpecialPages page. In this page, the pages are referred to as "Admin" and "System Options" respectively. This should match the page title names.

If I were to do something about these namings, I think I would do the following:

  • rename Special:Admin to Special:Configuration
  • rename Special:System to Special:Maintenance
  • Let the page title for Special:Admin be "Configuration"
  • Let the page title for Special:Maintenance be "Maintenance"
  • Let the links in the Special:SpecialPages match those names
  • Let the page title for the two pages be "Configuration" and "Maintenance" respectively.

Of course you can name them however you like. Just please make them appear consistent! --Natto Lover 03-Mar-2007 02:12 PST

These are all good suggestions, and I've committed code that should implement all of them except for renaming Special:Admin - since that's an existing page, changing the page name would mean having the old name be an alias to the new page name for backwards compatibility, and I'm not sure the change is important enough to warrant any extra code - let me know if you (or anyone else) disagree. Thanks for pointing out the inconsistencies, and let me know if you see any other problems, or if you feel that page names other than "Maintenance" and "Configuration" should be used (it's easy to change). -- Ryan 03-Mar-2007 10:19 PST

Ok. Great! Based on the new names, I did the ja translation of SpecialPages.txt and uploaded it to this site. I also made some minor changes through the translation tool to improve consistency between tab names and page titles. I'm leaving the footer text file because copyright notices usually appear in English even in Japanese pages so I don't see a need for translation at this moment. --Natto Lover 03-Mar-2007 22:42 PST

Thanks! I've added the new translations to the source code repository and will update jamwiki.org soon. -- Ryan 04-Mar-2007 09:40 PST