Pico CMS for Nextcloud v1.1 (WIP) #99

Merged
merged 39 commits into from
Feb 1, 2022

PhrozenByte (Collaborator) commented Dec 14, 2019

🎉 Development of Pico CMS for Nextcloud v1.1 has started 🎉

This PR is work in progress!

It's great to see that the community accepted Pico CMS for Nextcloud v1.0 so well (> 1'000 downloads for v1.0.2 👏 👏). It looks like most upgrades went pretty well, too - that's great news! We had some minor issues of course, but I guess it would have been a bad sign if we would have had no issues at all - that's only possible if we would have got no users 😆

Anyway, Pico CMS for Nextcloud follows Semantic Versioning, thus adding new features yields a new minor release - and since I just implemented sharing websites with groups, development of Pico CMS for Nextcloud v1.1 has officially begun.

I didn't make any decision about what to implement yet, I'm very open to suggestions. Specifically I'm thinking about implementing #30 (custom config.yml files per website) and #83 (hosting websites using different domains). Optionally using user IDs as sort of "namespace" might be a good idea, too (#114; however, we should still support "global" websites). Both could be incorporated in some sort of a CNAME feature. When logging in after accessing a private website, users should get redirected to the website they initially requested (help.nextcloud.com). Changing a website's title might be a good idea, too (#123). My current implementation of sharing websites with groups feels pretty "incomplete" - Nextcloud should have got some generic interfaces for sharing arbitrary contents with not just groups, but also users and circles. However, I couldn't find any documentation. It would be great if somebody could point me to the right place.

Anyway, feedback is highly appreciated! ❤️ This also includes code reviews, PRs to my fork, suggestions and any other comment 👍

Closes #123

Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>

artelse commented Dec 28, 2019

Would be nice to have a Pico icon up in NC's nav bar at the top.

@PhrozenByte (Collaborator, Author)

@artelse Since we can't possibly decide which website to show there, you better simply use Nextcloud's external app

@PhrozenByte PhrozenByte mentioned this pull request Feb 9, 2020

cyberfish commented Feb 16, 2020

The idea of Pico for Nextcloud is cool! I'm looking forward to version 1.1! #83 (hosting websites using different domains) would also be very important to me! Thank you for now!

When will v1.1 be roughly expected?

@PhrozenByte PhrozenByte mentioned this pull request Apr 10, 2020
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
Adding Pico's DummyPlugin as example plugin hopefully encourages users to develop their own plugins 😃

Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
@nilsbecker

Hi, I've been using pico CMS for two days now, starting from zero knowledge about pico (and very little web development/CSS/PHP/whatnot). I don't have admin rights. Initially getting a web site to run was simple, but the majority of the time got sunk in trying to make customizations to themes work. IMHO, customizability of themes without admin rights, in some safe-ish way, would be very valuable. No-one is gonna want to publish their stuff with the default theme at the end, and making anything else work requires too much work from the admin IMO. In particular, a viable solution must allow tweaking of colors, details of the template, etc by the user.
Allowing a custom config.yml would probably already fix this to an extent.

Another observation: I was unable to embed an .svg from the assets directory into the default theme as a logo -- this was always served as text MIME type. Only the .svg included in the default theme worked properly. This probably has something to do with configuration of the web server on nextcloud -- but I would expect something as basic as including an .svg to work without tweaking of config files by the admin?

Otherwise, great work and highly appreciated!

PhrozenByte (Collaborator, Author) commented Apr 21, 2020

The greatest limitation of Pico CMS for Nextcloud are security considerations: We must not allow users to include active content, because otherwise we'd end up allowing users to perform XSS attacks on your Nextcloud. Thus we can't allow users to include custom themes. However, that's not all - it also has some rather weird side-effects, like not being able to use .svg files (because SVG allows scripting and is thus considered insecure 😒 try using a .png or .jpg file).

Since these security considerations apply to Pico CMS for Nextcloud only and not to Pico itself, most theme developers never had this in mind. There's simply a higher number of web developers within the Pico userbase than the Pico CMS for Nextcloud userbase. Thus there's indeed some trouble to make these themes work with Pico CMS for Nextcloud and its specific limitations. However, we can't do much about that. Those themes were made by 3rd-party developers. If one chooses to create a feature-rich theme specifically for Pico CMS for Nextcloud I'm more than happy to promote it on Pico's website or even include it as a system theme in Pico CMS for Nextcloud.

The only way to mitigate the security concerns is to use distinct domains for your websites (see #83). This is indeed planned for Pico CMS for Nextcloud v1.1. However, this definitely requires some advanced webserver config. So it makes the setup even more difficult. We are faced with a classic conflict of aims here... 😒
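
The isolation argument in the comment above, as an added example that is not part of the thread or of cms_pico's code: a user asset gets a script-capable content type only when the website is served from a different origin than Nextcloud. The function names, the type tables and the example URLs are assumptions made for illustration.

```javascript
// Added illustration; names, tables and URLs are assumptions, not cms_pico code.

// Image formats the browser renders without executing any script.
const PASSIVE_TYPES = new Map([
  ['.png', 'image/png'],
  ['.jpg', 'image/jpeg'],
  ['.jpeg', 'image/jpeg'],
  ['.gif', 'image/gif'],
]);

// Formats that can run script when the browser opens them as a document.
const ACTIVE_TYPES = new Map([
  ['.svg', 'image/svg+xml'],
  ['.html', 'text/html'],
  ['.htm', 'text/html'],
]);

// Same scheme, host and port: the same-origin policy does not separate the two.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Response headers for a user-supplied asset of a website at siteUrl,
// given the URL the Nextcloud instance itself is reachable at.
function assetHeaders(nextcloudUrl, siteUrl, filename) {
  const dot = filename.lastIndexOf('.');
  const ext = dot < 0 ? '' : filename.slice(dot).toLowerCase();
  // nosniff stops the browser from guessing a more dangerous type.
  const headers = { 'X-Content-Type-Options': 'nosniff' };

  if (PASSIVE_TYPES.has(ext)) {
    headers['Content-Type'] = PASSIVE_TYPES.get(ext);
  } else if (ACTIVE_TYPES.has(ext) && !sameOrigin(nextcloudUrl, siteUrl)) {
    // Distinct origin: script in the asset runs outside Nextcloud's origin.
    headers['Content-Type'] = ACTIVE_TYPES.get(ext);
  } else {
    // Shared origin or unknown type: deliver as inert text.
    headers['Content-Type'] = 'text/plain; charset=utf-8';
  }
  return headers;
}
```

With a website under the Nextcloud origin, `logo.svg` comes back as `text/plain`, which matches the behaviour reported earlier in the thread; the same file on a separate domain keeps `image/svg+xml`.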

@nilsbecker

I see, thanks for the explanation. Things being as they are, I think that pico on Nextcloud currently slightly oversells itself. Reading the docs, it sounds like it should work like any other CMS (Pico, Jekyll etc) while in fact, the customizability is strongly limited. Reading the Pico docs on their standard theme, they encourage you to modify it to your needs. As a newcomer, you don't know that this is not possible on NC.

To avoid false expectations, I think it would be good to have a section "Limitations compared to standard Pico" or some such right on the landing page in the docs. The information that .svg cannot be used should be there, as well as the info that only admins can ever customize themes.

@republicus

#83 (hosting websites using different domains). Optionally using user IDs as sort of "namespace" might be a good idea, too

I second both ideas, the latter being more important (and I'd assume a bit more trivial to implement)

Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>

dumblob commented Sep 1, 2020

Is there any way to track progress on this rather bigger issue? Especially the #83 support would be interesting. I'm new to pico CMS, but I'd try to help if I knew there are some smaller points left I could help out with 😉.

@PhrozenByte (Collaborator, Author)

Besides some code cleanup and updating to PHP 7.2 this PR currently just includes the following:

  • Configure access to private websites based on groups
  • Copy Pico's DummyPlugin as a template for creating new plugins

That's it right now I'm afraid. So, you can basically choose to work on any new feature you want 😃 Please don't hesitate to open a new PR on the cms_pico-1.1 branch. It's very appreciated! ❤️ You don't have to wait until you've finished your work, you can basically open the PR right now and work on it step by step.

My ideas about #83 revolve around some sort of CNAME feature. First we need an overview of all websites for admins and could then add a small dialogue to add custom domains. As a second step we could also implement #114 by prefixing site IDs by the owner's user ID by default and then use the same CNAME admin dialogue to add global site IDs. But these are just ideas, there's no code yet. Actually, maybe it might be easier to implement #114 first. I'm not sure whether it is possible to hook into Nextcloud's routing right now to actually incorporate other domains. We might have to create a PR on nextcloud/server first. This definitely needs some research.

But as I said, you can basically choose to work on any new feature you want. So, if you want to start with something smaller it's still very, very appreciated! You don't even have to stick to the list above. If you feel like any other feature might be useful - go ahead! 👍


dumblob commented Sep 2, 2020

That's it right now I'm afraid.

Ah, ok. I was hoping for something smaller 😉. Anyway, I'll look around a bit and if I'll ever come up with some patch, I'll definitely make a PR despite it being unfinished. And thanks for the prompt response and welcoming attitude.


dumblob commented Sep 8, 2020

However, that's not all - it also has some rather weird side-effects, like not being able to use .svg files (because SVG allows scripting and is thus considered insecure 😒 try using a .png or .jpg file).

Hm, thinking about this, shouldn't this be alleviated by imposing this restriction only on certain users (e.g. all non-administrator users)? From what I've seen the usual use case for pico CMS is not private (user-specific) pages, but pages prepared by administrators and they should by definition know what they do (there should though still be a warning somewhere). Not having SVG support is very painful (it also undermines the current and future web principles where SVG plays an increasingly important role).

@PhrozenByte (Collaborator, Author)

Unfortunately not, for the same reason we can't manage themes from within Nextcloud: It would allow Nextcloud admins to include arbitrary active content, something that is not possible for a Nextcloud admin otherwise (i.e. a privilege escalation). The only solution is to serve contents using a different domain.


cm-t commented Jun 11, 2021

Hi, I am not sure this is the right way to help, but I have opened this issue at Nextcloud server


dumblob commented Sep 23, 2021

Unfortunately the subdomain request on upstream NC was rejected. What now? I see more and more people asking for "web page maintained through OC" functionality.

Spelling unification in Transifex.

Signed-off-by: Valdnet <47037905+Valdnet@users.noreply.github.com>
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
@PhrozenByte (Collaborator, Author)

Since I simply don't have time to work on the more advanced features I'm going to release the existing bits soon, even though the most requested feature (accessing sites via other domains) isn't included. I simply don't have enough time to implement this... 😒

There's a lot more code towards allowing website owners to share websites with arbitrary users, groups, and by email with a more generalized Shares API. As soon as Pico CMS for Nextcloud 1.1 is released (and the groups-only approach implemented in this PR) I'll push the existing (but not yet working) code to a cms_pico-2.0 branch (i.e. targeting Pico CMS for Nextcloud 2.0) - in the hope that someone else picks up the existing work. Help is highly appreciated 👍

Regarding the CNAME feature (i.e. accessing sites via other domains) there is no real news. I did a lot of research and implemented a few things, but it didn't really work out - Nextcloud's routing system simply isn't flexible enough. Likely we'll have to create a separate index.php and bypass Nextcloud's routing altogether. This shouldn't be a big deal code-wise, but requires a lot of knowledge about Nextcloud's inner workings I don't have (yet). This might take a lot more time - and help from other developers. Again, help is highly appreciated 👍

By the way: Custom config.yml per website (#30) depends on the CNAME feature, too. We can't use HTMLPurifier for config values (as it might change config values in an unexpected manner), but config values are often used by themes to include arbitrary HTML snippets. Thus we can't allow users to create their own config.yml for security reasons.


The following features were implemented and thus will be included in Pico CMS for Nextcloud 1.1:

Please give it a try (see https://github.com/nextcloud/cms_pico#manually for install instructions, just checkout the cms_pico-1.1 branch instead). As always, feedback is highly appreciated! ❤️ This includes code reviews, PRs to the cms_pico-1.1 branch, suggestions and any other comment 👍

@PhrozenByte PhrozenByte marked this pull request as ready for review January 17, 2022 15:43
PhrozenByte and others added 2 commits January 17, 2022 16:56
Signed-off-by: Daniel Rudolf <github.com@daniel-rudolf.de>
Signed-off-by: Valdnet <47037905+Valdnet@users.noreply.github.com>

dumblob commented Jan 17, 2022

Thanks @PhrozenByte !

I'm also out of time, but it's very important you've specified what exactly is needed, what are the next steps, what are the obstacles etc.

So thanks again!

Successfully merging this pull request may close these issues.

Rename website?