New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

site_url preference #469

Closed
jstubbs opened this Issue Apr 11, 2015 · 9 comments

Comments

Projects
None yet
5 participants
@jstubbs

jstubbs commented Apr 11, 2015

As requested in the forum thread below, could we add an option to output a secure link to the site_url tag, perhaps something like: <txp:site_url scheme="https" />

Many thanks.

http://forum.textpattern.com/viewtopic.php?id=42865

@colak

This comment has been minimized.

Show comment
Hide comment
@colak

colak Apr 11, 2015

Member

It would also be good if there was an option for https in the admin side.

Member

colak commented Apr 11, 2015

It would also be good if there was an option for https in the admin side.

@philwareham

This comment has been minimized.

Show comment
Hide comment
@philwareham

philwareham Apr 11, 2015

Member

I'd prefer the attribute to be 'protocol' instead of 'scheme'.

Member

philwareham commented Apr 11, 2015

I'd prefer the attribute to be 'protocol' instead of 'scheme'.

@Bloke

This comment has been minimized.

Show comment
Hide comment
@Bloke

Bloke Apr 11, 2015

Member

Is there any need for this? How many times do you switch protocol during normal site use? If you want to deliver secure links, you normally set this at the end of your config.php file:

define('PROTOCOL', 'https://');

then all URLs in tags return secure protocol prefixes. At least, that's what it's supposed to do. If this doesn't work as expected, then by all means we'll look into alternatives.

Member

Bloke commented Apr 11, 2015

Is there any need for this? How many times do you switch protocol during normal site use? If you want to deliver secure links, you normally set this at the end of your config.php file:

define('PROTOCOL', 'https://');

then all URLs in tags return secure protocol prefixes. At least, that's what it's supposed to do. If this doesn't work as expected, then by all means we'll look into alternatives.

@jstubbs

This comment has been minimized.

Show comment
Hide comment
@jstubbs

jstubbs Apr 11, 2015

@Bloke I believe so. In my case, I would like to send users to a secure page for registrations rather than have an overall site based on https://.

jstubbs commented Apr 11, 2015

@Bloke I believe so. In my case, I would like to send users to a secure page for registrations rather than have an overall site based on https://.

@Bloke

This comment has been minimized.

Show comment
Hide comment
@Bloke

Bloke Apr 23, 2015

Member

That makes sense. No idea how best to implement it though. The site_url tag simply returns (verbatim) the value of hu, which is a global based on your Site URL preference. The protocol prefix is already baked into that variable, and it's used everywhere, all over the core and in plugins. So changing it will have a potentially massive impact.

That leaves us with altering the <txp:site_url> tag, which requires some thought. Presumably, setting protocol="https" will overwrite whatever protocol has been stored in hu. But what if you've set the PROTOCOL to secure by default (as defined in my comment above) and don't specify any protocol attribute to the <txp:site_url /> tag? Guess it would have to default to the 'current' system protocol unless explicitly set to something else.

Also note that altering this tag will only affect markup you build from scratch using the tag. It won't affect any places where hu is used in the core or in plugins (e.g. <txp:images>, <txp:file_download>, <txp:category_list> etc). They will continue to serve URLs as determined by the system. This may well create some kind of weird, head-scratching mishmash of secure and insecure links throughout the site, which may not be what is desired.

As I say, not sure how best to move forward.

Member

Bloke commented Apr 23, 2015

That makes sense. No idea how best to implement it though. The site_url tag simply returns (verbatim) the value of hu, which is a global based on your Site URL preference. The protocol prefix is already baked into that variable, and it's used everywhere, all over the core and in plugins. So changing it will have a potentially massive impact.

That leaves us with altering the <txp:site_url> tag, which requires some thought. Presumably, setting protocol="https" will overwrite whatever protocol has been stored in hu. But what if you've set the PROTOCOL to secure by default (as defined in my comment above) and don't specify any protocol attribute to the <txp:site_url /> tag? Guess it would have to default to the 'current' system protocol unless explicitly set to something else.

Also note that altering this tag will only affect markup you build from scratch using the tag. It won't affect any places where hu is used in the core or in plugins (e.g. <txp:images>, <txp:file_download>, <txp:category_list> etc). They will continue to serve URLs as determined by the system. This may well create some kind of weird, head-scratching mishmash of secure and insecure links throughout the site, which may not be what is desired.

As I say, not sure how best to move forward.

@jstubbs

This comment has been minimized.

Show comment
Hide comment
@jstubbs

jstubbs Apr 23, 2015

Mmm so does sound like the best way forward at this point is simply to use your 'define('PROTOCOL', 'https://');' example in 'config.php', especially if Phil is right that maybe its a good idea to have a site serve SSL entirely. http://forum.textpattern.com/viewtopic.php?pid=290200#p290200

I just added your code to this site - http://court28.com - and it seems to be working very well. Like colak (http://forum.textpattern.com/viewtopic.php?pid=290205#p290205), up until now my approach has been to use SSL only on certain pages where the user needs to enter data.

jstubbs commented Apr 23, 2015

Mmm so does sound like the best way forward at this point is simply to use your 'define('PROTOCOL', 'https://');' example in 'config.php', especially if Phil is right that maybe its a good idea to have a site serve SSL entirely. http://forum.textpattern.com/viewtopic.php?pid=290200#p290200

I just added your code to this site - http://court28.com - and it seems to be working very well. Like colak (http://forum.textpattern.com/viewtopic.php?pid=290205#p290205), up until now my approach has been to use SSL only on certain pages where the user needs to enter data.

@philwareham

This comment has been minimized.

Show comment
Hide comment
@philwareham

philwareham Apr 23, 2015

Member

Sounds like we need a better way of exposing this define('PROTOCOL', 'https://'); - I'd never heard of that feature before. Would it be better to have a site pref to control this (after all, we have site prefs for messy URLs and suchlike, this isn't a million miles away from that context)? Don't know.

Member

philwareham commented Apr 23, 2015

Sounds like we need a better way of exposing this define('PROTOCOL', 'https://'); - I'd never heard of that feature before. Would it be better to have a site pref to control this (after all, we have site prefs for messy URLs and suchlike, this isn't a million miles away from that context)? Don't know.

@Tlturner77

This comment has been minimized.

Show comment
Hide comment
@Tlturner77

Tlturner77 May 26, 2015

Another example of how this could be used if someone was using Textpattern as a small e-commerce shoppingcart where you would not want https on your product listing and product view page but you do want it for the checkout process and where the checkout/cart is within same domain and install of text pattern.

However to add to @Bloke first point if the site is 99% read only a entire https site may have some advantages when using OSCP and http2 or spdy. My point would be for site that rely on cacheing where loading lots of products is used and where there is a good portion of the site that is writable such as a shopping cart.

Tlturner77 commented May 26, 2015

Another example of how this could be used if someone was using Textpattern as a small e-commerce shoppingcart where you would not want https on your product listing and product view page but you do want it for the checkout process and where the checkout/cart is within same domain and install of text pattern.

However to add to @Bloke first point if the site is 99% read only a entire https site may have some advantages when using OSCP and http2 or spdy. My point would be for site that rely on cacheing where loading lots of products is used and where there is a good portion of the site that is writable such as a shopping cart.

@philwareham

This comment has been minimized.

Show comment
Hide comment
@philwareham

philwareham Oct 12, 2015

Member

Not an issue right now. If someone wishes to provide a patch in future we would consider it, if handled correctly. Closing for now.

Member

philwareham commented Oct 12, 2015

Not an issue right now. If someone wishes to provide a patch in future we would consider it, if handled correctly. Closing for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment