Bugtraq report for Achievo 1.1
May 16th, 2007 by Ivo
Yesterday someone reported a security issue on Bugtraq:
http://www.securityfocus.com/bid/23992/info
Although the issue was reported directly to SecurityFocus and not to us, I want to stress that this is a bug in an old version of Achievo. Version 1.2, which was released over a year ago, already had a fix for this issue. (The report originally didn't mention this, but I had them include the information on 1.2 when I discovered the report.)
Those of you still running Achievo 1.1 are advised to upgrade to the latest stable version of Achievo, 1.2.1.
If that is not an option, the issue can be fixed in two ways:
- Make sure that register_globals is turned off in php.ini. The problem is not present when this setting is turned off.
- Edit index.php and add the line $config_atkroot = "./"; directly before the include of atk.inc.
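The two fixes above in code, as an added example that is not Achievo's own index.php: a startup guard that refuses to run while register_globals is enabled, and the explicit $config_atkroot assignment placed immediately before the include. The function name and the location of atk.inc relative to index.php are assumptions.

```php
<?php
// Added example, not Achievo's index.php. It combines the two fixes from
// the post: refuse to run while register_globals is on, and initialise
// $config_atkroot explicitly right before it is used in an include.

// With register_globals enabled, PHP turned every request parameter into a
// global variable before the script ran. Any variable the script used
// without assigning it first could therefore be supplied by the client,
// and an include built from such a variable would load whatever path the
// client chose.

// Fix 1 (php.ini): treat register_globals=On as a fatal misconfiguration.
function registerGlobalsIsOff(): bool
{
    // ini_get() returns "", "0" or false when the directive is off, unset,
    // or (PHP >= 5.4) no longer exists; any true-ish value means it is on.
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN) === false;
}

if (!registerGlobalsIsOff()) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Refusing to run: register_globals must be Off in php.ini');
}

// Fix 2 (index.php): assign the variable in the script itself, directly
// before the include, so no request-supplied value can reach the include.
$config_atkroot = "./";
include $config_atkroot . "atk.inc";   // assumed location of atk.inc
```

Either fix alone closes the issue described in the report; the guard is there so that a deployment where php.ini is later changed fails loudly instead of silently running with client-populated globals.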
When in doubt, or if you have questions about this issue, please consult the Achievo forum or contact me directly.
The ‘hoursurvey fund raiser’
January 22nd, 2007 by Ivo
This is a blog message particularly for readers of my blog that are using the Achievo project management application.
Many of you have had problems with the hoursurvey in Achievo in the past, both when using it and when writing extensions for it.
The hoursurvey is based on code that was written for Achievo back when the ATK framework didn't exist yet, and we've been dealing with the legacy of that ever since.
Given the demand for a better version of the hoursurvey, I would like to combine forces and see if we can raise some money to be able to invest in the hoursurvey.
The best way to do this is through the donations option, on
http://www.achievo.org/support/donate
Now, we wouldn't want to waste anybody's money if we don't raise enough, so we came up with the following plan:
Option 1
If we manage to raise 2000 euro, we have enough to invest in a new hoursurvey that is based on the more generic 'extended search' functionality that is present in ATK (compare the extended search in other screens). We'd rewrite the hoursurvey report to make use of this functionality, and make it easier for external modules (such as billing) to append new columns and criteria to the hoursurvey. The report itself would be based on the 'basereport' class (if you don't know what this means, it's a more generic way of creating lists of records).
So basically, option 1 gives us roughly the same functionality as the current hoursurvey, only with code that is easier to maintain.
Option 2
If we manage to raise 4000 euro in total, we can do option 1, but also make use of the Ajax-based 'smart search' method, which includes the ability to store and load predefined searches. Also, in this option, we can use the generic CSV export function of ATK to export the entries to a CSV file.
So this gives us the current functionality, is easier to maintain, and gives us some new functionality.
Option 3
If we manage to raise 6000 euro in total, we are able to generalize the hoursurvey in such a way that a report like this is not generated in code, but can be defined in the database. This way, we can more easily create similar reports for other parts of Achievo and/or other ATK applications.
Fallback option
There is a risk that we may not raise enough for option 1. If that is the case, to prevent us from having to reimburse everybody's investment, we would like to dedicate the funds to fixing as many of the issues as we can and getting as close to option 1 as possible.
Also, if we raise more than, say, option 1 but not enough for option 2, we'll invest the extra money in the quality and features of that option.
If you like this idea, and want to help improve the hoursurvey, which in our opinion is one of the most important parts of Achievo, please consider donating funds.
We will keep the fund raiser open for about 2 weeks, at which point we will look at how much we raised and decide which option we are going to implement.
Funds can be donated on:
http://www.achievo.org/support/donate
(please specify 'hoursurvey' somewhere in your comment, so we know that your donation is for the hoursurvey fund raiser).
If you do not want to use PayPal but want to donate in a different manner, please contact me at ivo at achievo.org.
On behalf of the Achievo crew, thanks for any donation you want to make.
If you have any questions, please post them here or send them to me personally (ivo at achievo.org).
Achievo 1.2.1 release and ATK news
May 30th, 2006 by Ivo
My decision to hand over project maintenance of the Achievo project has turned out to be a good one.
Since Sandy took over, we've had 3 new releases. A first release candidate for Achievo 1.2 was out when he had been at the helm for barely a month, and yesterday he released Achievo 1.2.1, which contains several important bugfixes for the 1.2 branch.
I've had several remarks from users who were 'glad the project was apparently still alive after months without a release'. I think the project would've died prematurely if Sandy hadn't taken over.
As a result of the takeover, I was able to finally take the time to do some other things I've been planning to do for a while now. I've written a Typo3 ATK bridge that makes it possible to develop Typo3 backend modules in ATK. This reduces Typo3 backend modules from hundreds of lines of code to the minimal amount of coding we're used to from using ATK. This extension is currently being tested internally and will be released with a howto soon.
Also, I'm finishing up ATK 5.6. It contains some interesting new features, among which is an atkCalculatorAttribute for arbitrary calculations on fields and an atkMlWrapper which can turn any attribute into an internationalised field (sponsored by our friends at Zicht). ATK 5.6 should be out within 2 weeks.
Finally, I've been spending a lot of time on epointment.com. We're finally getting somewhere with the features we need. I will be writing a 'syncing Achievo with epointment.com' howto soon. Although in its current state we have a lot of competition from the big guys, we're seeing quite a lot of interest from Dutch people (probably because Google Calendar only has an English interface at the moment), so we're coming along nicely. We're also talking to the guys from MarkThisDate about cooperation (open standards rule!).
The largest benefit for ATK will be that we're pushing the development of the Ajax functionality in the framework. In ATK 5.7 (which might become ATK 6) you can expect a lot of (optional, of course) Ajax-powered functionality such as autocompletion and Partial Page Rendering.
Stepping down
March 10th, 2006 by Ivo
For almost 6 years, I've been the lead developer of the Achievo Project Management application. It has always been an interesting project. While being a relatively small application among larger suites such as phpGroupware, we've always tried to keep it simple, targeted at a certain set of functionality, with a specific focus. I think we succeeded in doing so, and because of this it appeals to a specific set of users, mainly smaller companies with small projects they need to track.
About 5 months after its first release, we rewrote Achievo from scratch, because a community started to form that demanded new features that were time consuming to add, even if it was just the addition of a new field. Achievo was in fact the first thing I ever wrote in PHP, so the code was not something to be proud of. We learned an important lesson from that first release, and we replaced the large set of PHP scripts with clean, object-oriented code, and the basis of this quickly became a framework. About two years ago the framework had evolved enough to stand on its own, and the ATK framework was released as a separate product.
Since then, ATK has seen a lot of growth. Last year, the ATK community became larger than the original Achievo community, and as such, took up a lot more of my time. Also, I'm working hard to get my own company, epointment up and running.
The result is that the Achievo Project Management application no longer gets the amount of attention that it deserves. This is painfully evident in the release frequency: the last stable release was a year ago (although development never stopped). This is not motivating for the developers that are working on new features, and it's not good for the community.
So I've made the decision to hand over the Achievo Project Management app, so I can concentrate on ATK and epointment. The most likely candidate for taking over is Sandy Pleyte, as he has been one of the main developers since the start, and has always fueled Achievo development. I've discussed the future of Achievo with him, and he has a lot of ideas, both for functionality and for restructuring the development process, so I'm confident that Achievo is in good hands with him.
This does not mean I will leave the project entirely. I will remain on the development team, and will continue to work together with the rest of the team. It's just that I think the project maintainer should be able to have more dedication for the project than I am currently able to offer.
So I think this is what's best for the project, and I wish Sandy the best of luck. You will probably start seeing the results of this very soon, as Sandy is eager to put his plans into action.
You don’t have to be a newbie to make stupid mistakes
November 2nd, 2005 by Ivo
I know my way around PHP. I've been working on frameworks, web applications and CMSes for almost 6 years now. I'm even a Zend Certified Engineer.
Still, last week I amazed myself at how stupid I can be.
ATK can be downloaded with a demo application. To aid the developer, most pages in the demo application have a 'view source' link. What was I thinking when I used __FILE__ to determine the source file and passed that to a viewer through the URL, without checking the validity of the filename? I created a 'Local File Include Vulnerability': any logged-in user was able to tamper with the URL, and for example use ?file=/etc/passwd to view any file that the webserver has read access to.
I've read numerous blogs about the subject, read slides and articles from security experts such as Chris Shiflett, but still, one unguarded moment of late night, sleep-deprived hacking and bang, there you have it.
Luckily, it was only the demo application, which is usually not installed in public places, and you still have to log in to actually be able to exploit anything. Still, how relatively easy it is to make such mistakes is discomforting.
(A fix was immediately released of course, at http://www.achievo.org/atk/download you can find the 5.2.2 version which fixes this issue).
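The hardened shape of such a 'view source' handler, as an added example that is not the ATK demo application's code: the page links to a file by its name relative to the demo directory instead of by the absolute __FILE__ value, and the handler canonicalises the requested name with realpath() and serves it only if the result stays inside that directory and is a .php file. The directory layout, the function names and the session-based login check are assumptions.

```php
<?php
// Added example, not the ATK demo application's code: a 'view source'
// handler that cannot be steered to arbitrary files via ?file=.
declare(strict_types=1);

// Build the link the demo page emits for "view source". Only the path
// relative to the demo directory goes into the URL, never the absolute
// __FILE__ value the original demo passed along.
function sourceLinkFor(string $absoluteFile, string $demoDir): ?string
{
    $base = realpath($demoDir);
    $file = realpath($absoluteFile);
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;   // not a demo file: emit no link at all
    }
    return '?file=' . rawurlencode(substr($file, strlen($prefix)));
}

// Resolve ?file= back to a canonical path, or null if the request points
// outside the demo directory or at a non-PHP file.
function resolveViewableSource(string $requested, string $demoDir): ?string
{
    // Embedded NUL bytes truncate paths in C-level calls; reject early.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($demoDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", symlinks and duplicate separators, and
    // returns false for files that do not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // The trailing separator in the prefix matters: without it,
    // "/srv/demo-private/x.php" would count as inside "/srv/demo".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $target;
}

// Page glue (assumed layout and session scheme): the existing login
// requirement stays in force, and the handler refuses anything the
// resolver did not accept.
session_start();
$demoDir = __DIR__ . '/demo';
if (empty($_SESSION['user'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required');
}
$path = resolveViewableSource((string)($_GET['file'] ?? ''), $demoDir);
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('No such demo source file');
}
header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

The login check is kept deliberately: it limits who can reach the handler, but on its own it is not a fix, which is why the resolver does the real work of confining the request to the demo directory.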
There is also some positive news about ATK. Boy wrote a new howto on custom record actions. This shows how to do a lot more with your app than the usual CRUD operations.
Guido did some excellent work last week on an Open Office template engine. It is now possible to generate Open Office documents right from an atkNode. As usual, documentation comes second, so it's undocumented right now, but it is already available in the nightly build. If you want to experiment with it, we can help you on IRC or in the forum. We will give a demonstration of this new functionality at our booth at the PHP Conference in Frankfurt next week.
Finally, Sandy created a new CRM module for Achievo. It's far from finished (it only works with Achievo 1.1, not yet with the development version), but it's a start. This one is available from Achievo's nightly build page.
Zend Webcast ‘The PHP Job Market’
August 12th, 2005 by Ivo
In my previous entry I already talked about how 9 of our employees already were certified, and that 3 were coming up. Right now, we have 12 ZCE's, which makes us the number 1 certified company in The Netherlands. Whoot!
For this reason, Zend invited me to take part in their webcast about the PHP Job Market on August 24. I'm looking forward to it. If all goes well, there will also be a case study about ibuildings on Zend.com soon.
Some other bits of news: we've attracted 2 sponsors for the Achievo project management tool. Over the next few months we will be building quite a few interesting features, among which, finally, a completion of the billing module, an Open Office export/template feature, an upgrade to ATK5 and parts of the 'task based time-registration' we've been planning for almost 2 years now.
The next release of ATK is around the corner. I've got some contributed translations to add, but besides that, the next release is almost ready.