Monday, July 28, 2014

Server sent events in PHP

Server sent events are really pretty cool.  They let your application function a little bit more like an application and a little less than a click adventure in the web wonderland.  They are very simple to code and allow your backend code to notify your frontend of progress or other changes.
I could get into trouble for this class comment

At time of writing they are not supported by Internet Explorer ( see here ) but hopefully Microsoft will either stop making Internet Explorer or bring it up to speed with modern browsers.  Yeah I know that's not going to happen, but we can wish right?

You don't need to retain an open connection for every visitor to your site because browsers will reopen a closed connection after a few seconds.  The additional load for implementing SSE seems to be manageable according to people like this guy who have done tests.

My first project implementing them was for a database consistency tool that is intended to be run against the database in off-peak times to verify that things are as we expect them to be.  Basically I wanted a tool to check for dirty data, but more importantly to audit the financial transactions occurring on our site.  I wanted to play with SSE so implemented them as a notification service.  As the program runs through the various batches of tests it spits out information to the frontend about what it's busy with, if it found an error, and other interesting snippets.

There are bunches of tutorials available on them out there so I'm not going to paste code.

One thing that did concern me a bit is the possibility of forged messages.  It's pretty simple to check the origin of incoming messages against a whitelist of domains.  Here is an example from that has a simple origin validation:

 source.addEventListener('message', function(e) {  
  if (e.origin != '') {  
   alert('Origin was not');  
 }, false);  

Personally I think SSE should be in the toolkit of any web application developer.

Saturday, November 16, 2013

Useful tool when helping Windows users install their OS

This post is more of a "note to self" than an attempt to be useful to somebody else.

I am even typing this post in Internet Explorer. It feels like a Pterodactyl is about to swoop into the room and try to shit on HTML standards.

In any case I gave my backup laptop to my kid and so had to install Windows on it. Why? Well I want her to be able to play games so Windows seems the best choice. Plus she can still learn open source programming languages, albeit in a funny way.

Luckily I remembered this blog that I read and they posted this really nifty tool called Ninite. Click the link here ( This helpful tool lets you download a single install file that installs free (either OSS or free to use) software like Libre Office, Flash, Notepad++, antivirus, etc.

Lets just say that it feels almost like an Ubuntu meta-package that helpfully installs everything you need, but you get to choose.

Plus it's all free and the only software I don't trust (at the moment) is Truecrypt. Why? Well we don't know who wrote it.

So save yourself a bunch of time and use Ninite :) It's a really useful tool to introduce kids to FOSS.

Thursday, September 26, 2013

A rare Google UI failure

A Google UI employee contemplating how to make
Larry and Sergei some money
I updated my Google Chrome mostly because I trust Google in terms of UI. In the past they've always released updates that make things faster or easier to reach (while perhaps adding new extra functions).

Why am I so disappointed? Well now when you open a new tab you're confronted with a Google search bar and your most visited sites. This most probably sounds like a good thing. BUT... your tab is in the omnibar which is the same as a Google search if you don't specify a valid URL. So to make use of the default Google search requires you to tab or click into the box.

More annoyingly you can't choose to have your installed apps show instead of a Google search box and an acknowledgement that they track your browsing activity and share that with the American spy agency. So instead of hitting CTRL-T and clicking feedly I have to face NSA surveillance by Google showing me they're tracking me, click on the top left to open apps, then click Feedly. Why? Because for some reason Google thinks it is more important for me to have no option but to use their search engine and that I am incapable of deciding to use applications instead of sites I visit regularly.

Do I support American spy surveillance? Not really. This nation has invaded a foreign nation every decade for the past 60 years. They're the only nation to have ever used nuclear WMD on civilian targets. They routinely hack and spy on neutral foreign nations. I trust the American government a great deal less than I trust Google.

Nonetheless, lets assume for the moment that using an American Internet product is somehow "safe".

You can't choose which search engine is default. Google says "Don't be evil" .... really? As soon as you have a majority browser share you enforce your search engine as a mandatory non-changeable option? And you require me to click into it? Fuck off Larry and Sergei.... you click (since you charge people for clicks ).

And now instead of pressing CTRL-T and hitting an app (like RescueTime or my REST interface or my news browser) I have to move my mouse to the top left? How is this beneficial to me, Larry or Sergei? It really reduces the usefulness of Chrome as a developer browser. What benefit is there for Chrome to load your Google default search into my app tabs when your omnibar works the same? Are you fucking retarded? Don't you see you're stopping me from hitting my apps quickly?

Fork Chromium and get a sensible community version.

Thursday, August 15, 2013

Fixing the "smsbox_list empty" error in Kannel

I got this error even though I had an smsbox defined. 

Unfortunately I had forgotten to create the smsbox-route group, so this is a very quick fix:

group = smsbox-route
smsbox-id = mainbox
smsc-id = ztemodem-smsc-group
sim-buffering = false
... continues ...

Just make sure the id's matchup, so my smsbox group begins with this:
group = smsbox
smsbox-id = mainbox
... continues ...

And my SMSC looks like this:
group = smsc
smsc-id = ztemodem-smsc-group
... continues ...

This successfully cleared the "smsbox_list empty" error and allowed messages to be delivered properly. Kannel had until then been able to send messages and receive delivery reports, but was not reading messages stored on the SIM.

I've included sim-buffering = false in the above config because some people on the kannel mailing list suggested experimenting with it.

Also, the "message-storage" tag in my modem definition is set to "sm". Some people suggested trying it on "me", but this didn't solve the problem for me and setting to "sm" now works.

Wednesday, August 14, 2013

Setting up a Kannel SMS centre on a Raspberry Pi with a K3565-Z modem

Our office (who wants me to mention how awesome they are) had a need for a means to send/receive automated sms messages relating to online banking. We decided to give a Raspberry Pi the job and so I have had the fun of setting it all up.

First off I installed Rasbian ( ) which is a Debian fork and is sufficiently easy to do following the guide on eLinux ( here ) which is linked to from the Raspberry Pi project website downloads page.

Next came a standard LAMP stack install.  I needed to have a web-server running because we will be running a management package on the box to track messages etc.

Next came Kannel.  I used the default package available from the Rasbian repositories so there was no need for fiddling.

My kannel.conf file was the next hurdle.  For the most part this is pretty easy to set up from the examples given on Kannel's site and elsewhere on the web.  I want to just mention the modem part, which was perhaps the most challenging part of this endeavour:

 group = smsc  
 smsc = at  
 smsc-id = ztemodem-smsc-group  
 device = /dev/gsmmodem  
 log-level = 0  
 connect-allow-ip = "; localhost; 192.168.3.*"  
 modemtype = auto  
 speed = 9600  
 my-number =   
 sms-center = +27831000113  
 #validityperiod = 167  
 alt-charset = "ASCII"  
 group = modems  
 id = vodafone  
 name = "vodafone"  
 detect-string = "ZTE INCORPORATED"  
 message-storage = sm  
 init-string = "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"  

Note that I've set an init string explicitly. This is because I was getting the "got +CMT but pdu_extract failed" error consistently when I sent a message. I obtained that init string by using wvdialconf, so if you have a modem other than the K3565-Z you might be able to use it to get your init string. Apparently it's not required for all modems though.

Ah, but I'm missing the best part... how do you actually get the modem to be a modem? The K3565-Z is a "zerocd" modem. When you plug it into a Windows box it mounts as a CD-ROM, installs drivers, which then flip it into being a modem.

To illustrate here is the output of lsusb on the Raspberry with the modem as it is on powerup:

 Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.  
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub  
 Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.  
 Bus 001 Device 004: ID 19d2:2000 ZTE WCDMA Technologies MSM MF627/MF628/MF628+/MF636+ HSDPA/HSUPA  

And here is the output after using usb_modeswitch -c /etc/usb_modeswitch.conf to flip it into a modem:

 Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.  
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub  
 Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.  
 Bus 001 Device 006: ID 19d2:0063 ZTE WCDMA Technologies MSM K3565-Z HSDPA  

Note that the device product has changed, as well as the description. I am not sure why but the stick was never mounted as a cdrom for me, so I could not eject it to flip its state. So I had to use usb_modeswitch to do it.

 sudo usb_modeswitch -c /etc/usb_modeswitch.conf  

I found the correct settings for this on a forum (here ) which also gives some useful information on how to accomplish the flip. You need to append the following snippet to your /etc/usb_modeswitch.conf file.

 # Gediminas Simanskis  
 DefaultVendor= 0x19D2  
 DefaultProduct= 0x2000  
 TargetVendor= 0x19D2  
 TargetProduct= 0x0052  

You will need to experiment on finding the best way to execute the flipping, but this is really the only complication in the setup.

Monday, February 11, 2013

Installing phpMyAdmin and removing the popup authentication in CentOS 6

Installing phpMyAdmin is a snip in CentOS, but there is a little trick that most tutorials skip out. For some reason the default setup (using standard repositories) does not like you having a null password for your mySQL root account. I know that you are supposed to be able to set a blank password in the pma config file and set the option to allow blank passwords to true, but this did not work for me until I set a root password. I kept getting a popup box that looked exactly like a .htaccess Apache protect but was actually just a Javascript prompt.

So here goes:

Step One - enable your EPEL repo:

 $ cd /tmp  
 $ wget  
 # rpm -ivh epel-release-6-5.noarch.rpm  

Step Two - Install phpMyAdmin

 # yum search phpmyadmin  
 # yum -y install phpmyadmin  

Step Three - optionally edit your Apache conf

If you get Apache forbidden errors (should not be the case) you can try editing your .conf file
 # vi /etc/httpd/conf.d/phpMyAdmin.conf  

So that it looks like this:

 <Directory /usr/share/phpMyAdmin/>  
   Order Allow,Deny  
   Allow from All  

Remember to restart Apache afterwards

Step Four - Set a mySQL root password

 $ mysqladmin -u root password "hackme"  

Step Five - Edit your file

You should be able to navigate to http://localhost/phpmyadmin/setup and use that to create your config file, but I rather copied the sample to a new file.

Your /usr/share/phpMyAdmin/ file should include the following:

 /* Authentication type */  
 $cfg['Servers'][$i]['auth_type'] = 'config';  
 $cfg['Servers'][$i]['user'] = 'root';  
 $cfg['Servers'][$i]['password'] = 'hackme';  
 $cfg['Servers'][$i]['AllowRoot'] = true;  

Friday, December 7, 2012

Role based authentication in Cake 2.x

I do not like reinventing the wheel so really just want to build on existing tutorials and provide some background information and experience.

 Firstly make sure you understand the difference between ACO and ARO. To put it in very simple terms an ACO is something that is protected by ACL and an ARO is something that uses ACL to access the ACO.

 It might help to think of ARO as users (groups) and ACO as controller actions. You will be marking your user and group models as requester objects and setting ACO on controller actions across the board.

The Cake manual really is good in explaining the concept of ARO, ACO, ACL. Please make sure you read it and understand it before continuing.  Unless you understand what ARO, ACO, and ACL mean at this point the rest of this post will make no sense.

Please RTFM before continuing.

Okay, now read through the Cake page that introduces the ACL shell (here). Ignore the sections "Create and delete nodes" and "Grant and Deny Access". We will be using tools to do these tasks since manually assigning permissions for even a medium sized project (20 models) would be unmanageable - especially if you are using a feature driven Agile approach.

Read and preferably try out the tutorial found on the Cake book site (here). Following this tutorial will give you a role based authentication system. Since we are predominantly interested in Role Based Authentication please make sure that you follow the instructions regarding "Group-only ACL" (here).

Still with me? Okay - I typically use a feature driven Agile approach when developing. CakePHP really lends itself to this development methodology. BUT it does mess around a bit with ACL when you need to add new models and controller methods. So what's the fix?

Well, in my opinion, the AclExtras plugin (available here) that the tutorial I linked to earlier is an indispensable tool. By using it to sync the ACO table (read the tutorial) you can quickly create/recreate the ACO tree.  Now you should understand why I told you to ignore the section "Create and delete Nodes" from the Shell Manual.

Go back to the page about the ACL shell (here). At the bottom of the page there are instructions to output the tree. I personally like to output it into a text file and store it in my documents folder. Not only is it useful to have a list of the ACO's but it really helps in creating the initDB method in the Users controller (see the tutorial).

 Please don't make the mistake of making every model an ARO. Only the User/Group tables need to be ARO. The tutorial doesn't explicitly say this and I remember the first time I worked with ACL I made this mistake. Do not copy and paste the ActsAs requester into each model!

Development is never static (unless you are using a Waterfall approach in a legacy environment like Cobol or Fortran). So working with ACL in CakePHP will require some tweaking as you go along.

 Fixing the ARO table is relatively simple. There are a couple of ways to fix it:

1) Truncate the table, add the allow method from the tutorial to your before filter in Users controller and add new users who are linked to the appropriate groups. Remember: We are focused on role based authentication so you should have assigned group as parent to user.
2) Truncate the table and manually add the groups required (should only be a handful)

Once you have fixed your ARO table you should rerun the initDB method in your Users controller to recreate the join table (aros_acos). I'm not sure why this join table is named in such a way as to break Cake conventions but truncating it and rerunning your initDB method (see the tutorial) is the way to fix permissions.

What happens if you get a node error? No problem really - resync your ACO table with AclExtras plugin (see tutorial). When will this occur? If you add a new controller, or a new method to a controller. This is why I use the ACL shell (linked above) to export the ACO tree (created with AclExtra's plugin). It allows me to quickly check what nodes exist.

What do the tables do?

  1. 'acos' => objects that can be requested by ARO
  2. 'aros' => requester objects that require access to protected ACO
  3. aros_acos => join table linking the permissions
In the tutorial linked above the initDB method sets up the 'aros_acos' join table.

Any questions?  Please comment on the post and I will answer.