Category: CMS News

Alfresco and Joomla! Team Up

December 17th, 2008 by Dario Borghino | in CMS News | No Comments

Alfresco, the popular open source alternative for enterprise content management, recently partnered with Joomla! to launch the first “Content Management Interoperability Services” (CMIS) standard and released a module that allows seamless integration between Alfresco and the Joomla! CMS.

The module was built following the draft CMIS specification and is meant to illustrate the advantages that would come from industry-wide adoption of such a standard.

Larry Cannell wrote on the Burton group blog that Alfresco put live an online demonstration of just such an integration, thanks to which Joomla! users can navigate the folder structure of the Alfresco content.

“What is most interesting to think about is the flexibility this might enable. Either Joomla or Alfresco could be replaced:

* The Alfresco back-end could be replaced with another CMIS-compliant ECM (without changing code on the Joomla site).
* The Joomla front-end could be replaced with another CMIS-compliant application or website (without changing code on the Alfresco site).”

The CMIS standard — which, oddly enough, doesn’t specify the details of how the two systems would authenticate and create a secure connection — is currently being advanced by an OASIS technical committee and will enable anyone to develop content applications on Alfresco and deploy them on SharePoint, EMC, IBM, or OpenText.

Starting last month, Alfresco released thorough documentation on the project as well as sample code. On the Alfresco.com website, a blog and a forum dedicated to CMIS are also available: everything seems to indicate that the company is investing a lot of effort in this project, which many analysts believe will become of great importance in the CMS market.

Alfresco has been a contributing member to the specification for some time: in mid September, the company released “Labs 3B”, the first implementation of the protocol, on the very same day that EMC, IBM and Microsoft announced the publication of CMIS v0.5.

“Since the beginning we felt it best to provide feedback and push forward the specification by actually building an implementation against the specification, to test how feasible it is to map to an existing content repository and for developing test clients that support the primary use cases.”

Within Alfresco, the implementation is known as “Project Seamist” and provides support for the REST and Web Services bindings allowing client applications to connect to, navigate, read, and create content against the Alfresco content repository; support for the CMIS Query Language providing SQL-like querying of the repository; and a CMIS Test Suite to allow compliance compatibility testing against any CMIS compliant REST Binding.

Other CMIS implementations include EMC Documentum (jointly created by EMC, IBM and Microsoft), IBM FileNet P8 Content Manager 4.0, and sensenet 6.0 Beta 1.

For additional information and to download the integration module, click here.

Drupal Fixes a Few Bugs

December 17th, 2008 by Dario Borghino | in CMS News, Drupal | No Comments

After announcing a “feature freeze” for its 5.x and 6.x versions while the team works on the next major release, Drupal 7.x, the Drupal project has just released several bug fixes for the current versions of the software to address security issues in the platform.

The new versions, Drupal 5.13 and 6.7, correct cross-site request forgery (CSRF) and XSS vulnerabilities that could result in database damage or unfiltered content being inadvertently published on the site. For this reason, Drupal users are strongly advised to perform the upgrade.

The platform can be updated in two ways, either by patching the current core files with the updated ones, or — best option — by performing a full upgrade by downloading and installing the new versions on the server.

Either way, webmasters should remember to run update.php to refresh the menu cache and other website caches, and to make a backup copy of their .htaccess and robots.txt files, since the updates modify both these files.

Microsoft Unveils an Open Source CMS

December 17th, 2008 by Dario Borghino | in CMS News | No Comments

Microsoft recently unveiled Oxite, an open source blogging platform built on the new ASP.NET MVC framework that, according to the company, is also able to host large websites.

The new CMS is a product that aims at competing with the industry leader WordPress, and represents an unexpected addition to SharePoint, the company’s own content management system distributed with a proprietary license.

The platform has common features such as pingbacks/trackbacks, anonymous and authenticated commenting, global avatar support, SEO friendly URLs, RSS feeds and support for the MetaWebLog API to extend its functionality.

Oxite is both open source and fully standards compliant, and relies on a provider based architecture: providers included in its first release include Microsoft SQL Server and Live Search, which the webmaster can change to fit his own needs.

The source code can be downloaded from CodePlex and is licensed via the Microsoft Public License (Ms-PL): it also includes the full version of the MIX Online website as a sample.

WordPress 2.7 Is Due to Be Released Today

December 4th, 2008 by Dario Borghino | in CMS News, WordPress | No Comments

After an almost one-month delay, the next version of WordPress has finally graduated from beta stage and will be available to download later today, as announced by Jane Wells from the WP team in a recent blog post on the WordPress.com website.

According to Wells, the much anticipated new version of the best known content management system on the Web will go live at 8pm Eastern Time, when the company servers are likely to experience a particularly high spike in traffic.

The current WordPress version number is 2.6.5, which was released shortly after version 2.6.3 to deter webmasters from using a fake 2.6.4 version that was developed and distributed by malicious users to interfere with webmasters’ normal activities.

The release comes after a fairly long wait and a couple of delays due to stability issues: version 2.7 was in fact initially scheduled for October 10th, but the development cycle — typically very smooth and fast, especially for a product of this size — had to be prolonged to enable developers to fix some pending stability bugs that were introduced by the new features.

As for the changes introduced by the new version, the blog post on the WordPress website contains a very thorough list of what users should expect from the update.

The first, most noticeable change will be the navigation bar, now at the left side of the screen, which will feature contractible panes and allow for a quicker, one-click navigation as opposed to the previous top navigation bar that only listed the main categories. Each category will feature an icon (the sets were selected thanks to an internal competition we covered earlier last week) to improve the visual impact of the interface.

On the organization front, some minor changes are also being made: posts, pages and comments will now have their own categories instead of being all grouped together under the “Write” and “Manage” tags, for improved usability and even quicker access to what are, without doubt, some of the most used features in just about any content management system.

The new WordPress 2.7 sidebar

The display will also be customizable: webmasters can very easily rearrange the various modules with a simple drag and drop and can choose to open/close and hide or show every single one of them. The platform will remember the latest updates automatically, without the need for the user to manually save the changes as they are being made.

As for more substantial changes, one of the most welcome new additions is going to be QuickPress, a mini WYSIWYG post editor that allows users to create, edit and publish posts (including picture and other media uploads) directly from the dashboard.

Thanks to a new module, webmasters will also be able to moderate comments directly from the dashboard: actions such as Approve/Unapprove, Mark as Spam, Delete, or Reply to a Comment will be easily accessible within the module itself.

Other improvements include a new WordPress software updater for self-install users that will automatically download and install the latest version with one click: previously, users had to install a third-party plug-in that would do the job for them.

Finally, a new category called “Media” is going to be added to the platform, from which users can select several default settings — such as image sizes or crop settings — for the images and videos they upload to the site.

As Wells warned in the post, this WordPress version will be particularly JavaScript-intensive, which is the reason why the team suggests using either Firefox 3 or Google Chrome, currently the two browsers with the best performance in that field.

A release candidate has been available on the WordPress website since Monday, and only a few minor bug fixes (if at all) should have been made to the platform. As many have noted, with every new update the platform is leaning more and more towards website publishing rather than simple blog posting.

Expression Engine Announces Three Class Scholarships

December 1st, 2008 by Dario Borghino | in CMS News, Expression Engine | 1 Comment

In a blog post published just a few days ago Leslie Camacho, EllisLab VP, announced that thanks to the contribution of several sponsors the company will be able to offer three scholarships for its “Southern Fried ExpressionEngine” trainee class.

The class will take place from January 20-23 in San Antonio, Texas and will be led by Mike Boyink, author of the first ExpressionEngine book and a veteran in the Expression Engine developer community, assisted by AJ Penninga, also a long time member of the EE team.

Further information on the classes is available from the “Train-ee.com” website. To apply for the scholarship, those who are interested only need to send an email to the team detailing in no more than 300 words the reasons why they want to participate. As noted on the website, the scholarship doesn’t cover the travel, and users are invited to choose responsibly whether to apply instead of paying the full price, in order to leave the bonus to those who couldn’t otherwise afford to attend the lessons:

“We encourage those of you who wish to attend the Class and can afford the costs to simply register for the Class. If you are deciding between a second iPhone, a widescreen HD TV, or a new car stereo the Class is still for you, but the Scholarship is not. Please help ensure that the Scholarship goes to someone with a genuine financial need.”

Scholarship applications must be received by 5pm Pacific Time, December 8th, while the recipients will be announced by December 12th. Although the scholarship does not cover transportation or lodging costs, breakfast and lunch are provided and optional evening activities might include food as well.

Interested webmasters and developers can access a page within the Train-ee.com website with many details, pictures, and directions for the hotel where the lessons will take place, along with the full schedule for the lessons that will be held during the four days.

One of the most interesting questions being addressed in the page is about which version of the EE content management system will be featured, since version 2.0 is about to come out and might probably get released before the class starts. The answer: should version 2.0 be released before January 20, the class will be geared on the new software as much as possible. From the Train-ee.com website:

“If EE 2.0 is out in beta form, I’ll work a preview/tour into the class. If EE 2.0 is through beta and has been released, I will try to gear as much of the class towards 2.0 as is humanly possible. Realize, however, that in order for all of the class materials to be ready on time I need to wrap them up roughly 2 weeks before the class, so depending on the birthdate of EE 2.0 there may or may not be time to work it into the course materials.”

Prerequisites for the class include a working knowledge of (X)HTML and CSS, a laptop with MAMP/WAMP configuration and Expression Engine already installed.

Those who won’t be needing the scholarship are invited to register early for the event from this page: the cost of the early registration ticket is $1499, while the price after December 8th will rise to $1895. General information on Expression Engine’s classes is available from here.

WordPress “Project Icon” Competition Announces Its Winners

December 1st, 2008 by Dario Borghino | in CMS News, WordPress | No Comments

In a recent post on the WordPress.org Official Blog, the developer team announced the winner of the “Project Icon” competition to decide which set of icons will be featured in the menu of the upcoming 2.7 version of the software.

As revealed in an announcement on October 22nd, the menu icons that had been used thus far in presentations and product previews — which were taken from the Crystal Project and released under the LGPL license — were merely temporary and only served as placeholders. In the same post, the WordPress team invited any interested designer to submit their works for user evaluation.

“Icons should be subtle, with a classic/designed look, nothing cartoonish. Thin lines. Maybe a little old-fashioned looking. They’ll be grayscale by default, possibly with a color version for active menu items”, the post reports. However, the timing requirements were very stringent since the release of 2.7 was initially scheduled for November 10th.

Interested designers had to send an email to the WordPress team with a cover letter complete with their portfolios to be considered for the application, after which the team would announce the details on how the winner would be chosen.

After the release of 2.7 was delayed by a couple of weeks, a second post on the WordPress.org blog explained that, since about a dozen designers from all around the world responded to the invitation, the team had decided to let users vote to decide which set of icons would be featured in the new WordPress version.

Following the announcement, about half of the designers backed out from the competition: the remaining ones submitted two icons (Posts and Links) to the WordPress team as samples of their designs, and two of them were “thanked for their submissions but eliminated from the competition because their icons were considered too far afield from the WordPress visual style”.

The WordPress team then published the competing icon sets, each with a short designer introduction and some feedback from the CMS developer team, encouraging everyone to vote and leave feedback on the various designs — all in grayscale rather than color, as per specifications — within 48 hours.

Last Monday, after over 3,700 users gave feedback on the finalist designs, a third post on the WordPress blog announced the winner of the competition: designer, artist and professor Ben Dunkle from upstate/western New York State won 35 percent of the total votes, while the runner-up, Verena Segert, was second with 29 percent.

Both icon sets will be featured in the 2.7 version, since the runner-up set will become the alternate palette selectable from the profile screen. Now, as the new version approaches, both designers will revise their sets and produce the colored “on” states for when the menu section corresponding to a given icon is being browsed.

The two designers will also have to produce larger versions of each icon, to be featured in the h2 screen headers. As per user vote, Dunkle and Segert will have to change a few icons in order to adapt them to the metaphors voted by the community.

In particular, 40 percent of users who participated in the survey on the WordPress site chose a house as the best metaphor for the “Dashboard” icon, 65 percent chose a camera + musical note as the logo for the “Media” section, and 53 percent chose an outlet plug as the best icon to illustrate the “Plugins” section.

Throughout the next week, the two designers will adapt and harmonize their sets to make them even more complementary, while the new 2.7 WordPress version, which was delayed by a couple of weeks, is now expected to be released by the end of the month.

WordPress Fixes XSS Vulnerability

December 1st, 2008 by Dario Borghino | in CMS News, WordPress | No Comments

Yesterday, WordPress released yet another update to its platform in order to fix a cross-site scripting (XSS) vulnerability.

As explained by the WP team in its most recent blog post, the bug only affects IP-based virtual servers running on Apache 2.x versions: in those setups, it might be possible for hackers to affect systems so that they serve up malicious JavaScript from domains under their control.

The update also addresses three minor stability issues: the first fix prevents accidentally saving meta data into a post revision; the second prevents the XML-RPC protocol from fetching incorrect post types, while the third adds some user ID sanitization during bulk delete requests.

Users who are only interested in the XSS-related security fix are advised to simply copy the wp-includes/feed.php and wp-includes/version.php files from the 2.6.5 release package.

Some webmasters will note that the version numbering has skipped 2.6.4: WordPress developers explained that this was the case because the team didn’t want to create confusion with 2.6.4, a fake version recently offered via a third party site. According to The Register, system administrators were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the software.

The latest version can be downloaded from here, while the full changelog can be found on the WordPress.com website, allowing users to easily change the code themselves without the need to download the full package: the number of changes for the new version is in fact apparently very limited.

Why ExpressionEngine 2.0 is Being Delayed

December 1st, 2008 by Dario Borghino | in CMS News, Expression Engine | No Comments

A lengthy post on ExpressionEngine’s official blog explains the reason why the much-awaited version 2.0 of the platform, which should bring relevant architectural changes and provide the foundation for several years of development, has been delayed for several months in a row and is currently quite far from being completed.

Derek Jones, Chief Technology Officer for EllisLab, the company behind the ExpressionEngine content management system, wrote a blog post on Friday detailing how the architectural changes required for the next software generation to work as expected are proving a bit harder than previously thought:

“Rewriting all of ExpressionEngine to a new architecture is a time consuming process, there’s just no way around it. It’s not glamorous work, and we have a very small team of developers who carry many duties in addition to programming ExpressionEngine 2.0.”

The development team, however, doesn’t regret undertaking the hard but important architectural changes needed to provide the foundation for the future of the company’s best-known software product, even though they admit to having underestimated the time that such a renovation process would take.

Jones then dives into the implementation details and PHP code to provide a better illustration of the migration: a small, 30-line snippet in simple PHP is taken as an example, and we are taken through the migration process from the 1.x to the 2.x architecture and how the code needs to be modified in order for everything to conform to the new specifications.

As Jones readily points out, the process won’t add any functionality to the code, but simply migrate it to the new, better platform, the CodeIgniter open source PHP Web application framework. One of the main difficulties, said Jones, is separating models, views and controllers, which under CodeIgniter each solve a different problem and are used in quite an unusual way, forcing programmers to intersperse controllers within the program logic.

The migration process, however, will provide a key feature to the entire codebase: abstraction.

Tool Review: Tell-A-Friend from SocialTwist

November 21st, 2008 by Dario Borghino | in CMS News | No Comments

Internet company SocialTwist recently released “Tell-a-Friend”, a useful tool to share hot news, deals and other bits of information with your friends over instant messenger, email, blogs and social networks, all from a unified interface. While there are already a number of similar tools that get the job done, Tell-a-Friend is notable for both ease of use and number of social networks supported, and can be easily installed on WordPress, Joomla! and Pligg websites in a matter of minutes.

When hovering the mouse on the small widget, the tool reveals a dropdown menu through which users can choose which way they want to spread the word about the content they just stumbled upon: you can send emails by logging into your Yahoo!, Gmail or Windows Live account, or even compose and send a custom email to up to ten friends directly from a small popup window featuring a WYSIWYG editor.

Tell-a-Friend blog publishing interface

As for instant messaging platforms, you can also log into your Yahoo! Messenger, Windows Live, Google Talk and AIM accounts to display a list of your contacts and choose which one(s) to notify.

Tell-a-Friend also lets you login directly to your CMS of choice and publish a post or article on the content you just came across: supported platforms include WordPress, Blogger, LiveJournal, TypePad, MoveableType, Xanga, Joomla! and even ExpressionEngine.

Finally, the tool also lets you make use of social bookmarking tools such as FaceBook, Twitter and FriendFeed.

Whenever dealing with software like this, a note on security is imperative: when using tools such as Tell-a-Friend, which let you log in to third-party platforms by asking you for your usernames and passwords on those platforms, users should always be very aware of the risks that this process involves.

A widget like this one could in fact potentially be used to phish for username/password combinations and store them on a remote server, although nothing in this specific case suggests that this is happening. In any case, most publishing platforms (including WordPress) simply don’t allow third-party access unless the site administrator has explicitly allowed it.

In the case of WordPress blogs, in order for Tell-a-Friend to work properly and be able to publish a blog post from it, the site administrator needs to enable the remote publishing capabilities, and in particular the XML-RPC protocol, which is also used on the MovableType, MetaWeblog and Blogger publishing platforms.

To enable the XML-RPC protocol on your WordPress site, log in as administrator and click on the “Settings” tab, then tick “XML-RPC” under the “Remote Publishing” heading. The option is unselected by default for security reasons, but it will do no harm as long as you trust the third-party application not to be a malicious one.

When it comes to sensitive data issues, trust does indeed play a dominant role in the process. For this reason Vivek Lakshman, SocialTwist director, told us that Tell-a-Friend is in the process of getting certified by a third party to confirm that the application doesn’t store sensitive user data on their servers, which should give both users and webmasters one more reason to keep using this tool with confidence.

On our side, all we can say is that an analysis of the packets sent to and received from SocialTwist’s servers revealed that the data exchanged between the local computer and the remote SocialTwist server is fairly limited, which makes a phishing attempt a bit less likely.

To download and install Tell-a-Friend on your site, simply go here, choose the widget you want to display and copy the HTML code, pasting it into your theme template (e.g. in the “/wp-content/themes/yourtheme/single.php” file, below the post content, for WordPress sites) to see the widget displayed on every post and allow your visitors to make use of this very versatile, fast and easy-to-use tool.

If you also wish to take a look at usage statistics, choose from a larger selection of buttons and color themes, and personalize the custom email and IM messages to be sent through the platform, you can simply sign up for free with your site URL and start personalizing this tool immediately.

Joomla! 1.5.8 Fixes Two Security Flaws

November 21st, 2008 by Dario Borghino | in CMS News, Joomla! | No Comments

After the runner-up award in the “Overall Best Open Source CMS” category as a part of PacktPub’s CMS awards, yesterday the “Joomla! Bug Squad” corrected two minor security flaws in the popular content management system and released the latest version of the platform, 1.5.8, codenamed “Wohnaiki”.

This new major release, which comes about two months after the previous 1.5.7 version, doesn’t add any features to the platform, but rather corrects some bugs and two XSS (cross-site scripting) security issues in particular:

  • Com_content XSS Vulnerability: allows entry of dangerous HTML in article submission with default settings for users with Author access or higher and without filters set up in com_content configuration.
  • Com_weblinks XSS Vulnerability: allows raw HTML to be placed in the title and description tags for weblink submissions from both the administrator and site submission forms.

Both these vulnerabilities affect 1.5.x versions of the platform, including the previous 1.5.7. Webmasters are advised to upgrade to the latest version to fix these and other minor bugs that were detected and quickly corrected by the open source developer team.

Other minor updates correct components, modules and some of the default templates that are shipped with the default package: a complete list of the fixes can be read in an official post on Joomla’s official website, while the new full, stable package can be downloaded directly from here.
