cf. function bug

when using the admin side of things to browse compo listings it would be handy to have a button to download the entry or screenshot directly through the browser, without having to dig through the ftp to find it.

Should look like the voting page (no tables)

Hi!
I've tried both install in a server or Dockerfile on a clean services, on Debian and every time i try to save the initial settings i got this error:

PHP Fatal error: Uncaught Error: Cannot access protected property SQLLib::$link in /var/www/www _admin/config.php:138\nStack trace:\n#0 /var/www/www_admin/config.php(245): perform('')\n#1 {main}\n thrown in /var/www/www_admin/config.php on line 138, referer: http://localho st:8090/

Also tried using nginx or apache

A lot of people forget that the timetable / livevote can be added to the menu

It'd be nice if the self-registration asked users for the email address, too. This would be one of my proposed enhancements to make WUHU work for a fully online party, too.

Optionally, verification of user identity would work with this email, too, i.e. don't activate the user in the system until the user confirmed their email address by clicking a link in their email.

The Timetable plugin does not appear to properly check the logged in state of a user before displaying the timetable, even when the menu type for the Timetable plugin is set to "Logged in only".

While the top menu does not show a URL link to the Timetable page, anyone with access to the Timetable page URL will be able to view the timetable without logging in. Other pages (such as Voting) properly show an expected UNAUTHORIZED REQUEST! error.

As discussed by the Solskogen crew after the most recent iteration of the party, it would be very nice to have a platform / production type field to show on the slides, in the cases where the user has submitted very sparse information and it sort-of matters what platform/limitation a given production has.

We've seen this successfully implemented in other party systems, and it would be very nice to have in Wuhu as well.

It'd be nice if the self-registration asked users for the email address, too. This would be one of my proposed enhancements to make WUHU work for a fully online party, too.

Optionally, verification of user identity would work with this email, too, i.e. don't activate the user in the system until the user confirmed their email address by clicking a link in their email.

Time/date formatting etc

Merge the autorename + zipcheck plugins, add feature to autorename per compo, check zips for file_id.diz, etc.

After submitting votes the vote page is shown again but when I want to reload it (because new compos are available) I’m asked if I want to repeat my submission because the page is rendered as a result of a POST request. I would expect the POST request to result in a redirect to the same page so that I can reload it without repeating my votes.

See what problems this causes.

Hi,

It seems there's an SQL error with MySQL 5.7:

[Sat May 12 10:53:56.338737 2018] [:error] [pid 23535] [client 192.168.1.1:35380] PHP Fatal error:  Uncaught exception 'Exception' with message '<pre>\nMySQL ERROR:\nError: Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'wuhu.votes_range.id' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by\nQuery: select * from votes_range group by userid' in /srv/wuhu/www_admin/sqllib.inc.php:56\nStack trace:\n#0 /srv/wuhu/www_admin/sqllib.inc.php(70): SQLLib::Query('select * from v...')\n#1 /srv/wuhu/www_admin/votesystem.inc.php(30): SQLLib::SelectRows('select * from v...')\n#2 /srv/wuhu/www_admin/index.php(20): VoteRange->GetVoteCount()\n#3 {main}\n  thrown in /srv/wuhu/www_admin/sqllib.inc.php on line 56

I would assume this is the code in question:

  function GetVoteCount()
  {
    $v = SQLLib::selectRows(sprintf_esc("select * from votes_range group by userid"));
    return count($v);
  }

I'd supply a patch, but I don't honestly know what this query is supposed to mean? What would GROUP BY without any aggregates mean?

use *.dist instead

About time, none of the nomenclature makes any sense and is a mishmash of terms

Just throwing this out here, in case someone else is interested about this. I made a fork with couple of small changes and added configuration files to run Wuhu on Docker in here https://github.com/teeli/wuhu-docker. Not tested at a real demoparty (yet). Should make it pretty simple to get it up and running if you're familiar with Docker.

Hi,

After clicking 'Generate new!' I get:

Fatal error: Uncaught exception 'Exception' with message '<pre> MySQL ERROR: Query: insert votekeys (`votekey`) values ('RWXTTLYBPL')
Error: Field 'userid' doesn't have a default value' in /Users/argasek/Sites/www_admin/sqllib.inc.php:23
Stack trace:
#0 /Users/argasek/Sites/www_admin/sqllib.inc.php(61): SQLLib::Query('insert votekeys...')
#1 /Users/argasek/Sites/www_admin/votekeys.php(16): SQLLib::InsertRow('votekeys', Array)
#2 {main} thrown in /Users/argasek/Sites/www_admin/sqllib.inc.php on line 23

If you select the option to move a prod to another compo and the prod is not the last entry of the compo, it will leave a void in the entry order of the original compo (highlighted in red but hard to recover from), the dragentries plugin will then start throwing php errors if you try to reorder things. Only way to recover seems to be to either edit the database directly or to move out all the remaining red marked entries from the compo one by one and move them back in.

Would be nice if moving the entry would also update the order of all prods; or only allow to move an entry when it's already the last entry of the compo; or dragentries plugin to override those errors automatically afterwards to become an easy fix.

This used to be available in the early Wuhu

To avoid the clunk when the slides reload

users who are requested to submit a video capture of their entry often replace the binary .zip with just the video file, which ends up being considered the final version and makes exporting the compo a bit more troublesome.

there should be an independent file input for video capture, similar to screenshot.

preferably clearly listing the server upload limits and informing users to include the download link on orga comments when the file is too big.

Don't require a votekey for registration, rather, after the user is self-registered, allow the admin to assign a not-yet-used votekey to the user. User would not be allowed to vote until they have this votekey (even if they are registered already). Consequently, allow admins to revoke votekeys, too (e,g. from users who cheat).

I think this would be a small, but important step towards making WUHU work with online-only parties, too.

Hi,

When trying to activate the timetable plugin on a fresh install, I get a 500 Internal Server Error. The log says:

[Thu May 18 22:35:00.290093 2017] [:error] [pid 23888] [client 2001:67c:a4:1:5e51:4fff:fe2f:86ef:47510] PHP Fatal error: Uncaught exception 'Exception' with message '<pre>\nMySQL ERROR:\nError: Invalid default value for 'date'\nQuery: CREATE TABLE `timetable` ( `id` int(11) NOT NULL auto_increment, `day` smallint(6) NOT NULL, `date` datetime NOT NULL default '00:00:00', `type` enum('mainevent','event','deadline','compo','seminar') collate utf8_unicode_ci NOT NULL, `event` text collate utf8_unicode_ci NOT NULL, `link` text collate utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci; ' in /srv/wuhu/www_admin/sqllib.inc.php:57\nStack trace:\n#0 /srv/wuhu/www_admin/plugins/timetable/plugin.php(167): SQLLib::Query(' CREATE TABLE `...')\n#1 /srv/wuhu/www_admin/hooks.inc.php(17): timetable_activation(NULL)\n#2 /srv/wuhu/www_admin/plugins.php(30): run_hook('timetable_activ...')\n#3 {main}\n thrown in /srv/wuhu/www_admin/sqllib.inc.php on line 57, referer: https://admin.party.solskogen.no/plugins.php

Evidently '00:00:00' isn't valid for MySQL's DATETIME type; you will also need a date (https://dev.mysql.com/doc/refman/5.7/en/date-and-time-literals.html).

Put the countdown in an overlay / PIP thing?

As the title says. So account creation could be skipped.

puryx is a genius

Remove deleted entries from list, add new entries to the end of the list, never fail.

Old sliderviewer was removed (thank god) so did these become obsolete?

This:

Hey! We displayed our project on Solskogen a couple of years back. Think it was back in 2016. When I saw your interface and how we interacted on the party, I thought, hey, our system would be great in that setting. Drag & drop to upload stuff to our cloud desktop. Etc.
FriendUP is open source - so you could host it on the party. Share live links. There's video / audio and IM chat. IRC. Everything needed for a party really.

Web apps are easily turned into Friend apps, complete with icons and a dock. So you can easily autostart the app on the Friend desktop on login.

Check us out on: https://github.com/FriendSoftwareLabs/friendup

Give me a shout if you're interested for this year's event.

Something like

17:30 - entry 5 uploaded
17:40 - user 9 registered
17:42 - entry 5 updated
18:42 - voting for x compo opened

Hello:
I have find a Reflected XSS vulnerability in this project.

The vulnerability exists due to insufficient filtration of user-supplied data in “id” HTTP parameter that will be passed to “wuhu-master/www_admin/users.php”. The infected source code is line 67, there is no protection on $_GET["id"]; if $_GET["id"] contains evil js code, line 67 will trigger untrusted code to be excuted on the browser side.

So if a attacker construct a special url as follow and send it to a victim, when the victim click the url, the code which is contained in the url will be executed on the victim's browser side to do some evil.
http://your-web-root/wuhu-master/www_admin/users.php?id="><script>alert(1);</script><"

The follow scrrenshot is the result to click the upper url ( win7 spq x64 + firefox 51.0.1 32bit ):

Discoverer: ADLab of Venustech

After submitting a prod the user gets "Submitted successfully!" flash message, but the URL still says at the prod submission page. A more standard way would be to redirect to "Edit" page of the new submission.

when submitting prods a few minutes before deadline most folks don't bother with opening an image editor to prepare a proper screenshot. a lot of the screenshots submitted end up getting badly cropped (especially graphic images in portrait mode). would be nice to have an option available to customize the uploaded screenshot a bit more, either to allowed the user to select the region or toggle on/off a fit vs crop setting.

Something similar to Siegmeister, but not as boring.