Add option to show full CMS version number in generator tag 

Implementing Access levels for Content Languages

Make the auto-update process more reliable across different hosts

details here

http://www.joomla.org/announcements/release-news/5419-joomla-1526-released.html

and here

http://developer.joomla.org/security/news/9-security/10-core-security/396-20120305-core-password-change

details here

http://www.joomla.org/announcements/release-news/5419-joomla-1526-released.html

and here

http://developer.joomla.org/security/news/9-security/10-core-security/396-20120305-core-password-change

Obviously just having the code in Joomla’s folder isn’t enough – the application needs to be loaded and looking through the code to find the correct way of doing so isn’t immediately obvious — Joomla contains thousands of files after all. Not to worry, they make it quite easy

<?php
define( ‘_JEXEC’, 1 );
define( ‘JPATH_BASE’, “/var/www/mywebsite” );
define( ‘DS’, ‘/’ );

require_once ( JPATH_BASE .DS.’includes’.DS.’defines.php’ );
require_once ( JPATH_BASE .DS.’includes’.DS.’framework.php’ );
require_once ( JPATH_BASE .DS.’libraries’.DS.’joomla’.DS.’factory.php’ );
$mainframe =& JFactory::getApplication(‘site’);

From there on in you will be able to access various Joomla variables, e.g. use the following to get the user object for the currently logged in user – assuming this script is called in a link from Joomla.

$theUser =& JFactory::getUser();

Or use other JFactory functions like getConfig() or getSession()

Should work in Joomla 1.5 upwards. A simple way to add some simple Joomla integration to your scripts.

details here

http://developer.joomla.org/security/news/391-20120301-core-sql-injection

and here

http://developer.joomla.org/security/news/392-20120302-core-xss-vulnerability

Announcement here:

http://www.joomla.org/announcements/release-news/5415-joomla-252-released.html

I don’t know what it is about this subject but many people are completely baffled by unix permissions, like 777, 666 and 755 particularly if one is used to using a PC or Mac but don’t have any unix or linux background. So why is it important for us? Well the vast majority of web servers run on Linux boxes. These servers assign a specific set of permissions for each file and folder based on it’s creator. The problem is that sometimes default permissions on many hosts may cause your websites, plugins and extensions to break because the web server cannot write to the appropriate location.

So say you have a great new Joomla website but want to install the latest / greatest extension. You go to the extension manager and upload the archive only to get the dreaded “Failed to move file” error. Argh! Permissions have scuppered the installation. One way to fix this is to change the permissions of the relevant folder and files to 777. Easy to do in your FTP client (if the FTP user is the owner), but hang on a second, surely there’s some catch.

Well there is. Changing permissions may be easy but these permissions have been set for a reason. Namely security. As soon as you open the permissions of any files or folders on your website you are creating a security hole that may be potentially be exploited by a malicious attack. The advice in this circumstance is always the same. Don’t do it, find another way to install that extension. It is far more worthwhile to put up with inconvenience rather than trying to clean a hacked website.

Understanding Users, Groups and Ownership

To understand unix/linux permissions one needs to understand a few other concepts. Nix systems support multiple “Users“, Users can be placed in “Groups” and can belong to more than one group. The file system is made up of File and Directories, each of which are “Owned” by a user and a group (yes, each file/directory is owned by one user and one group). If you create a file it is automatically owned by the user you are logged in as and it’s default group. If a file is owned by you can read, modify, delete,  execute it.

What are 777 and 666 and why should I avoid them?

Permissions can be expressed in a number of ways but the easiest to understand is the numerical format. Each file has a “permission” consisting of 3 digits ranging from 0 to 7. The first digit refers to the permission for the owner, the second is the permission for the group that the owner belongs to and the third digit refers to every other user on the system. Each digit is a sum of the permissions for that user or group based on the following:

Read = 4

Write = 2

Execute = 1

So if a file is 600 it means that the owner can read and modify the file but cannot execute it and no other user can do anything with it.

755 (a common permission) means that the owner can read, write and execute the file but no other user can modify it at all.

666 means that the file is readable and writeable by everyone.

777 means that the file is readable, writeable and executable by everyone.

The latter two settings are to be avoided at all costs. Why, well say someone managed to exploit a script on your server that allowed access to the file system. That person may be running the script under, say, the Web Server user. If a file is 666 or 777 they would be able to modify that file and potentially inject malware into it. If a folder is 666 or 777 the user could create more files with malware. A very dangerous situation.

Workarounds

When installing your Joomla, WordPress, or other CMS based website, upload the entire zip file and extract using a web script, e.g. Akeeba’s excellent kickstart.php instead of uploading by FTP. That will ensure that all files are owned by the web server’s user. Note that all your virtual hosts will still be running in the same user space so it’s not exactly the most secure option, but it’s alot better than opening permissions.

Use SuPHP. SuPHP allows apache to run php files under another user. This would mean that one could isolate php execution for each virtual host using the Linux file system. It’s an excellent method to add security to your system. That said, I am not going to go into the details here as I find the next option (mod_itk) a much much more elegant solution as Apache itself is run with another user’s permissions – not just php scripts.

A more technical solution, but safer if you have multiple virtual hosts that you would like to isolate from one and other is to run Apache as a different user for each host. Note that you need the apache2 mod_itk extension to do this. It’s easy to install, e.g. on Debian a simple apt-get install apache2-mpm-itk should do the job. Here’s the cool part. In your virtualhost just use the AssignUserId directive to run apache2 as a different user for that host, e.g. I may have a host called MyCmsbloke.com that I want to run under the user account of “cmsbloke” and group “cmsblokeadmins”. In this case I used the following in the virtual host:

<ifModule mpm_itk_module>

AssignUserId cmsbloke cmsblokeadmins

</IfModule>

Remember to restart apache after you change these configs.

This is where you need a file manager that where you can, temporarily chmod files and folders for access via FTP or edit your files within the browser. Luckily there are a number of options. Here are the ones I typically use. Some install as Joomla components and some are standalone scripts that can be used in the case where you have a non-working installation of Joomla or have not installed Joomla yet.

Each of these scripts acts like a cross between and FTP client and Windows Explorer/Macintosh Finder, etc.

extPlorer Joomla File Manager

This was my workhorse file manager for years. However it’s getting old at this stage and I’ve found it doesn’t always work on some hosts. The script can be installed in standalone mode without Joomla or installed into Joomla via the exension manager. It’s darned powerful and will allow on to edit files, changes permissions on files and folders recursively, upload and download files, move and copy files. One of the most powerful features of the script is that it can also use your FTP credentials, essentially changing it’s ownership propoerties. This tool can be downloaded from extplorer.sourceforge.net . As with any script make sure you download the latest version.

NavPHP File Management Script

NavPHP is another exellent management script. This one is standalone. Just download the archive, unpack and upload to your host (or upload the archive and unpack using a script like Akeeba’s excellent Kickstart.php). This script also enables the user to upload, download, chmod, edit, etc. One downside is that one can only select individual files and folders to perform actions on; no recursive chmod available here unfortunately.

I use this when I don’t have a Joomla install or in an emergency where I need to fix some simple things fast. Good free tool.

OSE File Manager Joomla File Management Component

This one is like a simplified but more modern version of extPlorer. It suits most of my needs and supports Joomla versions 1.5, 1.6, 1.7 and 2.5. These days OSE File Manager is my file manager of choice. Again it support recursive chmod, upload, download, editing, source code editing, file moving, copying, and the creation of files and folders amongst other tools.

Another reason for using it? Well I find Open Source Excellence products to offer a high level of quality. Their OSE Membership extension is a great tool for instance and their support desk is responsive – though I have never had to contact them in relation to the file manager. This tool can be installed via the extension manager and accessed via the Components menu.

Download OSE File Manager here

NinjaXplorer File Management Script for Joomla

On the odd occassion that OSE does not work for me (I don’t know why it fails on some websites – probably some hosting issue) I use NinjaXplorer. It’s very similar in feature set and interface. As with OSE File Manager it can be installed via the extension manager and accessed via the Components menu.

So you may ask yourself what the downside of such scripts are. Well they give full access to the file system in your virtual host so they are a major security hole if someone breaks in. Make sure you set a proper password for the standalone scripts and do delete them once you have finished with them if they are not going to be used again (or set them to be non-executable using CHMOD).

So there you have it. These are your best bets if you need a web based file manager for your Joomla website. Let me know if I’ve left any out or if you have any suggestions of comments

You can download NinjaXplorer here

This post presents a step by step tutorial showing how to migrate your Joomla 1.5 website to Joomla 2.5 using two methods, i.e. using SP Upgrade or JUpgrade. Instructions for JUpgrade follow afterwards. SP Upgrade is simpler as it ignores 3^rd party extensions. JUpgrade tends to fail more and has limited error reporting, however if you do need to port items like Kunena or Community Builder do use JUpgrade as the manual migration of these is non-trivial.

Using SPUpgrade to Migrate to Joomla 2.5

Process Summary — A new installation of Joomla 2.5 is installed. The SP Upgrade component is installed on this system and configured to connect to the Joomla 1.5 database. SP Upgrade will copy and translate the data from j1.5 to the new installation.

Note1: If you want to port K2 featured websites use JUpgrade instead – it’s free. Download from here:

Note2: Both JUpgrade and SP Upgrade copy data only, you will need to copy your content/media files over to an appropriate location separately. The same applies for your template.

Note3: Ensure that your new installation does not have ANY articles in it.

1. Download and install the latest 2.5x on your host. Do NOT install the sample data.
2. Download and install SP Upgrade to this new Joomla installation  http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/15609
3. 
4. Go to Components | SP Upgrade
5. Fill in the database details of the Joomla 1.5 database (you need to be able to access the db from the 2.5 host)
6. 
7. Choose the options you want ported — typically I would select all options except template
8. Click the Migrate button
9. A new window will open and show progress of each step of the conversion, including user migration, categories, sections, content, etc. Make note of any errors that appear. Don’t worry if the dialog stays blank for 30 seconds or so – this is normal. This will take some time, even on small websites.
10. 
11. Copy over your image files, e.g. you may copy the images/stories folder into the J2.5 images folder so that you do not need to realign links in your content
12. Choose and install a template (or port your existing template to J2.5)
13. Go into the module manager and change positions to match those of the new template
14. Make note of all extensions that need to be installed on the new 2.5 installation. Verify by looking in the Joomla 1.5 extension manager. Many extensions do have a Joomla 2.5 version available so these would be ones that you will want to procure and install. For those that don’t have a Joomla 2.5 version either decide upon an alternative or leave this functionality out of the mix for the moment.
15. Install Akeeba Backup
16. Install and configure relevant extensions
17. Repopulate extensions, e.g. create galleries and upload pictures, for image galleries.
18. Test installation

Using JUpgrade to Migrate to Joomla 2.5

Note: JUpgrade works in a different manner to SP Upgrade. It also only migrates data but instead of installing into a blank Joomla 2.5x installation one just installs JUpgrade into the old Joomla 1.5 website. Once run JUpgrade will download and unpack the latest Joomla and migrate the appropriate data.

You will need to use JUpgrade if you have problems with SP Upgrade or if you need to port any of the following 3^rd party extensions:

• Adminpraise
• Kunena
• K2
• JoomComment
• Virtuemart
• redSHOP
• CommunityBuilder
• JCE
• Contact Enhanced
• JomSocial
• redFORM
• JEvents
• Akeeba Backup
• Jumi
• redMEMBER

1. Ensure you have CURL enabled
2. Download the latest version of JUpgrade  http://extensions.joomla.org/extensions/migration-a-conversion/joomla-migration/11658
3. Install using the Extension Manager
4. 
5. Go to Extensions | Plugin Manager
6. Enable the “System – Mootools Upgrade” plugin
7. Go to Components | JUpgrade
8. Click on Parameters
9. Make sure you have appropriate values in the settings and turn on the debug option
10. Save
11. Start the migration. JUpgrade essentially downloads the latest copy of Joomla and installs it in the cmsroot/jupgrade/ folder ready for your joomla 2.5 upgrade
12. 
13. 
    
14. Wait for the completion message
15. 
16. Use the links for Site and Administrator to test your installation.
17. If you did port 3^rd Party extensions you will need to install the Joomla 2.5 versions of these in your new installation (remember it was only data that was ported and the old extensions would not work on Joomla 2.5 anyway).
18. Copy over your image files, e.g. you may copy the images/stories folder into the J2.5 images folder so that you do not need to realign links in your content
19. Choose and install a template (or port your existing template to J2.5)
20. Go into the module manager and change positions to match those of the new template
21. Make note of all extensions that need to be installed on the new 2.5 installation, i.e. the ones not ported by JUpgrade. Verify by looking in the Joomla 1.5 extension manager. Many extensions do have a Joomla 2.5 version available so these would be ones that you will want to procure and install. For those that don’t have a Joomla 2.5 version either decide upon an alternative or leave this functionality out of the mix for the moment.
22. Install Akeeba Backup
23. Install and configure relevant extensions
24. Repopulate extensions, e.g. create galleries and upload pictures, for image galleries.
25. Test installation

Finalising your Upgrade to Joomla 2.5

So last steps is to go through your new site, verify that all extensions are working, that there are no broken links and images and that all of your users have been ported over successfully.

There you go. Hopefully this will help you to upgrade to Joomla 2.5.

It’s a recommended security fix so update by:

• uploading a security patch via FTP or
• using Akeeba Admin Tools or
• go into the Joomla extension manager and use Joomla’s core updater to get to the latest version.

As a side note the 1.7 stream has been similarly updated to 1.7.5 fixing 3 medium priority information disclosure issues. Similar steps required to update.

Make sure you update your Joomla 2.5 installation as soon as possible.

So do you need to upgrade to Joomla 2.5? That’s the first question you’ll be asking yourself. For those of you who remember the migration from Joomla 1.0 to 1.5 I can feel you cringing already. It’s slightly easier this time around though but it’s still not a one click upgrade as the differences between 1.5 and the 1.6 stream, to which Joomla 2.5 belongs are significant. If you have a bunch of 1.5 websites you know that it will be alot of work. If you have a bunch of clients’s websites on 1.5 you need to inform them of the impact and the effort required in upgrading to the latest version along with the significant benefits that they will see.

Update: I have written a step-by-step tutorial showing how to upgrade to Joomla 2.5 here

As mentioned in my previous post “Joomla 2.5 Released” your old 1.5 websites will not stop working but security updates will stop when it is officially decommissioned in April 2012, which is just around the corner. So my recommendation is to migrate to 2.5 if you can and to concentrate on those websites that deal with eCommerce or sensitive data first.

Terminology: I use Upgrade to Joomla 2.5 a bit in this article as that’s what most people will term the process as but this is really a  migration. Probably should have called it Migrate to Joomla 2.5, but I’d probably confuse too many people!

How to I upgrade to Joomla 2.5?

Unfortunately there is no “upgrade path”. The changes between Joomla 1.5 and the Joomla 2.5 stream are quite significant to put it mildly, requiring site owners and developers to follow a migration path, i.e. a way in which the data from your current website is translated to the data schema of the new version. An additional, and major stumbling block for many is that much of the 1.5 extensions do not have corresponding Joomla 2.5 versions. So if you’re using something that’s not supported in 2.5 you’re either out of luck for that functionality or need to find another extension or core functionality that can fit the gap.

All is not lost however. There are two tools that can greatly help you to upgrade to Joomla 2.5:

Note: each extension can migrate your data to the new 2.5 format. You will however still need to copy over all of your images to an appropriate location and may also need to change or update your template.

Firstly there is Joomla.org’s recommended JUpgrade component. This extension was written by Matias Aquirre, the same kind sole who developed the MTWMigrator extension to help with Joomla 1.0 to 1.5 migration. Without that extension I may very well have given up on Joomla altogether when 1.5 came out. JUpgrade is very similar. Simply install the component into your Joomla 1.5 website, configure it with what data you want migrated, e.g. core data like articles, categories, users, etc + some supported 3rd party tools like the Kunena forums, K2 and Community Builder. The system will then automatically download the latest Joomla core, and install it in the root/jupgrade folder with all of your ported data. This way you can run your Joomla 1.5 website while you are configuring, updating and testing your brand new 2.5 website. Pretty cool eh?

Secondly there is a commercial extension called SP Upgrade. When I say commercial you do need to pay for this but at $30 it’s a steal IMO. It seems quite similar to Mattias’s old MTWMigrator component but it has a few extra features, one of which is that it can attempt to port your template over — do note that this isn’t foolproof however, it’s not guaranteed to work for templates. This one requires you to install a blank new Joomla and install the component there. Then you point it to the Joomla 1.5 database, tell it what you want ported and it will suck the relevant data in, giving some nice status updates along the way.

Both extensions are excellent though I do tend to use the latter at the moment, simply because it gives me so much information, e.g. it will list each of the rows in the user table that cannot be migrated if there is a problem. I also prefer building a blank Joomla 2.5 website and sucking the data into that rather than the subsite method of JUpgrade. Both tools work well however so it’s up to you which you use.

JUpgrade is available here.
SP Upgrade is available here.

More details on the upgrade process using JUpgrade can be found on joomla.org here. The article is old but everything still stands as 2.5 belongs to the1.6 stream.

Once you have migrated your data you will now need to install or convert your template and install new extensions to deal with whatever non-core functionality you require (unless you are only using 3rd party extensions supported by JUpgrade or SP Upgrade).

Do note that if you are on Joomla 1.6 or Joomla 1.7 that there is no need to migrate to Joomla 2.5. Just use Joomla’s inbuilt upgrader to do the work for you.

Update: I have written a step-by-step tutorial showing how to upgrade to Joomla 2.5 here

So hopefully this article has given you the information you need to make the decision to migrate to Joomla 2.5 or upgrade to Joomla 2.5 or not and if you have decided to do so I hope the pointers above makes it easier for you. Just in case you haven’t heard my excitement – “Joomla 2.5 is here!” Happy migrations!

Well the title says it all. The good folks at Joomla.org have relesed their next Long Term Support (LTS) version of their ever popular CMS with added features, functionality, improved language support and enhanced security features. Click on the post for a rundown of the main points.

Joomla 2.5 Long Term Support (LTS)

The numbering may be confusing for those who haven’t been following the project but this is the 3rd major release in the 1.6+ series. Up to recently 2.5 was designated as Joomla 1.8. The reason for the odd number is that each new major long term support version will be a .5 series, e.g. 2.5, 3.5, 4.5, etc. This means that they will be supported with bug fixes and security patches for at least 18 months.

New Features in Joomla 2.5

So here we get to the juicy part that you’ve all been waiting for; the new features in Joomla 2.5. The main areas of improvement are:

• Better search engine with auto-completion
• Multi database support – a massive plus for scalability
• Extension update notifications – no need to check these manually using the Find Updates feature any more
• Captcha in core — begone you 3rd party Captcha extensions!
• Link to module — the new menu system will allow linking to modules (whereas before only components could be linked). A long standing feature request comes good.

And don’t forget all of the new features you get when you are migrating from Joomla 1.5, those added in Joomla 1.6 and 1.7, e.g.

• Joomla 2.5 has much improved access control list (ACL) for fine tune multi-level permissions
• Much improved native multilingual support
• Download and apply security patches from within the Joomla administrator
• Much improved template management and template features
• Scrapping of the old Section | Category paradigm. You can now have multiple nested categories
• One click extension updates via Extension Manager | Update | Find Updates. This was a glaring flaw in Joomla 1.5. One of the main reasons for Joomla websites being hacked is the use of out of date extensions. The old system required site administrators to constantly monitor what versions of what extensions were used on each of their websites and keep them updated manually by downloading installers and uploading them via the administrator. The new Joomla follows in WordPress’s footsteps and allows one to query for updates and install via the extension manager’s Find Updates feature (note that with 2.5 notifications will be automatic).
• More secure installer, e.g. change your admin username during install and use of a random db table prefix
• Better core SEO / SEF support
• A much better Media Manager
• Access to improved / updated 3rd party extensions, e.g. I much prefer the new JCE to the one I used on Joomla 2.5. Complete with drag and drop image uploading!
• Built in redirect handler

So what does this mean for me?

Well it depends on what you use Joomla for, but for me it means:

• More control over my websites
• Streamlined security workflow (due to the core and extension update features)
• Better search engine visibility
• Improved administrator user experience for my clients
• A more flexible development platform due to the ACL improvements
• Revived excitement for the Joomla project!

Do I need to migrate / upgrade to Joomla 2.5 from Joomla 1.5?

Well that’s a matter for you but it is highly recommended. The Joomla 1.5 series will be officially decommissioned in April 2012. That means no more security patches from that point on which will be a concern for most of you. Your current website will continue to work, however I would urge anyone who runs a Joomla 1.5 website dealing with eCommerce, forums or any sensitive information to take the plunge and migrate their websites to Joomla 2.5. It’s a it of work but it’s worth it for the peace of mind and there is nothing more time consuming than trying to clean a hacked Joomla installation (except maybe for a hacked WordPress installation!!!)

How can I upgrade to Joomla 2.5?

This post is getting a bit long to please see my follow up post here for more information But as a summary I use either the free JUpgrade component by Mattias Aguirre or SP Upgrade, a commercial component that provides a similar feature set.

By the way, if you have any questions, comments, corrections, etc, do feel free to comment.

Well there we have it. Joomla 2.5 has finally been released and with a bunch of new features too. Well done team Joomla and thanks for a great CMS!