Code freeze for Elgg 1.7

SVN is officially in a code freeze pending the Elgg 1.7 beta release. Wow, it feels good to say that!

This means that all new functionality is finalized and only bug fixes will be made in SVN. We think all major bugs have been resolved and the core is ready to be beta tested, but want a few more days of testing before we are comfortable releasing a beta to the general public. If you have a spare minute, please grab the latest SVN and give it a try. Note that this is not yet ready to be used on a production server!

It will especially be helpful for plugin and theme developers to download the latest SVN and check that their plugins work correctly. One part that plugin authors should especially check are the actions tokens. As stated in my previous blog post, action tokens are required in Elgg to ensure the security of Elgg sites.

It is not difficult to add security tokens to your plugins. Two input values need to be set for actions: __elgg_ts and __elgg_token. There are a few helper views and functions to simplify this:

elgg_view('input/form')
elgg_view('output/confirmlink') - When is_action is passed as true in $vars
elgg_view('output/url') - When is_action is passed as true in $vars
elgg_view('input/securitytoken') - For forms
elgg_validate_action_url($url) - For URLs

If setting the fields manually, use the current time stamp to generate the token.

$ts = time();
$token = generate_action_token($ts);

$action_url = "server/action/myaction?__elgg_ts=$ts&__elgg_token=$token";

Again, tokens are required for the security of Elgg sites. Please update plugins accordingly. If you have any problems implementing security tokens, please post to the development list or community site and I will do my best to answer your question.