Pawtucket version working with php8

atzemaej

Hi All,
I had to reinstall my dev/php8 install of Providence and Pawtucket after an annoying hack. I had no problems with Providence, but the dev/php8 branch for Pawtucket is not the same that I had installed earlier and which worked fine. The READ.MD for that version claimed that it worked with php8.2 and it did. The READ.md of the current version explicitly says it does not work with php8* and it indeed does not seem to work (error 500). Am I overlooking something? I installed the dev/php8 from a zip file that I got by downloading https://github.com/collectiveaccess/pawtucket2/archive/dev/php8.zip. I have a vague recollection that perhaps somebody suggested a very specific download, but I cannot find any record of that.
Thanks,
Eisso

seth

The readme is indeed wrong (I've just changed it). We will be rewriting the readme's in the next few days in any event as part of the release process.

I can confirm that the dev/php8 code does indeed work with PHP 8.x. However, it no longer supports PHP 7.. If you are getting 500 errors I would take a look at the logs for errors. It's possible that you're still running PHP 7.4 on your server, even if the command line versions are 8.x. Some service providers have multiple versions of PHP present, which can make things very confusing. Another source of 500 errors on hosted machines is file permissions. Make sure all of the Pawtucket code is readable by the web server. I'd also take care that all composer dependencies are installed and up-to-date. Try running composer up. If that fails make sure you're running it with the correct version of PHP. We had a user on here just the other day where that was the issue.

atzemaej

Hi Seth,
Thanks. Now that I know the version should work, I did some more checking and ran into some more issues:

1) the first issue is that dev/php8 complains about there not being a views/system folder in my OTM custom them. I thought that in case files are missing in a theme, Pawtucket was supposed to fall back on the corresponding files in the default theme. This is not happening here.

2) Once I copied over the views/system folder to the OTM theme, I got the expected error message about missing vendors. However, clicking on "update here" (or whatever the exact text was), resulted in another error message:

Automatic installation of the required vendor libraries failed: Library installation failed: Composer could not detect the root package (collectiveaccess/pawtucket2) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version; Installing dependencies from lock file (including require-dev); Verifying lock file contents can be installed on current platform.; Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run composer update or composer update.; - Required package "phpoffice/phpspreadsheet" is in the lock file as "1.22.0" but that does not satisfy your constraint "v1.29.1".; - Required package "phpseclib/phpseclib" is in the lock file as "2.0.46" but that does not satisfy your constraint ">=2.0.47".; This usually happens when composer files are incorrectly merged or the composer.json file is manually edited.; Read more about correctly resolving merge conflicts https://getcomposer.org/doc/articles/resolving-merge-conflicts.md; and prefer using the "require" command over editing the composer.json file directly https://getcomposer.org/doc/03-cli.md#require-r...

I am not sure what to make of all this, but "composer update" (which I now think you meant to suggest in your response from yesterday) does not work, as dev/php8 does not come with vendor/composer. I can find it in my (now tainted) old install and in the dev/php8 version of Providence, but not in Pawtucket's dev/php8.

This is where I am at right now. Please advise.
Thanks,
Eisso

monica

composer update (or composer up) is what populates the /vendor directory with the required third party libraries.
What error do you get when you run this from inside the pawtucket home directory?

If you delete the composer.lock file and then click the 'update here' on the web side, the complaints should go away.

As for the custom theme, there are certain directories and files that you need to have in place for it to work. There is a theme directory called 'copyme' that gives you the starting point for a new custom theme.

Just one more point that Seth mentioned is the PHP versions. You can have one version running on the command line and another running for the webserver, you need to make sure these are the same version, otherwise you will face issues.

seth

@atzemaej The system directory is an exception for inheritance. Every theme should define it.

Regarding composer, you might also try installing and running it manually. Follow the instructions to install here: https://getcomposer.org/download/

Once installed you can use the download copy of composer.phar to update the vendor libraries. This is pretty much what the installer does - downloads composer and runs it.

atzemaej

Hi Monica,
Not sure that I get where the composer executable is or how it functions, but removing "composer.lock" did do the job. The site is up now and seems to function as intended.

When I run "composer up" in my Pawtucket directory, the error message that I get is that the Debian app "composer" has not been installed, while it would appear this is the app I need. I do not have the privileges to install it myself, but should I ask for my provider to install it?

It must be a relatively new feature that a theme requires that many folders and files. I only had four folders under views (About, Details, Front, and pageFormat) and everything worked fine previously.

Thanks,
Eisso

atzemaej

Never mind. I followed Seth's instructions. Not sure what composer did, but I get the following output:

Composer could not detect the root package (collectiveaccess/pawtucket2) version, defaulting to '1.0.0'. See https://getcomposer.org/root-version
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Package laminas/laminas-zendframework-bridge is abandoned, you should avoid using it. No replacement was suggested.
Package php-http/message-factory is abandoned, you should avoid using it. Use psr/http-factory instead.
Generating autoload files
74 packages you are using are looking for funding.
Use the composer fund command to find out more!
Found 4 security vulnerability advisories affecting 1 package.
Run "composer audit" for a full list of advisories.

Does not sound to worrisome, but who knows...
Thanks,
Eisso

atzemaej

One more thing. I just got shut out of my own site with the message:

We think you might be a robot
We have a hunch that you might be a robot scanning this site for data. If you're a real, live sentient human being please contact the site administrator at admin@theoldtownmuseum.org to regain access.

Since I am the admin here, I wonder what I am supposed to do here. I am assuming it has something to do with the robots.txt file, but that is as far as it goes. I have never had this happen before.
Thanks,
Eisso

seth

Copy the ban_hammer.conf file from the default theme conf/ directory to your theme and set enabled = 0. By default it now filters for bots. Not sure why it tagged you on the first try. You should also clear any existing bans by running caUtils clear-bans

atzemaej

Now that our site is up again, I have one more, somewhat related thing. I went over the nightly sql dumps for the various databases of our site and compared those before and after the breach (which happened on October 2). The CollectiveAccess database is actually the only one where I see something unusual. I am copying the full 89 lines below. This is the only part in which the dump from before the breach differs from the dump after the breach (aside from different dates). I have no idea what is going on here and I am just wondering if any of you could tell me if this could mean that some stealth code might have been uploaded to mysql. After all, whoever hacked the site would have been able to retrieve our mariadb database as well as I do not think there is a way to hide that information. However, it seems unlikely this happened, as doing so would seem to assume more familiarity with the inner workings of CollectiveAccess than your run-of-the-mill hacker likely has and the other damage the hackers did was easily fixed and does not suggest that they were all that tech-savvy to begin with. But then, I just want to make sure...
Thanks,
Eisso

===89 line of mysql dump code===

INSERT INTO ca_persistent_cache (cache_key, cache_value, created_on,
updated_on, namespace) VALUES ('1d4a604adebe7458e5cfdf842b7daf85',binary
'
YTo0OntzOjY0OiJkNmY4Mzg2YTEwZWRhYTQ5MTJmNzQwMjI4MDVmNjgwZjdjNDVkNTgzODQ2NGZkZjJkMTg3N
DEzZWQ1MmE1ZmU5IjtpOjE3Mjc3NzI4OTQ7czo2NDoiYTZiYTM2NDQ4NTIxZDhlMzY5YTUyZjQ5ZTQ0Yzg2OW
I2N2MxNDIzZjc3YzI5MTc2ZjQ2ZDE5NDRiMTFhMzY1ZiI7aToxNzI3NzcyODk0O3M6NjQ6IjI2NWY5ZjBiNjJ
mNTdiY2E5MTk3OTg0NWU1NjIzMjRlNmZhYmFiYTgzM2JlNjUzMjU1NDYwNmEyZGM3NmFhNTMiO2k6MTcyNzc3
Mjg5NDtzOjY0OiI2ZThiOGM3NTEyNjQ4NjVhYTkxNGIxNjM5MDAyMTViM2I5NzhkM2UwZDhjMzRiYzZmMzYzN
TcxNTA3OTU5YzIyIjtpOjE3Mjc3NzI4OTQ7fQ==',1727772894,1727772894,'csrf_tokens'),('
371f88c256f7ac60d1f91a09a719ef9f',binary
'
YTo0OntzOjY0OiI4YWY4ZjNkYzY2NjU4MTVjYTI3NDNiMWI0NzQ0ZDlhY2ZjMTZlMTc3Nzg5Y2NhOTA5NWU4O
TIyNjIyOTQxZDI1IjtpOjE3Mjc3OTUwMTk7czo2NDoiZjU1Y2I0NDc3NzY0N2M3NmY5NDM1Y2FmNTZhMzdlNG
FmNTExZWRkYzljZDVkNGI0ZmM0Y2JhZGMzYzQ3M2JjZiI7aToxNzI3Nzk1MDE5O3M6NjQ6ImE4ZDhjMjU2NTV
mOGJjN2QzNGI2ZTZiZDk2YWY1YmNhYmRlZjMzZjk5ZWM2MmJmNTA3YWE3YzY4Njk5MDNjN2YiO2k6MTcyNzc5
NTAxOTtzOjY0OiIxZjlhZWU4YWNmYWUxZTk1MzM5NmI2NDljOGIyMWNlYzc1ZDVlMDQwYzZhOTExMDZkYmIwM
DMyYTZmNDM4NjE3IjtpOjE3Mjc3OTUwMTk7fQ==',1727795019,1727795019,'csrf_tokens'),('
3d821b9d2c0077b15015cb5650987f0d',binary
'
YToxMjp7czo2NDoiOTJlYjBmMGM1OWNhZGU1NDQwMjUzN2QxOTczNzk5NTViNmY2MGI2YTdlYTg1NjY2YWQzN
zkxMThiY2ZiMDdiNiI7aToxNzI3NzkxMDg2O3M6NjQ6IjJiMTc4OTE1Njg5ZjIwNmI2Mjg3ODk1YjAxMGFkZj
gxMTdjOTU5MDY3ZDE5NWY4MmVhMWJhMjc0NjdmMzExZmQiO2k6MTcyNzc5MTA4NjtzOjY0OiIwMjVhNjZjNGQ
2NDg2ZDYzNTc3NmI3MDVkMTY5NDk4NzRjOWQ5ZmM2N2E0NmQ3YzUxYTMyN2Y2YzNiOWU3NTc2IjtpOjE3Mjc3
OTEwODY7czo2NDoiYjljMDA3OTY0Zjc1MTFkOWMzZjZmYTI5MDVkMjA5YmQ5YzE4NzMyOTlmYTliNjBjYjYwZ
DcxZTU2ZTVmZjY0MSI7aToxNzI3NzkxMDg2O3M6NjQ6ImM1MTAwZDFmNGFkY2JlMWRiYjQzYTkwN2IwZjczNT
VhNDAyY2M3NjlhMmJiN2FmZGUxNTg4NzUzMWQ1OTVmMmYiO2k6MTcyNzc5MTA4NjtzOjY0OiI0OGQxZjdmN2N
mZDZjODA3MzdiNzQ5Nzc5NTNhM2JlMWM4MDlmZGY4NDQ0OTc5YmU5YzE2MDhmZTNlZDU2ZGVjIjtpOjE3Mjc3
OTEwODY7czo2NDoiYjg0N2VhMjhiNDRlMWM0OGMzNTllOTU0ZmFhYTg5OTU5YmNmNDU1NjA3N2QxNDYyYThiM
DAyZGMxNTEyNzA0NyI7aToxNzI3NzkxMDg2O3M6NjQ6IjU4NGYwOGU4YjljODgwZWMzYTBmODRmNzg4MGFhMW
RhMjJlNTk0NzA3Y2I4NWVhOWY3NjRmNmIxOWJlMTZlYTAiO2k6MTcyNzc5MTA4NjtzOjY0OiJiMDQxNjQyNGI
0OWI3Zjk3MGYzZjQxMTIwMzU0OWUwYmMyNjAxN2VjMGJjYTg3NTZkNTczMTE2NDA1NjQ2MmI0IjtpOjE3Mjc3
OTEwODY7czo2NDoiZWZjMjE4ZWJmYzNlOTViMzk2MTc4YWRhOTc0YjdmNzEyYzkxZTllMzBkODRkM2E0NjllN
2RlN2ZjMmZiMjRmZCI7aToxNzI3NzkxMDg2O3M6NjQ6ImYwZjEyYTM2N2U4MjY1M2ZhNzFmNTA3ZTE0OGIyYz
Y1YjJjZDlmNDY3ZjkxZjcwZDEyOTYzNWVjZTUyZmRlNmUiO2k6MTcyNzc5MTA4NjtzOjY0OiJmMDgxMjQ3Mjl
lZDIwMTljYWJiZTI4ZGM5M2Y5OWI4ZDM5MDI4NDc2MDkyODIyYWIxYWZlY2IzNDA4ZGIzYjcyIjtpOjE3Mjc3
OTEwODY7fQ==',1727791086,1727791086,'csrf_tokens'),('4235175658dbbdd78ce5f72002f4a76c
',binary
'
YTo0OntzOjY0OiIyZjkzMGZhMzgzMGMxYjNlZmY1Y2JkNjUyMWI0MWU4YWNlMTUzNzk1MWZlYmMyOGIwNmYyM
zk0YTUyYzBjMTgwIjtpOjE3Mjc3OTg3MDc7czo2NDoiMTYyNTMyOTMyMWZlYjYxNGI4OTBkMWE1MjFkMzIyZD
k3YzQ3MDA2ZGU1ZWIyZWExNmMzZTdjOGFjZDJhODAwYyI7aToxNzI3Nzk4NzA3O3M6NjQ6IjBmZDA4ZTlkYjA
3YTczNWRiNGYzMmY1NDhiNGQxOWUxNTY0NDRmNGM2ZDNmNjYzOGMzNmNjZDA4ODBjNDI3MmMiO2k6MTcyNzc5
ODcwNztzOjY0OiI2YjVkNmIwN2UxY2M4ZTE5YTlkZGYxZTc1ZGFlZDM4MGI0ZWVkMGM4Zjc3M2M0MDM4MDkyZ
TgzZDliNDlkOTQ5IjtpOjE3Mjc3OTg3MDc7fQ==',1727798707,1727798707,'csrf_tokens'),('
51c469f9dce1f9295ac6e257128bf10a',binary
'
YToxOntzOjY0OiJkYzRkYTc0NmJhMzg5MDdlMmZmYjJlYzdjMWI0ZGQ4ZGY1YTlhMzk4N2Q4MjI2ZGE3ZGIwN
jUyYzU5NzAwZDliIjtpOjE3Mjc3NzY4ODM7fQ==',1727776883,1727776883,'csrf_tokens'),('
66c182eb52082a340142cb5fdae17ea6',binary
'
YTo0OntzOjY0OiIyZDQ0NWZiMDJhZWEyZGQwOGJjMTg2OWE2NDI5Yzg3NzU5YjgxYTc1OTViYWY3ZmY2NDJiM
GFkODEyNDQ0YTZhIjtpOjE3Mjc3OTM2MjE7czo2NDoiM2I5OGNlOTc4YWEzMDc3MmM1YWUzNDgwNjJiYmY5Y2
Y5ODZjMWI4OGRkMjdiMzZiZGY1MDkwOGRmYzZiZGFiMCI7aToxNzI3NzkzNjIxO3M6NjQ6ImY5ZTQ3MWFjZGE
3OGU5NzAwMWI5OWViZjkzMjc5MGUxOWJmODgyNjcxMmRkYzUwNTU3ZWJjNDUyYmY4OWM1YmYiO2k6MTcyNzc5
MzYyMTtzOjY0OiI4YjJkNjU5YzhmNjMyMDJkMjEwZTRmY2E4NDczNTU1ZjA1Mzk3YjQzNmIwMDhlZTA1ZTA3M
Tk5NjJmZGU1ZGYzIjtpOjE3Mjc3OTM2MjE7fQ==',1727793621,1727793621,'csrf_tokens'),('
71379bed6ad405d45edb84c6ab6d48f3',binary
'
YTo4OntzOjY0OiI4MjE2ZDk3ZTU2NmViOTU0ZTdkMTQ5MzkwNmEyMTNhMTE0N2NlZGRhODM2Zjc2ZTMzYWYzM
jhkZWU2OWJkMmUyIjtpOjE3Mjc3Njg0ODU7czo2NDoiMGI1YmNmNjY2ZGVjYzkzNTUyYWUyMzBjYzA5YzkxOW
U0NGFhNzQ2YTdlNzVmNzZjMzRjYWUwYTVmMjBiMGFiYiI7aToxNzI3NzY4NDg1O3M6NjQ6Ijk5ODQzMWJiZmQ
yYjUwZDQ1MjUyZWFhODQzODY0OTM0YTFlMThhOTlmODZhYjg5MzU0NTZhYWIyYTA1NzE4ZWIiO2k6MTcyNzc2
ODQ4NTtzOjY0OiI3YWM2OGQwMjgzYzEwNzU3ZTg3ZDY5ZDMwYWFlYmVjZmM3Mzg5ODA1YzkxNzAxMTViY2IwY
2FkOTNkZDBlZGM5IjtpOjE3Mjc3Njg0ODU7czo2NDoiZTIyY2JmODg0Y2YxYzczOGNkZjA0MWQ1YjYzNDRjZm
Q5YWYzOGMwMGQ5M2M3ZWJkZGI3MWZjZDBjZWU4NTYxYSI7aToxNzI3NzY4NDg1O3M6NjQ6IjExMGNmNDQ0YzQ
3ODdhNTQzZjhlOTI3MjljNGQ2NmI3NWM0NWRiYTEwODNmODQ2MWY4YmEyOTNhNTc5NzJmM2YiO2k6MTcyNzc2
ODQ4NTtzOjY0OiJjNGIzNTkxM2IxOTYyYTcyZGRiNjYxNzkyNTdhNjdkODdjNDhiZmNlMmQ2OTI3YzhhMTc0N
jA0YzVkM2EyZmExIjtpOjE3Mjc3Njg0ODU7czo2NDoiYzlkMjQ3ZGE3NWMxNmJlNGZjY2MyNTlmMzdiY2JmZD
AxOWZiNzRlNzllM2E2NmExYzUxMjZkNDg0YzU4NDY3YyI7aToxNzI3NzY4NDg1O30=',1727768485,
1727768485,'csrf_tokens'),('84de7ba5585a206b37f2dd2e77b8f20b',binary
'
YTo0OntzOjY0OiJhNTVkNWQxOTExMzQwMzhiZDU3YmRhNmZlZmU0MmMyZGJkZjU1NjQzZmNkZDU1ZjY0Mjg1Y
zcxYmIyMWZmNTBjIjtpOjE3Mjc3OTQyOTg7czo2NDoiZDE3MTBjMjlmNTNjMzc1MmY5MDg1MjU3NDNmMmQ4ND
FmZGFiYmM1NTFiNjljZGIzODM5NzdiOWRlYzI4OThjOCI7aToxNzI3Nzk0Mjk4O3M6NjQ6IjU5ZDdhMTA3YjI
5MDk3ZTUxMmMxNzI3Mzc4N2MyYmM3MDNlYTUyZDY3NjhmMmFiOWM0Y2RjMjUzN2MzMjYxZmQiO2k6MTcyNzc5
NDI5ODtzOjY0OiJhZmYxMTgxYWNhY2I1MDkyYTEzZjE4OTFlNDQzNTlhM2NlMzdlYjM0YWYwOTRiOWZiMGRkO
GRhNGFjOWUxNmE0IjtpOjE3Mjc3OTQyOTg7fQ==',1727794298,1727794298,'csrf_tokens'),('
aa82538edf41e8d2343e39bc28475d54',binary
'
YTo0OntzOjY0OiJkOTIzNTA5M2VlZmVlOTBmNjRiMmZmMWFiM2ZlYmNmYmUyOWNlNDEzNmZmYjRhZjVlZjg5N
jI3YzQxNDAxNDQ3IjtpOjE3Mjc3ODA0MTk7czo2NDoiYTdmZjAxZDI0Zjc1MjhkNTkzMTQ2OTdiMjlmYzBiZT
AyMzVkYTBmNDJmYjYzNzdjMWQ3NTBhN2FmNzZiZjI2YiI7aToxNzI3NzgwNDE5O3M6NjQ6IjI0YjQ5YjNjYjk
2YjEyNTM3OGRkMTlkOTc1NWQzZmUwZmE4ZmFmMzIwY2Q4ODcxMGIxODk1NjVjYTQ3OThkNjMiO2k6MTcyNzc4
MDQxOTtzOjY0OiI2MzYxNGJjMjZjZDA2ZmNiZjBmMDQ2MDQzYzhkYzk5NTc1ODZmNWMzMjQ1ZmZlZDQ2NGJhY
mJiZjkwNjYwMzU0IjtpOjE3Mjc3ODA0MTk7fQ==',1727780419,1727780419,'csrf_tokens'),('
bf29f5a196428280d72e7de4677e4262',binary
'
YToxOntzOjY0OiI5NDg1N2Q0YmIxNDNiOWE0NTUxOTE4Y2VhMTBiODgwNWE2ZDFlNTUzNzcyNDAyOTIwMjJhM
zlmMTNmNzcwMzRkIjtpOjE3Mjc3Nzc2MTg7fQ==',1727777618,1727777618,'csrf_tokens');

seth

That table is present in the dev/php8 version of CollectiveAccess. It's not suspicious.

atzemaej

Ok. Thanks!
Eisso