Add config file -- includes a lot of config options! #63

Open: wants to merge 25 commits into base: master

ulikoehler

This pull request adds a config.inc.php which is used to add configurable expire times. For example, a pastebin provider could disable "Never" expiration to avoid clogging up the disk.

Editing index.php and page.html is not a good practice for this, not only because users will need to re-apply changes after each update.

In the future, the config file could be used for further configuration options.

Merging would be highly appreciated!

EDIT: More config options have been added. See comments below.

@ulikoehler
Author

I also added an option to enable default-selected burn-after-reading - I hope you don't mind if I add the relevant commits to this config-related pull request instead of creating individual ones for each feature.

I want to create an application to create partially-securable email by pasting the text into a ZeroBin-like pastebin.
Because I don't want features like discussion or syntax-highlighting, I could either fork ZeroBin or (what I'm currently trying to do) make features optional in ZeroBin to disable them via config and just use a different template for my application.

@ulikoehler
Author

I found http://sebsauvage.net/wiki/doku.php?id=php:zerobin_todo and added the configurable rate-limiting including an option to disable rate limiting altogether.

(Hope you're going to merge this soon, but I don't want to rush ;-) )

@ulikoehler
Author

Vizhash on/off now works as well.

@ulikoehler
Author

... so does enabling or disabling the discussion system.

Basically this pull request should cover most of the config TODOs from
http://sebsauvage.net/wiki/doku.php?id=php:zerobin_todo

@ulikoehler
Author

It is now possible to disable syntax highlighting

@ulikoehler
Author

Sorry for self-bumping, is this project still active? There are relatively few commits in the last months and I'm just wondering if there will be any further development on this.

@Hexalyse

You're totally right to self-bump yourself. The last pull-request which was considered by the author of this project was about the "password protection" option #23, but it was rejected because it lacked some confinement (comments were possible on password-protected paste).
Since then, every pull request has stayed without any response. It's a shame because this project is a very good idea, but seems to be abandoned by its original author. I think it might be a good idea to fork it on another "unofficial" but maintained github (maybe yours, Uli? Because you seem to have made a lot of additions to it).

I also merged the password protection and tweaked it a bit on my repo to avoid some bothering side effects happening in the suggested pull-request : if a comment were posted with an empty nickname on a paste, it would ask you for a password when it shouldn't.
(There is still this problem with the possibility to post comments on password-protected paste, because I did not take time to completely disable them in this particular case. But I'm sure it wouldn't be too hard to do the modification.)

EDIT : I just saw you added the option to disable comments - discussion - in commit f02d062
I'm sure it wouldn't take long to disable comments on password-protected pastes. You can check my profile to get the password-protected version of zerobin, consisting of an optional password field on the page, and a slight modification in the JS decrypting the pastes.

@ulikoehler
Author

Thanks @Hexalyse for your feedback, I really appreciate it!
Even if I'd like (in the long term) only one, maintained official repository, I totally support your idea of using an unofficial fork for now. Using mine is fine for me (I can't guarantee daily merges, but I'm usually pretty fast) if it is for you! Right now it's pretty hard for me to keep all my pull-requested branches merged into one production-branch, and it will only get worse if I start to use features from other branches like your password protection.

My plan for the future of ZeroBin is:

  • Refactor it to a more MVC-like framework that supports databases (I'm not absolutely convinced the IP rate limiting algorithm is reentrant and properly supports concurrent access), and (optionally) support SQL/NoSQL (for higher-volume pastebins)
  • Make templating more dynamic. I've worked on a Bootstrap template (with very limited success).
  • Write docs telling people how to install it
  • Tell more people about it, after all the idea is really good ;-)
  • Write specifications about internal data formats
  • Refactor the entire code. It's pretty monolithic right now.

Regarding your password protection feature, I really like the idea of it, and I have no objections supporting password protection with discussion on password-protected pads disabled (--> the main password-protection changes are merged then, but we have time to think about how to support password protection.)

What do you think about this plan?

@sebsauvage If you read this, don't get me wrong, I have no intention to split development in two separate repositories unless absolutely necessary, but even if it's only been 20 days since my first pull request, maintaining multiple PRs (there are 11 open PRs right now!) is getting incredibly difficult. I can completely understand if you don't have enough real-life time to review code all the time -- if that is the case, have you considered asking someone you trust to help you maintain the repository? ZeroBin deserves, in my opinion, more maintenance than you're currently able to donate. If you have some spare time in the future, I'm sure we can figure out a solution that does not involve more forks than necessary.

@ulikoehler
Author

Thanks @nitmir for your suggestion! I'll fix that as soon as possible!

@ulikoehler
Author

@nitmir I hope 3e5c8b9 solved the issue!

@nitmir

nitmir commented Oct 28, 2013

Great, that works perfectly!

@Hexalyse

You're welcome @ulikoehler .
I can only agree with you, duplicating the repository can lead to confusion. But we don't know what has kept @sebsauvage away from github. I must say I'm not a git (and github) expert, but I'm sure we could use a fork to make changes and go through this todo list, then make a big pull request to the main sebsauvage's repo when he'll be available to handle it.
It sure will require a long review before it's merged, but hey... better than waiting in this "Alpha 0.19" state !

You seem to be way more skilled than me for web development. I'm not really into web-dev, but I think I might be able to help doing some little additions or bug fixes.

Right now, the feature that has my interest is this password-protection thing. I love the idea of Zerobin, but I think that embedding the key in the anchor part of the URL can sometimes negate the purpose of the tool: this key is impossible to remember, and anyone stumbling upon the complete link can then see the paste. Adding a "password" to the end of this generated key allows you to send paste to somebody with whom you'd have previously agreed about a password.
Then only the persons aware of this password can retrieve the paste, yet we don't compromise the security of the paste because we keep a good entropy by concatenating the generated key to this chosen password (am I wrong about this part ?).

Anyway I think your plan is good. I'm not sure about the need of writing a documentation for installation as the wiki maintained by @sebsauvage features a part about installation, and it's pretty straightforward.
A description of the dataformat and general architecture of the project seems pretty useful to me for more clarity, though :).
The configurable options are also a very good idea. It would allow to change the possibilities without directly altering files, making the merges a daunting task.

I hope this project will be on tracks again soon :)

@elrido

elrido commented Oct 29, 2013

@ulikoehler Regarding MVC and database: I have a fork that did just this and also features unit tests, some documentation, theming, etc. If you would like to participate I will commit some of my time too and start to implement your patches into it. This offer of course goes to anybody who wants to join in. You find my work here https://github.com/elrido/ZeroBin and the test instance is at https://snip.dssr.ch/

@ulikoehler
Author

@Hexalyse Thanks for your feedback! Are you generating a random key plus a password (i.e. a salted password)? Do you use a password-based key derivation function? I think that's a really valuable feature, however I think it should by default be turned off (by config.php).

@elrido That's really interesting & good to hear, I'll try to take a look at it towards the weekend when I finally have some spare time :) Of course I'm interested in participating
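
The scheme discussed in the two comments above (random URL-fragment key concatenated with an agreed password, then run through a password-based KDF), as an added example that is not ZeroBin's or any participant's code. It assumes Node's built-in `crypto`, PBKDF2-SHA256 and AES-256-GCM; the function names and the iteration count are hypothetical choices for this sketch.

```javascript
const { randomBytes, pbkdf2Sync, createCipheriv, createDecipheriv } = require('crypto');

// Assumed parameter for this sketch; it is not taken from ZeroBin.
const PBKDF2_ITERATIONS = 100000;

// Random 256-bit key that would travel in the URL fragment (after '#').
function newUrlKey() {
  return randomBytes(32).toString('base64'); // always 44 characters
}

// Stretch "URL key + password" into an AES-256 key. The URL key has a fixed
// length, so the concatenation is unambiguous; an empty password means
// "no password set". The random key's entropy is kept, the password is added.
function deriveKey(urlKey, password, salt) {
  return pbkdf2Sync(urlKey + password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Returns the blob a server would store; it contains no key material.
function encryptPaste(plaintext, urlKey, password) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(urlKey, password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Returns the plaintext, or null when the URL key or the password is wrong.
function decryptPaste(blob, urlKey, password) {
  const key = deriveKey(urlKey, password, Buffer.from(blob.salt, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // GCM authentication failed: wrong key material
  }
}
```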

@nbraud

nbraud commented Oct 30, 2013

@ulikoehler Regarding this push request (and while I'm not ZeroBin's developer), I believe adding the option relevant to a PR that wasn't merged yet should be done in the PR itself, not by adding a new PR containing options for everything but the kitchen sink.

Regards,
Nicolas

@ulikoehler
Author

@nbraud Of course you're right, I was just referring to the possibility of adding a config option to enable/disable it, at the moment I think it's best to do it after both Pull Requests have been merged, because it might be good if they can be merged independently.

@nbraud

nbraud commented Oct 30, 2013

Oops, indeed.
Sorry, I shouldn't comment while flu-addled :(

@ulikoehler
Author

No problem, get well soon ;-)

@Ypnose

Ypnose commented Oct 31, 2013

I'm also interested in this pull request. I'll try to bump the author on Twitter.

@ulikoehler
Author

Thanks @Ypnose ! I'll also try to email him, but right now I literally don't have a single minute to spare...

@Ypnose

Ypnose commented Oct 31, 2013

If he doesn't answer before tomorrow, I can send him an email if you want.

@ulikoehler
Author

@Ypnose That would be really great! Thanks a lot!

@Ypnose

Ypnose commented Oct 31, 2013

No worries.

@Ypnose

Ypnose commented Nov 5, 2013

Seb answered me. The project is not dead. He'll examine the "pull requests", but he doesn't know when.
Here's the news :)

@ulikoehler
Author

Thanks again @Ypnose for mailing @sebsauvage! I'm really happy to hear this, as it will, hopefully, lead to a single, maintained ZeroBin version in the future!

@elrido Sorry, I didn't have time to review your changes yet, but I promise I'll make up for that once university doesn't eat up all my devtime!

6 participants