Posts about Open Source

Update: 101 ways to optimize Magento for speed

Less than two weeks ago I did a blog post about ‘101 ways to speed up your Magento e-commerce website‘ that made my blog stats skyrocket. Guess Magento and its speed is a hot issue :).

This blog post is a quick update about two things: more tips, and a Magento site to prove to you that Magento can be fast.

To begin with the first: thanks for all the great reactions to my list. I know I cheated a little with the title (I only started out with 30 tips), but with your help the list is now up to 43 tips and some additional bonus tips. That’s great! Thank you for sharing and for showing all those people complaining about Magento speed that they are just plain wrong.


Possible security issue with Magento roles

One of the wonderful things about Magento is its fine-grained ACL (Access Control List): you can give colleagues or external parties access to small parts of your Magento backend. For example, you can create a user role with general access to all orders, or very specific access to only orders on hold. You can grant access to only Reviews and Ratings, or combine that with access to certain Reports, CMS pages and promotional features. In total there are 196 (Enterprise) or 156 (Community Edition) functions you can enable or disable for a role. You then assign users to a role, and voilà: Magento ACL.

The issue

Two of those 196 (or 156) functions give users access to the Roles and Users permission system, which basically means that these users can create and edit roles and users.
Today I found out that these users can manage ANY role and can assign it to ANY user. Starting to feel the problem here…?

A user with very limited access but with at least the right to manage permissions can give himself access to the complete website, and it doesn’t stop there: this user is also able to change the role of all other administrators (with more or all rights), or even set them to inactive. In other words, the permission to manage roles and users is effectively full administrative access, whatever else the role denies. I have no idea how many shops have users with limited access that includes access to roles and users, but I can think of situations where this might apply to certain roles within a company. And although this is not a bug in the code, in my opinion this definitely qualifies as an unwanted ‘feature’.

I’ve searched for the issue in the Magento bug tracker, but it seems it hasn’t been reported yet, so I created this ticket for the issue.

What you should do

If you’re the only user in your shop: nothing. If you have multiple backend users with different permissions, check which roles have access to the Roles and Users section and change them accordingly; any role that keeps that access should be treated as a full administrator role, whatever else it denies. At the very least, be aware of how Magento behaves with these permissions.

What Magento could do

I think it would be best to limit a user’s ability to create or edit roles to the permissions the user’s own role has. You shouldn’t be able to create a role with more rights than your own role. You also shouldn’t be able to remove permissions from other roles for features you don’t have access to in the first place. Users should be able to create roles and add users with permissions that at best match their own. And they should definitely not have the permission to deactivate or remove administrators with all or more permissions.
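To make both points concrete, here is an added example (my own audit script, not Magento’s code): it finds the roles described under ‘The issue’ (roles that may manage roles and users without already having full access, i.e. roles that can promote themselves) and models the policy proposed above (an editor may only touch roles and users whose rights lie within its own). It assumes, without the post saying so, that Magento 1 stores ACL rules in a table named `admin_rule` with columns `role_id`, `resource_id` and `permission` (‘allow’/‘deny’), that a full-access role is stored as a single row with resource_id ‘all’, and that the two resources granting permission management are called `admin/system/acl/roles` and `admin/system/acl/users`; the table data and the list of resources are constructed for the example. Check those names against your own installation before relying on the output.

```python
"""Audit Magento 1 ACL rules for roles that can escalate their own rights,
and model a 'you may only edit within your own permissions' policy.

Added example, not Magento's own code. Assumed (not from the post): table
`admin_rule` with columns role_id, resource_id, permission ('allow'/'deny');
a full-access role is one row with resource_id 'all'; the permission-management
resources are 'admin/system/acl/roles' and 'admin/system/acl/users'.
"""
import sqlite3

ALL = "all"
ACL_ADMIN_RESOURCES = frozenset({"admin/system/acl/roles", "admin/system/acl/users"})

# Constructed resource universe used to expand the 'all' row. A real audit
# would take this list from the ACL tree of the installation being checked.
RESOURCES = frozenset({
    "admin/sales/order", "admin/sales/order/actions/hold",
    "admin/catalog/reviews_ratings", "admin/cms/page", "admin/report",
    "admin/system/acl/roles", "admin/system/acl/users",
})

# Constructed sample rows, standing in for
#   SELECT role_id, resource_id, permission FROM admin_rule
SAMPLE_RULES = [
    (1, ALL, "allow"),                              # role 1: Administrators
    (2, "admin/sales/order", "allow"),              # role 2: order desk, orders only
    (2, "admin/system/acl/roles", "deny"),
    (3, "admin/catalog/reviews_ratings", "allow"),  # role 3: support, reviews + user mgmt
    (3, "admin/system/acl/roles", "allow"),
    (3, "admin/system/acl/users", "allow"),
]


def load_sample_db():
    """In-memory stand-in for the Magento database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_rule (role_id INTEGER, resource_id TEXT, permission TEXT)")
    db.executemany("INSERT INTO admin_rule VALUES (?, ?, ?)", SAMPLE_RULES)
    return db


def allowed_by_role(db):
    """Map role_id -> frozenset of allowed resource ids, expanding 'all'."""
    rows = db.execute("SELECT role_id, resource_id, permission FROM admin_rule").fetchall()
    allowed = {}
    for role_id, resource_id, permission in rows:
        if permission != "allow":
            continue  # 'deny' rows grant nothing
        granted = RESOURCES if resource_id == ALL else frozenset({resource_id})
        allowed[role_id] = allowed.get(role_id, frozenset()) | granted
    return allowed


def escalation_capable_roles(allowed):
    """Roles that may edit roles/users but do not already hold full access.
    Under Magento's current behaviour each of these can grant itself, or any
    other user, everything."""
    return sorted(role_id for role_id, perms in allowed.items()
                  if perms & ACL_ADMIN_RESOURCES and perms != RESOURCES)


def may_edit_role(actor_perms, target_before, target_after):
    """Proposed policy: the editor's own rights must cover the role both before
    and after the change, so it can neither grant nor revoke what it lacks."""
    return target_before <= actor_perms and target_after <= actor_perms


def may_deactivate_user(actor_perms, target_user_perms):
    """Proposed policy: you cannot deactivate or remove a user with more rights."""
    return target_user_perms <= actor_perms


if __name__ == "__main__":
    allowed = allowed_by_role(load_sample_db())
    print("roles able to escalate:", escalation_capable_roles(allowed))
    support, admins = allowed[3], allowed[1]
    print("support may give itself everything:", may_edit_role(support, support, RESOURCES))
    print("support may deactivate an administrator:", may_deactivate_user(support, admins))
```

Against a live shop you would replace `load_sample_db()` with a read-only connection to the real database and feed the actual resource list into `RESOURCES`; any role listed by `escalation_capable_roles` is, in practice, an administrator role and should be reviewed as such.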

I hope this helps you in preventing a hostile takeover by other users… Well, I don’t seriously think it will go that fast, since I don’t think you will give just anyone access to your Magento backend. But if you have a large company with multiple backend users from different departments, and maybe third parties that are able to log in, this is definitely something to check and be aware of until this is fixed.

Help! I’m going Mac! (blame Office)

Sounds kind of desperate, but maybe that’s a little true… I switched to an all-open-source ‘strategy’ on the desktop (and laptop, for that matter) for the last couple of years (after many years of using MS Windows) and that worked quite nicely for me. I used Ubuntu, OpenOffice and lots more good open stuff. And when I choose a software program I (expect to) use heavily, I always look at whether it is cross-platform (either as a native program or web-based), because 1) I might want to switch to another OS or use the program on another PC and 2) the people I work with who use another OS need to be able to use it as well when needed.

But my job requires me to work closely with our clients and (sub)contractors, and they all use MS Office…. For the last half year I really tried to work with Office documents both through OpenOffice and through Office in a Windows XP VirtualBox environment, but neither worked out. The first doesn’t because it isn’t as compatible as I would like it to be; the second was terribly slow.

So I need an OS that can run Office natively, which leaves two options: a Windows solution or a Mac solution. Both are against my personal policy of being open, but apparently the (work) environment in The Netherlands isn’t ready for that, so I’m willing to compromise… for a few years…



Top 8.5 tips for getting started in ecommerce

At my day job, some of the people who come to us for a Magento webshop run companies that already have a webshop and know what is involved. Some others, though, have a retail store or a completely new business model but little to no experience in the e-commerce field. This post tries to give some tips to the second group.

Tip 1: Time and money estimates

Thought about a rough budget for the project startup, the maintenance costs and how much time it will take you to run the website? Good. Now triple that, and I assure you it will be a lot closer to reality than your own estimates.

Tip 2: Crawl before you walk

It’s great to think big. It gives your team a goal to work towards and keeps the big picture in mind. But don’t start running before you can walk, or even crawl. This is new to you; take on the adventure, but do so step by step. Slice the big picture into smaller parts; there is no shame in starting small. No one expects you to start an eBay- or Amazon-sized business overnight. Besides, being small gives your company agility, something bigger companies don’t have, so you can move faster. In every project we see people gaining some form of hindsight. If you start big, you can’t always use that hindsight anymore, because processes are now fixed and hard to change. If you start small, you can optimize processes and products much more easily.


Joomladays 2009

On Friday 12th and Saturday 13th of June the fourth edition of the Dutch Joomladays will take place in the Mercure Hotel in Nieuwegein, The Netherlands. And this year, I will be the main organizer of the event!

Hundreds of open source experts and business users will attend the event to gain knowledge, exchange experiences and meet all the (in)famous people in the Joomla community. We have well-known speakers from all over the world, like Johan Janssens, Brian Teeman, Fotis Evangelou, Gary Brooks and Hannes Papenberg, presenting on different interesting subjects. Every day will end in a small party with music, ‘Joomla Jeopardy’ and of course some drinks!

Luckily, I don’t have to do all this on my own: I have a wonderful team of Dutch Joomla enthusiasts who help bring this event to greater heights. New this year are the training courses and the ‘Doctor Joomla‘ sessions. We also have 7 world premieres at our event, one of them being the first look at the next major Joomla edition (version 1.6) by core team member Hannes Papenberg.

Of course we have a (Joomla) website with more information about the event and how to get your tickets: www.joomladays.nl.

Joomla!days Netherlands - 12 & 13 June 2009, Nieuwegein

Review of my new phone: Android G1

Haven’t done a real blog post in a while, so let me write something again…

In the night from Monday to Tuesday I finally (after a lot of hesitation) bought an HTC G1 phone with the Android OS. For those who are already lost: HTC is a manufacturer of smartphones/PDAs (just like, for example, the better-known Nokia, Sony Ericsson and also Apple), G1 is the model number (which in this case stands for the first Google phone) and Android is the operating system the phone runs on (just as there are other phones that run on, for example, Symbian or Windows Mobile).

Why a new phone?

What I was looking for was a successor to my HTC P3300, which after almost 2 years was really due for replacement. Wear on the case, Windows Mobile 6.1 runs terribly slowly on it (downgrading is not an option) and the battery very regularly cut out at random moments (without actually being empty). I was also online more and more, and then you quickly run into the limitations of the GPRS connection. Furthermore, I use a lot of Google products, and I really wanted to synchronize mail and the calendar in particular with my phone (over the air). Mail is no problem (via IMAP), but the calendar was a real disaster: it had to go through Outlook anyway (and not over the air) and regularly went wrong. So, time for something else; this was no longer pleasant to work with.

Houston, we have liftoff!

Today was the day: my newly founded B.V.’s were officially incorporated today!

After almost 3 months of silence, finally another post from me! I have been quite busy all those months making plans for my own organization, which I will be working on full-time. Writing a complete business plan, visiting companies: is there interest in my plans? Does it all seem feasible? And if so, how am I going to tackle it? Continue with my sole proprietorship or switch to a B.V. after all? One B.V., or two right away (for a holding structure)? And then start immediately, or wait first?

Questions, questions, questions… That is mainly what those plans raised for me. But I believe in my plan, so I decided to go for it completely. Then you think: choice made, now I can start doing business. But then come the talks with the tax advisor, the notary and an accounting firm, applying for a certificate of good conduct from the Ministry of Justice, a bank statement, back to the notary, the Chamber of Commerce and the Tax Administration… And because I chose the holding structure, everything has to be done twice, and after a few weeks you are very well practised at signing your own name…

But today it was finally official :D. Not that it was very spectacular; I just received the deeds of incorporation from the notary through the letterbox, without fireworks, champagne or cake. Still, I’ll buy that cake myself ;).

If you want to know what I am actually going to do, visit the website of my B.V. (that sounds pretty cool now ;) ): Dutch Open Source B.V.

English Pigeon

As part of the business I am about to start (more on that later), today I set up an information site around the open source (MSN) messenger alternative ‘Pidgin’ (a nice pun of course… pigeon… post… :) ).

For more info, visit www.pidgin.nl.