
I came into work this morning with literally no idea what the video was going to be about today. I have a list of topics, but nothing felt right and then I realized we haven’t really talked about currencies much. It’s part of a larger topic, Internationalization, and with what we’re doing with language support and the translator it only makes sense that we should discuss currencies.

Of course, a big part of currencies is multi-currency support and v2.5 has it, but it’s much improved in v3. In v2.5, multi-currency has to be explicitly enabled and everything revolves around the default currency. While v2.5 can accept payments in many currencies, clients are billed based on the exchange rate to the default currency. So, the biggest difference between v2.5 and v3 is that prices can be specified at the package level for each individual currency, effectively fixing prices. Only when a price is not available for the currency does the exchange rate come into play.

  1. Prices can be set for each currency at the package level, which overrides the exchange rate.
  2. Multi-currency doesn’t need to be enabled, just use it if you want to use it.
  3. Exchange rates can be fetched from Foxrate, Yahoo Finance, or Google Finance.
  4. Exchange rate updates can be disabled and exchange rates manually updated.
  5. New package period options Day, Week, and Year in addition to Monthly and One Time.
  6. Cancellation fees can be assessed and configured at the package level.

Interesting fact! With Day, Week, Month, and Year package period options now available, terms can range between 1 and 65535 (2^16 – 1) which equates to 65535 * 4 + 1, or 262,141 possible service terms available. So much for just monthly, quarterly, semi-annual, and annual huh? Do your own thing.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

 


In January we announced the availability of a language crowdsourcing project, the Blesta Translator. The goal of the project is to facilitate the translation of Blesta into many languages, and to ship these languages with Blesta, starting with version 3.

This week we made a few additional changes live, and they are –

  1. Added Nederlands, NL (nl_nl) to the list of available languages
  2. Added a machine translation (Google) for reference
  3. Added “In Order” and “For Confirmation” translation methods
  4. Added some context to language strings including terms, filename, and type

#2 Machine Translation

The machine translation is available for all translation methods, “Random”, “In Order”, and “For Confirmation”. By default it is not displayed, but will be shown when a link is clicked. The idea is that it may be useful to see the Google translation, but that it shouldn’t be relied on, or copied without forethought.

#3 Additional Translation Methods

The goal of the translator isn’t simply to get translations, but to get good translations.

When different people translate a term identically, it has a higher weight than terms that are only translated by one person. Such terms become “confirmed”, and are trusted to be more accurate. So, the “For Confirmation” translation method displays the best possible translations by other people. One of these translations can be accepted by clicking on it. Alternatively a different translation may be entered like normal.

The “In Order” translation method is pretty self-explanatory, terms are given in alphabetical order with the goal of completing a translation. This means that some terms may be skipped initially until the translation is completed as a whole. Once the translation is completed, terms that were intentionally skipped will be presented.

The end goal is to make several translations available. A version translated wholly by a specific person, a confirmed only translation that may be missing some terms (missing terms are shown in the default language), or a complete translation consisting of confirmed only or both confirmed and unconfirmed terms. The latter are the ones we will include with Blesta by default, but all will be available for direct download in the future.

Thanks for reading! If you know another language, please sign up and contribute.

Video next week? Probably.


Part of my job in the development of v3 is to take a step back and consider how each and every feature in Blesta can be improved over previous versions. Lots of thought, and many discussions surround even the simplest details of both the external and internal workings of Blesta, the visible and invisible.

Today I want to compare and contrast, and reveal how we handle automation in v3.

v2

Version 2 has a Cron Status & Setup page, under Settings > API/Cron Settings. The intent of this page is to show you when the cron last ran, how to set up your cron, and provide a method by which to run the cron manually. We were the first to secure the cron with a key, preventing it from being run by unauthorized users. Overall very basic, and it works pretty well.

v3

Version 3 does everything mentioned above, but in a simpler, more intuitive way — with the addition of being able to update the cron key right here. This key is now separate from the API key, which it shared in v2.

This is a good replacement for v2, and we could have stopped there.. but like I said in the opening, a lot of thought, many discussions.. and I’ll add, a lot of planning and development time goes into each and every feature.

One thing that bothers me a lot with v2 is that I can’t set exactly when I want a particular task to execute. Some tasks run once daily, some run every x minutes. The daily tasks run every day at midnight, and for the most part, the more frequent ones are at the mercy of how often the cron is scheduled to run.

This creates some issues, first of all is that midnight emails probably don’t have the highest read rate. Secondly, midnight account suspensions for non-payment result in emergency tickets at a time when most of your staff is sleeping or in the shower.

So, the actual cron job should run every 5 minutes, and you should be able to schedule when each task runs. Right? We think so. It’s almost common sense, but nobody has done it until now.


Above is what Invoice Creation and Auto Debit tasks look like. In this case, we have them both set up to run at 2pm daily. These are 2 tasks out of more than a dozen.

What about more frequent tasks?

This option illustrates how paid pending services, such as exist when a new order is placed, are provisioned.. every 5 minutes.

In addition to being able to schedule each task, they can also be explicitly disabled.

Developer Candy: Plugins can register automation tasks.

Another important thing to note is that all the times are in your local timezone — or whatever you set your timezone to be, regardless of the server time. Additionally, all dates and times in Blesta everywhere are stored in the database as and converted from UTC, which means you can change your timezone without affecting the stored value.

The default options will be perfect for most people, and there will be no real necessity to dig in and tweak these around.. Really, it’s not that important, but I wanted to show you for two reasons. 1. It’s a neat, practical feature and more importantly.. 2. It gives you a glimpse into how we work, how detail oriented we are, and how serious we are when it comes to usability.

Hope you have a nice weekend. Speaking of weekends…

Nerd Alert: If you play a game called Minecraft, we’ve got a Minecraft server up and running at 74.80.216.146. Come join us, some of our friends, and some of their friends as we build random stuff. HostMaster = Me, Awesomisitist = Tyson, Codelphious = Cody.


Cody posted an article last week on Software Licensing, which I found amazing. Be sure to check it out if you haven’t already.

This week I’ve got another video, and it’s all about options available for invoices. There are many improvements in v3 when it comes to invoices, so I thought you might like to see what we’ve got cookin.

  1. Two all newly designed invoice templates available.
  2. Invoice formats are now available. Add a prefix, suffix, and/or the year to invoice numbers.
  3. Set or change the next invoice number anytime.
  4. Have invoice numbers increment 1 at a time or in multiples, ie Invoice # 5, 7, 9.
  5. Pad invoices to a specific length, ie Invoice # 00001, or xxxx1.
  6. Add your logo, a background image, and company name and address to invoices.
  7. US Letter, and A4 paper sizes now supported.
  8. A PAID watermark can now be displayed on paid invoices.

Invoices are flexible yet simple, fully internationalized, clean, and they print beautifully. I’m really happy with the changes we’ve made to invoices since 2.x and I hope you are too!

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

 


Software licensing offers software developers a means of ensuring their product is not installed without prior authorization (generally by purchasing the product). Some competing products offer licensing modules to facilitate the deployment of such software, but their designs are critically flawed in a number of ways. Today I’ll describe the software licensing scheme we use in Blesta 3.0, and why it works. But first, let’s take a look at the problem.

To ensure an installation is allowed to run, it needs to establish its authenticity. This is generally done by “calling home.” That is, by contacting the licensing server. Information returned from the licensing server varies, but generally contains data about how, when, and where the software can run.

The naive approach

It goes without saying that if the license data can be tampered with, one can easily bypass the license check. To resolve this, others have devised a scheme whereby the data is hashed using a shared secret salt known by the licensing server and by the product. When the product receives the license data it creates a hash from the data using the shared secret salt and compares that hash with the one that accompanied the data. If the two hashes match the data is trusted, otherwise the data is rejected.

Some systems don’t even bother sending the original hash of the data and instead compute and store the hash upon arrival for future reference. These systems are even less secure.

There are a number of exploits with these systems:

  • Because the same shared secret is used to generate the hash across all installations it may be possible to obtain the shared secret
  • Because the hashing method generally used is insecure it may be possible to tamper with the data and still produce the same hash (i.e. a hash collision)
  • Because the data passed across the line is unencrypted or poorly encrypted it may be intercepted and the licensing server may be tricked into returning data regarding a separate valid license, or the licensing server may itself be spoofed

Exploiting it

Some may argue the dangers of revealing how insecure systems can be compromised, just as a magician might jeer at the sight of someone exposing their trickery. Those that argue from that position fail to realize that security does not arise out of obfuscation. Shannon’s maxim teaches that one must always assume that an attacker understands exactly how a system operates.

  1. Determine where the software calls home to. This can be done by monitoring network traffic or guessing the license server domain.
  2. Spoof the licensing server by modifying the server’s DNS or hosts file to resolve to a “license server” you create.
  3. Capture the data sent to the licensing server to a log file.
  4. Capture the data returned from the licensing server. This can be done by manually passing the data from #3 to the licensing server. Note that if you do not have information to obtain a valid response from the license server, you may be able to obtain that information from another user with a valid license or from a public demo of the application.
  5. Return the license data you capture from the license server, or modify it to ensure it continues to function ad infinitum.

The solution
Digital Signature diagram

A digital signature allows us to verify the authenticity of a message through the use of an asymmetric key cipher, which uses one key (the private key) to encrypt data and an entirely different key (the public key) to decrypt data. This means that an attacker cannot reproduce signature data, since they do not have the private key.

How it works

  1. The license server generates a unique public/private key pair for the installation and delivers the public key securely to the installation
  2. The license server then encrypts the license data, generates a hash of the data and encrypts it using the private key to produce the signature
  3. The license server then delivers the data and signature to the installation
  4. The installation verifies the signature by decrypting the signature with the public key and comparing it with the hash it generates from the data

In the event that the signature can not be verified the license data is rejected and the license becomes invalid. Attempting to spoof the license server does nothing because only the license server can sign messages and the installation will only be able to verify signatures from the license server.

Additionally, at any time the license server may choose to generate a new key pair. This is especially useful because as attacks on asymmetric key ciphers become computationally cheaper it becomes increasingly important to cycle keys and/or increase key lengths.
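The contrast between the two schemes above, as an added Go example that is not from the original post or from Blesta's licensing plugin. It assumes RSA PKCS#1 v1.5 signatures over SHA-256, HMAC-SHA256 for the shared-secret scheme, and a constructed JSON license payload with hypothetical `domain` and `expires` fields; the step that encrypts the license data is left out.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is a constructed payload; the field names are assumptions.
type License struct {
	Domain  string `json:"domain"`
	Expires int64  `json:"expires"` // Unix seconds
}

// naiveTag is the shared-secret scheme (HMAC-SHA256, stronger than a salted
// hash). One secret both issues and checks tags, so any copy can mint them.
func naiveTag(secret, data []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(data)
	return m.Sum(nil)
}

func naiveVerify(secret, data, tag []byte) bool {
	return hmac.Equal(naiveTag(secret, data), tag)
}

// Sign runs only on the license server, which alone holds the private key.
func Sign(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Verify runs on the installation, which stores only the public key. The
// signature is checked before any field of the data is parsed or trusted.
func Verify(pub *rsa.PublicKey, data, sig []byte, now time.Time) (*License, error) {
	h := sha256.Sum256(data)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature invalid, license rejected")
	}
	var lic License
	if json.Unmarshal(data, &lic) != nil || now.Unix() >= lic.Expires {
		return nil, errors.New("license malformed or expired")
	}
	return &lic, nil
}

// Results records which license responses each check accepts.
type Results struct{ NaiveEdited, Genuine, Edited, OtherKey, Expired bool }

// Demo runs both schemes over constructed data with a fixed clock.
func Demo() (Results, error) {
	var r Results
	now := time.Unix(1700000000, 0)
	good, _ := json.Marshal(License{Domain: "billing.example", Expires: now.Unix() + 86400})
	edited, _ := json.Marshal(License{Domain: "billing.example", Expires: now.Unix() + 864000000})
	secret := []byte("constructed-shared-secret") // ships inside every copy
	r.NaiveEdited = naiveVerify(secret, edited, naiveTag(secret, edited))
	server, err1 := rsa.GenerateKey(rand.Reader, 2048)
	other, err2 := rsa.GenerateKey(rand.Reader, 2048) // not the license server's key
	if err1 != nil || err2 != nil {
		return r, errors.New("key generation failed")
	}
	sig, _ := Sign(server, good)
	otherSig, _ := Sign(other, edited)
	ok := func(data, s []byte, t time.Time) bool {
		_, err := Verify(&server.PublicKey, data, s, t)
		return err == nil
	}
	r.Genuine, r.Edited = ok(good, sig, now), ok(edited, sig, now)
	r.OtherKey, r.Expired = ok(edited, otherSig, now), ok(good, sig, now.Add(48*time.Hour))
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

A valid signature says nothing about freshness: a genuine response stays acceptable until its `expires` value passes, so the validity window should be kept short and checked on every call home.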

Why are we telling you all this?

It would be great if there were no need for software license validation, but there is and there’s a market for it. Our philosophy is if you’re going to do something you ought to do it right. At the moment, thousands of developers put their software in the hands of licensing systems that provide illusory protection at best, and that’s unfortunate.

So, why are we telling you all this? Because we’re building a licensing plugin for v3 that does it right. We don’t mind sharing with everyone how it works because even licensing systems should be transparent. And, if our competitors decide to rework their licensing systems and do things right — then everyone is better off. And that’s what it’s all about.


It’s been a while since I posted a video, I missed you. So, today — a new video, about the Staff Calendar. Staff Calendars feature the following:

  1. Mini dashboard calendar with badges that indicate the number of events for each day.
  2. Full size monthly, weekly, and daily calendar.
  3. Shared events, staff members can share events with everyone on their team, or keep them private.
  4. Multi-day, whole day, and time based events are supported.
  5. Intuitive drag-n-drop interface to create and edit events.

We hope you like the calendar, I know our team will be using it! Developer tidbit: Yes, you’ll be able to add events to the calendar from your custom plugin. I know people are going to ask so I’ll tell you.. recurring events are planned for a future release.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

 


A lot of effort has gone into designing and interfacing with the database in version 3, so I thought I’d share a little insight into some of the improvements we’ve made over version 2.

We’ve beefed up the database by making use of transactions, which allow us to add, edit, or remove items from the database with the ability to undo those changes should something go wrong. Because of this we’ve made the switch from a MyISAM storage engine to InnoDB (the default for MySQL as of version 5.5), making Blesta ACID-ic.

Another major improvement is the use of UTF8 collation, which will now allow users to more easily search the database in their native tongue as well as input and output data without conversion. This is a huge improvement for developers, and we are all about developers with version 3.

Speaking of developers, another great improvement is the introduction of the Record component. The record component is a database access object that creates queries using a series of method calls. Never again will you have to worry about which comes first, GROUP BY or ORDER BY.

In addition, the Record component uses the PDO library, making queries safe and secure. But that’s not the only benefit of PDO. Can we say “multi-database support”, as in MSSQL, PostgreSQL, and others? Well, no, not at the moment, but that’s definitely a possibility.

From the Developer Documentation:


One thing we haven’t really talked about much is the client area. We have a good excuse: The vast majority of functionality is built into the staff/admin interface. But, the client experience is important too, arguably much more-so.

In v2.x the client interface is identical in overall design to the admin interface with a slight color change. In v3 we went a different direction. While there are similarities between the client interface and the admin interface they are completely different designs and you log into them independently.

Important notes to make about the client area in v3..

  1. The client interface has a new, clean & unique design.
  2. The client interface can be easily themed & integrated into an existing site.
  3. The client interface now consists of a Portal, Account Management, and Order System.
  4. The client interface is more intuitive and user friendly, and takes advantage of a lot of new features introduced in v3.
  5. Developers will be happy, Plugins can affect the client areas too.
  6. Mystery feature — yes I just did that, more details in a future post.

Portal, Account Management, and Order System. All tied together, all themed the same, all easily integrated into an existing site design.

I can’t not leak some eye candy in a post, so above is a cropped segment of the default order template. I hope you agree, it’s a nice and clean design, yet fairly neutral in terms of color. Though the header is not shown here, it does have color and the color is easily changed.

There’s a lot more I could show you, but we’ll cover more in a future post. And to all a good weekend!


We’ve shown you a fair amount of the staff interface, but I want to show you the staff login page today. Overall this video touches on three things..

  1. Staff Login Page: This is a first, no one outside our team has seen this login page before now.
  2. Two-Factor Authentication: This was originally developed for v3, then back-ported to 2.5.
  3. Resource Preservation: Session expire? Blesta remembers where you were headed.

The staff login page has previously never been shown, although I designed it before much of the interface. Two-Factor Authentication was originally developed early on for v3, and then back-ported to 2.5. As far as we know, no one else supports two-factor authentication, making Blesta uniquely secure. We don’t blame them though, it took plenty of R&D and most solutions are proprietary. Resource preservation is just a fancy term we coined to say that Blesta remembers where you were going, and takes you back there if your session expires and you get logged out and log in again.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

Note: Cody tells me, and I realized after that OATH is pronounced “oath”, not “oh-auth”, which is something completely different.

 


So, let’s keep it real. I didn’t have the time to make a video this week. I’ve been doing a lot of graphic design work on Blesta, some awesome stuff you’ll get to see soon. But that doesn’t mean I can’t share something, right?

Plugins. Are. Amazing. Plugins can do a lot, we’ve talked about them before in passing while describing other features. Plugins can register widgets on the Dashboard, on the Billing Overview, on the Client Profile. Plugins can create entirely new pages, with new functionality, with their own nav links. Plugins can register themselves into the ACL. Plugins can create their own email templates. Plugins are mini-applications. Plugins are POWERFUL.

I know people are going to shock us with what they develop for Blesta using the plugin system. I can’t wait to be blown away.

This post is the tip of the tip of the iceberg, we will have a lot more to say about plugins as we get closer to release.

Oh yeah, plugins can be installed, and uninstalled, upgraded and managed. Here’s what the installed plugins window looks like. These are all plugins that will come pre-installed with Blesta (there will be more too, don’t worry). These ones create widgets on the Dashboard.. and since we wrote them, they got slapped with the Blesta logo. Slap your logo on your own plugin!

 

Maybe a video next week? We’ll see!


I hope you’ve had a chance to check out the Blesta Translator that I posted about and that we released last week. The previous week Cody posted a developer commentary video on our RESTful API that you may want to check out as well.

This week’s video is about themes. We mentioned themes briefly a while back, but here it is in action. You can do the following with themes:

  1. Select from different color themes that are included with Blesta.
  2. Create and save your own color themes, and fine tune colors to match your brand.
  3. Use your own logo, rather than the Blesta logo.

In the future we may add additional options that affect the direction and style of gradients, add additional options, and provide a way to share themes.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound.

 


Blesta is in use in well more than 50 countries, and our friends abroad speak many different and wonderful languages. Blesta has always supported multi-language and some of our users have made their translations available to the community, but it has only ever shipped with English support and translations have been spotty at best. That’s all about to change.

Today we announce the availability of Blesta Translator, a collaborative, community driven effort to provide full, accurate, and up to date translations in as many languages as possible.

The success of this project depends on you. If you are fluent in another language and would like to contribute to the translation of Blesta into your language all you need to do is sign up and start. Contribute as little or as much as you like as often as you like. New and updated language will be added to the translator in advance of software releases and it’s our hope that the new language will be translated in advance of and ship with official releases.

While this is still a beta version, we will be adding a few new features in the coming weeks. Ultimately a daily snapshot of translations will be available for download. We realize this is a continual effort and nobody should have to wait for the next Blesta release to take advantage of the latest translations. Partial translations will fallback to English. Additional stats, graphs, and context for translations will come as well.

So, what are you waiting for? Head on over to translate.blesta.com and get started! You’ll be translating version 3.0.0_dev. While it’s not complete, now’s a good time to get a head start! Contributors are given credit for their efforts.

And, of course, if you have a suggestion to make this tool better please let us know.

Here are the languages currently available for translation:

  1. العربية, SA (ar_sa)
  2. Deutsch, DE (de_de)
  3. Ελληνικά, GR (el_gr)
  4. English, UK (en_uk)
  5. Español, ES (es_es)
  6. français, FR (fr_fr)
  7. עברית, IL (he_il)
  8. italiano, IT (it_it)
  9. 日本語, JP (ja_jp)
  10. polski, PL (pl_pl)
  11. português, PT (pt_pt)
  12. Română, RO (ro_ro)
  13. svenska, SE (sv_se)
  14. 中文, CN (zh_cn)


In this developer commentary, I give a behind the scenes look at the API in version 3.

What we’ve done is create a controller to make available all of the various models in a RESTful manner, using the four primary HTTP verbs (GET, POST, PUT, DELETE). All this controller needs to do is handle parameter passing and output formatting, which we’ve done here in just 342 lines. Available output formats are JSON, XML, and PHP serialization, but more may be added in the future.

The API supports an unlimited number of users, so you can delegate users for specific tasks. In addition, the API may be extended by plugins. The format for those requests is /api/pluginName.modelName/method.format.

Currently the API supports HTTP Basic authentication, but we’re looking to add Digest authentication in the future as well. In addition, we’ve added command line interface (CLI) support which is bound to make API development easier for you programmers out there.

Click the icon in the bottom right of the video player to go full screen.

 


It’s the end of the year and I can hardly believe it. I hope everyone had a nice Christmas, and has a nice New Years!

This week’s video is about emails, largely email templates, and here are some of the highlights:

  1. Email Signatures are new to v3, and were highly requested.
  2. Tons of data available to templates besides just strings, such as objects, and arrays.
  3. Conditionals, loops, and filters are now supported for powerful template control.
  4. Improved layout and usability overall.

Here are some examples of conditionals, loops, and filters.

Conditionals

{% if id > 3 %}
    This will print out if $id is > 3
{% endif %}

Loops

{% for user in users %}
    Name: {user.first_name} {user.last_name}
{% endfor %}
 
This Assumes:
 
$users = array(
    array(
         'first_name'=>"First name",
         'last_name'=>"Last name"
    ),
    array(
         'first_name'=>"First name 2",
         'last_name'=>"Last name 2"
    )
);

Loops can also take advantage of limits. This would only cycle through the loop 1 time:

{% for user in users limit:1 %}

Filters

{past_due | default 'Not past due'} // Produces "Not past due" if past_due is false

Multiple filters can be applied in succession:

{past_due | default 'not past due' | capitalize} // Produces NOT PAST DUE if past_due is false

You get the idea, a lot can be done with templates and all of this and more will be in the documentation.

The video is below, as usual you can make the video full screen, and be sure to turn on your sound. Alright — as we head out for the weekend, see you next year! It’s going to be a good one!

 

We take backups seriously and always tell people to back things up before performing an upgrade. An upgrade issue is rare, but backing up your data should be standard practice for any software upgrade. Regular automatic backups are important too — critical, if you ask me.

The current release supports automatic backups but we wanted to take things a little further in v3.. so, we’ve replaced normal FTP backups with SFTP backups and added Amazon S3. That’s two available backup methods. Both are secure.

Additionally, On Demand backups now have two options: Force Offsite Backup & Download Backup

This is particularly useful when you’re about to perform an upgrade or do system maintenance and want a fresh backup before you do so. Clicking “Force Offsite Backup” will send a backup to your Amazon S3 bucket, or SFTP server, or both, right away.

When configuring your backup method, it’s super easy to test your settings.

In this case, we have backups going to our Amazon S3 bucket, which you can see below.

This is just the beginning. We have plans to add additional backup methods and more in a future post-3.0 release. In v3, you can rest assured that your data is being backed up securely, and regularly, offsite.. well, as long as you configure it first!
