That's ColdFusion?

Posted on June 17, 2010 by: Justin Scott 0 Comments

I just realized that I have some catching up to do.  At work I spend my days looking after a fairly large number of ColdFusion applications running on ColdFusion 7 and 8.  Most of the underlying code in these applications was written back in ColdFusion 5 and subsequently adjusted to work in newer versions, but it's rare that we need to update the framework in a really fundamental way.  It does a great job and has lots of little whiskers all over it from where it's been amended and beaten into doing whatever we need it to do.  However, it's all procedural code and scantly makes use of any of the newer features offered by the ColdFusion engine.  In my off-hours (if there is such a thing), I'm doing a lot of the same except for other clients who are also running older versions of ColdFusion or have applications originally written for older versions.  Then, I read a blog post from Terrence Ryan inviting ColdFusion skeptics to give the platform a try.  In the post, he outlines some of the concepts and features that we all know and love about ColdFusion.  He also links to some recent CF code on GitHub showing what "modern" ColdFusion can look like (in an attempt to show that not all ColdFusion code has to resemble your favorite pasta).

When I first clicked the link, I began to wonder if it was directed to the wrong place.  That doesn't look ANYTHING like what I'm used to seeing ColdFusion code look like.  I recall reading that components (ColdFusion's answer to classes in other languages) could now be written entirely in script form (as opposed to the usual tag form), but I had never actually seen one in practice.  Furthermore, ColdFusion 9 has made just about every tag available in script form, so we end up with code such as:

var httpObj = New http();
httpObj.setUrl(variables.apiUrl & "translate");
httpObj.addParam(name='v',type='url',value=variables.v);
httpObj.addParam(name='q',type='url',value=arguments.q);
httpObj.addParam(name='langpair',type='url',value=arguments.from & "|" & arguments.to);
var result = httpObj.send();

This was pulled from Ryan's sample on GitHub.  Usually this would be done with the CFHTTP and CFHTTPPARAM tags, but this is the first I've seen someone using the script form.  It all looks alien to me, which means that I need to take my own advice and re-read the tag and function references (my number one piece of advice to new CF programmers at Annex ten years ago).  Hopefully I will be able to find some time to refresh myself and convince my employer or a client or two that an upgrade to ColdFusion 9 is necessary so I can get some hands-on experience.  I do have CF9 installed on my laptop for development purposes, but the code all gets deployed to older servers, so I can't use the new features and put them into production just yet.  It's one thing to toy around on the local system, and another thing entirely to actually put code into production.


ColdFusion 9 Server Lockdown Guide

Posted on May 28, 2010 by: Justin Scott 0 Comments

Pete Freitag, of HackMyCF fame, has written an informative guide on securing Adobe ColdFusion Server.  The guide is available from Adobe.  It covers how to lock down the ColdFusion Server installation and limit the attack surface that the server software itself presents.  It also talks about how to lock down the administrator so that it is only available to those who need access.  The guide makes great suggestions for those who run production ColdFusion servers that want to minimize their attack surface.  The guide also discusses how to remove functionality you're not using from the server, makes suggestions for various ColdFusion administrator settings and their impacts, as well as some suggestions for developers to improve the security of their code.  Overall, a nice guide for anyone who administers a ColdFusion server.


Mango API - How to Create a Post

Posted on May 28, 2010 by: Justin Scott 3 Comments

I've been using Mango Blog on and off for quite a while, but recently I've really begun to dig my heels in and use it as a platform to base entire websites on.  Part of the magic of Mango Blog is its extensibility.  Laura has done a fabulous job of providing hooks into the core engine.  My goal is to write code around it that does what I want but never actually modifies the core engine.  This is easier said than done, but Mango makes that goal a lot easier to reach.  Now, one of the things that comes up often is creating new posts automatically.  They could be coming from an RSS feed, another content management system, or user submissions.  The first thing that springs to mind would be to write the data directly to the database.  That, however, would be a Very Bad Thing(tm).  Mango may change the database structure with a new release, or move to some other means of storing posts entirely.  That would also bypass the event announcements that plugins are looking for.  That would ruin your whole day!  So what are we to do?

Enter the API.  Mango provides a pretty decent set of APIs into the core functionality.  One of these is the ability to create a new post through code in a way that lets Mango handle the data storage and preserves the event announcements and all the other "work" that goes on in the background.  The API says, "Give me the data and I'll take care of the dirty work for you."  How do we use the API?  It's simple, really.  Here's an example:



<cfscript>
// Get the API
mangoAPI = createObject("component", "api.api");
// Set up the post attributes.
myPost = structNew();
myPost.username = "admin-username";
myPost.password = "admin-password";
myPost.title = "API Post Title";
myPost.content = "This is a post through the API";
myPost.publish = true;
myPost.blogID = "";
// Call the API.  Returns the post ID or an error string.
postID = mangoAPI.newPost(argumentcollection=myPost);
</cfscript>

Wasn't that easy?  The username and password would be the login credentials of the admin user you want to "own" the post.  The publish setting determines whether the post will be published on the site or put into "draft" mode.  The blogID is ignored as of this writing (perhaps it's reserved for a future release where Mango supports multiple blogs on the same install).  The API will return either a UUID which is the new post ID, or an error string letting you know what isn't right.  Hopefully this will help anyone who's trying to automate their Mango a bit.  Cheers!
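For the user-submission case mentioned above, here is an added example (not Mango Blog's code and not from the original post) that wraps the same newPost call so that untrusted text is encoded, stored as a draft, and the UUID-or-error return value is checked. The helper name createDraftFromSubmission and the creds struct are hypothetical; the sketch assumes the caller loads the admin login from somewhere outside the web root and source control instead of hardcoding it.

```cfml
<cfscript>
// Added example, not Mango Blog's or the original post's code.
// createDraftFromSubmission is a hypothetical helper. "creds" is a struct with
// username and password keys that the caller loads from a location outside the
// web root and source control (an assumption about your deployment).
function createDraftFromSubmission(creds, title, body) {
    var post = structNew();
    var result = structNew();
    var returned = "";

    result.ok = false;
    result.postID = "";
    result.error = "";

    if (len(trim(title)) eq 0 or len(trim(body)) eq 0) {
        result.error = "Title and content are required.";
        return result;
    }

    post.username = creds.username;
    post.password = creds.password;
    // Submitted text is untrusted: encode markup so it cannot run as HTML.
    post.title = htmlEditFormat(trim(title));
    post.content = htmlEditFormat(trim(body));
    // Hold it as a draft until an editor has reviewed it.
    post.publish = false;
    post.blogID = "";

    returned = createObject("component", "api.api").newPost(argumentcollection=post);

    // The post describes the return value as a UUID on success and an error
    // string otherwise. Accept either UUID layout, treat anything else as failure.
    if (isValid("uuid", returned) or isValid("guid", returned)) {
        result.ok = true;
        result.postID = returned;
    } else {
        result.error = returned;
    }
    return result;
}
</cfscript>
```

Keep result.error for server-side logging and show submitters a generic message, since the API's error string may describe why the login or post was rejected.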

