enlivenapp/pubvana

Pubvana CMS v2 — a modern blogging and content management system built on CodeIgniter 4 and Shield.

Installs: 398

Dependents: 0

Suggesters: 0

Security: 0

Stars: 20

Watchers: 5

Forks: 7

Open Issues: 0

Type: project

pkg:composer/enlivenapp/pubvana

v2.1.1 2026-02-24 23:13 UTC

This package is auto-updated.

Last update: 2026-02-24 23:14:49 UTC


README


Blogging and Small Business CMS

Pubvana is a re-brand of Open Blog v3 (with added functionality). v2 is a full rewrite on CodeIgniter 4 with a modern admin UI, dual content editor, theme & widget system, and built-in marketplace.

Installation

git clone https://github.com/enlivenapp/pubvana.git
cd pubvana
composer install
cp env .env
# Edit .env: set app.baseURL, database credentials, CI_ENVIRONMENT
php spark key:generate
php spark migrate --all
php spark db:seed DatabaseSeeder

Point your web server DocumentRoot at the public/ folder.

Default admin login: admin@example.com / Admin@12345 — change immediately after first login.

Theme assets symlink

After installation, activate your chosen theme via Admin → Themes. This automatically creates the symlink public/themes/{folder} → themes/{folder}/assets so CSS, JS, and images are served correctly. If you deploy to a server where the symlink is missing (e.g. after a fresh git clone), either re-activate the theme in the admin or run:

ln -s /path/to/pubvana/themes/default/assets /path/to/pubvana/public/themes/default

The web server user (typically www-data) must be able to write to public/themes/ to create symlinks when switching themes. Set this once after installation:

chown www-data:www-data public/themes/

Media / uploads symlink

Uploaded images (avatars, featured images, media library) are stored in writable/uploads/, which is outside the web root. To serve them, create a symlink once after installation:

mkdir -p public/writable
ln -s /path/to/pubvana/writable/uploads public/writable/uploads

Only the uploads/ subdirectory is exposed — sessions, cache, and logs remain inaccessible.

CLI Commands

| Command | Description |
|---|---|
| php spark wp:import <file> | Import posts/pages/tags from a WordPress WXR export file |
| php spark posts:publish | Publish scheduled posts whose publish date has passed |
| php spark links:check | Scan all published posts and pages for broken external links |
| php spark marketplace:revalidate | Re-validate installed premium item licences against pubvana.net |
| php spark pubvana:update [--dry-run] | Check for and apply Pubvana core updates |

Cron Jobs

Scheduled post publishing requires a cron job. Add to crontab:

* * * * * php /path/to/pubvana/spark posts:publish >> /dev/null 2>&1

Run links:check as needed (e.g. weekly) — results appear in Admin → Broken Links.

Requirements

  • PHP 8.2+
  • MySQL 5.7+ / MariaDB 10.3+
  • Composer
  • Apache mod_rewrite (or Nginx equivalent)
  • PHP extensions: intl, mbstring, json, mysqlnd, gd, zip

Stack (v2)

| Layer | Technology |
|---|---|
| Framework | CodeIgniter 4.7 |
| Authentication | CodeIgniter Shield |
| Admin UI | SB Admin 2 (Bootstrap 4 + jQuery) |
| Public theme | Bootstrap 5 + Font Awesome 6 |
| HTML editor | Summernote |
| Markdown editor | SimpleMDE |

Features (v2)

  • Posts & Pages with draft/published/scheduled workflow
  • Dual content editor — WYSIWYG HTML or Markdown, selectable per post
  • Theme system with widget areas, theme options, and asset symlinking
  • 8 built-in widgets with drag-and-drop area management
  • Configurable front page — blog index or any static page
  • Marketplace — browse and install free themes & widgets (live API + cache + mock fallback)
  • Role-based access — superadmin, admin, editor, author, subscriber
  • Media library with auto-generated thumbnails
  • Navigation manager with drag-and-drop reordering
  • Comment moderation — approve, spam, or trash
  • SEO — per-post meta, sitemap.xml, RSS feed, Google Analytics
  • 301/302 redirect manager
  • Social links manager
  • Author profiles with bio cards on posts
  • Social OAuth login (Google, Facebook)
  • Social auto-share on publish (Twitter, Facebook)
  • WordPress importer (admin UI + php spark wp:import CLI)
  • Post revision history with one-click restore

Security

Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities. Email security reports to cs@pubvana.net. We aim to respond within 48 hours and will credit reporters in the changelog.

hCaptcha (Spam Protection)

Pubvana uses hCaptcha (privacy-respecting, non-Google) to protect comment forms and the contact form from spam bots. hCaptcha is free for most sites.

Setup:

  1. Sign up at hcaptcha.com (free)
  2. Create a new site and copy the site key and secret key
  3. Add to your .env:
HCAPTCHA_SITE_KEY = your-site-key
HCAPTCHA_SECRET_KEY = your-secret-key

If these keys are not set, hCaptcha is silently skipped — safe for local development. Once configured, the widget appears automatically on the comment form and contact page.

Production Hardening Checklist

Before deploying to a public server:

  • Set CI_ENVIRONMENT = production in .env — disables stack traces and debug output
  • Change the default admin password (admin@example.com / Admin@12345) immediately after first login
  • Set app.baseURL to your actual domain in .env
  • Set app.forceGlobalSecureRequests = true in app/Config/App.php to enforce HTTPS and send HSTS headers
  • Enable CSP: set app.CSPEnabled = true in app/Config/App.php and configure a policy appropriate to your theme
  • Ensure only writable/uploads/ is web-accessible (via the symlink above) — never symlink or move writable/ itself into public/, as it contains sessions, cache, and logs
  • Ensure .env has permissions 600 and is not committed to version control
  • Run php spark key:generate once per installation — do not reuse encryption keys across sites
  • Run chown www-data:www-data public/themes/ so only the web server can create theme symlinks
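
The file-system items in this checklist (.env mode and environment, the uploads-only symlink, ownership of public/themes/) can be checked by script. The following is an added example, not part of Pubvana or its README; the function name audit_pubvana and the WEB_USER variable are assumptions, and items that live in the database or in app/Config/App.php are not covered.

```sh
#!/bin/sh
# Added example: audits a Pubvana install against the README's hardening checklist.
# Prints one line per finding; returns 0 when clean, non-zero otherwise.
# WEB_USER is an assumption (the README says "typically www-data"); override as needed.

audit_pubvana() {
    root=$1
    web_user=${WEB_USER:-www-data}
    findings=0
    report() { echo "FAIL: $1"; findings=$((findings + 1)); }

    # .env must exist, be mode 600, and select the production environment.
    if [ ! -f "$root/.env" ]; then
        report ".env is missing"
    else
        if [ -z "$(find "$root/.env" -prune -perm 600 2>/dev/null)" ]; then
            report ".env permissions are not 600"
        fi
        if ! grep -Eq '^[[:space:]]*CI_ENVIRONMENT[[:space:]]*=[[:space:]]*production[[:space:]]*$' "$root/.env"; then
            report "CI_ENVIRONMENT is not set to production"
        fi
    fi

    # public/writable must be a real directory holding only the uploads symlink;
    # anything else here would publish sessions, cache or logs.
    if [ -L "$root/public/writable" ]; then
        report "public/writable is a symlink (exposes all of writable/)"
    else
        for entry in "$root"/public/writable/* "$root"/public/writable/.[!.]*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            if [ "${entry##*/}" != uploads ]; then
                report "unexpected entry under public/writable: ${entry##*/}"
            fi
        done
        want=$(cd -P "$root/writable/uploads" 2>/dev/null && pwd) || want=""
        have=$(cd -P "$root/public/writable/uploads" 2>/dev/null && pwd) || have=""
        if [ ! -L "$root/public/writable/uploads" ] || [ -z "$want" ] || [ "$want" != "$have" ]; then
            report "public/writable/uploads is not a symlink to writable/uploads"
        fi
    fi

    # Theme symlinks are created by the web server user, who must own public/themes/.
    if [ -z "$(find "$root/public/themes" -prune -user "$web_user" 2>/dev/null)" ]; then
        report "public/themes is not owned by $web_user"
    fi
    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then audit_pubvana "$1"; fi
```

Run it as sh audit.sh /path/to/pubvana; a non-zero exit status means at least one finding was printed.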

Content Security Note

Post, page, and widget content is stored and rendered as raw HTML. This is intentional — administrators are trusted to write HTML directly. If your site allows editors or authors to submit HTML content, consider adding server-side HTML sanitization (e.g. HTML Purifier) to your post-save pipeline before rendering untrusted content.

Security Fixes Log

| Version | Fix |
|---|---|
| 2.0.2 | Marketplace ZIP installs: download URL restricted to pubvana.net; ZIP entries checked for path traversal |
| 2.0.2 | WordPress importer: switched to LIBXML_NONET to block XXE network fetches |
| 2.0.2 | User profile IDOR: profile and saveProfile now verify ownership or users.manage permission |
| 2.0.2 | Theme options: options and saveOptions now require admin.themes permission |
| 2.0.2 | Navigation: store, delete, reorder now require admin.navigation permission |
| 2.0.2 | Settings .env writer: key whitelist prevents arbitrary env key injection |
| 2.0.2 | Post list status filter validated against whitelist before use in query |
| 2.0.2 | Comment parent_id validated against same post to prevent cross-post injection |
| 2.0.2 | RSS feed: ]]> escaped inside CDATA sections |
| 2.0.2 | WordPress import: 50 MB file size limit to prevent DoS via XML parse |

Bug Reports & Feature Requests

Please use the Issues Tracker.

Links

pubvana.net — Home & Addon Store (Themes, Widgets, and other Addons)

User Docs

Facebook Page

License

Pubvana is released under the MIT Open Source License.

Contributors & Team Members

  • Enliven Applications

Translators & Translations

Translators Wanted!

If you would like to help translate files, please fork this repo and send a PR.

  • French, Indonesian, and Portuguese need updates.

Please include a README.md update under 'Translators' with your name and a link to your site/GitHub (optional).

Roadmap / Todo

Pubvana Core

Built-in Widgets

  • Recent Posts
  • Tag Cloud
  • Categories List
  • Archive List
  • Search Form
  • Social Links
  • Text Block
  • Recent Comments
  • Table of Contents
  • Related Posts

Platform Features

  • Author Profiles & Bio Card
  • Social OAuth Login (Google, Facebook)
  • Social Auto-Share on Publish (Twitter, Facebook)
  • Marketplace API with cache + refresh
  • WordPress Importer (admin UI + php spark wp:import CLI)
  • Post Revision History
  • Maintenance Mode toggle
  • Core update notifications + php spark pubvana:update CLI
  • Content Preview Links (shareable draft URLs)
  • Bulk Post Actions (publish / unpublish / delete many)
  • Schema.org Markup (Article, BreadcrumbList, Author JSON-LD)
  • Image WebP Auto-Convert on Upload

Pubvana Premium

Premium Core Features (pubvana.net — license required)

  • Scheduled Post Queue (calendar view)
  • Content Analytics (page views, popular posts, referrers)
  • Advanced SEO (OG image generation, schema breadcrumbs, news sitemap)
  • Two-Factor Authentication (TOTP)
  • Backup & Export (DB + uploads zip)
  • Membership / Paywalled Posts
  • Affiliate Link Manager (/go/ short links + click tracking)
  • Broken Link Checker
  • Activity / Audit Log

Premium Widgets (pubvana.net/store)

  • Author Bio (sidebar)
  • Ad Unit / Custom HTML
  • Social Follow Buttons
  • Tip Jar / Per-post donations
  • Reading Progress Bar
  • Enhanced Search (AJAX live preview)
  • Email Opt-in / Lead Capture
  • Countdown Timer
  • Advanced Login
  • Gallery (masonry + lightbox)
  • Google Calendar & Maps
  • YouTube Channel Feed

Premium Plugins (pubvana.net/store)

  • E-commerce (products, cart, checkout, orders)