Feature Spotlight: User Access Control
Most people will give you a confused look when you talk about User Access Control, but really, a simplified explanation is that it’s a system that tells Nova who can and can’t do stuff. Starting with SMS 1.2 all the way up through SMS 2.4.4, Anodyne employed a rudimentary access system that consisted of static levels. If you had level 5, you could do everything, but if you had level 4, you couldn’t do things X, Y and Z, but you could do everything else. Obviously such a system is pretty limited and doesn’t give game masters much control. To combat that, SMS 2.5 introduced a new system where admins could choose exactly what pages a user had access to, but even that was too bulky because each user was their own access entity. SMS 2.6 added the ability to set the defaults for pre-defined groups, but that doesn’t help when you want to change the access for all standard players in the system. Nova takes the best of these ideas to create a role-based access control system.
Roles are simply a series of pages and, in some cases, access levels that are grouped together. For instance, a power user may have access to 15 admin pages while a standard user only has access to 8. Instead of assigning those pages to a user’s access like SMS does, those items are tied together into a role and that role is then assigned to the user. This has the advantage of storing less information in the user table, while also allowing admins to change the access levels for everyone in a group simply by updating the role itself. The next time the user logs in, those changes are reflected because every time a user authenticates to the system, it goes out and gets a fresh copy of the role pages to use in the access array.
So what if you have a user who’s acting up and needs to have their permissions scaled back? Roles can be duplicated with the click of a button, meaning that Joe can have his own access role that is unique to him and his needs. Once you’ve duplicated the role, simply make the changes, save it and assign that role to Joe. The next time he logs in, he’ll have those restrictions applied to him.
The new User Access Control system in Nova is far more powerful and flexible and provides ample opportunity to build on the system later for even more power!
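A small model of the role scheme described in this section, added here as an illustration and not taken from Nova's code: roles map pages to access levels, a user stores only a role name, and the access array is rebuilt from the role at login. The role names, page keys, level values and function names are all hypothetical.

```php
<?php
// Added illustration, not Nova's code. Role names, page keys and levels are hypothetical.

// A role groups pages, each with an access level (1 = own items, 2 = all items).
$roles = [
    'standard' => ['user/account' => 1, 'write/missionpost' => 1],
    'power'    => ['user/account' => 2, 'write/missionpost' => 2, 'manage/awards' => 2],
];

// Users store only the name of their role, never a private copy of its pages.
$users = ['joe' => 'standard', 'ann' => 'standard'];

// Build the access array at login so role edits reach every holder of the role.
function login(string $user, array $users, array $roles): array
{
    $role = $users[$user] ?? null;
    // Unknown user or dangling role name: empty access array, i.e. deny by default.
    return ($role !== null && isset($roles[$role])) ? $roles[$role] : [];
}

// Deny unless the page is in the session's access array at the required level.
function can(array $access, string $page, int $level = 1): bool
{
    return ($access[$page] ?? 0) >= $level;
}

// Copy a role under a new name so one user can be restricted without touching the rest.
function duplicateRole(array &$roles, string $from, string $to): void
{
    if (!isset($roles[$from]) || isset($roles[$to])) {
        throw new InvalidArgumentException("cannot duplicate $from to $to");
    }
    $roles[$to] = $roles[$from]; // PHP arrays are copied by value
}

$joeSession = login('joe', $users, $roles); // session opened before the change

// Scale Joe back: duplicate the role, remove posting rights, assign the copy.
duplicateRole($roles, 'standard', 'standard-joe');
unset($roles['standard-joe']['write/missionpost']);
$users['joe'] = 'standard-joe';

var_dump(can($joeSession, 'write/missionpost'));                       // existing session, old access array
var_dump(can(login('joe', $users, $roles), 'write/missionpost'));      // fresh login, restricted copy
var_dump(can(login('ann', $users, $roles), 'write/missionpost'));      // other holders of the role are unaffected
var_dump(can(login('mallory', $users, $roles), 'user/account'));       // unknown user gets nothing
```

Because the access array is only rebuilt at login, a session opened before the role edit keeps its old permissions until that user authenticates again.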
Feature Spotlight: Security
I’d be remiss if I didn’t spend at least a little time talking about the major security overhaul that happened in Nova. While most of it is under the hood and handled by CodeIgniter, we’ve taken our own measures to secure your site even more than SMS. Security starts with the foundation and we’ve chosen a framework that, while fast, puts security at a premium.
At the very base, it starts with comprehensive SQL injection protections to make sure a malicious user can’t destroy your database from the outside. Using CI’s built-in Active Record database class, we’re assured that all inputs are properly escaped before any attempts are made to put them into the database. Anodyne focused heavily on this type of vulnerability in SMS 2.6 (and subsequently dropped support for SMS 2.5 because of the same issue) and using the framework’s built-in tools has allowed us to maintain protection against such attacks.
Cross Site Scripting (XSS) attacks also received a lot of attention. XSS is among the most common vulnerabilities in web applications. Again, we relied on CodeIgniter to do the heavy lifting here with a whole slew of XSS filtering done before any data is handed to the database. This helps us ensure that all of your information and your database is safe!
A final item we addressed during the course of development was brute force attacks. Hackers will sometimes set up servers to cycle through a dictionary and attempt repeated logins of a web application in hopes of finding a username and password they can use to get in. Not only is that a drain on server and network resources, but it potentially exposes your data to hackers if you don’t have a very secure password. Nova addresses that issue head on by limiting the number of logins a user can attempt to 3. If there are 3 unsuccessful attempts, the system will lock the user out for 30 minutes before they can try logging in again. It may seem annoying if a legitimate user runs into this, but in the long run, it’s worth it to prevent hackers from brute force hacking your site.
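The lockout rule described above, sketched as an added example that is not Nova's code: the class and method names are hypothetical, the counter is assumed to be keyed on the username, and only the limits (3 failed attempts, 30 minutes) come from the text.

```php
<?php
// Added illustration, not Nova's code. Class and method names are hypothetical;
// the limits (3 failures, 30 minutes) are the ones stated in the text.

final class LoginThrottle
{
    const MAX_FAILURES = 3;
    const LOCKOUT_SECONDS = 1800; // 30 minutes

    // Per-username state: ['count' => failures so far, 'lockedUntil' => unix time or 0]
    private $state = [];

    // True while the account is still inside its lockout window.
    public function isLocked(string $user, int $now): bool
    {
        return isset($this->state[$user]) && $now < $this->state[$user]['lockedUntil'];
    }

    // Returns 'ok', 'failed' or 'locked'. $passwordOk stands in for the real credential check.
    public function attempt(string $user, bool $passwordOk, int $now): string
    {
        if ($this->isLocked($user, $now)) {
            return 'locked'; // refuse even a correct password during the lockout
        }
        $s = $this->state[$user] ?? ['count' => 0, 'lockedUntil' => 0];
        if ($s['lockedUntil'] !== 0) {
            $s = ['count' => 0, 'lockedUntil' => 0]; // lockout expired: count afresh
        }
        if ($passwordOk) {
            unset($this->state[$user]); // success clears the failure counter
            return 'ok';
        }
        $s['count']++;
        if ($s['count'] >= self::MAX_FAILURES) {
            $s['lockedUntil'] = $now + self::LOCKOUT_SECONDS;
        }
        $this->state[$user] = $s;
        return $s['count'] >= self::MAX_FAILURES ? 'locked' : 'failed';
    }
}

// Constructed timeline: [seconds since first attempt, whether the password was correct]
$throttle = new LoginThrottle();
$timeline = [[0, false], [5, false], [10, false], [60, true], [1809, true], [1810, true]];
foreach ($timeline as [$now, $ok]) {
    echo "t=$now ", $throttle->attempt('joe', $ok, $now), "\n";
}
```

The timeline shows the trade-off the text mentions: once the third failure starts the lockout, the legitimate user's correct password is also refused until the 30 minutes have passed.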
As you can see, security was a pretty important issue for us, but we wanted to make the additional security as transparent as possible. We don’t want the system prompting you for everything it has to do; it should just be secure from the start and that’s been our goal since day 1.
Feature Spotlight: Uploading
Maybe the single most requested feature for SMS, adding the ability to allow users to upload their own character pics carries with it some tricky stuff, but thanks to the framework powering Nova, allowing user uploads was a feature that only took a few hours to build!
When SMS came out in 2005, one of the most novel features about it was the fact that users could update their own biographies. Anyone who’d run a sim that required the CO to update the bios knew how big a feature like that was for a game master. We’re applying that same concept to character images now. Sure, a user can host their images on an image hosting site, but why not make it faster and just leave them on the server the site is on? User uploads does just that in a simple interface. From the edit character bio page, users have a link to upload files to the server. Simply select a file and click upload and Nova takes care of the rest. Once the file’s been uploaded, the user can go back to edit their bio and they’ll see a complete list of images to use. Anything they’ve uploaded will be grouped together at the top of the page. A couple clicks later and the user has uploaded and used their images for their character.
We didn’t stop there though. Why should users have all the fun? Admins can now use the built-in uploader to push award images, mission images and tour images up to the server as well. From their respective edit pages, admins will be able to select the images to use without ever having to fire up their FTP client!
Feature Spotlight: Private Messaging Improvements
Private messaging is a great feature of SMS, but honestly, it’s pretty limited. There are times where you need to carry on a conversation with a couple of people, but in those instances, you need to copy and paste the content of your message so that after you’ve sent it to the first person you can send it to anybody else who should get it. Annoying to be sure as I’ve experienced on more than one occasion. No more with Nova!
One of the things we set out to do with Nova was make significant improvements to private messaging and the first place we started was adding the ability to send private messages to a lot of people. It really is as simple as picking the people you want to send the message to, filling in your subject and content and away you go. Each of them will be notified of the private message and have the opportunity to reply just to the author or to reply to everyone involved in the private message! Further to that, you can now forward private messages to other people, which is handy in the event you accidentally left someone off the list.
Undoubtedly though, you spend some time playing one character but decide to change to another character. In SMS, you’d lose all of your private messages, but because Nova separates characters and users, those private messages go wherever you are! Private messaging in Nova is really a much improved experience that you’ll love using.
