anestv / pa

PrivateAsk

License: Other

PHP 86.44% CSS 4.05% JavaScript 4.13% Python 1.86% Shell 2.95% ApacheConf 0.19% HTML 0.40%

pa's Issues

Upload prepended file

Some functions are declared and called in a file prepended to all scripts. That file is not included in this repo. It will be uploaded in /autoprepend. profileAppearance.dcss.php will have to be moved to / so that the prepended file is in the same relative path.

Use a CDN for jQuery and Semantic UI

Using a CDN would improve loading speed a lot.

We should also change the CSP header (even though it is not currently used) in the .htaccess file so that it allows those sources

Bottom bar

With copyright notices, ToS, contact data, info about PA

At profile, buttons stay disabled on xhr error

For example when a user asks himself, or tries to load more questions after logging out.

Fix: at profile.js
If it was a client error, remove() that element.
Else, reenable it and give it its original text

Profile: no scripts load if loadquestions.php dies

Suppose someone allows everyone to ask him questions, but only allows his friends to see the questions. If a user who is not logged in goes to that profile, notLoggedIn.php will terminate before profile.php prints the scripts. This means that AJAX will not be used when adding/removing a friend or submitting a question.

Solution

  • Do not die when something goes wrong or
  • Print the scripts before calling die

I think the first solution is better (also see #13 )

Privacy setting for viewing profile ignored

When viewing a profile, the check whether the viewer can actually see the questions takes place at profile.php and NOT in loadquestions.php. Someone can find out the link for loadquestions.php by looking at the source of a profile

if (showMore) showMore.onclick = function(){
  var page = 'loadquestions.php?user=' + owner + 
      '&offset=' + offset;
  xhrb.open('GET', page, true);
  xhrb.send();
}

Then anyone who visits loadquestions.php?user=someuser can freely view the Qs and As. Oh no!
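The fix the issue calls for is to make the authorization decision in loadquestions.php itself, the endpoint that hands out the data, rather than only in profile.php, the page that wraps it. The following is an added example and not PrivateAsk's own code. It assumes a mysqli connection in $db (for instance created by the prepended file), the users table with username and friends (a JSON array of usernames, as described in #8), a hypothetical viewq column holding 'everyone', 'friends' or 'nobody', and a session key 'user'; the column name and session key are assumptions.

```php
<?php
// Added example, not PrivateAsk's own code. Assumes a mysqli connection in $db,
// the `users` table with `username` and `friends` (a JSON array of usernames,
// as issue #8 describes) and a hypothetical `viewq` column holding 'everyone',
// 'friends' or 'nobody'. The column name and the session key 'user' are
// assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function canViewQuestions(mysqli $db, string $owner, ?string $viewer): bool
{
    $stmt = $db->prepare('SELECT viewq, friends FROM users WHERE username = ?');
    $stmt->bind_param('s', $owner);
    $stmt->execute();
    $stmt->bind_result($viewq, $friendsJson);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;                    // no such user: nothing to show
    }
    if ($viewer !== null && $viewer === $owner) {
        return true;                     // owners always see their own questions
    }
    switch ($viewq) {
        case 'everyone':
            return true;
        case 'friends':
            $friends = json_decode((string)$friendsJson, true);
            return $viewer !== null && is_array($friends) && in_array($viewer, $friends, true);
        default:
            return false;                // 'nobody' or an unexpected value: deny
    }
}

// loadquestions.php: the decision is made in the endpoint that returns the data,
// so a direct GET to loadquestions.php?user=someuser gets the same answer as the
// profile page around it.
session_start();
$viewer = $_SESSION['user'] ?? null;
$owner  = (string)($_GET['user'] ?? '');
$offset = max(0, (int)($_GET['offset'] ?? 0));

if (!canViewQuestions($db, $owner, $viewer)) {
    http_response_code(403);
    exit('You are not allowed to view these questions.');
}
// ... only after this point run the SELECT for $owner's questions from $offset.
```

profile.php can call the same function to decide whether to render the question container at all, so both places agree by construction instead of duplicating the rule.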

Use a framework

I think that by using a framework (possibly MVC) the code would be more organised and possibly easier to maintain.
I have this one in mind https://github.com/simple-mvc-framework/v2

There will be some basic classes (User, Question) and some to serve as models (e.g. Settings).
In this gist there is an example of what I am thinking.

Set up auto testing

We should set up an automatic tester for the project. Travis CI looks good, but the thing about this project is that it is not an executable or script. It is a server.

How we could test

I have started a new repo, server-test written in Python, which reads a file and sends the instructed requests to a server. So far, it only outputs files with the http code, headers and response.

I could make the script exit with an error code if the response does not meet some expectations defined in a file.

Travis CI instructions

  1. Download Apache, PHP, MySQL and any other required software (if not installed)
  2. Start Apache and MySQL
  3. Import database structure from privateask.sql
  4. Run server-test with test cases specified in a file
  5. Clear database
  6. Shut down Apache and MySQL

terminate() more softly

Currently, when any error occurs, whether it is caused by a user's mistake or a server goof-up, terminate($error, $respCode) is called, which outputs something like:

[image: an error box in the middle of the page and nothing else]

This, however, is usually not the behaviour we want, as the user has to go back and find out what's wrong. Ideally, the message should be displayed in a way that the content of the page is visible.

Sort question search results

Add radio buttons or dropdown list at the questions form.
Possible options could be:

  • By touser
  • By timeanswered

Both in ascending and descending order

Upload the database structure

I think uploading a .sql file with the structure should be OK.

Of course, the real data (i.e. the rows of the tables) will not be uploaded

Friends form submitted when addFriend() returns

Description

If the input box is empty or has an already entered username (or the user's username) and Enter is pressed, after showing the alert the browser tries to submit the form. Calling e.preventDefault() or anything similar doesn't work.

Tested on

Using Chrome on Windows. On Firefox on Ubuntu this doesn't happen.

Solution

Instead of calling addFriend() on $('form').keydown, schedule it for 5ms later using setTimeout(addFriend, 5);

Storing friends

As of now, friends work one-way, i.e. Alice can have Bob in her friends even if Bob does not.
This way users have more control over their privacy settings.

As of now, the friend list of a user is stored in JSON string format, in the DB table users. This makes it easy to see if one can ask/view a user (at profile.php, sent.php, viewq.php) and change the whole list at once (at friends.php).

We could also store the friends in another table (user, friend). Then it would be easier to add/delete a friend and see if a particular user is a friend of another user (for example the "Add Friend" button at profiles). Would this be better, and in what way?

POST to delete question

According to HTTP/1.1, GET is considered a safe method. So I think that a POST request should be used to delete a question (at deleteq.php).

The confirmation form at deleteq.php should have method="POST" and the AJAX requests from profile.js should also be POST.
Note: when changing the AJAX type, we should also change the way we detect which request this was in the global AJAX error handler.
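One way deleteq.php can look once deletion is POST-only, as an added example that is not PrivateAsk's own code: GET renders the confirmation form and changes nothing, POST performs the delete. The per-session request token is a hardening step beyond what the issue asks for (a state-changing POST reachable from a form can otherwise be triggered by any site the user visits). $db (a mysqli connection), the session key 'user' and the questions columns id and touser are assumptions.

```php
<?php
// Added example, not PrivateAsk's own code: deleteq.php that only deletes on
// POST. GET shows the confirmation form and changes nothing. The request token
// is a hardening step beyond what the issue asks for. $db (mysqli), the session
// key 'user' and the `questions` columns `id` and `touser` are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function deleteQuestion(mysqli $db, int $qid, string $user): bool
{
    // The recipient is part of the WHERE clause, so a guessed id that belongs
    // to someone else deletes nothing.
    $stmt = $db->prepare('DELETE FROM questions WHERE id = ? AND touser = ?');
    $stmt->bind_param('is', $qid, $user);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('Log in first.');
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Safe method: render the confirmation form, with the token, and stop.
    $qid = (int)($_GET['id'] ?? 0);
    $tok = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo '<form method="POST" action="deleteq.php">'
       . '<input type="hidden" name="id" value="' . $qid . '">'
       . '<input type="hidden" name="csrf" value="' . $tok . '">'
       . '<button type="submit">Delete question</button>'
       . '</form>';
    exit;
}

if (!hash_equals(csrfToken(), (string)($_POST['csrf'] ?? ''))) {
    http_response_code(403);
    exit('Invalid request token.');
}

if (deleteQuestion($db, (int)($_POST['id'] ?? 0), $_SESSION['user'])) {
    echo 'deleted';            // profile.js removes the node from qContainer
} else {
    http_response_code(404);   // a client error, which profile.js can treat as such
    echo 'not found';
}
```

The XHR in profile.js then has to use open('POST', 'deleteq.php') with an application/x-www-form-urlencoded body carrying id and csrf (the token can be placed in a data attribute on the page), and the global error handler can distinguish this request by its URL or a tag set on the XHR object rather than by its method.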

Delete question from profile

The 'Delete' link should send an XHR to the delete page and if the question is deleted, it should be removed from the qContainer.

Option to not use Captcha and fb login

In some cases, the server owner may want to not use captcha for new accounts and login through Facebook (e.g. for CI / testing, or because they have no keys for that service).

So, we should check: if there are no captcha/facebook app keys available in secrets.ini, then those features should be disabled.

Top bar

Links to:

  • user profile
  • questions asked to him
  • settings page
  • logout page

Plus a search bar.

Q/A formatting with Markdown

Currently there is no way to format the text of a question or answer whatsoever (bold, italics, headers, images). Not escaping HTML characters would lead to unwanted security problems (such as XSS).

I consider that using Markdown (especially Parsedown, which seems to be better in many ways) would be a desirable feature. Of course, we should inform users that it is available.

The way that I think of implementing it is:

  1. Change the limit of characters in the asking textarea in profile.php and answer.php to 300
  2. Change the limit of characters in the database to 500
  3. On sent.php and answer.php:
  • Trim the Markdown text to 300 chars
  • Convert it to HTML
  • Filter it using HTML purifier
  • Optionally trim it to 500 characters
  • After real_escape() INSERT it in or UPDATE the database
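The pipeline above, as an added example that is not PrivateAsk's own code. Two practical points differ from the steps as listed: the length limit is applied to the Markdown before rendering and the purified HTML is rejected rather than cut when it exceeds the column, because truncating HTML at a byte count can split a tag or entity and leave a fragment that neither the purifier nor the browser saw as a whole; and a bound parameter replaces the real_escape() step, since a prepared statement never interpolates the value. Parsedown and HTML Purifier are the libraries the issue names (installed with Composer); the questions table, its touser and question columns and $db are assumptions.

```php
<?php
// Added example, not PrivateAsk's own code, of the sent.php / answer.php pipeline
// described in the issue. Needs: composer require erusev/parsedown ezyang/htmlpurifier
// The `questions` table, its `touser`/`question` columns and $db are assumptions.
require __DIR__ . '/vendor/autoload.php';

const MD_MAX   = 300;   // what the user may type (textarea limit)
const HTML_MAX = 500;   // what the database column holds

function renderQuestionMarkdown(string $markdown): string
{
    // 1. Limit the Markdown, not the HTML: mb_substr counts characters, so a
    //    multibyte name is not cut in the middle of a character.
    $markdown = mb_substr(trim($markdown), 0, MD_MAX, 'UTF-8');

    // 2. Markdown -> HTML. Safe mode makes Parsedown escape raw HTML and refuse
    //    javascript: links; the purifier below is still the real boundary.
    $parsedown = new Parsedown();
    $parsedown->setSafeMode(true);
    $html = $parsedown->text($markdown);

    // 3. Allow-list the output: a small inline/block vocabulary, links and
    //    images only over http(s). Everything else is dropped or unwrapped.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'p,br,strong,em,code,pre,blockquote,ul,ol,li,h1,h2,h3,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    $purifier = new HTMLPurifier($config);
    $html = $purifier->purify($html);

    // 4. If the purified HTML still does not fit the column, refuse instead of
    //    cutting: a truncated fragment would no longer be well-formed HTML.
    if (mb_strlen($html, 'UTF-8') > HTML_MAX) {
        throw new LengthException('Formatted text is too long; please shorten it.');
    }
    return $html;
}

function storeQuestion(mysqli $db, string $touser, string $markdown): void
{
    $html = renderQuestionMarkdown($markdown);
    // A prepared statement replaces real_escape_string(): the value is bound,
    // not interpolated into the SQL text, so no escaping step is needed.
    $stmt = $db->prepare('INSERT INTO questions (touser, question) VALUES (?, ?)');
    $stmt->bind_param('ss', $touser, $html);
    $stmt->execute();
    $stmt->close();
}
```

The stored value is already HTML, so the profile and answer pages must print it as-is and must not run htmlspecialchars() over it again; everything that reaches the column has passed through the allow-list, and that is the only reason printing it raw is acceptable.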

Html head after PHP

Html opening tags should start after PHP. This way, we will be able to set custom HTTP headers.
Possibly, the html opening tags could be in a PHP variable, so that they can be printed in terminate().

Example:

<?php
function terminate($msg, $code){
  global $htmlHead;
  http_response_code($code); // status and other headers go out before any HTML
  echo $htmlHead;            // print the opening tags, then the error box as now
  //here do what it now does
}

$htmlHead = '<!DOCTYPE html><html>
 ...
</head><body>';
// PHP code
echo $htmlHead;
?>
.. HTML ...
</body></html>

Ask oneself or not?

Should one be able to ask himself?
If yes, do not swear at the user when he tries to do so.
If no, do not let the user do so.

Add search for Qs/As

Search by

  • asker (if public)
  • user Q was asked to
  • time answered
  • question / answer text

Prevent user from leaving with unsaved changes on friends.php

Especially in this page, it is not very clear that the user has to save the changes, and it is also very easy to leave from the page (by clicking a link to a profile).
So I think we should use window.onbeforeunload and check whether there are changes (of course, the order of the friends does not have to be the same)

Search shows others' anonymous questions

As of now, if a user searches for questions they asked themselves, AND publicasker = 1 is not added to the SQL query. However, the query says fromuser LIKE '$fromuser%'

What does this mean?

Say we have the user aaron. He has asked some questions anonymously and some eponymously. Someone else registers the username aaro. When aaro searches questions from aaro, aaron's questions are also returned, even those asked anonymously!

How to fix it

One approach would be to change fromuser LIKE '$fromuser%' to fromuser LIKE '$fromuser' if $fromuser === $user. But I think that % is not even what we want here. The exact username should be provided and used to search, or users might get confused.
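The asker search with an exact match and a bound parameter, as an added example that is not PrivateAsk's own code. Besides closing the aaro/aaron prefix leak, binding the value means the LIKE wildcards % and _ in user input are no longer special, and the value is never interpolated into the SQL text. The columns fromuser, touser, publicasker and timeanswered are named in the issues; the table name questions, the question and answer columns and $db (a mysqli connection) are assumptions.

```php
<?php
// Added example, not PrivateAsk's own code, of the asker search from this issue.
// Columns `fromuser`, `touser`, `publicasker` and `timeanswered` are named in the
// issues; the table name `questions`, the `question`/`answer` columns and $db
// (a mysqli connection) are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Questions asked by $fromuser that $viewer may see:
 *  - a viewer searching their own username sees everything they asked,
 *    anonymous questions included;
 *  - anyone else sees only questions the asker chose to sign (publicasker = 1).
 */
function searchByAsker(mysqli $db, string $fromuser, ?string $viewer, int $limit = 20): array
{
    $ownSearch = $viewer !== null && $viewer === $fromuser;

    // Exact match: "aaro" no longer matches "aaron".
    $sql = 'SELECT fromuser, touser, question, answer, timeanswered, publicasker'
         . ' FROM questions WHERE fromuser = ?';
    if (!$ownSearch) {
        $sql .= ' AND publicasker = 1';
    }
    $sql .= ' ORDER BY timeanswered DESC LIMIT ?';

    $stmt = $db->prepare($sql);
    $stmt->bind_param('si', $fromuser, $limit);
    $stmt->execute();
    $stmt->bind_result($from, $to, $q, $a, $when, $public);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'fromuser'     => $from,
            'touser'       => $to,
            'question'     => $q,
            'answer'       => $a,
            'timeanswered' => $when,
            'publicasker'  => (int)$public,
        ];
    }
    $stmt->close();
    return $rows;
}

// Usage on the search page: the logged-in user, if any, is the viewer.
session_start();
$results = searchByAsker($db, trim((string)($_GET['fromuser'] ?? '')), $_SESSION['user'] ?? null);
```

If a prefix search is wanted later as a separate feature, it should be a distinct option, and it must keep the publicasker = 1 condition for every row whose fromuser is not the viewer, regardless of what the viewer typed.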

No custom fonts at profile

There are some fonts that are not installed in most browsers. Up to at least v0.2 there was a folder (res/) with these fonts and some images. If you cannot find it that's because it was in .gitignore.

These fonts should be included again. They will be used in profiles and settings.

Notifications

At the top bar there should be an icon showing how many new questions the user was asked since the last time he checked.
Also, if he wants to (add it as a setting) show how many new questions his friends have answered since the last time he checked.

I'm thinking of using server sent events and the notifications api and update a number at the top bar.

Deleted users are not removed from friend lists

When a user deletes his account, the username does not get removed from the lists of the people who have him as a friend. This is because, in the way that friendships are stored now (#8), the check whether all the friends of a user are registered occurs only when the user changes his friends (i.e. in friends.php).

Potential security issues

Someone could wait seven days from a user's deletion and then quickly re-register with the exact same username, so that he can basically do what the "previous account owner" could.

Solutions

I think the best solution would be to change the way friendships are stored.
Other solutions may be:

  • On every login check whether all of the user's friends have accounts
    • Will not fix the problem if a user stays logged in for a long time
  • Using mySQL add an event listener on when a user is deleted, find users WHERE friends LIKE '%"{username of deleted}"%' and then do some magic (??) to remove the "{username of deleted}"
    • I don't know if such a thing is possible
    • We must be sure that the value remains valid JSON
  • Using PHP, on deleteacc.php after warning the user, find users WHERE friends LIKE '%"{username of deleted}"%' and then remove the to-be-deleted username with PHP
    • If someone changes his mind, he will have to ask his old friends to add him again.
    • Prepared statements may come in handy when updating the friend lists.
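The last option above, as an added example that is not PrivateAsk's own code: on deleteacc.php, strip the departing username from every friend list while the lists are still JSON strings in users.friends. The LIKE pattern only narrows the candidate rows; the JSON decode/filter/encode round trip decides, so the stored value is always a valid JSON array afterwards. It assumes a mysqli connection in $db, a users table with username and friends, and PHP 7.4 or later.

```php
<?php
// Added example, not PrivateAsk's own code, for the last option above: on
// deleteacc.php, strip the departing username from every friend list while
// the lists are still JSON strings in `users.friends` (see #8). Assumes a
// mysqli connection in $db and `users(username, friends)`; PHP >= 7.4.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function removeFromAllFriendLists(mysqli $db, string $deleted): int
{
    $updated = 0;
    $db->begin_transaction();
    try {
        // LIKE only narrows the candidates; the JSON round trip below decides.
        // json_encode() adds the quotes, so "bob" does not match "bobby". Use the
        // same json_encode() flags friends.php uses when it saves the list,
        // otherwise a non-ASCII name may be escaped differently and be missed.
        $needle  = json_encode($deleted);
        $pattern = '%' . addcslashes($needle, '%_\\') . '%';

        $sel = $db->prepare('SELECT username, friends FROM users WHERE friends LIKE ? FOR UPDATE');
        $sel->bind_param('s', $pattern);
        $sel->execute();
        $sel->bind_result($username, $friendsJson);
        $candidates = [];
        while ($sel->fetch()) {
            $candidates[] = [$username, $friendsJson];
        }
        $sel->close();

        $upd = $db->prepare('UPDATE users SET friends = ? WHERE username = ?');
        $upd->bind_param('ss', $newJson, $name);   // bound once, reassigned per row
        foreach ($candidates as [$name, $json]) {
            $friends = json_decode((string)$json, true);
            if (!is_array($friends)) {
                continue;                          // malformed list: leave it alone
            }
            $kept = array_values(array_filter($friends, fn($f) => $f !== $deleted));
            if (count($kept) === count($friends)) {
                continue;                          // LIKE matched but the name is not an entry
            }
            $newJson = json_encode($kept);         // always valid JSON, [] when empty
            $upd->execute();
            $updated += $upd->affected_rows;
        }
        $upd->close();
        $db->commit();
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
    return $updated;
}

// deleteacc.php, after the user has confirmed: clean the lists, then delete
// (or schedule the deletion of) the account in the project's existing way.
session_start();
$removedFrom = removeFromAllFriendLists($db, (string)$_SESSION['user']);
```

Running this at deletion time rather than at re-registration time is what closes the window described under "Potential security issues": once the name is gone from every list, a later account with the same username starts with no inherited friendships.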

Style using Semantic UI

I have already done some work, but now I officially make it an issue.

I created the branch "semantic" for the changes that will be needed.

Question feed

Currently at the root of the site (/) a logged in user sees only the top navigation bar and the footer. I think this is not really good, we should show them something they might care about.

I think a question feed (i.e. questions asked to people that the user has friended, sorted from newest to oldest) would be a quite good idea. It's also pretty easy to implement once we find out the query for the questions.

Make a new QuestionSet, pass the data to the view ($data['questions'] = $qset->members) and print them all (foreach ($data['questions'] as $q) $q->writeOut()).

A problem is how many questions we should load. More than 20 could be too much, but some users may want to keep scrolling. Do it like profiles? Maybe in a later version.

Add/remove friend button at profiles

This is how I think of implementing it:

  1. Store friendships in another table (see #8 )
  2. Change POST handling at friends.php. There should be an argument named do, which takes one of these values:
    • set: argument friends must be present and contain a JSON encoded array of all the user's friends
    • add: argument friend must be present and contain the username to be added in the user's friendlist
    • remove: similar to add
  3. Add a button (possibly ui toggle button) in the profiles' headers if ($user and $user !== $owner) and use JS to handle click and send AJAX POST. To handle noscript we could either:
  • have the button inside a <form> and prevent its submission from JS
  • have a <noscript> saying "To change your friends visit [link to friends.php]"
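The friends.php POST handler from steps 1 and 2, against the two-column table proposed in #8, as an added example that is not PrivateAsk's own code. It assumes $db (a mysqli connection), a session key 'user', a users table with a username column, and a hypothetical friendships table with columns user and friend and a primary key over both; a request-token check like the one deletion would need belongs here as well and is left out to keep the handler short.

```php
<?php
// Added example, not PrivateAsk's own code, of the friends.php POST handler
// sketched in the issue. Assumes $db (mysqli), the session key 'user', a `users`
// table with `username`, and a hypothetical table
//   friendships(user VARCHAR, friend VARCHAR, PRIMARY KEY (user, friend)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

function userExists(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

function addFriend(mysqli $db, string $user, string $friend): bool
{
    // Refuse self-friending and unknown names here, once, for every caller.
    if ($friend === '' || $friend === $user || !userExists($db, $friend)) {
        return false;
    }
    // INSERT IGNORE makes a repeated "add" idempotent under the primary key.
    $stmt = $db->prepare('INSERT IGNORE INTO friendships (user, friend) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $friend);
    $stmt->execute();
    $stmt->close();
    return true;
}

function removeFriend(mysqli $db, string $user, string $friend): void
{
    $stmt = $db->prepare('DELETE FROM friendships WHERE user = ? AND friend = ?');
    $stmt->bind_param('ss', $user, $friend);
    $stmt->execute();
    $stmt->close();
}

function setFriends(mysqli $db, string $user, array $friends): void
{
    // Replace the whole list in one transaction so a failure cannot leave it half-written.
    $db->begin_transaction();
    try {
        $stmt = $db->prepare('DELETE FROM friendships WHERE user = ?');
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->close();
        foreach (array_unique($friends) as $friend) {
            if (is_string($friend)) {
                addFriend($db, $user, $friend);
            }
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
}

if (empty($_SESSION['user'])) {
    http_response_code(401);
    exit('Log in first.');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

$user = (string)$_SESSION['user'];
switch ($_POST['do'] ?? '') {
    case 'add':
        $ok = addFriend($db, $user, trim((string)($_POST['friend'] ?? '')));
        http_response_code($ok ? 200 : 400);
        break;
    case 'remove':
        removeFriend($db, $user, trim((string)($_POST['friend'] ?? '')));
        break;
    case 'set':
        $list = json_decode((string)($_POST['friends'] ?? ''), true);
        if (!is_array($list)) {
            http_response_code(400);
            exit('friends must be a JSON array of usernames');
        }
        setFriends($db, $user, $list);
        break;
    default:
        http_response_code(400);
        exit('unknown value for do');
}
```

With this table the "is X a friend of Y" check behind the profile button and behind the view/ask permissions becomes a single two-column lookup, and a deleted account can be removed from every list with one DELETE FROM friendships WHERE friend = ?.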

