Fall 2007

Customer Resource Site
  
M08 11/14/07


1. Name

 Kevin Le
 (8%) 
 
 Hubert Lee
 (8%) 
 
 Jeeyun Lim
 (8%) 
 
 Sohum Misra
 (8%) 
 
 Corey Shaw
 (8%) 
 
 Derek Sessions
 (8%) 
 
 Rae Alty
 (8%) 
 
 Felipe Serrano
 (8%) 
 
 Aaron Cottle
 (8%) 
 
 Yuan Gao
 (8%) 
 
 Matt Freeburg
 (8%) 
 
 Brad Dodson
 (8%) 
 
 Dave Eng
 (8%) 
 

Total: 13

2. Percentage complete

 0%
 (8%) 
 
 75%
 (8%) 
 
 40%
 (15%) 
 
 60%
 (15%) 
 
 50%
 (8%) 
 
 80%
 (8%) 
 
 30%
 (15%) 
 
 100%
 (8%) 
 
 90%
 (15%) 
 

Total: 13

3. What milestone objectives were actually attained?  Be specific!

 
Milestones under Relationships
  • Sat down with Corey and talked about the Authority relation and watched him stub getters and setters in the Entity interface
  • That's all.

It's not at all clear which milestones are yours. If you're responsible for something, please assign it to yourself. --Chelsea
 (8%) 
 
 Milestone found here.
  • Dave and I have come to an agreement with the backend object structure, something that has needed to be done for a long time now (found here)
  • Created a branch for integrating access control
  • Re-organized some code for access control
  • Updated the AccessControl design document
 (8%) 
 
 
Here are my milestones for this week.

- I have re-written the search method to create a search tree for both contents and users.
- I have temporarily set the default page to do a search that returns a lot of results (i.e. search for contents that contain "a" in name or tag) so it looks random and we can put it as featured contents. However this will not be kept and so I would not consider this an achievement for this week.
 (8%) 
 
 
My milestones for this week can be found over here.

Of these milestones, I have made progress on the following:
  • I have created a frame for the preferences section. This also involved reorganizing the frontend a little to make an account section and a user profile section.
  • I again began thinking about the payment interface. I still have to think of it from a coding perspective but I have a fair idea of how it's going to work from a UI perspective.
  • I reorganized the frontend as outlined above.
  • I added more information to the search results, including author, tag and creation date information.


From a team perspective, our milestones also included designing a message interface and getting more information for basic search (getting multiple return types).
 (8%) 
 
 
Here's a link to the Team Milestones.

We have the basic framework for the authority system set up, but it was not completed in time for UI to use it. This doesn't sound like much, but it was our most important task.

Dave was also tasked with working with the backend to finish the access control system & groups.
 (8%) 
 
 
Milestones appear here.

My main work item this week has been testing the site, especially with security tests. I've been working on XSS and SQL injection attacks this week. I have found some XSS holes, some of which have been patched and others that we are still waiting on fixing. To do this testing I've been using online resources mostly and compilation sites that list 'all' known XSS/SQL injection tricks. However, these are never exhaustive, but I'm getting a better feeling for how these attacks work and the tricks they use. The number of holes is really quite frightening, however, and it looks like we might be going to a restricted tag system (only a small known subset of tags and fields allowed.) However, not even that is bulletproof with things like href data fields and other tricks. I really must wonder if it is possible to get this really bulletproof...

Also, I have found a few other bugs while testing things. I'll switch to finding more of these kinds of bugs after I become more satisfied with the security on the site.
 (8%) 
 
 
On Monday, Brad sent me documentation on the notification system, as it is what I am taking over since search has become mostly dead. I read through documentation Brad gave me on the notification system, and have begun to try to understand/move forward with it. I have nothing concrete yet, however, as I am still trying to get my tablet back up and running (it crashed Friday, and I am having to re-set it up and reinstall VS, as I didn't have it installed anywhere else.)
 (8%) 
 
 
I have begun implementing video tags and I have figured out a way to interact with the silverlight.

In addition, I created a document detailing the process for implementing support for new kinds of content (surprisingly easy to do actually)

Also, I met with Luke and Bethany to discuss suggestions for the Content/UI teams.
 (8%) 
 
 
My milestones are here.
I implemented a system to count the number of times a user views a piece of content.
 (8%) 
 
 
1. Fixed currently known XSS Vulnerabilities reported by Derek
I closed all unclosed tags, removed all invalid tags and attributes.
2. Enabled search in EmbedContent
3. Removed scripts in Tag
4. Removed Scripts in Content Name
5. Added frame around embedded content
This part is done naively. Now I just added <div> tag around embedded content.
6. Fixed the bug that image GUID changed in properties window
 (8%) 
 
 
My milestones are here.

- Created Category class in backend
- Created tables for categories in database
- added Category creation and retrieval methods to backend interface
- added methods to create suggestions to backend interface, using the tag system
- added methods to internal backend interface for permanently deleting Content and Entity
 (8%) 
 
 
  • I did a lot of work to get the notifications system off the ground. Basically I worked about 8 hours Sunday to complete a proof-of-concept/initial prototype of the system, which I believe can grow into what we use. I completed all of the worrisome details and proved to myself that every critical part of the system can be implemented according to the design. Since then the system has been handed off, although I may still do a bit more on it to fill in when the Search team people have lots of commitments.
  • Through talking to people and investigating I've been getting a big-picture handle on how the project works, although a written form of this is still lacking.
  • The interface to the messaging system has been defined, and the implementation details of how this will be implemented against the relations model will be written very soon (but aren't quite ready yet).
  • Although I've made the access control system a focus for a while now, progress is still holding back. I'm about to make some changes though to be sure we get it going in a timely fashion.
  • I've been watching the status of the UI and content teams, and I'm still concerned about their backlog, but nothing proactive has been done yet.
  • Another success, which isn't an assigned milestone for me was getting Derek to do testing. He's been particularly successful in the area of security testing.
 (8%) 
 
 
None. Kind of similar to Kevin, but progress was made all the same.
There were two things that needed to be done:
  1. Get groups modeled and coded
  2. Access controls desperately need to be implemented

This was a nigh unproductive week (410-wise). Hubert, unfortunately, was stuck doing malloc until Friday(!), and furthermore was stuck with SAS practices/shows Friday and Saturday night. Beyond this, my own schedule was lit afire with exams, projects, and homeworks alike. During this time we were able to get groups modeled and sent on over to Matt and Aaron for approval/commenting, and as of this moment Aaron is taking over the implementation.
Access controls...not so fortunate this time around. However, I am still committed to doing them, and will work with Hubert Monday, Tuesday, and Wednesday (if need be from my house) to get it completed before next milestone.
 (8%) 
 

Total: 13

4. What milestone items were left uncompleted?  Be specific!

 
  • We still don't have a set method of implementing algorithms to evaluate inherent trust
  • The model for content and comment ratings is in the system, but is currently unused by the front end
 (8%) 
 
 
Access control is not integrated and I still need to make a more specific document about the implementation of access control. The backend object structure has not been implemented yet, I've been waiting on someone (Aaron, Matt, Brad) to respond to my e-mail about the new structure.

Out of curiosity, why do you need implementation details to document the interface? --Chelsea
 (8%) 
 
 
- The re-written search method still works for contents as before, but I get zero results for searching for users. The search trees generated seem correct, so something's getting broken by the time it gets to the backend.
- Search by rank is still a work in progress, and I would probably use it for the featured content on the default page in the future. It will be more complex than just "top 10 rated contents" but I will have to work with Rae to come up with a good algorithm for this.
 (8%) 
 
 
I wasn't able to implement anything completely because of other commitments. For example, the payment system is currently just in my head and nowhere else. This is not good enough because it doesn't allow anyone else to pick up my slack.

From the team perspective, Jeeyun had a rough week and hence couldn't make too much progress on her milestone. Unfortunately, I couldn't pick up the slack there because my week wasn't looking any better.

See my comment on Kevin's report. Also, picking up someone's slack isn't the way it ought to work. Everyone should do exactly their share as promised at the beginning of the week--the point isn't that the average work is the same from week to week. --Chelsea

Indeed that is how it would work in an ideal world, but I thought that in a team environment it would be useful to help each other out in times of need. I guess this shouldn't be the case...?
 (8%) 
 
 
There are a number of bugs in Trac that we didn't get fixed, either because we didn't know how to fix them or just didn't have enough time to get to them.

Also, while the authority system should now be usable in terms of setting up an authority relationship, and then getting that information, the real guts is the part of the system that re-evaluates users' authority levels and moves them up or down as appropriate. This won't be ready for another week or two.

I would have liked to revamp some of the ways sorting and searching works, but this was lowest on the priority and it didn't happen. (It didn't happen on Derek's end either).
 (8%) 
 
 
I have not been working much on notifications, but that is mostly Rae's domain (I think. I'm not quite sure exactly whose responsibility this is. I'm kinda defaulting to that I should learn it, but I've just been working on security this week). For the most part, all of my milestones this week were deferred (i.e. visualization tool was pushed off to UI, no beta caused a lot of milestones to be null and void, etc.) My main focus has been security testing.
 (8%) 
 
 
My original milestone depended heavily upon the Beta coming through, which at first was postponed to Monday and then canceled altogether. Without data, I was unable to tune up the search/sorting as there isn't really enough info in the database to do any tuning. As a result, all my original milestones were postponed until there is more info in the database.


I have not had a chance to get anything concrete on paper/code for notifications yet, as I did not receive documentation until Monday and have been swamped with other work most of the time since. As stated above, I have read through it, however, and am trying to work things out in my head. I was given no concrete milestones for notifications until (somewhat) today in class, and I posted what Brad told me. I said it's due today, but as I was just given it officially today...(it's here)

I'm more worried about this recurring theme of late/changing/nonexistent milestones than about your percentage (for this week, anyway). Be proactive and get this problem solved--it seems to affect you more than others, so you're in a good position. It's been several weeks, and weekly milestones are one of the few mandatory concrete parts of this class. --Chelsea
 (8%) 
 
 
I haven't worked on fixing bugs in the tagging interface.

I haven't done much at all with Sohum's new Account/Profile separation.

I still keep beating myself over the head for not being able to move to AJAX based tags. I try something new every week (I have up to TagContentAjax4.aspx...) and have very marginal success.
 (8%) 
 
 
Most of my intended milestones for this week were to tweak/maintain/keep up to date our production servers. Since the customer has decided that we won't use the system I set up for my milestone last week, these vanished. It's fortunate, in some ways, since I was very busy with other work in other classes this week.
 (8%) 
 
 
Use AJAX to save and load content in WYSIWYG editor
The problem is content can be saved to backend but the WYSIWYG editor will not load properly after save command
 (8%) 
 
 
- methods for deleting content and entity need to be integrated with the new access control system (although leaving those records in the database shouldn't hurt anything - aside from wasting space)
- although not specifically part of the task, a method for deleting Category objects was stubbed, but not yet implemented since the semantics of what should be done with child categories need to be discussed with the team
 (8%) 
 
 
  • The notifications hand-off isn't quite complete since Rae and Derek haven't read the explanatory materials I sent them and are thus still unfamiliar with the work. I hope the work can be transitioned pretty quickly though, but work in other classes is really straining our team right now, so maybe this won't happen.
  • The actual concrete setting down of this keeps getting pushed back. I'm actually questionable as to whether this is needed at this point in the project, although I'll probably look into doing it over Thanksgiving.
  • The messaging system is still in rudimentary form. Right now I've focused on making sure Sohum will have what he needs as far as interfaces to interact with for coding against. I imagine that implementation of the system will require about another 10 hours of work (really not much in my opinion) besides the interface work. As far as long term ownership, well I suppose there's not too much long term left, but I'd like to find someone.
  • UI and Content represent a growing concern of mine about the development process in general: the growth in new work is primarily going to be in the interface and middleware architecture, as the backend and abstract relationship systems essentially implement all of the necessary things to do almost anything we could throw at the system in terms of new features (some examples I'm tossing around include: folders/albums for content organization, rss feeds, content replies, profile customization, preference storage, and many, many data-mining type uses of the presumable wealth of information to improve search results, trust ratings, etc.). Almost all of these create burgeoning requirements on the user interface design for these components, while these teams are already in crunch mode, with the further complication that the other members of the class don't have the experience in the JavaScript/HTML/Ajax areas and thus will have substantial ramp-up times, even if we decide to try to get them to help out.
  • Testing for the week has been mostly a failure compared to what I might have hoped. Without real users trying the thing out it's really tough to design. As any good book on design will tell you, designers design for themselves, often ignoring what real users want unless they make a point of watching them interact with the products.
 (8%) 
 
 
Access controls. Access controls. Access controls. Oh god.
When Matt brought it up during the meeting, I felt really bad that it still has yet to be fully implemented. But unfortunately the two people assigned to do it have been kind of deadlocked with other work. As I understand it everyone else has as well - so I'm very disappointed with how this week turned out, but suffice to say now that there's more free time I'm definitely going to turn my attention to it, and let Sohum know I can start working on UI once it's done. No, I'm not working on Thanksgiving...Friday afterwards maybe.
 (8%) 
 

Total: 13

5. Additional Comments

 
Between two tests, a major project (CURSE YOU MALLOC) and 3 problem sets, I couldn't find a decent chunk of time to work on 410 (or sleep). I apologize for letting the team down in terms of responsibilities unfulfilled.

These hectic weeks happen--that's why you have a PM rather than a timeline on a piece of paper! It's your responsibility to get a lighter load for weeks when you have two tests, a major project, and 3 problem sets.
 (11%) 
 
 
I've allocated the majority of my time this past week to malloc :(((.
 (11%) 
 
 
This week was a bad week for everybody. I had a test, a project and a problem set due. I will be flying to Dallas tomorrow for an interview as well. I apologize for letting down the team.

See my comment on Kevin's report. --Chelsea
 (11%) 
 
 
This has probably been one of my most unproductive weeks from a Comp410 perspective, mainly due to SAS commitments. Speaking of which, everyone should go to the show on Friday/Saturday night at 6.30 pm!
 (11%) 
 
 
Other classes caught up with us in a big way this week, and I have the feeling that other teams are suffering from this as well. I'm just looking to the Thanksgiving break and counting down the days.

See my note on Kevin's report. --Chelsea
 (11%) 
 
 
The percentage I give is kind of random. I have no idea how to actually rank the percentage due to the change in milestones and the vague concept of "Test the site," especially in terms of security where the important problems are the ones you don't know about... Thanks for the clarification. It should be noted that the staff has been having trouble with this, too...and that's not so good for grades... --Chelsea

All in all, I based the number off of the idea that security testing/general testing was my major concern, and the number of tests for known holes that I ran through the system.
 (11%) 
 
 
Bad week....between no beta, switching to notifications so late in the week, and my tablet crash (on top of work for other classes & powderpuff playoffs), I haven't really been productive for 410. Sorry guys...I'll try to get more in this week to make up for it.
 (11%) 
 
 
Great detail--just remember to link to your milestones next time. --Chelsea
 (11%) 
 
 
I sincerely apologize for the lateness, a detailed explanation can be found on my journal entry. Short and sweet - last week was HELL, and now I'm up at 630 am after having slept off an egregious headache/coughing fits/god-i-hope-this-all-goes-away-by-Thursday situation, left awake, but groggy all the same.
 (11%) 
 

Total: 9