FB live module is build as an add-on to Drupal for Facebook module. It's main purpose is to give other modules the possibility to cache some information exchanged with Facebook servers (see here).
If you have a Facebook application that, for example, shows it's users at some point their list of friends, with this module, you can subscribe to Facebook live-updates and make it possible to cache the list. Next time the user opens that page the list can be loaded from cache instead making another query to Facebook for it.
For now, it's only available for Drupal 7.x.

Project home: http://drupal.org/sandbox/asavin/1460432
Git: git clone --branch 7.x-1.x http://git.drupal.org/sandbox/asavin/1460432.git fb_live

CommentFileSizeAuthor
#4 report.txt12.47 KBalex dicianu

Comments

Gerben Spil’s picture

Gerben Spil commented
Status: Needs review » Needs work

You should run the module through coder (install the coder module with drush dl coder) and review your module (click on the review link on the modules page of your Drupal installation). Coder reports the following:

Coder found 1 projects, 2 files, 1 critical warnings, 13 normal warnings, 12 minor warnings, 0 warnings were flagged to be ignored

Don't forget to set Coder to use the most strict setting, so it will report everything.

The critical warning (fb_live.module):

Line 132: Potential problem: confirm_form() only accepts filtered text, be sure all !placeholders for $variables in t() are fully sanitized using check_plain(), filter_xss() or similar. (Drupal Docs)

Alex Savin’s picture

Alex Savin commented

Thanks! I'll install it right away!

And about the error ... I'll just get rid of confirm_form and add a normal submit. Anyway it's useless there.

EDIT: I'll also add a README.txt file with some usage example.

Alex Savin’s picture

Alex Savin commented
Status: Needs work » Needs review

OK! Try it now. I've made some code cleaning, added some new functionality and also added a README.txt file that tries to explain everything and that also has a working example.

alex dicianu’s picture

alex dicianu commented
StatusFileSize
new report.txt12.47 KB

There are still files other than README.txt in the master branch, make sure to remove them. See also step 5 in http://drupal.org/node/1127732
Review of the 7.x-1.x branch:

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. Get a review bonus and we will come back to your application sooner.

I've attached the report.

In the .module file:
Line 50 you implemented hook_form_alter, but your function name is

/**
 * Implementation of hook_form_alter
 */
function fb_live_form($form, &$form_state, $fb_app) {
...

Line 136 function _flip_array($array). You should namespace your function in order to avoid name collisions. I'm sure there is a drupal function that does exactly this, but I just can't remember the name.

alex dicianu’s picture

alex dicianu commented
Status: Needs review » Needs work
klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Status: Needs work » Closed (won't fix)

Closing due to lack of activity. Feel free to reopen if you are still working on this application.

Alex Savin’s picture

Alex Savin commented
Status: Closed (won't fix) » Needs review

I cleaned the code and now I only have 3 issues left that I don't find very important (if parsed with PAReview.sh).

dharam1987’s picture

dharam1987 commented

Suggestions:

git clone --branch 7.x-1.x http://git.drupal.org/sandbox/asavin/1460432.git fb_live

put this command in your issue summery, as the other one asks for a password and the reviewers may thing something else and skip reviewing the project.

http://ventral.org/pareview/httpgitdrupalorgsandboxasavin1460432git

Though you have mentioned, I would suggest you to fix these errors before applying for review bonus tag, as this defenitely will be pointed out while reviewing your project.

FILE: ...-pareview/sites/all/modules/pareview_temp/test_candidate/fb_live.module
--------------------------------------------------------------------------------
FOUND 3 ERROR(S) AFFECTING 2 LINE(S)
--------------------------------------------------------------------------------
265 | ERROR | Function comment short description must be on a single line
337 | ERROR | Function comment short description must be on a single line
337 | ERROR | Function comment short description must end with a full stop
-------------------------------------------------------------------------------

Also it looks like you are setting a variable while installing and not deleting it while uninstalling the module.

Thanks

Alex Savin’s picture

Alex Savin commented

Thanks dharam1987!

Check! Check! Check! Now everything should be ok. I tested it again with pareview and didn't get any warning and I also add the delete code for that var.

Alex

cubeinspire’s picture

cubeinspire commented

Regarding this:

Also it looks like you are setting a variable while installing and not deleting it while uninstalling the module.

I see that there are 4 variables created on .module, but just one deleted on un-install. Those 4 variables shouldn't be deleted too ?

Alex Savin’s picture

Alex Savin commented

Thanks! Updated!

caseyc’s picture

caseyc commented

A few suggestions I have:

1) When you install this module, it's not really clear which it is out of the many Facebook modules that the fb module provides. I might suggest you name the module in the .info file something like "Facebook Live Updates" as anyone would likely just search for "facebook live" on the modules page to find it.

Otherwise, you should probably put what the module is actually named in the README file, rather than saying just "-Copy the module into the appropriate modules subdirectory and enable it.".

2) I might suggest actually putting it in its own fieldset on the modules page so it's not burried amidst all the fb modules - as although it does expand on the fb module, it is a different module obviously. But point #1 would likely be enough.

3) I notice you have several misspellings in your text. I found some on lines 78, 79 and 109, but there may be more. You may want to do a spell check.

4) You may want to say in the README that your module requires the fb module. Perhaps you could make it the first step in your "Installation and configuration". (-make sure you have the FB module installed: http://drupal.org/project/fb)

5) In general, it's not good security practice to ever have 'access callback' => TRUE in your hook_menu. It's the same thing as giving it a permission and then granting that permission to anonymous (put in your README) and gives you the option in the future to restrict this if the user should ever see fit. I understand that in this case you may override me on that as it's supposed to listen, but just throwing that out there.

Nice work on the module!

Alex Savin’s picture

Alex Savin commented

Thanks for the review!

I've changed the module name to Facebook Realtime Updates as this is the name of Facebooks' feature. I've done some spell checking fixes and also enhanced the README.

To change the 'access callback' => TRUE to an actual permission would mean that the user will have to check that permission for anonymous users after installing the module. I could put it in the installation steps but I find it redundant because for the module to work it needs this permission and admins might forget to check it. I'll wait for more feedback about this and I might enable it eventually.

subhojit777’s picture

subhojit777
he/him
Primary language Bengali
commented

There are some coding standard mistakes you have done http://ventral.org/pareview/httpgitdrupalorgsandboxasavin1460432git

You could use some comments in the module. For example:

function _fb_live_flip_array($array) {
  foreach ($array as $key => $val) {
    $array[$val] = $val;
    unset($array[$key]);
  }
  return $array;
}

You have given a description for this function, but that does not explains what this function actually does.

Also I have seen that you are using the PHP ternary if operator in module file. For example:

$print_subs['items'][$i]['children'][] = '<strong>' . $type . '</strong>:&nbsp;<em>' . (is_array($s) ? implode(', ', $s) : $s) . '</em>';

In module file you do not need to use ternary operators, AFAIK ternary operators reduces code readability and maintainability. Ternary operators may look simple and should not be used for complex conditions. Also if you want to see which is faster PHP ternary if operator or if-else condition refer this page

brycefisherfleig’s picture

brycefisherfleig commented
Status: Needs review » Needs work

Looks like a great module. However, automated review issues are still outstanding: http://ventral.org/pareview/httpgitdrupalorgsandboxasavin1460432git.

Changing status to needs work.

Alex Savin’s picture

Alex Savin commented
Status: Needs work » Needs review

OK ... I fixed the last automated review issues. Please, check it out:
http://ventral.org/pareview/httpgitdrupalorgsandboxasavin1460432git

brycefisherfleig’s picture

brycefisherfleig commented
Title: FB Live » [D7] FB Live
davidam’s picture

davidam commented

I'm seeing an error:

DrupalSecure has found some issues with your code (please check the Writing secure core handbook).

FILE: /var/www/drupal-7-pareview/pareview_temp/fb_live.module
--------------------------------------------------------------------------------
FOUND 1 ERROR(S) AFFECTING 1 LINE(S)
--------------------------------------------------------------------------------
352 | ERROR | Printing unsanitized input from $_GET
Alex Savin’s picture

Alex Savin commented

That's in the the check that Facebook does to verify that the server is the one that is supposed to be.

This module is in sandbox mode for a year now ... can we just skip this puny little problems and let others use it?

This is not really a problem as I make sure that is fasebook who makes that request. Check the code:

/**
 * Listens for Facebook live updates calls to our app.
 */
function fb_live_listen() {
  $method = $_SERVER['REQUEST_METHOD'];

  // In PHP, dots and spaces in query parameter names are converted to
  // underscores automatically. So we need to check "hub_mode" instead
  // of "hub.mode".
  if ($method == 'GET' && $_GET['hub_mode'] == 'subscribe' &&
      $_GET['hub_verify_token'] == variable_get('fb_live_verify_token', '')) {
    if (fb_verbose() == 'extreme') {
      // Some debug info.
      watchdog('fb_live', 'Live-update hailing received from Facebook:<br />'
          . '<pre>%chalange</pre>',
          array('%chalange' => $_GET['hub_challenge']));
    }
    // Say Hi! to Facebook.
    echo $_GET['hub_challenge'];
  }
  elseif ($method == 'POST') {
    $updates = json_decode(file_get_contents("php://input"), TRUE);

    // Act on received updates.
    fb_invoke(FB_LIVE_OP_UPDATE_RECEIVED, $updates, NULL, 'fb_live');

    if (fb_verbose() == 'extreme') {
      // Some debug info.
      watchdog('fb_live', 'Live-update notification received from Facebook:'
          . '<br /><pre>%updates</pre>',
          array('%updates' => print_r($updates, TRUE)));
    }

    drupal_exit();
  }
}
kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Assigned: Unassigned » kscheirer
kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Assigned: kscheirer » Unassigned
Status: Needs review » Reviewed & tested by the community

How is setting a random value in the install file variable_set('fb_live_verify_token', $rand); useful?

You should have spaces between items in an array, especially in the giant DEFINEs at the top of the module. Speaking of which FB_PATH_ADMIN_APPS and FB_PATH_ADMIN_APPS_ARGS don't seem to be defined anywhere. You shouldn't call exit() in a drupal function - just drupal_not_found() and then returning from the function is sufficient. Can you use PHP's array_flip() instead of _fb_live_flip_array()?

Some of those aren't minor, like the missing defines, but there aren't any security problems or critical issues. Marking RTBC from me.

Alex Savin’s picture

Alex Savin commented

How is setting a random value in the install file variable_set('fb_live_verify_token', $rand); useful?

I need it to be unique for each module installation.

You should have spaces between items in an array

True! Will add.

Speaking of which FB_PATH_ADMIN_APPS and FB_PATH_ADMIN_APPS_ARGS don't seem to be defined anywhere.

They are defined in the main "Drupal for Facebook" (fb) module which is a dependency for "FB Live" module (this module). So, if this module is enabled that means that fb is enabled and that means that they are in fact defined.

You shouldn't call exit() in a drupal function - just drupal_not_found() and then returning from the function is sufficient.

True! I will change that.

Can you use PHP's array_flip() instead of _fb_live_flip_array()?

I need to transform it from $array[KEY] = VALUE to $array[VALUE] = VALUE.

kscheirer’s picture

kscheirer
Primary language English
Location Vallejo
commented
Status: Reviewed & tested by the community » Fixed

Thanks for those fixes, looks good to me. This issue has been waiting for quite some time, thanks for sticking with it.
Can you sanitize 352 echo $_GET['hub_challenge']; before printing it? Using check_plain()?

Thanks for your contribution, Alex Savin!

I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.

----
Top Shelf Modules - Enterprise modules from the community for the community.

Alex Savin’s picture

Alex Savin commented

Thank you for the account update and feedback.

Regarding the sanitisation of that echo, I don't know how good of an ideea is. The workflow there is this:

Subscription Verification

Firstly, Facebook servers will make a single HTTP GET to your callback URL when you try to add or modify a subscription. A query string will be appended to your callback URL with the following parameters:

hub.mode - The string "subscribe" is passed in this parameter
hub.challenge - A random string
hub.verify_token - The verify_token value you specified when you created the subscription
The endpoint should first verify the hub.verify_token. This ensures that your server knows the request is being made by Facebook and relates to the subscription you just configured.

It should then echo just the hub.challenge value back, which confirms to Facebook that this server is configured to accept callbacks, and prevents denial-of-service (DDoS) vulnerabilities.

I cannot alter the output of that challenge because FB server might reject it. The emphasised text in the previous quote is what interests you. The facebook creates the request using the token (hub.verify_token) uniquely created by the module at installation thus I am dead sure that I'm replying to facebook.

Please correct me if you see something wrong in my logic.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

(not verified) commented
Issue summary: View changes

Changed git path to remove the username from it