Purpose
The module delayed ownership allows anonymous users to create content and to keep their authorship when logging in within a certain (configurable) period of time.
Technically, in order to assign a node's authorship to a user logging in, the module checks which nodes were created by this (previosly anonymous) user and assigns authorship to her.
- Git:
git clone --recursive --branch 6.x-1.x http://git.drupal.org/sandbox/organicwire/1800776.git delayed_ownership
- Project page
- Working version for Drupal 6 and Drupal 7. D8 version is planned.
Any similar modules?
There's a module called Lazy Registration which has a slightly similar purpose but not the same. For each anonymous user, a user is created and deleted if not confirmed after a certain time. This module was abandoned after version 5.x-1.x-dev.
However, Lazy Registration didn't make us happy in our project, as we didn't want to have thousands of unconfirmed user profiles on our site. Instead we chose a lean and fast way for transferring authorship (see above for details).
Comments
Comment #1
klausiWelcome,
please get a review bonus first. Then try to fix issues raised by automated review tools: http://ventral.org/pareview/httpgitdrupalorgsandboxorganicwire1800776git
Comment #2
Frank Ralf CreditAttribution: Frank Ralf commentedIs the D7 code also available for testing purposes?
Comment #3
Frank Ralf CreditAttribution: Frank Ralf commentedI would like to help making this an official project soon. Could you list me as a co-maintainer?
Comment #4
parwan005 CreditAttribution: parwan005 commentedHi,
here are the responses to your manual review done by me:-
.module file.
1) Remove $Id$. It is no longer required.
2) Remove commented code this should not be here.
3) @file doc comment missing though details are there. I believe @file should also be there.
4) Proper formatting of the code has not been done. Please refer this.
5) Global variables like $user etc. should be mentioned at the top. That is good practice.
6) true or false should always be caps. Though it dont makes a difference, but thats the standard.
7) Rather than drupal_goto in nodeapi you should be using $_REQUEST['destination']
8) HTML content should not be generated in the .module file. That work should be done in .tpl file. So you should remove this.
.install file.
1) Remove $Id$. It is no longer required.
2) Delete variables used in your module after your module is uninstalled.
.info file.
1) Remove $Id$. It is no longer required.
Comment #5
Frank Ralf CreditAttribution: Frank Ralf commentedAll these issues seem to have been already fixed in the D6 branch from http://drupal.org/project/1800776/git-instructions
What has to be done to move things forward?
Comment #6
parwan005 CreditAttribution: parwan005 commentedAfter fixing issues, if any you should mark the status to needs review again.
Thanks
Parwan
Comment #7
organicwire CreditAttribution: organicwire commentedI fixed the remaining issues complained by ventral.org. See the review log.
The review still complains three issues, all of them text formatting, which I do not want to change as this would break documentation's readability.
Comment #8
Frank Ralf CreditAttribution: Frank Ralf commentedA Drupal 7 branch is now also available via Git at http://drupal.org/node/1800776/git-instructions/7.x-1.x
Comment #9
jnicola CreditAttribution: jnicola commentedThis sounds really cool... and reading the code it seems well thought out and written. Cool functionality!
Curisoity question: On line 142 you make the session ID available as a form element. Does this present any potential issues for some one being able to get your session ID and jack it? Just something I was randomly thinking about...
One thought on wording:
Line 397 -- '#title' => t('Allow delayed ownership on'),
Maybe consider a different wording there such as 'Enable delayed Ownership'. The words "allow" and "on" are redundant in that situation.
Choice of wording: You decided to call the anonymous node form followup page a feedback page. Not sure if this is a Drupal term or your own, but it doesn't really seem feedback related since the user isn't really being asked to submit anything to you about quality. "Anonymous Follow Up Page" is what I'd go with. Not that it matters, especialy if it's a Drupal term :)
Something Positive: I just reviewed two modules prior to this. Both of them had almost non-existant project pages and their readme files were similarly devoid of content. Yours is much better! Congrats! Maybe consider pulling some of your stuff from readme into the project page as well though?
Comment #10
asgorobets CreditAttribution: asgorobets commentedHi,
Great job so far,
I don't know if Drupal 7 version should be reviewed in this Project application issue, but anyway. I really like the idea and want to contribute to review:
Review of 7.x-1.x branch:
1. Line 6: Replace anymous with anonymous.
2. Line 48: You don't have to specify 'access callback' => 'user_access' as this is the default callback. It can be removed.
3. Line 196: Maybe it would be better to use #markup for $form['links'] element instead of #value.
4. Line 229: You can use $form_state['redirect'] to redirect forms instead of drupal_goto. It will allow other users to alter your form and specify their own redirect of they have to.
5. In delayed_ownership_feedback_page() looks like a theme function with a template or preprocess will be better for HTML output. The $output .= 'something' in your case is not readable and hard to maintain.
Also please take a look at review script issues here:
http://ventral.org/pareview/httpgitdrupalorgsandboxorganicwire1800776git
I'm not changing status to needs work since the issue contains (D6) in title and reviewed branch is D7. Correct me if i'm wrong.
Good job!
Comment #11
Frank Ralf CreditAttribution: Frank Ralf commentedThanks to both of you for the feedback!
@ jnicola (#9)
The form element code is a remnant from the D6 code. In fact it isn't used anymore in the D7 version and will be removed in the next round of refactoring :-)
@ asgorobets (#10)
Thanks for your helpful suggestions! We hope to soon get the full project status so we can open a proper D7 issue.
Comment #12
Frank Ralf CreditAttribution: Frank Ralf commentedJFTR
There's an interesting recent article on "Registration Through Site Engagement".
Comment #13
organicwire CreditAttribution: organicwire commented@ jnicola: Thanks for your detailed feedback. About the wording I agree. I changed the labels you mentioned. Hopefully, it's a little more clear now.
About your security consideration: I don't think, exposing the session id in the form is any problem. It's exposed anyway as the browser's http requests contain it anyway. To be safe here, you'd need https.
Comment #14
Frank Ralf CreditAttribution: Frank Ralf commented@organicwire
The session id in the hidden form field code can be removed from the Drupal 7 version as it isn't used any more.
Comment #15
organicwire CreditAttribution: organicwire commented@Frank Ralf: I removed the hidden form field.
Comment #16
Frank Ralf CreditAttribution: Frank Ralf commentedThanks!
Comment #17
jibranI found some issues at http://ventral.org/pareview/httpgitdrupalorgsandboxorganicwire1800776git...
Comment #18
PA robot CreditAttribution: PA robot commentedClosing due to lack of activity. Feel free to reopen if you are still working on this application.
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #19
organicwire CreditAttribution: organicwire commentedThe issues from ventral.org are fixed (except a couple of very silly ones which don't make sense in this context). Check the ventral log for reviewing
Comment #20
organicwire CreditAttribution: organicwire commentedChanged issue title. The sandbox contains a D6 and a D7 branch.
Comment #21
kscheirer6.x branch review:
'#type' => 'hidden'
, which actually renders a form element for the user, use type value, which won't show anything to the user, but will still be available on validation/submission. Also, you can move the condition($user->uid == 0)
above the foreach() block - then you will only check the form ids if the user is anonymous. If the user is not anonymous you don't have to do any work.time() + (60 * $minutes)
?variable_get('delayed_ownership_nodetype_' . $node->type, TRUE)
default to FALSE instead? That would be a little safer. In fact, couldn't this code for $op = 'insert' all be moved over to _delayed_ownership_node_form_submit()? You've already done the work to make sure your custom submit function gets called when a anon user submits a node of the right type, no need to check all nodes again.7.x branch review:
drupal_save_session(TRUE);
like that - if the sessions arent being saved there's probably a good reason for it. I think Drupal's default is to always save sessions. Can you explain a bit more?There's an inherent security problem - using session id's + IP address is probably the best method you can use, but that info is all passed via plaintext and if intercepted could allow a user to have someone else's nodes assigned to themselves. I don't think it's a major issue, but if you could add something to the project page to let users know what the implications are, that would help.
----
Top Shelf Modules - Enterprise modules from the community for the community.
Comment #22
Frank Ralf CreditAttribution: Frank Ralf commented@kscheirer
Thanks for your thorough review.
Actually, I went through a lot of session related documentation while upgrading the module. Session handling with regard to anonymous users is a bit tricky. If I remember correctly, the following comment from the API documentation for drupal_session_inititalize() was the reason for using drupal_session_start():
drupal_session_initialize(): "Initializes the session handler, starting a session if needed."
Here are some more relevant session functions:
HTH
Frank
Comment #23
PA robot CreditAttribution: PA robot commentedClosing due to lack of activity. Feel free to reopen if you are still working on this application (see also the project application workflow).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #24
organicwire CreditAttribution: organicwire commented@kscheirer: Thanks indeed for your detailed review.
FIXED
DEFERRED/REJECTED
I'm opening a separate task for this: #2109197: Use #type = hidden in anonymous form
This would affect the actual functionality. Please open a feature request issue for this.
I created an issue for this: #2109221: Add theme function for D6
--> I created a separate issue for discussion: #2109205: is calling drupal_save_session(TRUE) a good idea?
Seems that there's no clear coding style for this. I won't fix this as I prefer to avoid repetition and to keep defaults in one place.
Isn't this an inherent security issue of every session based access grant system (used by every website that provides a login)? When stealing a session id from someone, you can hijack this user account (and get his or her permissions). The only solution is to use SSL for your website.
-> Why is this actually required? Is it part of Drupal's coding standards?
Comment #25
lolandese CreditAttribution: lolandese commentedI have the D7 version running on a proposal website (not public yet) where it works as expected.
The only minor issue I had found #2084719: D7: Change path of configuration page to admin/config/content (instead of admin/config) has been fixed.
Comment #26
kscheirerThere are still a few style issues reported here: http://pareview.sh/pareview/httpgitdrupalorgsandboxorganicwire1800776git. You've addressed all my blocking issues though, so this is RTBC from me. It's not required to remove .gitignore, just a general practice.
----
Top Shelf Modules - Crafted, Curated, Contributed.
Comment #27
organicwire CreditAttribution: organicwire commentedThanks to @lolandese and @kscheirer for your feedback! What is the next step I've to do?
Comment #28
kscheirerNo further action is required, but the best thing you can do is get a Review Bonus by reviewing other applications. That will get you to the top of the list of projects to get reviewed (and hopefully approved). Only manual reviews count, just using http://pareview.sh is not enough.
Or if you wait a month and no one else raises any issues, I will send this application to "fixed" myself, which grants you "git vetted user" status and the ability to promote your sandboxes to full projects (including this one).
----
Top Shelf Modules - Crafted, Curated, Contributed.
Comment #28.0
kscheirerChanged headline level, updated the information on D7 version.
Comment #29
organicwire CreditAttribution: organicwire commentedUpdated D7 status
Comment #30
yannickooThis needs work because of #2130351: Comply with coding standards.
Comment #31
klausiMinor coding standard errors are not application blockers, any other major problems you found in your manual review?
Comment #32
kscheirerIt's been a month without any problems reported, so I'm promoting this myself as per https://drupal.org/node/1125818.
Thanks for your contribution, organicwire!
I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
----
Top Shelf Modules - Crafted, Curated, Contributed.