Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
1 Apr 2013 at 18:04 UTC
Updated:
6 Oct 2013 at 00:31 UTC
LiveHelpNow is a responsive, reliable, and extremely affordable Help Desk Software for your website. The live chat button plugin adds click-to-chat functionality to your website, allowing you to interact directly with website visitors the same way you would in a traditional retail store. You wouldn't ignore customers in your store, so don't ignore the ones visiting your site every day!
Chat with customers using any computer or mobile device and monitor website visitors in real-time using our Top Rated Chat System. Invite visitors to chat automatically or proactively, help them with product selection, and increase sales! When you're unavailable the chat button plugin switches to an 'offline mode' that allows visitors to leave you messages.
This plugin is exclusively for the LiveHelpNow Chat System & also integrates seamlessly with:
• LiveHelpNow Ticket System
• LiveHelpNow Callback Request System
http://drupal.org/sandbox/livehelpnow/1279670
http://drupalcode.org/sandbox/livehelpnow/1279670.git
Comments
Comment #1
PA robot commentedWe are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #2
ericwitchin commentedI have reviewed and tested this module. Everything is functioning as expected and works great.
Comment #3
patrickd commentedI'm afraid I got to push this back to needs work.
package = "LiveHelpNow Help Desk -- Chat Button"Is too specific! Please use the package to describe the type of module. for example "Live chat", etc. I would suggest you have a look at other chat-modules and see what package they are using, so it won't fill up the modules page with tons of different package names for just one module.You must use the same name for your project files as you use for the project shortname!
lhnchat.module should be livehelpnow.module and so on
An automated review of your project has found some issues with your code; As coding standards make sure projects are coded in a consistent style we please you to have a look at the report and try to fix them. Anyway, note that issues found are possibly false positives and fixing all issues is not a requirement for getting through the application process.
After you renamed your files, please run all of your code through the coding-standards check at http://ventral.org/pareview and try to solve as many issues as possible.
And please don't register any accounts just to set your own application to RTBC.
Comment #4
livehelpnow commentedHello patrickd,
Thank you for reviewing our project and providing your feedback. I appreciate you providing links with how to fix the errors, they helped a lot. I believe I have corrected the issues you brought to our attention. As for the package name, I changed it to LiveHelpNow as we will be releasing more modules in the future. All of the modules will use that package name and be grouped together as desired. If you could be so kind to review the project again and see if there are any additional issues I may have looked over, it would be greatly appreciated.
Thanks,
LiveHelpNow
Comment #5
livehelpnow commentedComment #6
patrickd commented"update" is a very bad commit message - commits are for changes, for sure you updated something. It would be much more useful if you explain *what* you changed in the commit. Also have a look at Commit messages - providing history and credit.
As a general best practice you keep data type correct and clean until you print it to the page.
If you have an integer in a variable use it as integer (
0) not as string ('0').If the javascript requires it to be a string - cast it.
(string) 0;I know it's very annoying but when you'r using a default value
variable_get('livehelpnow_buttonid', '35'),in your form, you have use it everywhere else for this variable too!
variable_get('livehelpnow_buttonid', '');<-- set 35 as default valueRather than putting javascript directly/inline into a block you could make use of the inline option of drupal_add_js()
At the moment your printing out the javascript options completely unfiltered. Someone with the proper permissions could put anything into these options (like malicious javascript). You have to properly sanitize your output or validate the module setting values.
For example
If it must be numeric - enforce it!
add:
Anything else that can not be validated this way / or contains un-validated user input --> put it into check_plain() before printing it into the page / using it as inline javascript options!
It's a checkbox? use booleans!
(Also - avoid putting HTML into t()-functions, this makes the live of translators harder than it should)
In your 6.x-1.x branch you are not deleting all used variables on uninstallation.
Read about removing your existing tags here: http://nathanhoad.net/how-to-delete-a-remote-git-tag (Don't create tags until you can actually create releases)
I also recommend that you might have a look at https://drupal.org/writing-secure-code
Sorry, kicking back to needs work because of the security issues mentioned above.
Comment #7
livehelpnow commentedHello patrickd,
I apologize for the bad commit messages, I thought they were only stored on my local git repo. I have started using the [Issue] by [Name]: [Description] format.
I have converted all variables to an integer with the exception of the livehelpnow_clientid, which is treated as a string throughout the entire code. As a quick explanation of why the (*must be numeric) is on that field, most standard users it will only be numeric, however certain clients will have the ability to place text characters within that field to modify the displayed button.
I did attempt to use the drupal_add_js, however it broke the code as the javascript must be placed in a certain order along with the html link. Since I am now validating the form options I am hoping this is no longer an necessary as this could cause us a big issue.
While I did not use the #element_validate like you suggested, I have now added all the fields (with exception to the checkbox) to the livehelpnow_form_validate function where I am checking for numeric and other things, along with outputting custom error messages.
I have switch the checkbox to use FALSE instead of 0.
I have updated the 6.x-1.x uninstall function to delete all of the variables.
As far as I can tell all local and remote git tags have been removed.
Once again, thank you for adding the links for me to reference. It seems to me there is a lot of great documentation for drupal that takes quite some digging to find. I have checked out api.drupal.org, along with some tutorials I was able to find. Do you have any other general links for a page containing important links that may help us on future development?
I apologize for the issues, but truly appreciate you being thorough in the approval process to help find security issues and to meet the Drupal coding standards. Please review the updated git repos and let us know of any additional issues you may find.
Thanks,
LiveHelpNow
Comment #8
kscheirerThe links Help Desk Software and Ticket System on your project page doesn't go anywhere.
The url
admin/config/user-interface/livehelpnowshould be admin/config/livehelpnow.Wait,
livehelpnow_clientidmust be numeric say the #description, but in validate it accepts "lhn" and "-1" as valid? Can you make that clearer? Also, is_numeric() will happily accept any number, including floats like 3.14159. Maybe you want ctype_digit() or a regex instead?drupal_add_js() was already mentioned for livehelpnow_block_view(). I guess it's fine how you have it, but I think you can still use drupal_add_js() with the 'inline' option and it should print in the same place directly in the page. The parameters look safe now that they're being validated on form submission.
Those seem like minor issues.
----
Top Shelf Modules - Enterprise modules from the community for the community.
Comment #9
livehelpnow commentedI have changed the validation to use the ctype_digit and I have also changed the config location as you requested. The reason I allow lhn in the account number is due to a lot of our clients accidentally putting the lhn in there, so I just strip it later. As for the -1, certain client will have the ability to add that to perform an extra task within the button. Not all clients will use this (hence the numeric only) and the ones who do will know that they can use it.
Thank You,
LiveHelpNow
Comment #10
kscheirerThe code seems fine. But,
All user accounts are for individuals. Accounts created for more than one user or those using anonymous mail services will be blocked when discovered (see Get a Drupal.org account).
Please change your account information and enter your realname.
The application was created by user livehelpnow (who did include a real name), but that user only has a 1 line initial commit. The module looks like it was written by Eric Witchin. We can only grant Git Vetted User status to 1 person for this module. Signing posts as "LiveHelpNow" is not helping - that just makes it look like you're sharing a single account.
Also, should we be reviewing the 6.x or 7.x branch? I think I did 7.x last time, but now I'm not sure anymore.
Please post more information and set this issue back to "needs review".
----
Top Shelf Modules - Crafted, Curated, Contributed.
Comment #11
livehelpnow commentedI am looking for both the 6.x and 7.x branch to be reviewed. As for the username, I am the only user using this account and I have also built the plugin being reviewed. I took this account over from someone who no longer has access to it so if I need to change something in the account to continue, please let me know.
Thanks,
Eric (LiveHelpNow)
Comment #12
kscheirerSending to klausi, he may have time to help figure this out.
Comment #13
klausi@livehelpnow: I'm confused, you are writing as Eric but your profile says Michael Kansky? So this is in fact a shared account? And that shared account did all the git commits.
Please note that organization accounts cannot be approved for git commit access. See https://drupal.org/node/1966218 and https://drupal.org/node/1863498 for details on what is/isn't allowed. Please update your user profile so that we don't have to assume that this is a group account.
Proposed solution: rename the livehelpnow account to something individual like eric_xyz? And make the profile consistent please.
Comment #14
livehelpnow commentedSorry for the confusion everyone. I have changed my username to eric_livehelpnow and changed the contact name to my actual name. I would like to state again I was the only person who did development/git commits and I am the only person who has access to this account. Thank you all for your help.
Comment #15
kscheirerThanks for clearing that up!
----
Top Shelf Modules - Crafted, Curated, Contributed.
Comment #16
kscheirerAccount issues are resolved, and it's been a month without any problems, so...
Thanks for your contribution, eric_livehelpnow!
I updated your account to let you promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and get involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
----
Top Shelf Modules - Crafted, Curated, Contributed.