[D7] Field Wistia

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Outside of what's mentioned in http://pareview.sh/, the code itself looks pretty solid. One thing I noticed on line 36 in field_wistia.admin.inc is that the value of @url has parentheses wrapped around it. Did you intend to wrap this value in url()?

You may go to http://pareview.sh/ and submit a review of your site using http://git.drupal.org/sandbox/joetoday/2191943.git.

Here are the main takeaways:

1) You will need to switch your module's default branch over to a non-master branch and remove master. Make sure to set the correct default branch: http://drupal.org/node/1659588 . Then remove the master branch, see also step 6 and 7 in http://drupal.org/node/1127732 .

2) You will also need to set a param type in your documentation on line 73 of field_wistia.theme.inc. Param types are technically optional for D7 modules, but they are still required to pass this review. The param type in this case would likely be string.

Hi joetoday,

First off, this module looks great!

I noticed that the permissions of all the module files except field_wistia.admin.inc are set at 755 (the default mode for folders). They should be set to 644 so that they don't have execute permissions.

You should also remove the trailing whitespace in the files as per https://drupal.org/coding-standards#indenting. Your editor should be able to do that automatically for you so you won't ever have to worry about it again. :)

I'm looking forward to seeing your module out in the wild!

That's weird. I wonder if it ignores comments and multi-line strings.

Here's the list of places I found trailing spaces:
- field_wistia.admin.inc: 17
- field_wistia.info: 2, 5
- field_wistia.module: 90, 91
- field_wistia.theme.inc: 7

Awesome! I love sublime. If you're having problems with that whitespace plugin, you might try adding "trim_trailing_white_space_on_save": true to your preferences.

Everything looks good to me. Hopefully someone will promote it to a full project soon. Thanks for sharing your module!

Automated Review

Review of the 7.x-1.x branch:

• Coder Sniffer has found some issues with your code (please check the Drupal coding standards). See attachment.
• DrupalPractice has found some issues with your code, but could be false positives, and may be duplicate results from Coder Sniffer. See attachment.

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.

Minor things, but fix when you can.

Manual Review

The duplication/collaboration issue is tricky with the video modules. There are two general purpose video modules that
I know about, Media and Video Embed Field. There are also some modules that provide fields for a particular
video provider. Media and Video Embed Field both provide hooks for adding different providers, which this module
does not implement. Long term, I would suggest adding support for these through submodules.

field_wistia_field_schema(). No primary key for your table? These are usally a good idea.

(+) Avoid building HTML in t(). In field_wistia_settings_form(), build the link with l(), and then pass this in
to t() as a placeholder.

(*) In field_wistia_field_widget_form(), pass in the ID as a parameter to t() (line 336). This is XSS vulnerable. If I schema
alter to make the field longer, I can set the URL to http://www.wistia.com/medias/<script>alert('XSS')</script>
and get the alert on the edit page. In addition, I would see if you can validate the ID, but validation is not a
substitute for output sanitization.

field_wistia_get_video_id() should probably return FALSE if the URL wasn't valid.

(+) field_wistia_get_remote_image() should use the File API for the thumbnail. See system_retrieve_file().

(+) It doesn't look like there is any cleanup of the thumnails when a video field is removed. This should be addressed.

(+) In theme_field_wistia_video(), don't build the URL manually, use url().

In _field_wistia_request_embed(), use drupal_json_decode().

The custom dimensions in the setting form can probably use some validation, and casting to int when you use them.

The starred (*) issues are blockers. Please don't remove the security tag, we keep that for statistics and to show examples of security problems.

The plussed (+) items are high priority, but not blockers.

Ignore my comment in #18 about "Avoid building HTML in t(). In field_wistia_settings_form(), build the link with l(), and then pass this in to t() as a placeholder." I forgot this was the preferred practice so the link title gets translated.

Looks RTBC to me after a manual review! Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

Assigning to heddn as he might have time to take a final look at this.

Manual Review

Individual user account

Yes: Follows the guidelines for individual user accounts.

No multiple applications

Yes

No duplication

Yes

Master Branch

Yes: Follows the guidelines for master branch.

Licensing

Yes: Follows the licensing requirements

3rd party code

Yes: Follows the guidelines for 3rd party code.

README.txt

Yes: Follows the guidelines for in-project documentation and the README.txt Template.

Code long/complex enough for review

Yes: Follows the guidelines for project length and complexity.

Secure code

Yes. If "no", list security issues identified.

Coding style & Drupal API usage

Place code review here using this format:

• .module seems to assume a size of 640x360 but .inc file seems to allow various sizes.
  See field_wistia_field_formatter_settings_summary & field_wistia_size_options

The manual review comments in the code walkthrough are recommendations.

Thanks for your contribution, Joe!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.

Congratulations Joe!