Description of project, including difference:
Trebutra is an integration of Trello into Drupal 7 with the express purpose being a bug tracker that sends to a Trello board list. Unlike the "Trello" module, this module is specific in function and immediately useful out-of-the-box for those who share the same need, with minimal configuration required.
Project page:
https://drupal.org/sandbox/mattwithoos/2268803
git clone link:
git clone --branch 7.x-1.x http://git.drupal.org/sandbox/MattWithoos/2268803.git trebutra___trello_bug_tracker
Reviews of other projects:
https://drupal.org/node/2269851#comment-8791329
https://drupal.org/node/2241231#comment-8791339
https://drupal.org/node/2264647#comment-8791343
https://www.drupal.org/node/2300627#comment-9046721 <- coding standards
https://www.drupal.org/node/2315539#comment-9046733 <- coding standards
https://www.drupal.org/node/2309489#comment-9046753 <- identified serious jQuery conflict
(+3 new reviews to reobtain review bonus)
PAReview link:
http://pareview.sh/pareview/httpgitdrupalorgsandboxmattwithoos2268803git...
Comment | File | Size | Author |
---|---|---|---|
#27 | submit_bug_404.png | 9.82 KB | er.pushpinderrana |
#23 | coder-results.txt | 2.1 KB | klausi |
#21 | error.png | 7.36 KB | er.pushpinderrana |
Comments
Comment #1
MattWithoos CreditAttribution: MattWithoos commentedComment #2
MattWithoos CreditAttribution: MattWithoos commentedUpdating branch to conform.
Comment #3
PA robot CreditAttribution: PA robot commentedThere are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxMattWithoos2268803git
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #4
Ruslan PiskarovHello MattWithoos,
I can't clone your repo.
Comment #5
MattWithoos CreditAttribution: MattWithoos commentedComment #6
MattWithoos CreditAttribution: MattWithoos commentedRuslan, please try this link:
git clone --branch 7.x-1.x http://git.drupal.org/sandbox/MattWithoos/2268803.git trebutra___trello_bug_tracker
My apologies, I provided the wrong git command.
Comment #7
MattWithoos CreditAttribution: MattWithoos commentedComment #8
MattWithoos CreditAttribution: MattWithoos commentedComment #9
mpdonadioManual Review.
Edit the description to add a link to http://pareview.sh/pareview/httpgitdrupalorgsandboxmattwithoos2268803git... This will make it easier for future reviewers.
Your CHANGELOG.txt has version numbers, but these don't exist yet.
Your hooks don't have the proper docblock. See https://drupal.org/coding-standards/docs#drupal, eg
You have a settings form that defines variables, but no hook_uninstall to delete them().
You aren't using the second parameter to variable_get() to define a default value.
You should really move your setting form to a .admin.inc file
I would define my own permission for administering the module. This allows finer grain control for larger organizations.
Long term, I would also implement a hook_requirements() to warn about the configuration values.
Long term, you may want to move the settings into the block itself, in case you ever add support for multiple blocks to allow it to be used for multiple projects in a single site.
Why are you using cURL directly and not drupal_http_request()?
Your form has a submit handler, but that is not how you are actually submitting to Trello?
You are defining an #action for the form, but no path to handle it?
trebutra_api_call_to_trello() is calling mail() directly and not drupal_mail().
In trebutra_block_view, the second argument to drupal_get_form() is supposed to be an extra argument that gets passed to the form builder function. You are using this for a side effect to actually post to Trello.
You have unfiltered user input going to output (well, mail in this case). You need to filter this with check_plain(), and don't forget that this also needs to be done for any settings that come from the UI. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.
This looks like it could be a useful module, but you have some big problems with the Form API, and you are also bypassing the Drupal API as mentioned above.
Comment #10
MattWithoos CreditAttribution: MattWithoos commentedmpdonadio, fantastic feedback, thank you very much for taking the time to go through it in such depth. I greatly appreciate it! Will start implementing asap.
Comment #11
MattWithoos CreditAttribution: MattWithoos commentedadding pareview link
Comment #12
MattWithoos CreditAttribution: MattWithoos commentedThanks to mpdonadio for the recommendations which have been implemented successfully and tested, as follows:
- updated CHANGELOG.txt to remove version numbers
- fixed docblock to drupal coding standard
- moved from mail() to drupal_mail()
- added hook_uninstall()
- added @TODO list for future-facing suggestions from mpdonadio
- cleaned all user input with check_plain() except admin
- moved API function call to Trello into hook_form_submit
- Moved hook_uninstall() into trebutra.install
- added notification for user if they don't set the configuration
Plus some minor tweaks.
Comment #13
mpdonadioMathew, looking better.
Your check_plain() usage is wrong. You need to do something like
$title = check_plain($_POST['title']);
and then use $title in the code below. In other words, check_plain() returns the sanitized string, not modify it directly. See https://drupal.org/node/101495 and https://drupal.org/node/28984 for more info.
The alternate PHP syntax should really only be used in template files, so convert these control structures to use braces.
A comment in trebutra_api_call_to_trello() to the API docs for that endpoint would be nice.
Could you use https://drupal.org/project/trello as a dependency? Does your module duplicate any of this functionality?
You still have an no-op action in trebutra_bug_form():153. I think this can go.
I would rename trebutra_form() to trebutra_settings_form() to make it obvious what its function is
The email subject line should be run through t().
Your drupal_set_message() on line 103 should probably use the second argument to show it as a warning.
The check_plain() usage is a blocking issue; the rest are suggestions.
Comment #14
MattWithoos CreditAttribution: MattWithoos commentedWow, thanks again! The alternate PHP syntax - I started using that after PAReview said it's the standard for template files. I moved a template file back into the .module and enjoyed using the alternate (I hadn't used it yet). Good to know that a best (better?) practice is using the standard curly braces for the .module files and alternate for .tpl.php.
Comment #15
MattWithoos CreditAttribution: MattWithoos commentedFixed final item per review (proper usage of input sanitization function)
Comment #16
klausiPlease describe the differences to the existing trello project on your project page, so that users can make an educated decision which module to use in which case.
Comment #17
MattWithoos CreditAttribution: MattWithoos commentedHave updated the project description page to clearly distinguish between Trebutra and Trello modules. Thanks Klausi for the review!
Comment #18
MattWithoos CreditAttribution: MattWithoos commentedChanging to "needs review" as I'm not sure if I'm supposed to set "Reviewed & Tested by the community"
Comment #19
er.pushpinderrana CreditAttribution: er.pushpinderrana commented@Matt Withoos, first of all thanks for contribution!
Getting close!
Some minor suggestions, as @mpdonadio suggested above,
Still in your .module file you are using these in following function:
You should move your setting form to a .admin.inc file as suggested by @mpdonadio also.
Your help is too small, try to extend this little bit more. And also move this function to top of module as this is general practice to keep hook_help in top of .module file.
Rest looks good to me, please fix these changes and I'll move this to RTBC.
Thanks Again!
Comment #20
MattWithoos CreditAttribution: MattWithoos commented@er.pushpinderrana - all done, thanks for the feedback!!
Comment #21
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedWhen I am trying to access
admin/config/content/trebutra
page, it is showing me following error.Please fix this issue to review it further.
In module file, it should be something like this:
Comment #22
MattWithoos CreditAttribution: MattWithoos commentedOops, completely missed that! Thanks, I've added that back in.
Comment #23
klausiReview of the 7.x-1.x branch (commit 103e992):
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
manual review:
The usage of $_POST is a pretty severe API misuse and a blocker right now. Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #24
MattWithoos CreditAttribution: MattWithoos commentedThanks for the review, Klausi!
1. done, plus found and fixed some more.
2. done, plus found and fixed some more.
3. done, no more $_POST variables - it's all $form_state['values']['TheValue']
4. updated todo list + formatting
misc: fixed coding standards from PAReview
Comment #25
MattWithoos CreditAttribution: MattWithoos commentedComment #26
MattWithoos CreditAttribution: MattWithoos commentedComment #27
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedAutomated Review
Best practice issues identified by pareview.sh / drupalcs / coder. Few minor issues.
FILE: /var/www/drupal-7-pareview/pareview_temp/trebutra.module
Manual Review
I gone through your form code and found
$form['#action'] = url('submit-bug');
butsubmit-bug
page is not there in your code, that's why it producing 404. Also fix the noticeNotice: Trying to get property of non-object in trebutra_api_call_to_trello() (line 87
.trebutra_api_call_to_trello
form you are using PHP cURL to send http get request, I would recommend you to use drupal_http_request() to hit the external URL.json_decode
, use drupal_json_decode.The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
Currently first point looks blocker and stopping me to move it to RTBC, rest looks good to me.
Thankyou Matt Withoos for you hard work and patience!
Comment #28
MattWithoos CreditAttribution: MattWithoos commentedThanks for all your reviews so far er.pushpinderrana!
Re: no. 1, I had made the module assume every user would use a page called "submit-bug"! Woops, that's fixed now, so the bug tracker form can go on any page. I've tested it locally on a unique Drupal install.
As for drupal_http_request and drupal_json_decode, I have put it in my todo list!
Cheers
Comment #29
klausimanual review:
But that are not critical application blockers, otherwise I think this is RTBC.
Assigning to mpdonadio as he might have time to take a final look at this.
Comment #30
MattWithoos CreditAttribution: MattWithoos commentedThanks for moving to RTBC Klausi.
1. Link to successful PAReview - I must have forgotten to commit the Automated Review changes because I had them locally.
2. I would like to clean the values upon introduction to the custom function so that in future I can play with the values in other ways, so I've taken your alternative suggestion and used the "!" placeholder in the t() instead. It stores the values in Trello and also sends it via email so thought it's best to clean it upon introduction rather than mid-script.
3. Good point and thanks for the suggestion - I'm now calling $form_state['values'] into the function as $form_state_values so only the essential values make it in.
Cheers
Comment #31
mpdonadioAutomated Review
Review of the 7.x-1.x branch (commit 592632a):
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
Manual Review
Could be expanded.
Remove the .gitignore from the repo
Is there any validation you can add to trebutra_settings_form()?
Your code is a little dense. Some blank lines at appropriate places would make it easier to read, such as between the form elements in trebutra_settings_form()
trebutra_api_call_to_trello() has a bunch of variable_gets() w/o default values.
drupal_http_request() is preferred over curl().
drupal_http_build_query is preferred over http_build_query().
I would have a separate permission for you settings page.
The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.
This review uses the Project Application Review Template.
Agree with @klausi's points. Not seeing any blocking issues.
Comment #32
mpdonadioThanks for your contribution, Matt Withoos!
I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #33
MattWithoos CreditAttribution: MattWithoos commentedThank you Klausi, mpdonadio and er.pushpinderrana for all your work in reviewing this module.
I'm very excited to begin contributing in a real way to Drupal.org's modules and have really enjoyed helping the Project Application queue so I will continue to help as much as I can here (I see so many people get approved or get the Review Bonus and not put in any extra effort to help the community).
Thanks again for moving me to a vetted git user!