Wikimania Scholarships app/Cleanup sprint

Sprint 1: Cleanup existing code

 * Duration: 2013-10-23 through 2013-11-08
 * Team: Bryan Davis, Chad "^demon" Horohoe (consultant), Katie Filbert (consultant)
 * Sprint Goal: Have a functioning version of the existing application running in Labs with major code cleanliness and security concerns addressed.
 * Scope: Core functionality of the existing application, namely providing a data entry form with validation for requesting a scholarship and supporting a simple workflow for reviewers to triage and approve/decline requests.
 * Sprint review: 2013-11-12T19:00Z via Google Hangout

Primary concerns to be addressed

 * Robust and secure data access layer
   * PDO or possibly Doctrine DBAL
 * Robust and secure template layer
   * Twig is a likely candidate
 * Minimize number of files exposed via document root
 * Strong separation of code from configuration
 * Secure password storage for reviewers
   * Current unsalted md5 is unacceptable
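As an added illustration of the first and last concerns above (this is not code from the scholarships app), the following PHP shows a reviewer lookup through PDO prepared statements and password storage with crypt()'s Blowfish scheme in place of unsalted md5. The `reviewer` table, its columns and the function names are assumptions; it runs against an in-memory SQLite database so no server is needed, and it targets PHP 5.3.7+ (the first release with the `$2y$` prefix).

```php
<?php
// Added example, not the scholarships app's own code.
// Assumes PHP 5.3.7+ and a hypothetical `reviewer` table with
// `username` and `password_hash` columns.

/**
 * Open a PDO connection that throws on errors and uses real server-side
 * prepares, so bound values are never interpolated into the SQL text.
 */
function connect($dsn, $user, $pass) {
    return new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

/** Fetch the stored hash for a username via a bound parameter. */
function findPasswordHash(PDO $pdo, $username) {
    $stmt = $pdo->prepare(
        'SELECT password_hash FROM reviewer WHERE username = :username');
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch();
    return $row ? $row['password_hash'] : null;
}

/** Hash a password with Blowfish (bcrypt) and a fresh random 22-char salt. */
function hashPassword($password, $cost = 10) {
    // 16 random bytes -> 22 characters of bcrypt's ./A-Za-z0-9 salt alphabet
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) {
        // crypt() returns a short failure string if Blowfish is unavailable
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

/** Constant-time comparison; hash_equals() only exists from PHP 5.6. */
function constantTimeEquals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/** Verify a candidate password against a stored $2y$ hash. */
function verifyPassword($password, $storedHash) {
    // Passing the stored hash as the salt makes crypt() reuse its cost and salt
    return constantTimeEquals(crypt($password, $storedHash), $storedHash);
}

// Usage sketch with constructed data (SQLite in memory, no server required):
$pdo = connect('sqlite::memory:', null, null);
$pdo->exec('CREATE TABLE reviewer (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO reviewer (username, password_hash) VALUES (:u, :h)');
$ins->execute(array(':u' => 'alice', ':h' => hashPassword('correct horse')));

$hash = findPasswordHash($pdo, 'alice');
var_dump(verifyPassword('correct horse', $hash));
var_dump(verifyPassword('wrong password', $hash));
// A quote in the username is just data to a bound parameter: no row matches.
var_dump(findPasswordHash($pdo, "alice' OR '1'='1"));
```

Two design points: `PDO::ATTR_EMULATE_PREPARES => false` makes MySQL do the quoting on the server rather than having PDO build strings client-side, and the stored hash doubles as the salt argument to crypt(), so the cost factor can be raised for new accounts without breaking existing ones.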

Tasks

 * ✅ Move index.php and static content into a directory
 * ✅ Clean up database schema
 * ✅ Make everything use routes
 * ✅ Move session initialization to router script
 * ✅ Securely delete session on logout
 * ✅ Format with code-utils/stylize.php
 * ✅ Change passwords to use crypt with Blowfish
 * ✅ Convert database calls to PDO
 * ✅ Implement Twig template engine & Slim framework
 * ✅ Convert application form
 * ✅ Convert public facing collateral pages (credits, privacy, contact, translate)
 * ✅ Convert reviewer pages
 * ✅ Convert user management pages
 * ✅ Move PHPMailer to vendor directory
 * ✅ Convert to use autoloading
 * ✅ Change the way that Lang finds/loads localization files
 * Set include_path externally (not needed after other refactoring)
 * ✅ Custom 404 page
 * ✅ Deal with unhandled exceptions
   * Still possible to break things with an error in the error handler :(

Backlog

The backlog lists tasks discovered during the sprint that could or should be done. They are stretch goals; any left unfinished at the end of the sprint will be considered for inclusion in the next increment.

 * Make sure l10n files and workflow are compatible with translatewiki
 * Make language choice sticky via session storage of selected language
 * Use ISO country codes instead of a random numeric id to reference countries
 * Add logging for errors and warnings (Monolog? or just a nice wrapper around PHP's error_log?)
   * ✅ Monolog is now available in the Slim configuration and exposed to controllers
 * Expose logger to form, DAO, etc. in a reasonable way (DI?)
 * Create some tests!
   * We should have at least a happy path round trip test for filling out an application
 * Find out if it is the app's responsibility to ensure that php.ini is setting up sessions securely (good hash, HttpOnly, etc.)
 * CSS and markup could be cleaned up (Bootstrap?)
 * Navigation for reviewers is confusing
 * Create Twig filter/function to handle string localization
 * Additional SQL query cleanup is needed.
   * There is a lot of cut-n-paste subquery code
   * Hardcoded constants in scoring formulas seem problematic for tweaking models
 * Auth layer is barely implemented. Authentication is handled reasonably well but authorization is ad hoc and fragile.
 * Create a basic "grid display" controller that handles the plumbing for paging and displaying results (and sorting?)
 * Replacement/requirements for bulk mail functionality
   * Legacy code for this was ... less than ideal (e.g. manual editing of PHP source to put the template message in).
   * It also looks like every year they invented a new way to decide which applications should get which message.
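The session questions in this sprint (the completed "securely delete session on logout" task and the backlog item asking whether php.ini or the app should harden sessions) can both be answered from the router script, as the added PHP below shows. This is example code, not the scholarships app's own; the session name is a placeholder, it is written for the PHP 5.3 to 5.5 versions current at the time of the sprint, and the `session.hash_function` setting it uses was removed in PHP 7.1, so that part is version-guarded.

```php
<?php
// Added example, not the scholarships app's own code.
// The app overrides the session ini settings itself, so it does not depend
// on whoever administers php.ini having done so.

/** Configure and start a session with cookie-only ids, HttpOnly and Secure. */
function startSecureSession($isHttps) {
    // Accept session ids only from cookies, never from the URL.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    // Stronger id generation than the md5 default on PHP < 7.1;
    // the setting no longer exists from 7.1 on, so guard it.
    if (version_compare(PHP_VERSION, '7.1.0', '<')) {
        ini_set('session.hash_function', 'sha256');
        ini_set('session.hash_bits_per_character', 5);
    }
    // lifetime 0 = until the browser closes; HttpOnly keeps script away from
    // the id; Secure is set only when the request really is HTTPS so that a
    // plain-http dev setup still works.
    session_set_cookie_params(0, '/', '', (bool) $isHttps, true);
    session_name('SCHOLARSHIPSSESSID'); // placeholder name, an assumption
    session_start();
    // Issue a fresh id the first time a session is used, against fixation.
    if (empty($_SESSION['initialized'])) {
        session_regenerate_id(true);
        $_SESSION['initialized'] = true;
    }
}

/** Securely delete the session on logout: server data and client cookie. */
function destroySession() {
    $_SESSION = array();
    // Expire the browser's cookie as well, not just the server-side record.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch as the router script would call it:
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
startSecureSession($https);
$_SESSION['user'] = 'alice'; // constructed value
destroySession();
```

Calling `session_regenerate_id(true)` on login as well (not shown) is the usual complement: it discards any id the browser held before authentication, so an attacker who planted one cannot ride the reviewer's session.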