web2project Status Update: Object Refactoring

This is the first of a series of weekly updates that I plan to give on the status of web2project development.  Don't worry, these should only come out on Tuesdays which works well since I do most of my review, updates, and development on Sundays.  These will all be tagged with the category "web2project" and the corresponding feed is available here.

I have a few goals in doing this:  First, it should help the community stay up to date.  Second, it will let people know the project exists and some interesting details about it.  Finally, it will apply a bit of friendly peer pressure to make sure I have something to talk about.

First, one of my biggest priorities with web2project is to make it easily extensible through custom modules, etc.  In dotProject previously, the vast majority of people simply followed the example of core and put their queries on whichever pages used them.  Sometimes the developer used raw SQL, but sometimes they used the built-in DBQuery class.  Either way, you end up with a variety of queries strewn across the Views and Controllers, often duplicating code from other Views and Controllers.  As a fan of Fat Models and API builder, I started to move these things back to their proper Models.

With some creative grep'ing, I was able to track down 600+ references to the DBQuery class outside the core Models, so my goal has been to eliminate those.  In the last 8 days (not a week, I know) from revision 296, I've been able to reduce this to just over 300 references.  While this has removed a lot of duplicate code and centralized common functions, it should also provide a clean way for new add-on modules to perform these functions.

Second – entirely by accident! – I was able to further lock down permissions.  There were a number of places in the old code where relatively trivial permissions were not checked during the object load itself even though the Views/Controllers themselves performed the check as required.  It may seem silly to move the checks back to the Models, but it makes quite a bit of sense since we can never know exactly how users will access the objects.  Even more interestingly… the major security vulnerability that happened last year with specially crafted URLs is rendered impotent with this change.  Go ahead, construct all the nifty URLs you want to do whatever you want.  Since you can only call actions on the Model and it's doing the check, the potential vulnerability is significantly smaller.
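
To make the difference concrete, here is an added sketch (not web2project code) of a model whose load() trusts its caller next to one that performs the permission check itself. The class names, the Acl helper and the sample rows are all hypothetical and constructed for illustration.

```php
<?php
// Added illustration; every class and method name here is hypothetical, not web2project's API.
final class AccessDenied extends RuntimeException {}

// Constructed ACL: user id => [module => [record ids the user may view]].
final class Acl {
    public function __construct(private array $grants) {}
    public function canView(int $userId, string $module, int $recordId): bool {
        return in_array($recordId, $this->grants[$userId][$module] ?? [], true);
    }
}

// Constructed rows standing in for the database table.
const TASKS = [
    1 => ['id' => 1, 'name' => 'Public roadmap'],
    2 => ['id' => 2, 'name' => 'Payroll migration'],
];

// Before: the model trusts its caller, so safety depends on every View/Controller remembering the check.
final class TaskUnchecked {
    public static function load(int $id): ?array {
        return TASKS[$id] ?? null;
    }
}

// After: the check lives in load(), so every entry point inherits it.
final class Task {
    public static function load(Acl $acl, int $userId, int $id): array {
        if (!$acl->canView($userId, 'tasks', $id)) {
            throw new AccessDenied("user $userId may not view task $id");
        }
        // A missing row raises the same exception type so callers cannot probe which ids exist.
        return TASKS[$id] ?? throw new AccessDenied("task $id not found");
    }
}

$acl = new Acl([7 => ['tasks' => [1]]]);   // user 7 may view task 1 only

// An entry point that forgot the view-level check hands back task 2 regardless of who asks.
var_dump(TaskUnchecked::load(2)['name']);

try {
    Task::load($acl, 7, 2);                // same request through the checked model
} catch (AccessDenied $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
echo Task::load($acl, 7, 1)['name'], PHP_EOL;
```

The sketch needs PHP 8.0 or later for constructor promotion and throw expressions.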

While this update only covers things I've accomplished in web2project this week, it's not entirely fair.  Pedro and Bruce – significant major contributors in their own right – have simply been busy in the last week.  That's what happens with Open Source projects.