Merge lp:~vasilev/psiphon/sprint3-579678 into lp:psiphon
Proposed by
Robert Vasilev
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Adam Kruger | ||||
Approved revision: | 124 | ||||
Merged at revision: | 139 | ||||
Proposed branch: | lp:~vasilev/psiphon/sprint3-579678 | ||||
Merge into: | lp:psiphon | ||||
Diff against target: |
338 lines (+215/-16) 4 files modified
trunk/www/config.php (+1/-0) trunk/www/includes/lang.php (+65/-0) trunk/www/user-edit.php (+22/-2) trunk/www/users.php (+127/-14) |
||||
To merge this branch: | bzr merge lp:~vasilev/psiphon/sprint3-579678 | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Rod | Pending | ||
Review via email: mp+35380@code.launchpad.net |
This proposal supersedes a proposal from 2010-09-04.
Description of the change
Paging, sorting and filtering have been implemented in users.php.
Upd:
Rod's comments on 2010-09-09 have been implemented.
To post a comment you must log in.
This was a team review. Here are our comments:
- After trying the new functionality, we have some minor changes that weren't in the original spec.
1. Display the total number of users in all cases, even when no filter.
2. Add the paging controls to the top of the page (but also leave at the bottom).
3. Originally when add/edit user and return to list, the new/modified user was shown in bold. Now it returns to the default with no filter and page 1. Can you make it return to the page with the new user, shown in bold? This isn't required: please make a bug to backlog it if it's too much work.
- For code readability, don't mix access control check and input validation ("if (!user_ has_permission( $config, $record_user, "accounts") || (isset( $_GET[" ord"]) && (abs($_GET["ord"]) > count($ column_ number_ to_field_ name))) )"
Also, this check won't catch all cases. the logic is mixed in with the later if condition: "if (!$_GET["ord"] || !is_numeric( $_GET[" rod"])) ". It would be easier to review and maintain if the input validation and normalization is in one place.
Should validate same value used, even if we can reason that it's safe and/or equivalent: e.g., abs((int) $_GET[" ord"]) is used vs. abs($_GET["ord"]) is validated.
- Always escape user input in output, even if we don't think it's a risk: "$filterby_string = "&filterby=" . $_GET['filterby'];" and "$ord_string = "&ord=". $_GET["ord"];"
Also when making the page number links below:
if (isset( $_GET[" ord"])) {
$ord_string = "&ord=". $_GET["ord"];
}
See other files for examples of escaping. We use the helper function escape_html.
- "SELECT COUNT(*) AS cnt FROM user WHERE {$query_where_sql}" is repeated twice in a row; could keep result in variable. Even though MySQL caches results. If you always display the user total (filter or no) then: 1. always get total; 2. get filtered count when filter.
- Please use a more descriptive variable name: "echo ($pn);"