-
Notifications
You must be signed in to change notification settings - Fork 26
/
TODO
88 lines (79 loc) · 4.49 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
=TODO items for OpenResty
== Bugs
* remove the unique constraint on _views's definition column.
* http://ced02.search.cnb.yahoo.com/=/model/Post/~/~?user=agentzh.Admin&password=blahblah gives
error: "Syck parser (line 313, column -1): syntax error at /home/es/share/htdocs/es/openapi-1782/bin/../lib/OpenAPI/Backend/PgFarm.pm line 57." [fixed]
* qyliu reports that PUT /=/model/Foo/bar/word does NOT quote the "word" part, resulting in a sql injection point. [fixed]
* Captcha ID should not saved in a cookie and get expired during login. [fixed]
== Implementation
* Remove the support for _charset=guessing.
* Added no-cache headers to the responses:
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
* Renamed the column "table_name" in _columns to "model".
* Role inheritance support.
* Allow invoking views via POST.
* XML/RDF support (in addition to JSON and YAML support).
* Shortcut for row_count sub.
(laser++ said "select count(*)" is expensive in Pg.)
* Implement updating role meta info.
* Check for joining too many models in minisql's select statement.
* Cache meta info in OpenAPI::Cache for faster access.
* Basic SQL injection detection code in OpenAPI::Backend.
* Sane logging facility (or use stderr and lighttpd's logs?)
* more DWIMmy in the captcha solution comparison code:
lc($user_sol) and 全角 => 半角
* Use true config file rather than a big set of env vars.
* A functional query langauge as an alternative to minisql.
* move all initialize SQLs into a independent file [laser]
* add a global default PostgreSQL user, named by anonymous/public etc., to act as a read-only role in PG (clusters) [laser]
* make OpenAPI into a database interfaces [laser]
** add proc support
* make OpenAPI meta data store in another special meta-schema, naming by prefixing '_' to username, e.g. "_username", then
we create 2 schema when creating a user: _username & username, and create 2 different database roles (PostgreSQL role)
when creating user, one for access meta data, we could call it meta-user, the other for access user data; all meta data,
like _models, _columns, _views will be keep in meta-schema, thus we could use PostgreSQL security model to make maximum
protection for us. [laser,leiyh,angentzh]
* add a per-model PostgreSQL user/role, act as writer for all permitted write from the roles of model itself.
* mv Backend from OpenAPI to lib, seems it belongs there [laser]
* move some work (like has_somethig()) into store procedore into store procedure to minimum c/s interact [leiyh,laser]
* use a status machine to recognize different url pattern [laser] [done]
* use $self->select() instead $Backend->do() in OpenAPI.pm [laser] [done]
* different URL mode for view implementation, should clearify the url path meaning [laser] [canceled]
* Design and implement the login interface (i.e. /=/login/user/...) [done]
* Design and implement roles and ACL, /=/roles/... [done]
* Captcha support in the login interface. [done]
* Hook laye++'s PCR-based miniSQL parser into OpenAPI. [canceled]
== Documentation
* A set of OpenAPI tutorials in both en and cn.
* An English version for the OpenAPI spec.
* Reorganize the spec according to the latest test suite.
* Add diffs regarding Google Data API and Amazon SimpleDB.
* Added Apache config directives to README.
== Utilities
* Monitor potential memory leaks in lighttpd/apache fastcgi processes.
* bin/export-model.pl and bin/import-model.pl for exporting/importing user's model records.
* Client-side OpenAPI libary in various programming languages:
JavaScript, Perl, Java, Python, Ruby, C#, PHP
* Admin site for OpenAPI.
== Test suite
* Create pg_XXX tables in sql injection tests.
* Tests for unknown HTTP methods (like TRACE, OPTIONS, and CONNECT).
* Tests for common SQL injection patthers.
* Coverage testing for the test sutie.
* Review and polish the existing test suite (under t/)
* Backup and Restore data for promotion [working]
* Tests for session manager on login [shangerdi]
* Tests for 'select * from a,b,c,d,e....' [shangerdi]
* Tests for 'select * from ... where ???????' [shangerdi]
* Tests for count('select * from ...... where ......') [shangerdi]
* More tests for _op=lt/ge/gt/eq/contains
* Work out the empty test cases in t/03-model.t [done]
* More tests for t/10-limits.t.
(i.e. INSERT_LIMIT, POST_LEN_LIMIT, PUT_LEN_LIMIT, and MAX_SELECT_LIMIT)
[done]
* Prerequiste groups in Makefile.PL. [done]
* Tests for PUT method in Role [shangerdi] [done]
* Tests for captcha [done]
* Tests for logout [done]