# Sanasto Wiki TODO

## Authentication & Authorization

- [x] **Authentication system**
  - [x] Sessions controller and views (login/logout)
  - [x] Email/password authentication with session management
  - [x] Login redirects (admin vs regular users)
  - [x] Logout functionality
  - [x] Password reset flow (email-based, 1 hour expiry)
  - [x] Rate limiting on login attempts (5 attempts, 15 minute lockout)
  - [x] Session management (remember me for 2 weeks, 30 minute timeout)
  - [x] Sign-in status in the site header
- [x] **Invitation system**
  - [x] Invitations controller (create, list, cancel)
  - [x] Invitation token generation
  - [x] Registration via invitation link (acceptance flow)
  - [x] Token expiry validation (14 days)
  - [x] Invitation mailer
- [ ] **Authorization & roles**
  - [x] Role-based access control middleware (Admin::BaseController)
  - [x] Admin permissions enforcement
  - [ ] Contributor permissions enforcement (for entry editing)
  - [ ] Reviewer permissions enforcement (for review queue)

## Security & Vulnerabilities

- [x] **Fixed user-controlled method execution** (HIGH)
  - Added language code validation in EntriesController
  - The language code is checked before it reaches `public_send()`, so a request parameter can no longer name an arbitrary method
- [x] **Fixed SQL injection in Entry model** (MEDIUM)
  - Replaced string interpolation with Arel safe column references
  - Changed `Arel.sql("#{language_code} ASC")` to `arel_table[language_code].asc` (Arel quotes the column name instead of splicing raw SQL)
- [x] **Fixed mass assignment vulnerabilities** (MEDIUM)
  - Added role validation in admin invitations and user management
  - Only allows valid enum role values
  - Prevents users from modifying their own role
- [x] **Fixed SQL LIKE injection** (MEDIUM)
  - Added `sanitize_sql_like()` for email search in UsersController
  - Escapes `%` and `_` so a search term cannot act as a LIKE wildcard (e.g. `%` alone listing every user)

**Status:** All Brakeman security warnings resolved ✓

## Core Features

### Search & Browse

- [x] **Full-text search** across all languages (FTS5 integration)
- [x] **Filter by category** (word, phrase, proper_name, title, reference, other)
- [x] **Alphabetical browsing** per selected language
- [x] **Live search** (AJAX updates without page reload)

### Entry Management

- [x] **Create entry form** with all language fields
- [x] **Edit entry form** (contributors only)
- [ ] **Delete entries** (admin only, with confirmation)
- [ ] **Bulk actions** (select multiple, bulk edit/delete)
- [x] **Entry validation** (at least one language required, category required)

### Suggested Meanings

- [ ] **Submit alternative translation** form
- [ ] **Review queue** for reviewers
- [ ] **Approve/reject** workflow
- [ ] **Display approved alternatives** on entry view
- [ ] **Notifications** when suggestions are reviewed

### Comments & Discussion

- [x] **Add comment** form on entry view
- [ ] **Edit/delete own comments**
- [ ] **Comment threading** (optional: replies to comments)
- [ ] **Comment notifications** for entry contributors

## User Management

- [x] **Setup** adds the first user
- [x] **Admin dashboard**
  - [x] Send invitations interface (with email delivery)
  - [x] Manage users (list, edit roles, delete)
  - [x] System statistics (users, entries, contributions)
- [ ] **User profile page**
  - [ ] Edit name, email, password
  - [ ] Set primary language preference
  - [ ] View contribution history
  - [ ] Personal statistics

## Import/Export

- [x] **XLSX export** of all entries
- [ ] **CSV import** for bulk entry creation
- [ ] **CSV export** as alternative to XLSX
- [ ] **Import validation** (check duplicates, validate data)

## UI/UX Improvements

- [ ] **Mobile-responsive design** (translators use phones during services)
- [ ] **Typography optimization** (easy to read quickly)
- [ ] **Visual distinction** for verified vs unverified entries
- [ ] **Keyboard shortcuts** (navigate search results, quick edit)
- [ ] **Loading states** and progress indicators
- [ ] **Error messages** and validation feedback
- [ ] **Toast notifications** for actions (saved, deleted, etc.)
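The two input-handling fixes in the Security & Vulnerabilities section above (an unchecked `public_send` on a request parameter, and unescaped LIKE wildcards in the admin e-mail search) are easier to reason about with the vulnerable and hardened forms side by side. The block below is an added example, not Sanasto Wiki's own code; it is plain Ruby so it runs without Rails, and `SUPPORTED_LANGUAGES`, `Entry`, `SAMPLE_USERS`, the method names and the sample e-mail addresses are all assumed for illustration. `sanitize_sql_like` is a copy of the escaping ActiveRecord performs; `like_match?` is a tiny LIKE evaluator added only so the effect of the escaping is visible offline.

```ruby
# Added example, not Sanasto Wiki's own code: the two input-handling fixes from
# the Security & Vulnerabilities list (unchecked public_send on a request
# parameter, and unescaped LIKE wildcards in the admin e-mail search) in plain
# Ruby so they run without Rails. SUPPORTED_LANGUAGES, Entry, SAMPLE_USERS and
# the method names are assumed for illustration.

SUPPORTED_LANGUAGES = %w[fi en sv].freeze  # stand-in for the supported_languages table

class Entry
  attr_reader :fi, :en, :sv

  def initialize(fi: nil, en: nil, sv: nil)
    @fi, @en, @sv = fi, en, sv
  end

  # 'Before': the request parameter becomes the method name, so ?lang=class
  # (or any other public method) is called instead of a translation column.
  def translation_unchecked(lang)
    public_send(lang)
  end

  # 'After': dispatch only on an allowlisted language code.
  def translation_for(lang)
    unless SUPPORTED_LANGUAGES.include?(lang)
      raise ArgumentError, "unsupported language code: #{lang.inspect}"
    end
    public_send(lang)
  end
end

# Same escaping ActiveRecord's sanitize_sql_like performs: the escape character
# itself, then the LIKE metacharacters % and _, each prefixed with a backslash.
def sanitize_sql_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| [escape_character, x].join }
end

# Minimal LIKE evaluator (case-insensitive, backslash escape) used only to make
# the effect visible here; in the app the database evaluates `email LIKE ?`.
def like_match?(pattern, value, escape = "\\")
  regex = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    if chars[i] == escape && i + 1 < chars.size
      regex << Regexp.escape(chars[i + 1])   # escaped metacharacter: literal
      i += 2
      next
    end
    regex << case chars[i]
             when "%" then ".*"
             when "_" then "."
             else Regexp.escape(chars[i])
             end
    i += 1
  end
  value.match?(/\A#{regex}\z/i)
end

# Constructed sample data standing in for the users table.
SAMPLE_USERS = %w[admin@example.org editor@example.org reviewer@example.org].freeze

# Admin e-mail search. With sanitize: false a term of "%" (or "_") acts as a
# wildcard and enumerates every account; with escaping it matches literally.
def email_search(term, sanitize: true)
  term = sanitize_sql_like(term) if sanitize
  SAMPLE_USERS.select { |email| like_match?("%#{term}%", email) }
end
```

One caveat for a SQLite-backed deployment: SQLite's `LIKE` has no default escape character, so the backslash that `sanitize_sql_like` inserts only works when the query adds an explicit `ESCAPE '\'` clause; without it the escaped `%` is not treated as a literal. Checking that the generated SQL carries the clause is the quick way to confirm the fix actually takes effect.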
## Performance & Infrastructure

- [ ] **Database indexes** review and optimization
- [ ] **N+1 query prevention** (check all controller actions)
- [ ] **Caching strategy** (page caching, fragment caching)
- [ ] **Background jobs** setup (Solid Queue for emails)
- [ ] **Database backup** strategy (Litestream configuration)

## Testing

- [ ] **Controller tests** for all actions
- [ ] **System tests** for critical user flows
  - [ ] Public browsing and search
  - [ ] Contributor creates/edits entry
  - [ ] Reviewer workflow
  - [ ] Admin user management
- [ ] **Integration tests** for authentication flows
- [ ] **Performance tests** for search queries

## Deployment

- [x] **Kamal configuration** (see docs/DEPLOYMENT.md)
- [x] **Production environment** setup (automated via Kamal)
- [x] **SSL certificate** configuration (Let's Encrypt via Kamal proxy)
- [x] **Backup automation** (documented: manual and cron strategies)
- [ ] **Monitoring** (error tracking, performance monitoring)
- [ ] **Litestream setup** (optional: SQLite replication to S3)

## Future Considerations

- [ ] **API endpoints** (REST API for mobile app)
- [ ] **PDF/print export** for offline use
- [ ] **Audio pronunciation** recordings
- [ ] **Mobile app** (native or PWA)
- [ ] **Offline mode** with sync
- [ ] **Additional languages** (requires schema migration)

---

## Completed (Not Tracked Above)

- [x] **Admin layout design** updated to match entries page style
- [x] **Dynamic navigation** (Admin button for logged-in admins, Sign In for guests)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Search input loses focus on filter change**
- [x] **Mismatched enum syntax** in models
- [x] **Replace hardcoded LANGUAGE_COLUMNS** with dynamic query
- [x] **Improve fixture quality** (resolved foreign key violations)
- [x] **Database schema** implementation (all models and migrations)
- [x] **Supported languages** table with seed data
- [x] **Filters do not update with new search results**
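The Authentication items at the top of this list fix concrete limits (5 failed logins then a 15 minute lockout, password-reset tokens valid for 1 hour, invitation tokens valid for 14 days), and the authentication controller tests noted above are where those edges get exercised. The block below is an added example, not the project's code: a plain-Ruby model of those limits with an injectable clock so that the boundary cases (the attempt right after the lockout starts, the attempt right after it ends, an expired or already-used token) can be checked offline. The class and method names are assumed, and "5 attempts" is read here as: once five failures sit inside the window, further attempts are refused until the window has passed, even with the correct password.

```ruby
# Added example, not Sanasto Wiki's own code: the limits listed under
# Authentication (5 failed logins -> 15 minute lockout; password-reset tokens
# valid 1 hour; invitation tokens valid 14 days) as plain Ruby with an
# injectable clock so the edge cases run offline. Class and method names are
# assumed; "5 attempts" is read as: with five failures inside the window the
# next attempt is refused, and a correct password does not end a lockout early.
require "securerandom"
require "digest"

MAX_ATTEMPTS   = 5
LOCKOUT_PERIOD = 15 * 60            # seconds
RESET_TTL      = 60 * 60            # password reset link: 1 hour
INVITE_TTL     = 14 * 24 * 60 * 60  # invitation link: 14 days

# Failed-login throttle keyed by identifier (e-mail here; keying by source IP
# as well is a common addition, not shown).
class LoginThrottle
  def initialize(clock: -> { Time.now })
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }  # identifier => failure times
  end

  # Locked while MAX_ATTEMPTS failures fall inside the last LOCKOUT_PERIOD;
  # older failures are dropped, so the lockout expires on its own.
  def locked?(id)
    now = @clock.call
    @failures[id].reject! { |t| now - t >= LOCKOUT_PERIOD }
    @failures[id].size >= MAX_ATTEMPTS
  end

  # Yields to the caller's password check. Returns :locked, :ok or :failed.
  # A locked identifier is refused before the password is checked, so a
  # brute-forcer learns nothing about the password while locked out.
  def attempt(id)
    return :locked if locked?(id)
    if yield
      @failures.delete(id)
      :ok
    else
      @failures[id] << @clock.call
      :failed
    end
  end
end

# Single-use, expiring tokens for reset and invitation links. Only the SHA-256
# digest is stored, so a leaked table does not contain usable links; the raw
# token appears only in the e-mail.
class TokenStore
  Record = Struct.new(:expires_at, :used)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {}  # digest => Record
  end

  # Returns the raw token to embed in the link.
  def issue(ttl)
    raw = SecureRandom.urlsafe_base64(32)
    @records[digest(raw)] = Record.new(@clock.call + ttl, false)
    raw
  end

  # True exactly once for a known, unexpired, unused token; false otherwise.
  # Unknown, expired and used tokens are deliberately indistinguishable.
  def redeem(raw)
    rec = @records[digest(raw)]
    return false if rec.nil? || rec.used || @clock.call > rec.expires_at
    rec.used = true
    true
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

Usage: construct `LoginThrottle.new(clock: -> { some_time })` and wrap the password check in `attempt(email) { password_ok? }`; for tokens, `issue(RESET_TTL)` returns the value to mail and `redeem(raw)` is called once from the link handler. The in-memory hashes stand in for the database rows the real application would use; the window arithmetic and the single-use rule are the parts worth carrying over.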