Soverein/sanasto-wiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b6e059da628f4dc282cc84ca737b1332f860ca6
sanasto-wiki/docs/TODO.md
Runar Ingebrigtsen e48b386b54 update todos
2026-01-31 15:55:02 +01:00

168 lines
6.5 KiB
Markdown
Raw Blame History

# Sanasto Wiki TODO
## Authentication & Authorization
- [x] **Authentication system**
- [x] Sessions controller and views (login/logout)
- [x] Email/password authentication with session management
- [x] Login redirects (admin vs regular users)
- [x] Logout functionality
- [x] Password reset flow (email-based, 1 hour expiry)
- [x] Rate limiting on login attempts (5 attempts, 15 minute lockout)
- [x] Session management (remember me for 2 weeks, 30 minute timeout)
- [x] Sign in status in the site header
- [x] **Invitation system**
- [x] Invitations controller (create, list, cancel)
- [x] Invitation token generation
- [x] Registration via invitation link (acceptance flow)
- [x] Token expiry validation (14 days)
- [x] Invitation mailer
- [ ] **Authorization & roles**
- [x] Role-based access control middleware (Admin::BaseController)
- [x] Admin permissions enforcement
- [ ] Contributor permissions enforcement (for entry editing)
- [ ] Reviewer permissions enforcement (for review queue)
## Security & Vulnerabilities
- [x] **Fixed user-controlled method execution** (HIGH)
- Added language code validation in EntriesController
- Prevents arbitrary method execution via `public_send()`
- [x] **Fixed SQL injection in Entry model** (MEDIUM)
- Replaced string interpolation with Arel safe column references
- Changed `Arel.sql("#{language_code} ASC")` to `arel_table[language_code].asc`
- [x] **Fixed mass assignment vulnerabilities** (MEDIUM)
- Added role validation in admin invitations and user management
- Only allows valid enum role values
- Prevents users from modifying their own role
- [x] **Fixed SQL LIKE injection** (MEDIUM)
- Added `sanitize_sql_like()` for email search in UsersController
- Prevents wildcard injection attacks
**Status:** All Brakeman security warnings resolved ✓
## Core Features
### Search & Browse
- [x] **Full-text search** across all languages (FTS5 integration)
- [X] **Filter by category** (word, phrase, proper_name, title, reference, other)
- [x] **Alphabetical browsing** per selected language
- [x] **Live search** (AJAX updates without page reload)
### Entry Management
- [x] **Create entry form** with all language fields
- [x] **Edit entry form** (contributors only)
- [ ] **Delete entries** (admin only, with confirmation)
- [ ] **Bulk actions** (select multiple, bulk edit/delete)
- [x] **Entry validation** (at least one language required, category required)
### Suggested Meanings
- [ ] **Submit alternative translation** form
- [ ] **Review queue** for reviewers
- [ ] **Approve/reject** workflow
- [ ] **Display approved alternatives** on entry view
- [ ] **Notifications** when suggestions are reviewed
### Comments & Discussion
- [x] **Add comment** form on entry view
- [ ] **Edit/delete own comments**
- [ ] **Comment threading** (optional: replies to comments)
- [ ] **Comment notifications** for entry contributors
## User Management
- [x] **Setup** adds the first user
- [x] **Admin dashboard**
- [x] Send invitations interface (with email delivery)
- [x] Manage users (list, edit roles, delete)
- [x] System statistics (users, entries, contributions)
- [ ] **User profile page**
- [ ] Edit name, email, password
- [ ] Set primary language preference
- [ ] View contribution history
- [ ] Personal statistics
## Import/Export
- [x] **XLSX export** of all entries
- [ ] **CSV import** for bulk entry creation
- [ ] **CSV export** as alternative to XLSX
- [ ] **Import validation** (check duplicates, validate data)
## UI/UX Improvements
- [ ] **Mobile-responsive design** (translators use phones during services)
- [ ] **Typography optimization** (easy to read quickly)
- [ ] **Visual distinction** for verified vs unverified entries
- [ ] **Keyboard shortcuts** (navigate search results, quick edit)
- [ ] **Loading states** and progress indicators
- [ ] **Error messages** and validation feedback
- [ ] **Toast notifications** for actions (saved, deleted, etc.)
## Performance & Infrastructure
- [ ] **Database indexes** review and optimization
- [ ] **N+1 query prevention** (check all controller actions)
- [ ] **Caching strategy** (page caching, fragment caching)
- [ ] **Background jobs** setup (Solid Queue for emails)
- [ ] **Database backup** strategy (Litestream configuration)
## Testing
- [x] **Controller tests** for all actions
- [x] EntriesController (index, show, edit, update, download, filters, search)
- [x] PasswordResetsController (new, create, edit, update, token validation)
- [x] Existing tests: Sessions, Invitations, Setup, Admin controllers, Comments, Requests
- [x] **System tests** for critical user flows
- [x] Public browsing and search
- [x] Contributor creates/edits entry
- [ ] Reviewer workflow (pending feature implementation)
- [x] Admin user management
- [x] **Integration tests** for authentication flows
- [x] Sign in/sign out flows
- [x] Remember me functionality
- [x] Session timeout
- [x] Rate limiting
- [x] Password reset flow
- [x] Invitation acceptance flow
- [x] **Performance tests** for search queries
- [x] Full text search benchmarks
- [x] Language-specific search
- [x] Alphabetical browsing
- [x] Category filtering
- [x] Combined filters
- [x] XLSX download performance
## Deployment
- [x] **Kamal configuration** (see docs/DEPLOYMENT.md)
- [x] **Production environment** setup (automated via Kamal)
- [x] **SSL certificate** configuration (Let's Encrypt via Kamal proxy)
- [x] **Backup automation** (documented: manual and cron strategies)
- [ ] **Monitoring** (error tracking, performance monitoring)
- [ ] **Litestream setup** (optional: SQLite replication to S3)
## Future Considerations
- [ ] **API endpoints** (REST API for mobile app)
- [ ] **PDF/print export** for offline use
- [ ] **Audio pronunciation** recordings
- [ ] **Mobile app** (native or PWA)
- [ ] **Offline mode** with sync
- [ ] **Additional languages** (requires schema migration)
---
## Completed (Not Tracked Above)
- [x] **Admin layout design** updated to match entries page style
- [x] **Dynamic navigation** (Admin button for logged-in admins, Sign In for guests)
- [x] **Controller tests** (40 tests with 160+ assertions for authentication)
- [x] **Search input loses focus on filter change**
- [x] **Mismatched enum syntax** in models
- [x] **Replace hardcoded LANGUAGE_COLUMNS** with dynamic query
- [x] **Improve fixture quality** (resolved foreign key violations)
- [x] **Database schema** implementation (all models and migrations)
- [x] **Supported languages** table with seed data
- [x] **Filters do not update with new search results**
Reference in New Issue View Git Blame Copy Permalink