sanasto-wiki/docs/TODO.md

Sanasto Wiki TODO

Authentication & Authorization

• Authentication system
  • Sessions controller and views (login/logout)
  • Email/password authentication with session management
  • Login redirects (admin vs regular users)
  • Logout functionality
  • Password reset flow (email-based, 1 hour expiry)
  • Rate limiting on login attempts (5 attempts, 15 minute lockout)
  • Session management (remember me for 2 weeks, 30 minute timeout)
  • Sign in status in the site header
• Invitation system
  • Invitations controller (create, list, cancel)
  • Invitation token generation
  • Registration via invitation link (acceptance flow)
  • Token expiry validation (14 days)
  • Invitation mailer
• Authorization & roles
  • Role-based access control middleware (Admin::BaseController)
  • Admin permissions enforcement
  • Contributor permissions enforcement (for entry editing)
  • Reviewer permissions enforcement (for review queue)

Security & Vulnerabilities

• Fixed user-controlled method execution (HIGH)
  • Added language code validation in EntriesController
  • Prevents arbitrary method execution via public_send()
• Fixed SQL injection in Entry model (MEDIUM)
  • Replaced string interpolation with Arel safe column references
  • Changed Arel.sql("#{language_code} ASC") to arel_table[language_code].asc
• Fixed mass assignment vulnerabilities (MEDIUM)
  • Added role validation in admin invitations and user management
  • Only allows valid enum role values
  • Prevents users from modifying their own role
• Fixed SQL LIKE injection (MEDIUM)
  • Added sanitize_sql_like() for email search in UsersController
  • Prevents wildcard injection attacks

Status: All Brakeman security warnings resolved ✓

Core Features

Search & Browse

• Full-text search across all languages (FTS5 integration)
• Filter by category (word, phrase, proper_name, title, reference, other)
• Alphabetical browsing per selected language
• Live search (AJAX updates without page reload)

Entry Management

• Create entry form with all language fields
• Edit entry form (contributors only)
• Delete entries (admin only, with confirmation)
• Bulk actions (select multiple, bulk edit/delete)
• Entry validation (at least one language required, category required)

Suggested Meanings

• Submit alternative translation form
• Review queue for reviewers
• Approve/reject workflow
• Display approved alternatives on entry view
• Notifications when suggestions are reviewed

Comments & Discussion

• Add comment form on entry view
• Edit/delete own comments
• Comment threading (optional: replies to comments)
• Comment notifications for entry contributors

User Management

• Setup adds the first user
• Admin dashboard
  • Send invitations interface (with email delivery)
  • Manage users (list, edit roles, delete)
  • System statistics (users, entries, contributions)
• User profile page
  • Edit name, email, password
  • Set primary language preference
  • View contribution history
  • Personal statistics

Import/Export

• XLSX export of all entries
• CSV import for bulk entry creation
• CSV export as alternative to XLSX
• Import validation (check duplicates, validate data)

UI/UX Improvements

• Mobile-responsive design (translators use phones during services)
• Typography optimization (easy to read quickly)
• Visual distinction for verified vs unverified entries
• Keyboard shortcuts (navigate search results, quick edit)
• Loading states and progress indicators
• Error messages and validation feedback
• Toast notifications for actions (saved, deleted, etc.)

Performance & Infrastructure

• Database indexes review and optimization
• N+1 query prevention (check all controller actions)
• Caching strategy (page caching, fragment caching)
• Background jobs setup (Solid Queue for emails)
• Database backup strategy (Litestream configuration)

Testing

• Controller tests for all actions
• System tests for critical user flows
  • Public browsing and search
  • Contributor creates/edits entry
  • Reviewer workflow
  • Admin user management
• Integration tests for authentication flows
• Performance tests for search queries

Deployment

• Kamal configuration (see docs/DEPLOYMENT.md)
• Production environment setup (automated via Kamal)
• SSL certificate configuration (Let's Encrypt via Kamal proxy)
• Backup automation (documented: manual and cron strategies)
• Monitoring (error tracking, performance monitoring)
• Litestream setup (optional: SQLite replication to S3)

Future Considerations

• API endpoints (REST API for mobile app)
• PDF/print export for offline use
• Audio pronunciation recordings
• Mobile app (native or PWA)
• Offline mode with sync
• Additional languages (requires schema migration)

---

Completed (Not Tracked Above)

• Admin layout design updated to match entries page style
• Dynamic navigation (Admin button for logged-in admins, Sign In for guests)
• Controller tests (40 tests with 160+ assertions for authentication)
• Search input loses focus on filter change
• Mismatched enum syntax in models
• Replace hardcoded LANGUAGE_COLUMNS with dynamic query
• Improve fixture quality (resolved foreign key violations)
• Database schema implementation (all models and migrations)
• Supported languages table with seed data
• Filters do not update with new search results