Commit c82f8d29 authored by Florent Chehab

opening the beta


# top-most EditorConfig file
root = true
# Unix-style newlines with a newline ending every file
[*]
end_of_line = lf
insert_final_newline = true
# Matches multiple files with brace expansion notation
# Set default charset
[*]
charset = utf-8
# Tab indentation (no size specified)
indent_style = tab
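Review bot: the `[*]` section is opened twice (`[*]` / `end_of_line = lf` and again `[*]` / `charset = utf-8`), and the comment `# Matches multiple files with brace expansion notation` above the second one describes a glob that was never written; merge both into one `[*]` section and drop the stale comment so the intended scope is unambiguous.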
.DS_Store
application/cache/*
!application/cache/index.html
!application/cache/.htaccess
application/logs/*
!application/logs/index.html
!application/logs/.htaccess
application/config/cas.php
application/config/config.php
application/config/email.php
application/config/database.php
composer.lock
user_guide_src/build/*
user_guide_src/cilexer/build/*
user_guide_src/cilexer/dist/*
user_guide_src/cilexer/pycilexer.egg-info/*
/vendor/
# IDE Files
#-------------------------
/nbproject/
.idea/*
## Sublime Text cache files
*.tmlanguage.cache
*.tmPreferences.cache
*.stTheme.cache
*.sublime-workspace
*.sublime-project
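Review bot: ignoring `application/config/cas.php`, `config.php`, `email.php` and `database.php` correctly keeps credentials out of the repository, but ignoring `composer.lock` means every fresh install resolves dependencies anew and nobody can later audit which exact versions the beta ran with; for an application (as opposed to a library) commit the lock file so installs are reproducible and pinned versions can be checked against advisories.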
RewriteEngine on
RewriteBase /form-UT/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L,QSA]
Redirect "/user_guide" "/codeigniter_stuff/user_guide"
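Review bot: `RewriteBase /form-UT/` hard-codes one deployment path, which is why the install tutorial below ends with "mess with the `.htaccess` files"; document this as the line to adapt to the install path instead. Separately, `Redirect "/user_guide" "/codeigniter_stuff/user_guide"` serves the framework's user guide from the production host and thereby advertises the framework in use; drop the redirect unless the guide really has to be public.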
# Application architecture
This is a short introduction to the architecture used for this application.
## Simplified schema
Here is a simplified schema of the application structure (mainly concerning the database):
![UML of the application](../data/images/schema.png)
## Anonymous
Users can be anonymous when they answer a form.
The logic behind it is quite simple: because a user should be able to answer a form only once, **we need to store the fact that he/she has answered a form**. The *anonymous* property applies to the link between knowing that a user has answered a form and which form submission is exactly his/hers. Therefore, when answering as an *anonymous user*, the `formSubmissionId` **is not stored** in the `formSubmitted` table! To enable editing of anonymous form submissions, the `uid` of the form submission is given to the user, so that he/she is the only one who can access it again.
- For this to work safely, a **secure** client/server connection should be used.
*About the PGP encryption feature: the encryption is done entirely on the server, using only PHP.*
Conclusion: in the *anonymous case* **it is possible to know whether a user has answered a form**. If there has been only one answer to a form, the user is only *virtually* anonymous. Otherwise, the user is *technically* anonymous!
## Talk about security
**Making the app as secure as possible has been a big challenge.**
- Besides traditional SQL checks to see if a user can do what he/she is about to do, the security relies heavily on the `session` system by setting temporary *checkpoints*, forcing the user to have passed the previous *checkpoint(s)* or preventing the user from going back to a previous *checkpoint*.
- None of the app's interfaces (**ajax included**) should *talk* to an unauthorized person. So, for example, throwing a random ajax request will get you nowhere.
- Concerning ajax:
  - the user has to be logged in for any interaction to take place, and there are systematic checks before sending data back to the user.
  - A token system is used so the system cannot answer unlimited *requests*.
## Form validation
This comes right after security, because the app relies on exactly the same form system as the one the user can use. **So it must be robust...**
- There is of course a client side validation of the form-submissions.
- There is also a server-side validation of the form submissions (**using only data on the server**). This validation takes into account all the constraints available to the user and the *coherence* of their answers (was this answer possible?).
**There is also a server-side validation of the forms created by the users, to make sure only authorized fields are used... and that they are used correctly.**
This validation enables an *expert mode* for form creation: you can create a form element (or an entire form) 100% through JSON. *This should be useful when dealing with a lot of options in a select, for example.*
## A small description of the `Answer` controller
Because the structure of this controller might be a little complicated to understand, here is a summary:
- To answer a form, the function `form` is used as a switch: if the user has already answered the form, he/she is redirected directly to the `getAccess` function. If he/she hasn't answered the form yet, he/she is redirected to the `init` function.
- The `init` function is there to get the user's approval on what info is associated with his/her form submission.
- On success the user is redirected to the `getAccess` function with some cached data, so that `getAccess` redirects the user directly to the `edit` function.
- (Otherwise) the `getAccess` function checks whether the form submission for this form (and this user) was anonymous; if not, we have access to the `submissionId` directly in the database. Otherwise, we have to retrieve it.
- So if the user was anonymous, he/she is redirected to the function `anonymousAccess`, where he/she is able to type the `uid` he/she was given. If the `uid` is valid (for the `formid`), the original `submissionId` is retrieved from the database, and he/she goes back to the `getAccess` function and then directly to the `edit` function.
# Database: description
## Introduction
For this project, a PostgreSQL database has been used.
The full SQL script can be found [here](./data/code/crea_base.sql).
## Comments on the model
Explanation of the tables:
- `Users`
For this table there is nothing crazy. A serial `userId`, a `login`, an `email`, a `type` (deduced from the CAS) and a `language` (this attribute is not yet used). `Email` and `type` can be `NULL` to handle group *populating* easily (we accept all logins and create a user for every login that isn't in the db; this will be done until we can access the *demeter* info).
- `Groups`
Nothing crazy either. If the `active` attribute is set to `false`, access deduced from this group won't be granted.
Two groups are automatically created: one containing every user, the other for the Admins, if someday we need such a group.
`preventDeleteMasterAdmins` is here to prevent deletion of those groups.
- `UserGroupAssocations`
Table for storing the association between a user and a group.
- `Forms`
Table holding all the data of the forms: `id`, `title`, `infoJson` (not yet in use, maybe if one day there is translation), the `creator`, `formJson` (the form architecture), whether the form is a `draft`, the `creationDate`, the `lastModificationDate` (not really used), the `closeDate`, whether the results are public (`publicResult`, not yet used), whether the form architecture is public (`publicJSONsource`), what kind of information on the user we store (`anonymous` and `personnalInfo`), the `finalResult` (not yet used), and `tmp` if the user hasn't changed the title (those forms will be deleted on login/logout for db cleaning).
**Comments on `anonymous` and `personnalInfo`**
For `anonymous`:
- if set to `2`: those who answer will be anonymous,
- if set to `1`: those who answer can choose to be anonymous or not,
- if set to `0`: those who answer can't be anonymous.
For `personnalInfo`:
- if set to `2`: the CAS info of those who answer will be anonymized,
- if set to `1`: those who answer can choose to share their CAS info or not,
- if set to `0`: those who answer have to share their CAS info.
- `GroupFormRelations`
Table holding data on what kind of access is granted to a group for a form. Only `canSeeResults` is used in the app currently; `canAdministrate` is not.
- `FormAccess`
A quite similar table, but this one is dedicated to storing the info on the groups that can answer a form.
- `FormSubmissions`
A `uid` is attached to each FormSubmission; this string will be used for identifying an anonymous user (enabling him/her to edit the submission). `results` is a JSON string containing the results as determined by the js saveFormLib. `answers` is a JSON string containing the serialization of the formSubmission for easy repopulation of the form. `userInfo` stores the info related to the user and the CAS groups. This info is stored on creation of a submission for homogeneous form-submission handling (anonymous or not).
- `FormSubmitted`
A table to know which forms a user has answered: if the user is not anonymous we also store the uid of the form submission.
I am a little bit lazy to comment on all the views. But one is really nice: `userFormRightsRecap`. It gives a recap of all the rights a user has *per form*.
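The anonymous-submission rule, the `form`/`getAccess`/`anonymousAccess` lookups of the Answer controller and the `FormSubmissions`/`FormSubmitted` tables, modelled in an added Python example (not the project's code; the project is PHP on PostgreSQL). It assumes a nullable `formSubmissionId` column in `FormSubmitted` and that the `uid` is generated from a cryptographic random source, since the `uid` is the only thing standing between an anonymous submission and anyone who can guess it.

```python
import secrets
import sqlite3

# Constructed sqlite model of the two tables described above (the project uses
# PostgreSQL); column names follow the page, formSubmissionId is NULL when anonymous.
SCHEMA = """
CREATE TABLE FormSubmissions (
    submissionId INTEGER PRIMARY KEY,
    formId INTEGER NOT NULL,
    uid TEXT NOT NULL UNIQUE,
    answers TEXT NOT NULL);
CREATE TABLE FormSubmitted (
    userId INTEGER NOT NULL,
    formId INTEGER NOT NULL,
    formSubmissionId INTEGER REFERENCES FormSubmissions(submissionId),
    PRIMARY KEY (userId, formId));
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def submit(db, user_id, form_id, answers, anonymous):
    """Store one answer and return the uid handed to the user. The fact that
    user_id answered form_id is always recorded (one answer per user); the link
    to the submission row is dropped when anonymous, so only the uid recovers it."""
    uid = secrets.token_urlsafe(32)  # assumed: the uid must be unguessable
    cur = db.execute("INSERT INTO FormSubmissions(formId, uid, answers) VALUES (?, ?, ?)",
                     (form_id, uid, answers))
    db.execute("INSERT INTO FormSubmitted(userId, formId, formSubmissionId) VALUES (?, ?, ?)",
               (user_id, form_id, None if anonymous else cur.lastrowid))
    return uid

def has_answered(db, user_id, form_id):
    """The check `form` makes before choosing between getAccess and init."""
    return db.execute("SELECT 1 FROM FormSubmitted WHERE userId = ? AND formId = ?",
                      (user_id, form_id)).fetchone() is not None

def get_access(db, user_id, form_id, uid=None):
    """getAccess/anonymousAccess: the submissionId the user may edit, or None."""
    row = db.execute("SELECT formSubmissionId FROM FormSubmitted WHERE userId = ? AND formId = ?",
                     (user_id, form_id)).fetchone()
    if row is None or (row[0] is None and uid is None):
        return None  # never answered, or anonymous without the uid
    if row[0] is not None:
        return row[0]  # not anonymous: the link is in the database
    row = db.execute("SELECT submissionId FROM FormSubmissions WHERE formId = ? AND uid = ?",
                     (form_id, uid)).fetchone()
    return row[0] if row else None
```

Note that `has_answered` is true for the anonymous user as well: the "virtually anonymous" caveat above is exactly this row existing while `formSubmissionId` is NULL.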
# Description of how the (important) files are organized for this project
This description follows the structure of the repo.
## `application`
This is the folder containing all the Codeigniter and backend-related stuff.
- `assets`: this is the folder for all *outside* PHP libraries.
- `config`: this folder contains all the Codeigniter/libraries related config files. __All the `.example` files have to be changed depending on your installation!__
- `controllers`: this folder contains all the Codeigniter controllers; they are the main entry point from the web.
- `core`: this folder contains *overloaded* Codeigniter PHP classes, mainly for easy handling of restrictive access, Ajax and SQL queries.
- `libraries`: this folder contains all the PHP libraries developed for this project and a few others copied from the web (`CAS` and a bit of `PGPlib`).
- `models`: this folder contains all the database-related functions.
- `views`: this folder contains all the views used for this project; they are "template ready". If you want to create a new template, duplicate the default folder and change the template name in the `layouts.php` library.
## `assets`
This folder holds the assets for the frontend:
- `css`: main css files for the site.
- `js`: all the js libs developed for this project.
- `lang`: some language files for `node_modules` translation.
## `Codeigniter_stuff`
Well some stuff related to Codeigniter.
## `Documentation`
This folder contains all the documentation-related files.
## `node_modules`
This is the folder storing the **NUMEROUS** js libs taken from the open-source world for building this awesome project.
# Install tutorial
1. Copy the whole repo onto your server (PHP ≥ 7.0 is needed).
2. Set up the database and run the `crea_database.sql` file.
3. Configure the config files of Codeigniter (/application/config). This concerns the `.example` files.
4. Mess with the `.htaccess` files (and *stackoverflow*) to make it work.