This module uses BACnet Web Services to retrieve data from building automation and control networks (BACnet) and displays it in a Drupal block.
Project page = https://www.drupal.org/sandbox/dbt102/2237027
Git clone command = git clone --branch 7.x-1.x http://git.drupal.org/sandbox/dbt102/2237027.git bacnet
List of links to reviews (in progress)
Reviews of other projects:
1. https://www.drupal.org/node/2215325#comment-9073149
2. https://www.drupal.org/node/2338257#comment-9155971
3. https://www.drupal.org/node/2335141#comment-9156359
(more reviews...)
4. https://www.drupal.org/node/2341577#comment-9166585
5. https://www.drupal.org/node/2341315#comment-9166763
6. https://www.drupal.org/node/2340725#comment-9166947
(and even still working on more)
Comment | File | Size | Author |
---|---|---|---|
#16 | BACnet_Code_review.pdf | 212.85 KB | dbt102 |
Comments
Comment #1
dbt102 CreditAttribution: dbt102 commentedComment #2
PA robot CreditAttribution: PA robot commentedThere are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git
We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)
Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #3
dbt102 CreditAttribution: dbt102 commentedThe pareview warnings/errors are insignificant.
The third party Flot js library has been taken out of code and a link to it has been placed on the BACnet project page.
Comment #4
Sachini CreditAttribution: Sachini commentedHi dbt102,
The module shows errors with coder and pareview. (http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git) You can easily fix most of them using the phpcbf command after installing the coder module.
Please change the git clone command to
git clone --branch 7.x-1.x http://git.drupal.org/sandbox/dbt102/2237027.git bacnet
. The one you have given is for the maintainer.Comment #5
dbt102 CreditAttribution: dbt102 commentedComment #6
Michael Hodge Jr CreditAttribution: Michael Hodge Jr commentedAutomated Review
There are a lot of issues pointed out by paravew.sh, please correct http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git I opted not to include things in the manual review that appear in the automated review for berevity. You mention that the errors are insignificant, but it's important that your module follows the Drupal coding standards.
Manual Review
1. I would suggest changing the admin path to admin/config/services/bacnet and adding the appropriate configure directive to your .info file
2. in your hook_init function, you have to if statements that don't do anything.
3. LIne 251, your missing a t() around "Offline". Same on 257
4. in bacnet_soap_get_value(), you are always setting cache_set and cache_get. I'd suggest doing cache_get first, and if it returns false, then run the query against the soap server to get the value, and caching that result. If cache_get returns false, use the request from the soap server, otherwise use the cached response.
5. in bacnet_soap_get_value() your retrieving data from a third party. That party shouldn't be trusted, and you should sanitize your data using check_plain for filter_xss as appropriate before saving that into the cache. The same goes for bacnet_soap_get_trend()
6. Throughout your code you have a lot of commented out items as well as unused variables. I'd suggest going through your module and cleaning up the unused variables as well as any commented out lines of code such as
Note for other reviewers: I did not review the views integration as that was one area I'm not comfortable reviewing.
Comment #7
dbt102 CreditAttribution: dbt102 commented@ Sachini - Thank you for your comments.
I have gone thru and fixed most of the errors generated by codesniffer using the phpcbf command. To track progress for this I created a ticket to log the details at https://www.drupal.org/node/2316443 .
Also, I changed the git clone command to git clone --branch 7.x-1.x http://git.drupal.org/sandbox/dbt102/2237027.git bacnet.
Comment #8
dbt102 CreditAttribution: dbt102 commentedHi Michael,
Thank you for your review comments. I think I have addressed all the issues you raise (and several others) under the sandbox issue que at https://www.drupal.org/project/issues/2237027?status=All&categories=All . Following is a summary of the enhancements made per your comments ...
1. Change admin path - The path has been changed as you suggest and the configure directive has been included.
2. Remove unused if functions - The if statements have been updated.
3. Missing a t() around "Offline" - t() has been added
4. refactor bacnet_soap_get_value - This is a very good observation. I went back and made the changes per your request, however after testing those changes on real systems discovered that in this use case, it seemed better to leave the code as is. Please refer to issue comments for more discussion.
5. sanitize your data using check_plain for filter_xss - The use of check_plain was giving poor results when rendering views. However, in the use case(s) for this module, the BACnet server third party device is considered to be trusted. Please refer to issue comments for more discussion.
6. Cleaup unused variables - Cleaned up and removed those noted and all others I could find that are not part of planned additional features.
Please know that I very much value your time (and your comments!). If you have any other suggestions for improving this module I would love to hear about them.
[edit: I've changed my position on Item #5 above and have updated code to perspective that "third party device is NOT trusted" ]
Comment #9
dbt102 CreditAttribution: dbt102 commentedComment #10
dbt102 CreditAttribution: dbt102 commentedHi @ Sachini ,
As a reviewer for this module could you please "validate the changes/response, and repeat the process if you identify any new issues and/or questions".
I really appreciate you taking the time time to review this module, so thanks again!
Comment #11
tkuldeep17 CreditAttribution: tkuldeep17 commentedhi dbt102 ,
I have gone through your code and found following issues;
Here you are giving path of views_plugins, But there is no directory with this name in your module. and
bacnet-meter
template file also does not exist. So please correct it.Here you are not using
$user
variable anywhere, so what is purpose of writing it.You should drupal way of showing message to user, so use 'drupal_set_message' instead of echo.
Here please correct php syntax, use colon instead of semicolon case
bacnet_node_form;
Comment #12
tkuldeep17 CreditAttribution: tkuldeep17 commentedComment #13
dbt102 CreditAttribution: dbt102 commentedHi @tkuldeep17
Thanks for your comments. I have fixed them as you recommended and have added details under the sandbox issue que here .
I continue to run coder PHP_Codesniffer on my local ubuntu dev box and have substantially reduced the pareview issues, however http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git does not seem to be updating with the new commits I am making. This even when updating the review here http://pareview.sh/node/558382/repeat .
Have you any idea what's up with that?
Comment #14
dbt102 CreditAttribution: dbt102 commentedComment #15
tkuldeep17 CreditAttribution: tkuldeep17 commentedHi @dbt102
There is no need of curly braces here.
Comment #16
dbt102 CreditAttribution: dbt102 commentedHi @tkuldeep17
I completed all code cleanup marked by Coder for checks by Codesniffer, Drupal Coding Standards, Drupal Commenting Standards, and Drupal Security Checks. Now ...
I have printed out the complete details of this Coder report and attached it to this comment for review/comment.
I have also taken out the curly braces as you recommend.
Thank you for your help!!!
Please let me know if there is anything else that is required for this module to pass review.
Comment #17
dbt102 CreditAttribution: dbt102 commentedComment #18
er.pushpinderrana CreditAttribution: er.pushpinderrana commented@dbt102, thankyou for your contribution!
Automated Review
Best practice issues identified by pareview.sh / drupalcs / coder. Yes, http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git reported number of issues, there is possibility might be some issues can't be fixed but as I analyzed most of the issues can be easily fix related to Line indentation and other minor issues.
Manual Review
Issue, your form element name is
login_name
and you are fetching value forbacnet_login_name
to set it default value.You are using following submit function but it never called.
You are trying to set number of variables in this function that you are also using further because this form never called complete flow broken.
admin.inc
file.bacnet.css
anddrupal.bacnet.js
through .info file. Due to this, both will added on all the pages rather use #attached to add the JS/CSS file to the form render array or page render array where these actually required.bacnet-view-row-bargraph.tpl.php
template file, better to use recommend approach mention here https://www.drupal.org/coding-standards.The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
Please don't remove the security tag, we keep that for statistics and to show examples of security problems.
As I am not a git administrator, so I would recommend you, please help to review other project applications to get a review bonus. This will put you on the high priority list, then git administrators will take a look at your project right away :-)
Thanks again for your hard work!
Comment #19
dbt102 CreditAttribution: dbt102 commentedHi @er.pushpinderrana
Thank you for your review, and my apologies because it looks like I added in a feature branch by mistake when making a recent commit.
Its a great review, and I will fix things as I'm sorting thru my git issues.
Comment #20
dbt102 CreditAttribution: dbt102 commentedComment #21
dbt102 CreditAttribution: dbt102 commentedHi @er.pushpinderrana
Again, Thanks for your review.
I've changed things around a bit to simplify and clarify user interaction with the module and in doing so fixed your one comment marked (*)
I've cleaned up the pareview security review comments and modified the bacnet_block_view function in a manner I think addresses the security issues identified.
I've also learned a lot by completing three reviews for the bonus! : )
Comment #22
ram0108 CreditAttribution: ram0108 commented1 - on setting form validation is not proper working. There is no need to put submit function for this".
You must use variable_get to fetch the value on the form.
2 - There are a lots of files where i can see curly braces after "case:" like following
function bacnet_block_help($path, $arg) {
switch ($path) {
case 'admin/help#bacnet_block' :{
$ret_val = '
' . t('About') . '
';
$ret_val .= '
' . t('The BACnet Block module makes it easy to get data from a BACnet - Advanced Operator Workstation (B-AWS) into a Drupal block.') . '
';
return $ret_val;
}
}
}
3 - There are a lots of error in coding standard. i checked it on http://pareview.sh/. please check following url.
http://pareview.sh/pareview/httpgitdrupalorgsandboxdbt1022237027git
Comment #23
dbt102 CreditAttribution: dbt102 commentedHi @ram0108,
Thanks for taking the time to review. I've addressed your comments as follows...
1. The setting_form_validation is part of a new BACnet Site map feature that is not quite ready for a prod. so I've moved it out into its own feature branch and will merge it back into origin when it is ready. You can follow that progress under this issue https://www.drupal.org/node/2329205 .
2. I've removed the curly brace that you found, and have looked around for other places where they might be. Started another issue to try and track where others, if any may be.
3. WRT pareview, there are only a few items that crop up , I'll list them here and hopefully someone can tell me how to fix them without breaking the rest of the code,
a. WARNING | Are you accessing field values here? Then you should use LANGUAGE_NONE instead of 'ind' .
b. ERROR | Class name must begin with a capital letter
c. ERROR | Class name must use UpperCamel naming without underscores
d. ERROR | Visibility must be declared on method "init"
e. ERROR | Method name "bacnet_plugin_row_text::uses_fields" is not in lowerCamel format, it must not contain underscores
Its weird, I've tried to correct these errors and warnings, but when I do, it breaks the code. The code works at this point, so I'm not sure what I should do about it. Do you have any suggestions?
Comment #24
klausibacnet_block_view(): This looks vulnerable to XSS exploits. bacnet_soap_get_value() directly retrieves values from an untrusted third party source, so the return value must be considered user provided input. You need sanitize that in t() by using the correct placeholder with "@" or "%" instead of "!". Make sure to read https://www.drupal.org/node/28984 again.
Comment #25
dbt102 CreditAttribution: dbt102 commentedHi @klausi
Thanks for the review. Per your comments ... I have
1. Sanitized the bacnet_soap_get_value() with "%". (Thanks for that!)
2. I have also gone thru and reduced the feature set for now in order to eliminate ALL Pareview errors and warnings.
3. Additionally, I have added in bacnet.test for testing basic functionality.
Think that about sums it up for now.
Comment #26
dbt102 CreditAttribution: dbt102 commentedComment #27
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedAutomated Review
Best practice issues identified by pareview.sh / drupalcs / coder. None.
Manual Review
admin/config/bacnet/manage
and in .module file it isadmin/config/services/bacnet
bacnet_admin_settings_submit
never called, need to remove it.The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
Comment #28
dbt102 CreditAttribution: dbt102 commented@er.pushpinderrana,
A big thanks to you for taking out time to review my project application.
As per your manual review, I have fixed all three issues you identified as follows...
1. Fixed the configure link
2. Removed bacnet_admin_settings_submit because it was never called.
3. Added function bacnet_uninstall() to bacnet.install .
I highly appreciate the feedback, advise, corrections and observations you have made on the bacnet module.
Please let me know if there is anything else you find that is important and should be addressed before a stable project release.
Comment #29
er.pushpinderrana CreditAttribution: er.pushpinderrana commentedIf it is ready to review then please change the status of this issue to Need Review.
Comment #30
dbt102 CreditAttribution: dbt102 commentedComment #31
klausiRemoving review bonus tag, you have not done any manual review, you just copied the empty review template. Make sure to read through the source code of the other projects, as requested on the review bonus page.
Comment #32
dbt102 CreditAttribution: dbt102 commentedOK.
As this is really my first foray into the realm of Drupal project reviews, I've been reticent (if not negligent) to really understand the importance of the "manual review" requirements for bonus tagging. I did spend a lot of time setting up fresh installs of Drupal, downloading modules from the "needs review" que, understanding and documenting what was actually going on. I tried to select those applications needing review where the template had NOT been applied, because I found that to be very helpful in kicking off my own application.
As a reviewer newbie, the template gives the kind of structure to the review process that I need, without having to present myself as an expert, which I'm not because I'm new.
Having said that, I want to thank you for the rejection. Really. Now I can go back and focus on manual review of the code in an effort to help the applicant better comply with doing things the Drupal way, and in so doing, better understand it myself. So this is good for me and will help to make me a better Drupal programmer AND reviewer.
In the meantime, I am encouraging friends and supporters in both the BACnet and Drupal communities to review and test this BACnet module so I can contribute the best possible product thru Drupal. For more on how to test this module, check out the Testing BACnet module issue. There is also a Roadmap to explain where the project is "frozen" while the application is vetted by you, the community. Finally, the BACnet Group's Demo Site lets you test drive the module. It also give some background info, if you simply can't wait, so you can contact me directly and get setup for a Live demo!
Comment #33
jonreid CreditAttribution: jonreid commentedI conducted an automatic and manual review.
1. Contains a working repository link.
Non-duplicate
2. Repository has code with proper branch/tag naming
3. No license.txt file present.
No non-GPL code present.
4. Project page has a clear description of purpose.
README.txt present.
Module file has @file and per function docblocks.
5. No results returned from pareview
6. Reviewed code against coding standards - passed.
Correct use of t() function.
7. Output is being sanitized with t() and a filter_xss function is used for the cache statement.
Check_plain is in use where t() is not applicable.
No direct use of GET or POST. No outstanding security issues found.
Comment #34
dbt102 CreditAttribution: dbt102 commentedHi @jonreid
Thank you very much for the review!!!
As a result of the demo site and issues box at the BACnet sandbox I have been getting a fair amount of additional feedback from the BACnet-Drupal community. Several really wanted me to implement Support for Future BACnet Standards as part of a refactoring effort, so I moved forward with these changes NOW so that the module would be prepped for migration to D8 AND BWS2.
Hopefully, by adding in some more varied techniques into the application it might help garner support from more Drupal reviewers, and increase excitement in the BACnet-Drupal community. So I'm changing the status back to "need work" for now, because after loading up the refactored code, I see there are a fair amount of Pareview comments that I still need to address.
Comment #35
dbt102 CreditAttribution: dbt102 commentedPareview reports
Not sure why, because $version really is being used.
Changing status back to "needs review".
Comment #36
adTumbler CreditAttribution: adTumbler commentedOpen4Energy is a community resource that exposes consumer energy scams, publishes directories of emerging technologies for energy monitoring, and promotes discussion on renewable energy sources. The site is sponsored by adTumbler, Inc - serving in excess of 2 million visitors since being released.
http://open4energy.com/
One of the biggest issues facing those of who who care about reducing our energy footprint is the capital cost of new equipment, retrofitting buildings, and implementing energy control equipment. We and others have proven time and time again, that NO energy is saved by merely monitoring the use of energy.
To actually save energy something has to change. Something has to be replaced, or switched off, or used less. We have toiled for 3 years in the consumer segment to raise awareness, find technologies that show the use of energy in a home, even to encourage families to "engage" in energy saving as part of educating their kids etc etc etc.
In the commercial and Government sector is has been even harder. There are many significant cultural and interests - let alone the complete lack of standards.
At the same time communities (schools, districts, government agencies etc) have proven that up to 35% of total energy used, can be saved when the community can be informed of their energy footprint, and updates as it changes. We are mostly good at saving when it affects our pocket book. We are notoriously poor at saving when it affects our community, or employer, or local government department - until we become aware and informed.
BACnet has emerged as a NIST standard that allows the energy footprint of a building, or a school, to be accessed. Drupal is the community standard that allows any organization to provide a secure web site for the reliable providing of information.
This project, although technically simple in it's functional capability of setting up a block, and presenting an energy value in the block, has immense potential for extending the role of Drupal as the open source standard for information sharing, to that of the open source standard for affecting change in the amount of energy we use.
adTumbler, Inc and Open4Energy have engaged with dbt102, to manually review this project for Pareview compliance, for functional excellence, and support of the BWS1 (SOAP) and BWS2 (REST) BACnet standards.
The current version of the module meets all our requirements for inclusion in the production site Open4Energy - it has been implemented on the site - from which we hope to encourage a community of innovators supporting Drupal and the Energy Dashboards BACnet and this module enable.
Comment #37
dbt102 CreditAttribution: dbt102 commentedhi @adtTumbler
WOW!!! THANKS FOR THE GREAT REVIEW!!!
Did you mean to change the status to "reviewed and tested by the community"?
Comment #38
PA robot CreditAttribution: PA robot commentedGit clone command for the sandbox is missing in the issue summary, please add it.
I'm a robot and this is an automated message from Project Applications Scraper.
Comment #39
adTumbler CreditAttribution: adTumbler commentedOpen4Energy is a community resource that exposes consumer energy scams, publishes directories of emerging technologies for energy monitoring, and promotes discussion on renewable energy sources. The site is sponsored by adTumbler, Inc - serving in excess of 2 million visitors since being released.
http://open4energy.com/
The current version of the module meets all our requirements for inclusion in the production site Open4Energy - it has been implemented on the site - from which we hope to encourage a community of innovators supporting Drupal and the Energy Dashboards BACnet and this module enable.
Refer comment at #36 above for details
Comment #40
dbt102 CreditAttribution: dbt102 commentedComment #41
dbt102 CreditAttribution: dbt102 commentedComment #42
dbt102 CreditAttribution: dbt102 commentedComment #43
dbt102 CreditAttribution: dbt102 commentedComment #44
dbt102 CreditAttribution: dbt102 commentedseparating Issue tag terms with a comma, not a space
Conducted more reviews ( per https://www.drupal.org/node/2312955#comment-9134871 )
Adding in the review bonus tag ... again. If the reviews are not good enough, please ping me on it again. : )
Comment #45
D34dMan CreditAttribution: D34dMan commentedYou seems to be almost there, looking forward to see a release soon. Good Job.
Comment #46
klausiReview of the 7.x-1.x branch (commit 5482608):
This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.
manual review:
Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.
Comment #47
dbt102 CreditAttribution: dbt102 commentedHi @klausi,
Thanks for the review! I have gone thru and corrected each item you noted above, and summarize the revisions below.
1. Removed unused variable $version in the two instances noted in pareview and added comment.
2. Added comments to describe BWS1 & BWS2.
3. Removed @ and added comment.
4. Removed filter_xss from bacnet_soap_get_value .
5. Removed bacnet_schema() .
6. Changed to query the cache at the beginning of the function before invoking the SOAP request.
7. Removed the redundant use of check_plain, leaving “%” placeholder in bacnet_block_view().
8. Clarified $usage with [0], [1] for bacnet_block_view(), and quit checking $usage when it was just assigned the line before.
9. Changed form_set_error() calls to drupal_set_message.
10. Applied check_plain() to the result of var_export() in the pre tags.
and pareview runs clean.
Comment #48
dbt102 CreditAttribution: dbt102 commentedComment #49
dbt102 CreditAttribution: dbt102 commentedComment #50
dbt102 CreditAttribution: dbt102 commentedComment #51
dbt102 CreditAttribution: dbt102 commentedComment #52
dbt102 CreditAttribution: dbt102 commentedComment #53
dbt102 CreditAttribution: dbt102 commentedConducted three more reviews so tagging for priority review again.
Comment #54
klausimanual review:
Comment #55
dbt102 CreditAttribution: dbt102 commentedHi klausi,
I'm confused about your last comment
I'm pretty sure that I had this fixed (commit [b7627bc]) but then pareview didn't like it. So I changed it back.
Think I captured snapshot of before/after code along with pareview warning @ https://www.drupal.org/node/2335581#comment-9166031
Comment #56
dbt102 CreditAttribution: dbt102 commentedHi Klausi,
Per your most recent review at https://www.drupal.org/node/2312955#comment-9167565 , I have ...
1. documented @return
2. added check_plain back in ( I'm thinking your manual review takes precedence to automated review)
However, now pareview is telling me this again
Comment #57
pingwin4egIt's OK, because of "!" placeholder. Seems PAReview tool doesn't know about that.
Comment #58
adTumbler CreditAttribution: adTumbler commentedCloned module
Reviewed changes implemented per #56
Installed on http://open4energy.com - block reporting updated "now" energy value of 124kW - across all pages.
Comment #59
dbt102 CreditAttribution: dbt102 commentedComment #60
klausiYep, those issues were false positives from DrupalPractice sniffer, this is now fixed in the dev version. It clearly says that they could be false positives though, so better trust your own knowledge ;-)
manual review:
But otherwise looks good to me now.
Thanks for your contribution, dbt102!
I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well
Comment #61
D34dMan CreditAttribution: D34dMan commentedCongratulations @dbt102. Looking forward to work with this module soon.