Mailman Integration
This module allows Drupal Administrator to create, subscribe and unsubscribe a Mailing List from Drupal.

Requirements
* Access to Mailman
* You need to have the Mailman URL and Mailman site password

Features
The primary features include:

* Administrator to manually create a new Mailing List from Drupal.
* Administrator can subscribe/unsubscribe a Mailing List for users from Mailman Integration module admin page.
* Administrator can create a role based Mailing List from Drupal.
* When a Member is assigned this new Role, the Member should automatically become part of the corresponding Mailing List.
* When a Member is removed from a particular Role, the Member should be removed from the corresponding Mailing List as well.
* When a Role is removed from Drupal, the corresponding Mailing List, if any, should be removed from Mailman.
* User can subscribe/unsubscribe a mailing list from my profile if admin checks the User can Subscribe option in the mailing lists.
* When the Cron runs, all the Mailman lists are migrated into Drupal.

Installation
1. Copy the mailman_integration folder to your module directory.
2. At Administer -> Modules (admin/modules) enable the module.
3. Configure the module settings at Administer -> Configuration -> User Interface -> Mailman Integration (admin/config/user-interface/mailman-integration).
4. Mailman Integration module page link at Administer -> Configuration -> System -> Mailman Mailing Lists (admin/config/system/mailman_integration/list).

Sandbox project page link:
https://www.drupal.org/sandbox/gaja_daran/2530690

Differences from similar projects:
This module can create two types of lists, Manual and Role based. Mailman List creation and subscription are reflected instantly into Mailman, the GNU Mailing List. Automated mailman sync-up.

1. https://www.drupal.org/project/mailman_manager - Administrator can create a role based Mailing List from Drupal. When a Member is assigned this new Role, the Member should automatically become part of the corresponding Mailing List.

2. https://www.drupal.org/project/user_mailman_register - Admin can set a subscribe option for user and user can subscribe/unsubscribe a mailing list from my profile. Automated mailman sync-up.
When a Role is removed from Drupal, the corresponding role based Mailing List, if any, removed from Mailman instantly

3. https://www.drupal.org/project/mlist - This module provides simple subscribe/unsubscribe functionality for mailing lists running on a Mailman. Supporting View for getting Mail List and Subscription list.

Pareview results:
http://pareview.sh/pareview/httpgitdrupalorgsandboxgajadaran2530690git

To clone the project:

git clone --branch 7.x-1.x http://git.drupal.org/sandbox/gaja_daran/2530690.git mailman_integration
cd mailman_integration

Manual Reviews of other projects
https://www.drupal.org/node/2560621#comment-10291559
https://www.drupal.org/node/2543346#comment-10179170
https://www.drupal.org/node/2541320#comment-10179324
https://www.drupal.org/node/2511268#comment-10179372
https://www.drupal.org/node/2544180#comment-10179544
https://www.drupal.org/node/2544524#comment-10191696
https://www.drupal.org/node/2536654#comment-10194641
https://www.drupal.org/node/2522102#comment-10194887
https://www.drupal.org/node/2548683#comment-10203313
https://www.drupal.org/node/2554797#comment-10244321
https://www.drupal.org/node/2558421#comment-10270761
https://www.drupal.org/node/2564055#comment-10397765
https://www.drupal.org/node/2593331#comment-10462427

Comments

PA robot’s picture

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

gaja_daran’s picture

Issue summary: View changes
falc0’s picture

Manual Review

Individual user account
Yes: Follows the guidelines for individual user accounts.
No duplication
Yes: Does not cause module duplication and/or fragmentation.
Master Branch
Yes: Follows the guidelines for master branch.
Licensing
Yes: Follows the licensing requirements.
3rd party assets/code
Yes: Follows the guidelines for 3rd party assets/code.
README.txt/README.md
No: Does not follow the guidelines for in-project documentation and/or the README Template.
There is no hook_help().
Code long/complex enough for review
Yes: Follows the guidelines for project length and complexity.
Coding style & Drupal API usage
  1. (*) You don't need to explicitly uninstall your database schema. install-schema
  2. mailman_integration.module:30:
        'template path' => drupal_get_path('module', 'mailman_integration') . '/views',
    

    no need to implement template path when you don't use templates

  3. mailman_integration.module:38:
    /**
     * Implements hook_init().
     */
    function mailman_integration_init() {
      module_load_include('inc', 'mailman_integration', 'mailman_integration_admin');
    }
    

    I don't think it's a good idea to add this in a hook_init. I think it's better to add it only where you need it because hook_init gets called for every page.

The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.

This review uses the Project Application Review Template.

falc0’s picture

Status: Needs review » Needs work
gaja_daran’s picture

Hi falc0,

Thanks for your comment.

I have removed following items from your valuable feedback.
1. drupal_uninstall_schema
2. template path in hook_views_api
3. module_load_include in hook_init.

And also added the hook_help and necessary changes in readme file.

gaja_daran’s picture

Status: Needs work » Needs review
FileSize
41.32 KB
gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Issue tags: +PAreview: review bonus
Vignesh Puliyadi Raja’s picture

My review:

Manual Reviews:

When I create a role based mailman list, I am getting warning : array_flip().

Warning: array_flip(): Can only flip STRING and INTEGER values! in mailman_integration_add_rolelist_form_validate() (line 619 of /var/www/vigneshpr/sites/all/modules/mailman_integration/mailman_integration_admin.inc).

This issue needs to be fixed.

Vignesh Puliyadi Raja’s picture

Status: Needs review » Needs work
gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Hi vigneshpr87,

Thanks for your review and your suggestion.

I have fixed the array_flip warning. Kindly review again.

Thanks.

gaja_daran’s picture

Status: Needs work » Needs review
gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Issue summary: View changes
Sudhakar Dhanapalan’s picture

Status: Needs review » Needs work

Manual Reviews:

mailmanMakeCurlCall(): why is cURL used here instead of drupal_http_request()?

mailman_integration.inc - > line no 155 : curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

verifyhost should always be 2

This is a security problem and is the blocking issue in this application.

This issue needs to be addressed.
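
The setting flagged in this comment, shown next to a verifying configuration, as an added example that is not the module's code. The function names are hypothetical, and the URL and form field in the demo are constructed placeholders.

```php
<?php
// Added example, not the module's code. Function names are hypothetical and
// the URL and form field in the demo are constructed placeholders.

// Builds cURL options for a Mailman admin request with TLS checks enabled.
function example_mailman_curl_options($url, array $post_fields) {
  if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
    throw new InvalidArgumentException('Mailman URL must use https.');
  }
  return array(
    CURLOPT_URL => $url,
    CURLOPT_POST => TRUE,
    CURLOPT_POSTFIELDS => http_build_query($post_fields),
    CURLOPT_RETURNTRANSFER => TRUE,
    // Validate the certificate chain against the trusted CA store.
    CURLOPT_SSL_VERIFYPEER => TRUE,
    // 2 = the certificate must be issued for the host in the URL.
    CURLOPT_SSL_VERIFYHOST => 2,
  );
}

// Lists TLS checks that an options array switches off (empty array = none).
function example_mailman_tls_problems(array $options) {
  $problems = array();
  if (array_key_exists(CURLOPT_SSL_VERIFYPEER, $options) && !$options[CURLOPT_SSL_VERIFYPEER]) {
    $problems[] = 'CURLOPT_SSL_VERIFYPEER is disabled';
  }
  if (array_key_exists(CURLOPT_SSL_VERIFYHOST, $options) && (int) $options[CURLOPT_SSL_VERIFYHOST] !== 2) {
    $problems[] = 'CURLOPT_SSL_VERIFYHOST is not 2';
  }
  return $problems;
}

// Sends the request; a failed TLS check surfaces as an error, with no retry
// under weaker settings.
function example_mailman_request($url, array $post_fields) {
  $options = example_mailman_curl_options($url, $post_fields);
  $ch = curl_init();
  curl_setopt_array($ch, $options);
  $body = curl_exec($ch);
  if ($body === FALSE) {
    throw new RuntimeException('Mailman request failed: ' . curl_error($ch));
  }
  return $body;
}

// Offline demo: audit the setting quoted in the review against the builder.
$reviewed = array(CURLOPT_SSL_VERIFYHOST => 0);
$fixed = example_mailman_curl_options('https://lists.example.org/mailman/admin', array('field' => 'placeholder'));
print_r(example_mailman_tls_problems($reviewed));
print_r(example_mailman_tls_problems($fixed));
```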

gaja_daran’s picture

Status: Needs work » Needs review

Hi Sudhakar Dhanapalan,

Thanks for your valuable feedback.

I have changed the curl function into drupal http header. Kindly review again.

Thanks.

gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Issue summary: View changes
klausi’s picture

Assigned: Unassigned » Manjit.Singh
Status: Needs review » Needs work
Issue tags: +PAreview: security

Git errors:

Review of the 7.x-1.x branch (commit 6c64fe9):

  • Coder Sniffer has found some issues with your code (please check the Drupal coding standards).
    FILE: /home/klausi/pareview_temp/mailman_integration.inc
    ----------------------------------------------------------------------
    FOUND 1 ERROR AFFECTING 1 LINE
    ----------------------------------------------------------------------
     150 | ERROR | [x] Whitespace found at end of line
    ----------------------------------------------------------------------
    PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
    ----------------------------------------------------------------------
    
    
    FILE: /home/klausi/pareview_temp/mailman_integration_admin.inc
    ---------------------------------------------------------------------------
    FOUND 0 ERRORS AND 3 WARNINGS AFFECTING 3 LINES
    ---------------------------------------------------------------------------
      611 | WARNING | Do not concatenate strings to translatable strings, they
          |         | should be part of the t() argument and you should use
          |         | placeholders
      876 | WARNING | Do not concatenate strings to translatable strings, they
          |         | should be part of the t() argument and you should use
          |         | placeholders
     1022 | WARNING | Do not concatenate strings to translatable strings, they
          |         | should be part of the t() argument and you should use
          |         | placeholders
    ---------------------------------------------------------------------------
    
  • DrupalPractice has found some issues with your code, but could be false positives.
    
    FILE: /home/klausi/pareview_temp/mailman_integration.inc
    ----------------------------------------------------------------------
    FOUND 0 ERRORS AND 2 WARNINGS AFFECTING 2 LINES
    ----------------------------------------------------------------------
     135 | WARNING | Unused variable $return_transfer.
     136 | WARNING | Unused variable $custom_request.
    ----------------------------------------------------------------------
    
  • Codespell has found some spelling errors in your code.
    ./mailman_integration.module:61: Dont  ==> Don't
    
  • No automated test cases were found, did you consider writing Simpletests or PHPUnit tests? This is not a requirement but encouraged for professional software development.

This automated report was generated with PAReview.sh, your friendly project application review script. You can also use the online version to check your project. You have to get a review bonus to get a review from me.

manual review:

  1. project page: what are the differences to the 5 already existing mailman modules? https://www.drupal.org/project/mailman https://www.drupal.org/project/mailman_manager https://www.drupal.org/project/user_mailman_register https://www.drupal.org/project/mailman_groups https://www.drupal.org/project/mlist ? Please add that to the project page. Module duplication and fragmentation is a huge problem on drupal.org and we prefer collaboration over competition. Please improve an existing project on drupal.org instead of creating yet another new one.
  2. mailman_integration_cron(): why do you check the mailman connection on every cron run? So this will run every 5 minutes on my site, what for? Please add a comment.
  3. mailman_integration_form_alter(): if you are only targeting one specific form ID then you should use hook_form_FORM_ID_alter() instead.
  4. mailman_integration_form_alter(): why do you need to store this in the session? Please add a comment. hook_user_role_delete() is invoked for every role anyway, so you have the role ID available there?
  5. mailman_integration_404_page(): why do you need this function and cannot use drupal_not_found()? Please add a comment.
  6. mailman_integration_list_page_callback(): this function can be removed if you use "drupal_get_form" as page callback directly in hook_menu(). See https://api.drupal.org/api/drupal/modules!system!system.api.php/function...
  7. This module has a security vulnerability and as part of our git admin training I'm assigning this to Manjit so that he can take a look. If he does not find anything within a week I'm going to post the vulnerability details. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.
gaja_daran’s picture

Issue summary: View changes
Status: Needs work » Needs review

Hi klausi,

Thanks for your valuable review and your feedback.

My comments about your feedback:

Git errors:
Git default branch is set.

PAReview:
Fixed

Manual Review:
1. Added Project features and differences from existing module in project page
These two modules are not relevant to Drupal 7
https://www.drupal.org/project/mailman_groups - Drupal 6
https://www.drupal.org/project/mailman - Drupal 4

2. Cron is for Mailman List sync-up. I have added a configuration for if auto sync cron is needed or not. If enabled, then only mail list sync-up cron is running.

3. Changed hook_form_alter into hook_form_FORM_ID_alter, because it's targeting only one form.

4. Yes, Needed. Every role deletes, want to remove the deleting role based mail list and subscription, if any.

5. Replaced drupal_not_found() function.

6. Removed mailman_integration_list_page_callback function and get it from drupal_get_form.

gaja_daran’s picture

Issue summary: View changes
klausi’s picture

Assigned: Manjit.Singh » Unassigned
Status: Needs review » Needs work

Since Manjit didn't get to it - now revealing the security vulnerability:

mailman_integration_search_list_form() is vulnerable to XSS exploits. The list description is printed unsanitized to HTML in the table. If I enter <script>alert('XSS');</script> as list description I can trigger a nasty javascript popup on the page. You need to sanitize user provided text before printing, make sure to read https://www.drupal.org/node/28984 again.

gaja_daran’s picture

Status: Needs work » Needs review

Hi Klausi,
Thanks for finding the major issue. It's very helpful for improving this project.
Issue fixed.

Thanks.

klausi’s picture

Status: Needs review » Needs work

manual review:

  1. "Code Review Changes" is not a useful git commit message. You should describe what you did, see https://www.drupal.org/node/52287
  2. Warning: Missing argument 1 for mailman_integration_add_user_callback() in mailman_integration_add_user_callback() (line 953 of mailman_integration/mailman_integration_admin.inc). I think you forgot the "%" placeholder in hook_menu() for this?
  3. mailman_integration_subscribe_user_form_validate(): this is vulnerable to XSS exploits. "form_set_error('list_mail_address', $mail . ' - ' . t('Email address appears to be invalid.'));" is not using safe placeholders with t(), thereby printing arbitrary user input to HTML.
  4. mailman_integration_list_users(): don't call theme() here, just return the nested render array. Drupal core will render later for you, see https://www.drupal.org/node/930760
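
The two XSS findings in this thread (the list description printed into the table, and the e-mail address concatenated in front of t() in form_set_error()), as an added example that is not the module's code. The function names and the shape of $lists are hypothetical; the two stand-ins let the file run outside Drupal 7 and are skipped when Drupal's own check_plain() and t() are loaded.

```php
<?php
// Added example, not the module's code. Outside Drupal these stand-ins mimic
// Drupal 7's check_plain() and the escaping "@" placeholder of t().
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('t')) {
  function t($string, array $args = array()) {
    // Stand-in only: every placeholder is escaped; only "@" is used below.
    foreach ($args as $key => $value) {
      $args[$key] = check_plain($value);
    }
    return strtr($string, $args);
  }
}

// Builds table rows for a list overview. Table cells given as strings are
// printed as-is, so user-supplied text is escaped before it goes in.
function example_list_rows(array $lists) {
  $rows = array();
  foreach ($lists as $list) {
    $rows[] = array(
      check_plain($list['name']),
      // Vulnerable form: $list['description'] placed in the cell unescaped.
      check_plain($list['description']),
    );
  }
  return $rows;
}

// Builds the validation message with the address as a t() placeholder.
// Vulnerable form quoted in the review:
//   $mail . ' - ' . t('Email address appears to be invalid.')
function example_invalid_mail_message($mail) {
  return t('@mail - Email address appears to be invalid.', array('@mail' => $mail));
}

// Constructed input, reusing the payload quoted earlier in this thread.
$payload = "<script>alert('XSS');</script>";
$rows = example_list_rows(array(
  array('name' => 'announce', 'description' => $payload),
));
print $rows[0][1] . "\n";
print example_invalid_mail_message($payload . '@example.com') . "\n";
```

Inside Drupal 7 the message would be passed on as form_set_error('list_mail_address', example_invalid_mail_message($mail)).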
gaja_daran’s picture

Status: Needs work » Needs review

Hi klausi,

Thank you so much once again. You are amazing.
Issue Fixed.
1. Follow git commit
2. Added % in hook_menu
3. t() function using properly
4. Return the render array.
Earlier, I followed this page for getting the pager: https://www.drupal.org/node/1365736.

Thanks.

gaja_daran’s picture

Issue summary: View changes
klausi’s picture

Status: Needs review » Needs work

Review of the 7.x-1.x branch (commit 3c2bf5b):

  • Codespell has found some spelling errors in your code.
    ./mailman_integration.module:61: Dont  ==> Don't
    
  • No automated test cases were found, did you consider writing Simpletests or PHPUnit tests? This is not a requirement but encouraged for professional software development.

manual review:

  • mailman_integration_admin.inc: still contains "form_set_error('list_mail_address', $mail . ' - ' . t('Email address appears to be invalid.'));" where you use t() wrong and print an email address unsanitized. Please check all your t() calls.
gaja_daran’s picture

Status: Needs work » Needs review

Hi klausi,

This is my great mistake. I forgot to move this code. You have already mentioned this.
Thanks a lot.

gaja_daran’s picture

Issue summary: View changes
gaja_daran’s picture

Priority: Normal » Major
klausi’s picture

Assigned: Unassigned » er.pushpinderrana
Status: Needs review » Reviewed & tested by the community

Looks good to me now, assigning to er.pushpinderrana as he might have time to take a final look at this.

gaja_daran’s picture

Thanks a lot Klausi.

er.pushpinderrana’s picture

Assigned: er.pushpinderrana » Unassigned
Priority: Major » Normal
Status: Reviewed & tested by the community » Fixed

Automated Review

Best practice issues identified by pareview.sh / drupalcs / coder. None

Review of the 7.x-1.x branch (commit 90d9a87):

  • No automated test cases were found, did you consider writing Simpletests or PHPUnit tests? This is not a requirement but encouraged for professional software development.

Manual Review

mailman_integration_list_users_submit(): Using drupal_goto() in a form submission handler() is hacky, and it should be avoided, since it stops the other form submission handlers from being called. See http://drupal.stackexchange.com/questions/94578/drupal-goto-usage

mailman_integration_select_list_data(): why do you call check_plain() here, if I understand correctly entity_id always holds an integer value so no XSS danger? Same for mailman_integration_select_list_roles() for role_id.

The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

Nothing major jumped out to me as it's already set to RTBC so....

Thanks for your contribution, Selva Gajendran!

I updated your account so you can promote this to a full project and also create new projects as either a sandbox or a "full" project.

Here are some recommended readings to help with excellent maintainership:

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.

gaja_daran’s picture

Thank you so much, Pushpinderrana.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.