About the module

Not taxable users module offers the possibility to exclude sales taxes from users orders throughout the managing users list on module's amdinistration page. In some cases there are no taxes needed in online stores for example, if a customer has a sales permit, the order for him is not taxable. It can be done using Not Taxable Users module.

Project page

https://www.drupal.org/sandbox/anatolii88/2575281

Git clone command

git clone --branch 7.x-1.x http://git.drupal.org/sandbox/Anatolii88/2575281.git not_taxable_users
cd not_taxable_users

Links to my reviews

https://www.drupal.org/node/2591935#comment-10456357
https://www.drupal.org/node/2575109#comment-10461409
https://www.drupal.org/node/2594679#comment-10463861

Comments

Anatolii88 created an issue. See original summary.

Anatolii88’s picture

Issue summary: View changes
PA robot’s picture

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Anatolii88’s picture

Issue summary: View changes
Anatolii88’s picture

Issue summary: View changes
Anatolii88’s picture

Issue summary: View changes
Issue tags: +PAreview: review bonus
kporras07’s picture

Status: Needs review » Needs work

1. Basic application checks
1.1 Ensure your application contains a repository and project page link: OK
1.2 Ensure your project is not a duplication: OK

2. Basic repository checks
2.1 Ensure the repository actually contains code: OK

3. Security Review.
3.1 Ensure the project does not contain any security issues: It looks OK for me.

4. Licensing checks
4.1 Ensure the repository does not contain a ‘LICENSE.txt’ file: OK
4.2 Ensure the repository does not contain any 3rd party (non-GPL) code: OK

5. Documentation checks
5.1 Ensure the project page contains detailed information: I think it could be improved. Please take a look to https://www.drupal.org/node/997024. I'll add more details from README file.
5.2 Ensure the repository contains a detailed README.txt: OK
5.3 Ensure the code contains a well-balanced amount of inline-comments: Maybe you need to add some inline comments.

6. Coding standards and style
6.1 Run an automated review and ensure there are no major issues: OK

7. API and best practices Review
7.1 Ensure you are using Drupals API correctly: OK

Some other notes:
- There is an extra space in some "Implements hook_*()" comments.
- .module in line 15 is trying to use README.md file; but this doesn't exist and it's not going to exist if you don't add it. I'm not sure if it would be good to remove that reference if you're not planning to add it in order to make the code clearer.
- JS file has a very generic name (my_module.js); please rename it to something module-specific.
- It's preferred to use #attached to drupal_add_js/drupal_add_js. It would be great if you could change it on not_taxable_users_admin(). However; I don't think of this as a blocker.
- Hook_form is something different than you did in some functions in admin.inc file (https://api.drupal.org/api/drupal/modules!node!node.api.php/function/hoo...). I'll change the comment, function is OK.
- There is a comment for hook_menu in admin.inc that doesn't correspond to what is there.
- In rules.inc file, maybe it would be easier to read to just create a hook_rules_condition_info function and put the condition inside that instead of having a big condition and write twice the same function.

Besides this notes; great work! Thanks for your contribution.

Anatolii88’s picture

Status: Needs work » Needs review

Hi @kporras07,

Thank you for review. I fixed all off the issues you mentioned:

- Project page has been updated. Added more information;
- I have added more inline comments;
- An extra space in some "Implements hook_*()" - fixed.
- I deleted code that tries to use README.md file. If I add README.md, I will add those lines to the code that tries to use it.
- JS file name has been changed.
- I added .js file using #attached instead of drupal_add_js/drupal_add_js.
- I have changed the comments to the functions that uses hook_form().
- A comment for hook_menu in admin.inc has been fixed.
- Fixed issue regarding the conditions in rules.inc file.

Please check the changes.

_KurT_’s picture

First i found function not_taxable_users_search_form_validate(), line 200 and thought that it would be possible to select users to check in one query, but then i found that you are maybe use not optimal table configuration.

Why do you need to store users.name in your custom tabel?

If it is not necessary, you should get rid of it. In case you don't need user names it would be better to use users.uid in your not_taxable_users.taxid, instead of having own ids. Thus you could make one query instead of two and don't store unnecessary data in db.

Don't you think it would be better to use db_select instead of db_query everywhere?

klausi’s picture

Assigned: Anatolii88 » Manjit.Singh
Status: Needs review » Needs work
Issue tags: -PAreview: review bonus +PAreview: security

@_KurT_: using db_query() is perfectly fine for simple static queries, see https://www.drupal.org/dynamic-queries

manual review:

  1. not_taxable_users_schema(): could you add a description to all columns?
  2. not_taxable_users_admin(): do not call drupal_render() here, just return one render array that collects all elements of the page. Makes it way easier to alter things on that page. See https://www.drupal.org/node/930760
  3. not_taxable_users_search_form(): do not call check_plain() here on the $label variable which is a static string and not user provided. So sanitizing it does not make sense. Make sure to read https://www.drupal.org/node/28984 again. Also elsewhere in not_taxable_users_change_form() for example.
  4. not_taxable_users_schema(): the problem with your data schema is that you save the user name instead of the user ID. What happens if a user changes their user name? Then the reference breaks down?
  5. This module has a security vulnerability and as part of our git admin training I'm assigning this to Manjit so that he can take a look. If he does not find anything within one week I'm going to post the exploit details. And please don't remove the security tag, we keep that for statistics and to show examples of security problems.

Removing review bonus tag, you can add it again if you have done another 3 reviews of other projects.

Anatolii88’s picture

Thank you for your reviews @klausi and @_KurT_. I'll fix all of the problems as son as I have free time.

klausi’s picture

Assigned: Manjit.Singh » Unassigned

now revealing the security vulnerability:

not_taxable_users_page(): this is vulnerable to XSS exploits. User names are user provided text before printing to HTML. Usually they are validated for special characters by Drupal, but they could also be migrated from third party system, so they need to be sanitized before printing to raw HTML table markup. Make sure to read https://www.drupal.org/node/28984 again. You could use #theme = 'username' in a render array which will also sanitize and link the user account.

PA robot’s picture

Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Anatolii88’s picture

Status: Closed (won't fix) » Needs review

@klausi thanks for the review. All known problems were fixed. Please check the changes.

LiamPower’s picture

Automated Review

No issues

Note that perfect adherence to Drupal Coding Standard is NOT a reason to block an application, except for total disregard of them. However, modules should follow them as closely as possible.

Manual Review

Individual user account
[Yes: Follows] the guidelines for individual user accounts.
No duplication
[Yes: Does not cause] module duplication and/or fragmentation.
Master Branch
[Yes: Follows] the guidelines for master branch.
Licensing
[Yes: Follows] the licensing requirements.
3rd party assets/code
[Yes: Follows] the guidelines for 3rd party assets/code.
README.txt/README.md
[Yes: Follows] the guidelines for in-project documentation and/or the README Template.
Code long/complex enough for review
[Yes: Follows] the guidelines for project length and complexity.
Secure code
[Yes: Meets the security requirements.]
Coding style & Drupal API usage
[List of identified issues in no particular order. Use (*) and (+) to indicate an issue importance. Replace the text below by the issues themselves:
  1. Just a recommendation
  2. In not_taxable_users_admin() I would recommend adding css using #attached instead of drupal_add_css as that's the way it is going with Drupal 8.
  3. In not_taxable_users_search(), not_taxable_users_change() and not_taxable_users_page() you have hard coded a date format. I would recommend using format_date and select one of the default styles, which will allow the users to change the format within the CMS and allows for consistency.
  4. The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.

This review uses the Project Application Review Template.

Anatolii88’s picture

@LiamPower thank you for the review! Your recommendations were added to the module code.

spacetaxi’s picture

Status: Needs review » Reviewed & tested by the community

Manual Review

Individual user account
Yes: Follows the guidelines for individual user accounts.
No duplication
Yes: Does not cause module duplication and/or fragmentation.
Master Branch
Yes: Follows the guidelines for master branch.
Licensing
Yes: Follows the licensing requirements.
3rd party assets/code
Yes: Follows the guidelines for 3rd party assets/code.
README.txt/README.md
Yes: Follows the guidelines for in-project documentation and/or the README Template.
Code long/complex enough for review
Yes: Follows the guidelines for project length and complexity.
Secure code
Yes: Meets the security requirements.
Coding style & Drupal API usage
[List of identified issues in no particular order. Use (*) and (+) to indicate an issue importance. Replace the text below by the issues themselves:
  1. (+) Typo on line 13 of not_taxable_users.rules.inc. Actually, a better title would be "User is taxable"
  2. Consider changing title of admin menu item "Administer users list for taxes charging" to "Not taxable users" or "Tax exempt users." Might be easier to find in that menu.
  3. Kudos for creating a module that works with both Ubercart and Commerce.

The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.

This review uses the Project Application Review Template.

Anatolii88’s picture

Status: Reviewed & tested by the community » Active

@spacetaxi thank you for the review. I will include your recommendations before promoting to a full project.

Anatolii88’s picture

Status: Active » Reviewed & tested by the community
Anatolii88’s picture

Hi @spacetaxi,

I've fixed bugs and added proposed recommendations. Thanks.
P.S.Kudos will be added later.

spacetaxi’s picture

Priority: Normal » Major

Hi @Anatolii88, looks great! I'm going to see if I can raise the status to Major, maybe the project application folks will take a look and give this their blessing.

Anatolii88’s picture

Hi @spacetaxi,

Thanks a lot.

mlncn’s picture

Priority: Major » Normal
Status: Reviewed & tested by the community » Fixed

Thanks for your contribution! Congratulations, you are now a vetted Git user. You can promote this to a full project.

When you create new projects (typically as a sandbox to start) you can then promote them to a full project.

Here are some recommended readings to help with excellent maintainership:

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.