[D7] About.me Widget

Fixed the git clone URL in the issue summary for non-maintainer users.

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

Manual Review

Individual user account

Yes: Follows the guidelines for individual user accounts.

No duplication

Yes: Does not cause module duplication and/or fragmentation.

Master Branch

Yes: Follows the guidelines for master branch.

Licensing

Yes: Followsthe licensing requirements.

3rd party assets/code

Yes: Follows the guidelines for 3rd party assets/code.

README.txt/README.md

Yes: Follows the guidelines for in-project documentation and/or the README Template.

Code long/complex enough for review

Yes: Follows the guidelines for project length and complexity.

Secure code

Yes: Meets the security requirements.

Nicely coded module :)

1. @ line #202 return $block_data; should be inside the if condition, because it dose not make much sense there.
2. Should have the provision to change the ABOUTME_CLIENT_ID

Module does what it advertises, unfortunetly I identified a security issue otherways I would have passed this.

Manual Review

Individual user account

[Yes: Follows] the guidelines for individual user accounts.

No duplication

[Yes: Does not cause] module duplication and/or fragmentation.

Master Branch

[Yes: Follows] the guidelines for master branch.

Licensing

[Yes: Follows] the licensing requirements.

3rd party assets/code

[Yes: Follows] the guidelines for 3rd party assets/code.

README.txt/README.md

[Yes: Follows] the guidelines for in-project documentation and/or the README Template.

Code long/complex enough for review

[Yes: Follows / No: Does not follow] the guidelines for project length and complexity.

Secure code

No: List of security issues identified.]

1. Security: Possible Code Injection. All data from about.me is directly put into the Block array, this shold be treated as user unput and passed through a t() string to protect against malicous use. (Mitigated by about.me, they filter input on there service. Still should be fixed.

Coding style & Drupal API usage

1. (*)Security issue, see above.
2. (+)Line(140)[aboutme.module]"$data = json_decode($result->data);" use drupal_json_decode()

The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.

If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.

This review uses the Project Application Review Template.

@malavya I believe you are confusing a Drupal variable (from the variables array) with external input. Coding standards indeed dictate that you do not mess with a Drupal variable and that we store input as given to us that we validated.

What you are doing is trusting the external service (with there API) to always have correct values. a service which may or may not be running on php and may or may not have the same security measures in place as Drupal does.
Since you are using an external provider you should consider all values passed on by them the same as if they were user input, and we never blindly put user input back in the page (we validate it and possibly impose a formatter on it to limit treats)

To have a similar protection in place without implimenting a full formatter implementation, you can use the t() functino to atleast have sane output.

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Manual Review

Coding style & Drupal API usage

1. Please use sanitization functions for data that you display from about.me service

Could you please consider possibility of using hook_block_configure function instead of custom menu item for about.me settings?

Hi jdrichmond

Manual Review:

I reviewed your module, following thing have need to fixed.
1. If I have enter integer value for Your about.me User Name and submit the form it will accept this value, so please ad validation for Your about.me User Name.
2. Please include hook_help.
3. In hook_menu, missing the t() in description text
4. have you also read the comments on Proper way to bulk-delete variables on module uninstall? You should not delete variables directly from db.
Please reffer following code

global $conf;
$module_string = "meet_our_team";
$vars = array_intersect_key($conf, array_flip(preg_grep("/^{$module_string}.*/", array_keys($conf))));
foreach (array_keys($vars) as $var) {
  variable_del($var);
}

Looks fine,
Let's wait for a git admin to look in this.

@NitinSP, apologies if you've already taken this to heart, but in the order i've gone through the issues you've been corrected about recommending t() in hook_menu and asking for the unnecessarily complex way of deleting variables on uninstall more than once, so please, stop making those recommendations ;-)

Thanks for your contribution! Congratulations, you are now a vetted Git user. You can promote this to a full project.

When you create new projects (typically as a sandbox to start) you can then promote them to a full project.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues (here you get to ask fans of your project to help you!)

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.