TODO list of non-essential things

[Pa3u3u]

The list of things that should be done at some point in time but are not essential, just polishing:

• cooler /403 would be nice,
• also, link to home / back from /403 ?
• @FiXerCz , can you add similar note that is in Trips to Excursions that cannot be deleted?
  • note that it only shows up for STAFF and if there are excursions that cannot be deleted,
• under logout or generally somewhere on main page there should be links to delete and edit the account (currently there is no way for USER|STAFF to do that except directly typing /accounts/edit/<my_id>)
• favicon! :cake:

You are welcome to propose your own ideas.

[FiXerCz]

@FiXerCz , can you add similar note that is in Trips to Excursions that cannot be deleted? note that it only shows up for STAFF and if there are excursions that cannot be deleted,

Done (for customers too). You should probably change "distribution" of BR tags around "new" button and note for trips to the same way I did it for customers and excursions. Currently if the note is not shown, the "new" button is glued to the trip listing table (no space).

I am studying for an exam, but sometime during the day I can take a look at the 403 page and prepare some JS dropdown menu for edit and delete links at the logout link.

If I come up with some other stuff, I shall post it here.

[Pa3u3u]

Ok thanks.

Btw, you don't have to waste your time with dropdowns, simple links would be enough I think...

[FiXerCz]

Well it is a matter of couple of minutes for me :) I just don't know how the top row (navigation + auth links) look at the monitors with smaller resolutions (I am viewing it at full hd res.). Is there still space for another links placed next to each other (when ADMIN logs in, it may be quite crowded there :smile: )? I am lazy to pull out my NTB to check it and changing resolution at desktop would mess up my desktop icon placements :D:D

[Pa3u3u]

Can't you place it under the logout link then?

[FiXerCz]

I could. If it will look weird, I'll make that menu. It won't kill me.. Many web page elements have tried and failed..

[FiXerCz]

Ok, so edit/remove account links are in place, but I kinda failed with 403 error page. It is still boring as crap. I guess I was not feeling very creative.. If you want to, you can change it (I really won't be offended :smile: ) to sth else. That Gandalf stuff maybe..

[Pa3u3u]

Well... I think the page is funny :D And the links are good to, well done!

Is it possible to hide or disable "delete account" link for root? You can leave it be if it would be too much work; he will simply get 403 in the worst case. I doubt someone will try it :smiley: but just in case...

[FiXerCz]

Is it possible to hide or disable "delete account" link for root?

All done ;)

[Pa3u3u]

Thank you.

Is there anything from Security (except CLI) that needs to be finished?

[FiXerCz]

AFAIK it is just that hard-coding auth to rest api. Everything else should be done already.

[Pa3u3u]

Hard-coding is overrated, I have something else (yet easy) in mind :smiley:

[FiXerCz]

Okey doke, surprise me :-)

[Pa3u3u]

Mmm, btw, on the login screen, can you move the Submit button under the password field? Everywhere else the buttons are under fields, so it would be nice to keep it consistent.

[FiXerCz]

Sure. I am currently not at home, but I will do it when I get back.

[Pa3u3u]

Summary of things yet to be finished

• REST authentication (I'm currently revising for Grass Seory, but I will try to finish it today),
• you all should test the Web Application with different roles, do some random stuff around to see what fails or should behave differently and report it ( :arrow_right: :bug: )
• better (and more) trips and excursions worth of the name of Surreal-Travel :smiley: (I will do tomorrow),
• @FiXerCz , can the content of the main page (the bulletin etc.) be moved to separate *.xhtml.(en_US|cs_CZ) files that can be referenced from *.jsp without too much effort? I fear that it should not be a part of *.properties when deploying. But we will manage without it if it would be too much work...
• and also, there is not a mention of diagrams in the final requirements, but we changed roles (originally there was only admin and user), do you think we should change the diagrams to reflect that?

[FiXerCz]

Yo, point 2: already tested it and I could not find any problems. point 3: feel free to remove the bullshit I created there for testing purposes (customers, trips I added there etc.) point 4: no problem, I'll do it sometime today. I may add couple more phony messages there and make the bulletin look a bit better point 5: I don't know, there is no mention of keeping those diagrams up to date. Still it is better that we have added features that are not in diagrams, than have features in diagrams that are not implemented :D If we decide to alter diagrams, I cannot be of help. Since new year I have no solid internet connection at home (lawsuit between service provider and network infrastructure provider) and I am doing everything over my carrier network and that has really tight FUP, so I cannot download VP.

[Pa3u3u]

I see. You should file your own lawsuit against the both of providers :smiley: I hope it will resolve soon, I mean, no fast internet for a month? You poor thing...

I think I might download it somehere, or do something similar tomorrow

[Pa3u3u]

Isn't it funny, that one day before finish I finally managed to configure CLI's pom.xml so that it can create executable .jar file that starts up just about 1500x faster that mvn exec:... ? :smiley: (And yes, I grew tired of waiting while the maven finds all classes and shit...)

[Pa3u3u]

@FiXerCz , I have a working "solution" for REST API as well as using CSRF. After several hours, it seems it required only a SINGLE EXTRA FUCKING LINE.

springsecurity.xml: before first <http...>

<http pattern="/rest/**" auto-config="true" use-expressions="true"/>

This will de-facto exclude CSRF and AuthInterceptor only for REST and will leave it on for the rest of the pages. How cool is this? :smiley:

[FiXerCz]

Executable .jar for cli is great news. Now I can remove those stupid custom maven goals from netbeans. Though it is interesting, that we have been told it was impossible to create executable file - maybe you can add mention to readme.md, that is is in fact working - if we've got sth to gloat about, why not do it :D:D

You gotta be kidding me about that damn REST. I have tried really all sorts of stuff - I have tried to use interceptor, disect request object to obtain csrf token and then somehow set it to response -> all of that failed (spring security check sequence was fired before interceptor). And you solve it with 1 line of code??!!! :)

But seriously, great work, it is good that we can keep the csrf on! :)

[Pa3u3u]

I will push it in a moment... I'm just testing some extra features :smiley:

[FiXerCz]

OMG, I must share this. I am creating some made up articles for the bulletin and I needed some hobbit names - there is a freaking hobbit name generator!! Check it out, it is hillarious!! http://www.chriswetherell.com/hobbit/index.php

[Pa3u3u]

That's insane.

Btw, I have an idea how to obtain new user names... ;D

[FiXerCz]

I have noticed, that logged in staff/admin can see a bit deformed table with listing of excursions (3 buttons next to each other). In Chrome it is ok, but Firefox requires probably a bit more space. Changing the width of a last table column from 200 to 210 solves the issue in Firefox.

[Pa3u3u]

oh god ... I don't really remember where these numbers are, can you fix it, please?

[FiXerCz]

Sure thing. I will do it in the morning.

[Pa3u3u]

Mmm, I tried it here on Firefox, but the buttons showed OK. Anyway, I increased the width.

[Pa3u3u]

What about this /403?

The White Wizard has 403 reasons not to let you see you this page. That rascal is probably up to something.

The problem is that I used ffmpeg to create frames from FullHD film and even when I resized it to 320x240, the size is still 3.3 M :sad:

---

EDIT: After some optimizations I was able to make it 1.8M ... it won't be better I fear :disappointed:

[FiXerCz]

Yeah, that will be great :-) Maybe the 403 page should contain just that video, message and return link, i.e. it should not be based on layout tag, which would add menu, titles etc. That way the elements could be centered on the page and it would not look weird. What do u think?

[Pa3u3u]

Sorry, I forgot to mention that it's not a video, but GIF (but 1.8M GIF is not very far from actual video :smiley:). I will try to add it and see how it looks.

[Pa3u3u]

I have managed to decrease the size to 800K, which is almost perfect :smiley: I have also "generalized" your bulletin and reused it (it's a good component :smiley:) and I have created this

What do you think? Should I change something before I push it?

EDIT: I have decreased the size of that "403" number

[dvori]

I think it's great, I like it ... I wouldn't change anything :smiley:

[Pa3u3u]

While I'm at it, any ideas for 404 and 500? :smiley:

[FiXerCz]

I concur with dvori, it looks great!! :smiley:

point 404: "This is not the page you are looking for" and yoda? :) EDIT: Or "The answers you seek will not be found here" and Saruman with palantir? :D

point 500: no idea yet

[Pa3u3u]

Ad 500: I'd use Daenerys' Sake of Astapor (lots of fire, explosions etc.) Ad 404: I thought about it, but it's already overly used. I want to be original :smiley: But I will probably use Yoda if I can't think of anything else

[FiXerCz]

Alright, 500 error message sounds good. I have edited my previous post, github does not notify about that :)

[Pa3u3u]

Aaa, Palantir ... that sounds great :D I just need to create GIF from the film ... :smiley: EDIT that's from the same scene as 403, right?

[Pa3u3u]

Ok, I tried to be original :D what do you think about this 404?

The GIF is from the 2001: Space Odyssey

[FiXerCz]

Yep, I bet no one has that yet :)

[Pa3u3u]

and finally

Close Encounters of the Third Kind (The GIF from Game of Thrones was too bad of quality :disappointed: )

EDIT: I will change the subtitle to "We and our servers ..."

[FiXerCz]

Nice. Do you realize that we should deliberatly do sth wrong during live demo of our presentation just so we could show those messages? :-D It would be shame not to.

[Pa3u3u]

Oooooo ... well, I don't know about any errors (I would repair them :smiley:) but when I deploy the app to my work computer, I can add the mapping to "/fail" to throw an exception and show this page (it will NOT be in the "official" source of course)

[Pa3u3u]

Btw, do you think we should add some legal information somewhere that we do not own these pictures?

[FiXerCz]

We can show 403 and 404 pages easily at the end of presentation, by changing url to access eiher restricted or non-existent content. Just as a "borec na konec" ending :-)

Yeah, I think legal information should be at the bottom of all error pages. Sth like "we do not own any rights for the image material. Content is owned by appropriate-movie-studio-title."

[Pa3u3u]

I added this

<br/>
<small>
    The Surreal-Travel does not own rights for the image material on this page.<br/>
    The content from <i>2001: A Space Odyssey</i> (film) is owned by Metro-Goldwyn-Mayer.
</small>

to ends of the pages, hope it will be enough.

Also, I pushed it! Now I'm going to create some nice entities :smiley:

[FiXerCz]

I have a question/improvement proposal regarding creating new ROLE_USER accounts.

Question first: a) If a visitor, who is not authenticated wants to create account, we can assume, that that person wants a Customer account, right (Customer included)? b) If we want to create account, that will not have customer (staff or admin), we would be probably logged in as an ADMIN or ROOT (employees do not usually create their accounts from a scratch - they receive login info and can change account details l8r). Am I correct in thinking this?

Now proposal: Users are generally stupid. It may be harsh, but it is true. Having in new-account form checkbox "is customer?" may lead to situations, when visitor creates account without customer (deselects checkbox) - such account is useless for him, since he cannot create reservations. My proposal is this: Lets hide checkbox from new-form for anyone who is not authenticated or less than admin. Logged in admins would see new-form as it is now.

This can be achieved easily:

Adding this just below taglib imports:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<sec:authorize access="not hasRole('ROLE_ADMIN')">
  <input type="hidden" name="customer" id="customer" value="1"/>
</sec:authorize>

And replacing table row with checkbox with this:

<sec:authorize access="hasRole('ROLE_ADMIN')">
  <tr>
    <td class="left">  <f:message key="account.customer"/>:</td>
    <td><form:checkbox path="customer" id="customer"/></td>
  </tr>
</sec:authorize>

If you see any flaws in my assumption or just do not want to do this (it is quite last minute proposal), then disregard this. It is just an idea.

[Pa3u3u]

I have no objections against this. If you have a working copy, test it and push it please (we are quite running out of time :smiley: so I can't do it myself)

[FiXerCz]

Okey, doke I will also fix a return value for 403 method in AuthController to point to new template location.

[Pa3u3u]

use address /403, this will get mapped to the right page... so that if (someone, someday) decides to move error pages, he won't have to search the whole code, but will only change the mapping in the Controller :smiley:

[FiXerCz]

Oh, lol I can even remove method with that mapping. It is probably done by Spring Security now :D