carmentang / globitek_week2

Codepath's week two assignment on securing a website built on PHP, Apache & MySQL

Finished Project 2 #1

Open carmentang opened 8 years ago

carmentang commented 8 years ago

/cc @codepath @codepathreview

melophonic commented 8 years ago

Excellent work, @carmentang. The code is clean, well-organized, and readable; the requirements are implemented well and show good attention to detail. Nice job. Just a few notes:

One issue with the final (bonus) requirement ("Nest the CMS for states inside of the Staff CMS for countries...") is that the link to add a state to a country is not present in countries/show.php (compare to states/show.php where you can see a list of territories and have a link to add one). Currently, to add a state to a country, the user would have to know the country id--nesting the states CMS inside the countries CMS avoids this.

With regard to the Penetration Testing items, think about specific vulnerabilities in this code. For instance, you point out that specific values need to be sanitized, but can you think of an example of input that would be harmful if a field had been left unsanitized? For example, if the Country Code field accepted any input instead of verifying length and characters, what's an example of a string that could be used to cause unexpected behavior in either the browser or the database?

Some of the other examples you list (man-in-the-middle and eavesdropping) are really classes of attacks more than specific vulnerabilities. It's similar to the distinction between strategy and tactics. For example, consider how a cross-site scripting vulnerability could enable a man-in-the-middle attack, or how eavesdropping could reveal a vulnerability to a possible attacker.

One more minor note: to get the README markdown formatting to display correctly, you need to make sure the file has the .md extension (i.e., it should be README.md instead of README).
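The kind of length-and-character check the review asks about for the Country Code field, written as an added example for this thread rather than code from the globitek_week2 project. It assumes a country code is 2 to 3 uppercase ASCII letters and a `countries(name, code)` table reached through PDO; the sample strings at the bottom are constructed.

```php
<?php
// Added example (not from the globitek_week2 project): validate a country code
// server-side before it reaches the database or the browser.
// Assumption: codes are 2 to 3 uppercase ASCII letters (ISO 3166 alpha-2/alpha-3 style).

declare(strict_types=1);

function is_valid_country_code(string $code): bool {
    // Allow-list: length and character set are checked by one pattern.
    // \A and \z avoid the trailing-newline hole that ^...$ leaves open in PCRE.
    return preg_match('/\A[A-Z]{2,3}\z/', $code) === 1;
}

function insert_country(PDO $db, string $name, string $code): bool {
    if (!is_valid_country_code($code)) {
        return false;   // reject outright; do not "clean up" and continue
    }
    // Defense in depth: even a validated value goes through a prepared statement,
    // so it is bound as data and never interpreted as SQL.
    $stmt = $db->prepare('INSERT INTO countries (name, code) VALUES (:name, :code)');
    return $stmt->execute([':name' => $name, ':code' => $code]);
}

function render_code(string $code): string {
    // Output encoding for an HTML context: the browser never sees raw user input as markup.
    return htmlspecialchars($code, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the first two are acceptable; the rest must be rejected
// (wrong case, too long, empty, or carrying quote/angle-bracket characters
// that would only matter if the field were left unvalidated).
$samples = ['US', 'CAN', 'us', 'USAA', "U'S", 'US<x>', ''];
foreach ($samples as $s) {
    printf("%-8s %s\n", var_export($s, true), is_valid_country_code($s) ? 'accepted' : 'rejected');
}
```

Validation on the way in and encoding on the way out are separate steps; neither one replaces the other.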

carmentang commented 8 years ago

Thanks! I'll be sure to keep that in mind. If the Country Code field accepted any input without verifying length and characters, a SQL injection or XSS attack can ensue.