Author Topic: Technical question about FA  (Read 948 times)

ColonThree

  • Posts: 123
  • E-points: +16/-3
  • Not a cat
Technical question about FA
« on: January 04, 2013, 09:32:39 am »
At the moment, it seems one of the biggest reasons why FA isn't getting outside help for the UI is because of trust issues, because it would involve seeing the code, which I'm assuming is because the UI and backend are intertwined. Would it not be relatively simple to export such code into external files, so that instead of the PHP for the UI having "select blah from blah and do some magic", it would just call something like GetLatestSubmissions(24)/GetUnreadJournals() and whatnot? Then once the UI is separated from the back end, anyone working on the UI only needs to know what these functions are, how they're called, and in what format the data is returned. An FA UI API, if you have an acronym fetish. At the same time, the back end can be fiddled about with endlessly just as long as the functions still accept and return the same data in the same way.

It sounds simple enough - just cutting and pasting and adding some intermediate variables, maybe massaging the data into a more suitable format for passing between functions - but if that were the case I'm sure it would've already been done. Am I gravely underestimating how difficult it would be? Is there something I'm overlooking or misunderstanding? Is the code just that awful? I wouldn't think it would be that bad, since even the user pages say it only uses 25 different queries, with about 10 of those probably being the ones for the top bar that are the same on every page.

Apologies if I abused any terminology. You get the idea though.
~Witty quote~

RickyBobbyMew

  • STOP POSTING
  • Posts: 18
  • E-points: +0/-8
  • Uninitiated Rube
Re: Technical question about FA
« Reply #1 on: January 04, 2013, 01:30:35 pm »
Almost every web application these days follows the MVC pattern, which is sort-of-not-really what you're describing. You can still have XSS holes with purely client-side code; not every exploit is server-side. But yes -- most applications these days separate the business logic from the views.

As far as FA -- I have no clue. I haven't looked at their code, ever, and it's not always easy refactoring an entire web application to use a standardized framework. That said, it's not a very complicated web application compared to other enterprise apps I've worked on.

The "trust issue" doesn't make any sense in not having people help with the code. We have contractors work on shit all the time and you can have people work in a branch and review the code before merging it down and deploying it.
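
An added example, not part of the thread and not FA's code: the split proposed in the first post, with the back end as the only place SQL appears and the UI working purely from the returned array, escaping it on output (the XSS point raised in this reply). The `submissions` table, its columns and `RenderSubmissionList` are hypothetical, and the sample rows are constructed and held in in-memory SQLite.

```php
<?php
// Back end: the only code that touches SQL. It can be rewritten freely as
// long as it keeps returning rows shaped like ['id', 'title', 'artist'].
// Table and column names are hypothetical.
function GetLatestSubmissions(PDO $db, int $limit): array
{
    $stmt = $db->prepare(
        'SELECT id, title, artist FROM submissions ORDER BY id DESC LIMIT :n'
    );
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT); // bound, never concatenated
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// UI: knows the function name and the return format, nothing about the schema.
// Every user-controlled field is escaped at output time, because separating
// the layers does not by itself stop stored markup from reaching the page.
function RenderSubmissionList(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li><a href=\"/view/%d\">%s</a> by %s</li>\n",
            (int) $row['id'],
            htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['artist'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample data; one title carries markup a user might submit.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, title TEXT, artist TEXT)');
$insert = $db->prepare('INSERT INTO submissions (title, artist) VALUES (?, ?)');
$samples = [
    ['Sunset', 'alice'],
    ['<b>Storm</b> & "Rain"', 'bob'],
    ['Forest', 'carol'],
];
foreach ($samples as $row) {
    $insert->execute($row);
}

// The markup in the second title comes out as inert text, not as HTML.
echo RenderSubmissionList(GetLatestSubmissions($db, 2));
```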

ColonThree

  • Posts: 123
  • E-points: +16/-3
  • Not a cat
Re: Technical question about FA
« Reply #2 on: January 04, 2013, 03:49:22 pm »
You can still have XSS holes with purely client-side code; not every exploit is server-side.

Obviously the code would still need to be checked, but at least they would have some new code to check.

Almost every web application these days follows the MVC pattern, which is sort-of-not-really what you're describing. ... As far as FA -- I have no clue. I haven't looked at their code, ever, and it's not always easy refactoring an entire web application to use a standardized framework. That said, it's not a very complicated web application compared to other enterprise apps I've worked on.

From what I gather everything is all bundled together in one big smelly mess. Perhaps it's been done already. Who knows. Certainly it's never been made public.
~Witty quote~

Pi

  • POOR IMPULSE CONTROL
  • Postcount ate Whippany, NJ
  • Posts: 614
  • E-points: +40/-10
  • <blink>yes hello</blink>
Re: Technical question about FA
« Reply #3 on: January 04, 2013, 06:44:02 pm »
The code is a gigantic shitshow. There's also no review to speak of. Basically, what they need is a complete rewrite, by someone competent, in something not PHP, but that's not really gonna happen.
"we did farts.  now we do sperm.  we are cutting edge." — Theo DeRaadt

RickyBobbyMew

  • STOP POSTING
  • Posts: 18
  • E-points: +0/-8
  • Uninitiated Rube
Re: Technical question about FA
« Reply #4 on: January 15, 2013, 03:34:03 pm »
...and we both know plenty of people who fall into that category have offered to help.

They might have a hard time judging competency, but I think the reason they are not taking people up on offers for FREE HELP falls into the realms of drama and paranoia. The paranoia might be a little understandable since somebody took the time to exploit the site on at least a few occasions, but if they were doing things right and using a framework that prevented these types of problems (or at least using best practices and reviewing code), it shouldn't have been a problem in the first place.

I think Inkbunny is making the right decision going open source... Or, at least I heard that was the plan.

I'll definitely help them out. I usually need some kind of project on the side, anyway.

Silvermink

  • Posts: 2
  • E-points: +0/-0
  • Uninitiated Rube
Re: Technical question about FA
« Reply #5 on: January 25, 2013, 11:08:04 am »
I'm not sure I'd want to see FA's codebase. What's that thing about the abyss gazing also into you?