bdoms / gae_blog Goto Github PK

It's getting to the point where there's too much to justify keeping it inline. Not having a front end framework is nice, but the blog-specific stuff can still be moved out into a single file.

The posts and images pages both really need to be paginated.

To combat spammers do a quick AJAX call to the server to get a token or something like that. Then attach it to the form and use it to validate the actual request.

Right now it's only the title of the blog.

Right now whenever a new page of images is requested when editing a post the JS always goes to the server. It would be pretty easy to just build an array of the images to use so the user could navigate pages quickly.

So that we can see what they'll look like before being published.

The builtin deferred system sets up a task queue automatically for doing things like sending email asynchronously. The response should not have to wait for the mail API to return.

The blobstore URL can expire, so we should request it via AJAX when the form is submitted instead of just putting it in the template.

Exactly like the index, but only for their posts.

We can override 500 errors and the like, which is something the blog should do.

See http://webapp-improved.appspot.com/guide/exceptions.html

The post, author, etc. controllers can handle a 404, but if the URL falls through all the others there's no support for it. So we need a general error controller.

Consists of two parts:

1. Adding RDF to the page as seen here: http://www.movabletype.org/documentation/trackback/specification.html
2. Building a POST action to handle the trackbacks, parse the XML, and then do something with them. That most likely means adding trackbacks as specially flagged comments, including going through the spam verification process.

http://www.schema.org/Blog

Be great if the number of posts to show was a blog configuration variable with a default like 10.

Some spammers try to put newline characters in normal text inputs. The datastore errors on these trying to be added as string properties, so we should make sure they're caught in the validation.

The column for number of comments on the posts page in the admin section should be hidden if comments are not turned on for the blog.

There's already some HTML purification going on there, but it needs a bit more. I think the tags themselves are gone, but everything in between them actually stays - which is good for h3 or p, but bad for style or script.

If we receive a POST with data in fields that does not encode to UTF-8 (therefore including ASCII) then this will cause an error. Of course that wouldn't happen normally as browsers would submit it in UTF-8, but spammers will often post directly to the URL by some other means. Here's a real example of a traceback from a live site:

'utf8' codec can't decode byte 0xa5 in position 0: invalid start byte
Traceback (most recent call last):
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 570, in dispatch
return method(*args, **kwargs)
File "/base/data/home/apps/s~disciplinesystem/1.369627811828057272/lib/gae_blog/controllers/post.py", line 37, in post
name = self.request.get("name")
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 175, in get
param_value = self.get_all(argument_name)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.2/webapp2.py", line 212, in get_all
param_value = self.params.getall(argument_name)
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webob-1.1.1/webob/multidict.py", line 327, in getall
return map(self._decode_value, self.multi.getall(self._encode_key(key)))
File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webob-1.1.1/webob/multidict.py", line 301, in _decode_value
value = value.decode(self.encoding, self.errors)
File "/base/data/home/runtimes/python27/python27_dist/lib/python2.7/encodings/utf_8.py", line 16, in decode
return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0xa5 in position 0: invalid start byte

It may make sense to make an email address mandatory for authors. They're needed for these more advanced features.

Receiving them works, and while sending them out manually is possible, it'd be nice to do it automatically.

Basically once there are a sufficient number of images in the system trying to write a post or edit one causes a deadline exceeded error. This needs to be cleaned up (and probably paginated).

Right now it doesn't, and this can create issues for clients when, for example, they expect ASCII but get UTF-8.

https://github.com/bdoms/gae_blog/blob/master/controllers/feed.py#L38

It should just be a drop down to select either "everyone" or a specific author of the blog, a field for an email address, and a text area for the body. These should then be used to forward the body as an email from the address to the author's (or everyone's) email.

Most of the spam seems to be automated, so adding in a honeypot (to both comments and the contact form) would probably solve most of that. First try would just be an extra field that's invisible to the user. If that doesn't work, we try making it seem like it's visible (i.e. jquery's .is:visible would pass) but it still isn't actually visible to a human user (camouflage). If that doesn't work then a javascript AJAX call to get a hash to include at the time of submit would help defeat bots without JS.

File "gae_blog/controllers/post.py", line 84, in post
url = self.validate(URL(add_http=True), url, "URL")
TypeError: validate() takes exactly 3 arguments (4 given)