Compare commits


No commits in common. "1dd913146274e0811b83b3a2e77958b3409dcfd5" and "9d46a12a701ba2cfa51f85d04700aeed3c2740ee" have entirely different histories.

8 changed files with 14 additions and 105 deletions

View File

@ -1,7 +0,0 @@
---
title: Software
logosub: Software
language: "en"
---
$partial("templates/software.html")$

View File

@ -1,7 +0,0 @@
---
title: Software
logosub: Software
language: "jp"
---
$partial("templates/software.html")$

View File

@ -1,7 +0,0 @@
---
title: Software
logosub: Software
language: "nl"
---
$partial("templates/software.html")$

View File

@ -1,41 +0,0 @@
---
logosub: "Software developer"
language: "en"
title: "Attachment module"
---
Sometimes a project owner wants a feature implemented in their project that the developers somehow are unable to realize. The project was a website containing a form that customers would enter text data on. The project owner asked for a feature which allowed customers to attach files to this form.
As a "temporary" solution, I suggested creating a stand-alone server that would handle file uploads that would be linked to the ID number of the form. This consisted of 2 servers. One server would be a simple web interface, the other a database server that hosted a simple API.
Both servers were VMs running <a href="https://en.wikipedia.org/wiki/Red_Hat_Enterprise_Linux" target="_blank" rel="noopener noreferrer">RHEL</a>.
The web server used the <a href="https://en.wikipedia.org/wiki/Nginx" target="_blank" rel="noopener noreferrer">Nginx</a> engine and the <a href="https://en.wikipedia.org/wiki/Django_(web_framework)" target="_blank" rel="noopener noreferrer">Django</a> framework. Python handles the HTTP requests with <a href="https://en.wikipedia.org/wiki/Gunicorn" target="_blank" rel="noopener noreferrer">Gunicorn</a>, a <a href="https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface" target="_blank" rel="noopener noreferrer">WSGI</a> gateway.
The database server used a <a href="https://en.wikipedia.org/wiki/MySQL" target="_blank" rel="noopener noreferrer">MySQL</a> server to host uploaded file data. To expose this data, <a href="https://flask-restful.readthedocs.io/" target="_blank" rel="noopener noreferrer">Flask RESTful</a> was used to serve a simple API.
This was the first separate project I created for the company, so I set up a <a href="https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface" target="_blank" rel="noopener noreferrer">GitLab</a> server for version control.
## Workflow
* The website hosting the forms, would serve a hyperlink to the "attachment module", along with the form's ID.
* The user is redirected to the website with a simple input field and browse button where a file can be uploaded.
* The file is validated by type, size and upload time.
* The file is copied to the database server.
* The file is also cached for 2 weeks on the web server, for quicker access.
* The database server creates a database entry.
* A link to the file is created for access on the website.
* After a file is uploaded, someone else will want to access it.
* The user accesses the website and clicks on the link with the file name.
* If the file is cached on the web server, then this file is opened.
* If the file is not cached, the web server downloads the file from the database server and then opens it.
## Lessons learnt
The project owner did not want the users to separately log in to the web server of the attachment module. So a big security issue is that anyone with the link, can access uploaded files. At the time this was agreed to be a "temporary" solution. The project was deployed in 2017 and in 2021 this project was still running though. After all, the business must go on and if the problem's symptoms seems fixed, why bother with it further...
Because other users could access other uploaded files using the right link, it was decided that users could only upload and never delete any files.
A big learning point for me was that not to compromise security, even for projects that are considered temporary. A problem never occurred. This compromise caused silly decisions to not allow users to delete their own files. I will defend my standpoint much more and use this project as an example.
The actual problem here though, is why the other developers were not able to create a simple file upload feature.
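Review bot: the anchor labelled "GitLab" in the removed post (the line beginning "This was the first separate project") points at the Wikipedia article for WSGI rather than at GitLab, so if this write-up is ever restored that href needs correcting; as far as this change goes, nothing else in the diff references pages/en/software/projects/, so dropping the post together with the three software.html stubs and the projects template is consistent.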

View File

@ -87,19 +87,6 @@ main = hakyll $ do
>>= loadAndApplyTemplate "templates/default.html" extendedCtx
>>= relativizeUrls
match "pages/en/software/**" $ do
route $ setExtension "html"
compile $ do
identifier <- getUnderlying
metadata <- getMetadata identifier
let language = lookupString "language" metadata
pandocCompiler
-- >>= loadAndApplyTemplate "templates/software-post.html" (postCtx language)
>>= loadAndApplyTemplate "templates/default.html" (postCtx language)
>>= relativizeUrls
create ["archive.html"] $ do
route idRoute
compile $ do
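Review bot: removing the `match "pages/en/software/**"` rule means any file still left under pages/en/software/ is silently ignored by Hakyll rather than failing the build, so confirm that the attachment-module post deleted earlier in this change was the only file there; the removed rule also carried only a commented-out `loadAndApplyTemplate "templates/software-post.html"` line, so no template of that name needs to be removed alongside it.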
@ -174,31 +161,6 @@ main = hakyll $ do
>>= loadAndApplyTemplate "templates/default.html" japanCtx
>>= relativizeUrls
match (fromList
[ "nl/software.html"
, "jp/software.html"
, "en/software.html"
]) $ do
route idRoute
compile $ do
identifier <- getUnderlying
metadata <- getMetadata identifier
let language = lookupString "language" metadata
let lang = fromMaybe "en" language
projects <- loadAll "pages/en/software/projects/*"
let softwareCtx =
listField "projects" (postCtx language) (return projects) <>
langDict lang <>
defaultContext
getResourceBody
>>= applyAsTemplate softwareCtx
>>= loadAndApplyTemplate "templates/default.html" softwareCtx
>>= relativizeUrls
match (fromList
[ "index.html"
, "nl/index.html"
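Review bot: with this `match` gone, check that `lookupString`, `getMetadata`, `fromMaybe` and `langDict` are still referenced elsewhere in site.hs; the first hunk of this file removed the only other use of `lookupString`/`getMetadata` visible in the diff, and an unused `Data.Maybe (fromMaybe)` import will produce a GHC warning (or a failure under -Werror).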

View File

@ -10,6 +10,19 @@
<link rel="stylesheet" href="/css/custom.css" />
</head>
<body>
<!-- Bootstrap icons. -->
<svg xmlns="http://www.w3.org/2000/svg" class="d-none">
<symbol id="check-circle-fill" viewBox="0 0 16 16">
<path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>
</symbol>
<symbol id="info-fill" viewBox="0 0 16 16">
<path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm.93-9.412-1 4.705c-.07.34.029.533.304.533.194 0 .487-.07.686-.246l-.088.416c-.287.346-.92.598-1.465.598-.703 0-1.002-.422-.808-1.319l.738-3.468c.064-.293.006-.399-.287-.47l-.451-.081.082-.381 2.29-.287zM8 5.5a1 1 0 1 1 0-2 1 1 0 0 1 0 2z"/>
</symbol>
<symbol id="exclamation-triangle-fill" viewBox="0 0 16 16">
<path d="M8.982 1.566a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566zM8 5c.535 0 .954.462.9.995l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995A.905.905 0 0 1 8 5zm.002 6a1 1 0 1 1 0 2 1 1 0 0 1 0-2z"/>
</symbol>
</svg>
$partial("templates/navbar.html")$
<div class="container">
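Review bot: the SVG symbol sprite added here is unrelated to retiring the software section and nothing in this change uses `#check-circle-fill`, `#info-fill` or `#exclamation-triangle-fill` via `<use href="#...">`, so it would read more clearly as its own commit; as it stands the `d-none` class keeps the sprite invisible, so there is no rendering regression, just dead markup until an alert template references it.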

View File

@ -18,7 +18,7 @@
<a class="nav-link disabled" aria-disabled="true" href="/$language$/radio.html">$title-radio$</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/$language$/software.html">$title-software$</a>
<a class="nav-link disabled" aria-disabled="true" href="/$language$/software.html">$title-software$</a>
</li>
<li class="nav-item dropdown">
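Review bot: the link keeps `href="/$language$/software.html"` while this same change deletes every software.html page, so the target is now a 404; Bootstrap's `.disabled` on a nav link only applies `pointer-events: none`, which does not stop a keyboard user from tabbing to the anchor and following it, so either drop the `href` entirely or add `tabindex="-1"` next to `aria-disabled="true"` so the link is skipped in the tab order. The radio link two lines above uses the same pattern and has the same gap.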

View File

@ -1,4 +0,0 @@
<h2>Projects</h2>
$for(projects)$
<p><a href="$url$">$title$</a></p>
$endfor$