Status September 1

Thomas Levine

Sep 1, 2011, 10:46:21 PM
to ose-micr...@googlegroups.com
Hi,

I imported a dump of the database to my local computer and have
figured out where user information is stored. In case you're curious, it
looks like everything we need for population of the array in
truefan_badge.php is here:

> select uid,name from users;

We can include the role (I think that corresponds to the donation
level.) like so:

> select users_roles.uid,name,rid from users inner join users_roles on users.uid=users_roles.uid;

My next step is to call this within Drupal, potentially using
Drupal 7's object-oriented database API.
http://www.lullabot.com/articles/simplify-your-code-with-drupal-7s-database-api

Tom

Nikolay Georgiev

Sep 2, 2011, 3:42:54 PM
to ose-micr...@googlegroups.com
Hi Tom,

thanks for the update. Yes, we will need to get the Ids and Names but
only of the Drupal users with the role "True Fan". You have the
database, when you have a working example, can you share it?

Best would be to implement it in:
http://microfundingtest.openfarmtech.org/mywebsite.php

Short update on the other work:
- Edu is working still on the Share and Invited Page

Nick, what happened with the Recognition Page?

Greetings,
Nikolay

--
Nikolay Georgiev
Open Source Ecology Supporter

Website: http://www.nikolay-georgiev.net/blog/
Skype: nikolay.h.georgiev
Facebook: http://www.facebook.com/nikolayhg
Address: Darmstadt, Germany

Thomas Levine

Sep 2, 2011, 4:04:35 PM
to ose-micr...@googlegroups.com
The truefan_names array in truefan_badge.php now gets populated as you
had requested. I also changed it to select only the truefan role,
which I guessed is role ID 3 rather than role ID 4 since alistar is in
the role with ID 3.

In doing this, I came to think that the DRUPAL_ROOT setting is
incorrectly configured. Maybe someone could look into that?

You can see it working here
http://microfundingtest.openfarmtech.org/mywebsite.php

I only changed one number in mywebsite.php; did you intend for me to do more?

Tom

Thomas Levine

Sep 2, 2011, 4:08:19 PM
to ose-micr...@googlegroups.com
Actually I spoke too soon regarding the selection by role. (I only just
started on that a few minutes ago after reading your email.) I'll
continue working on that.

And I actually didn't change mywebsite.php at all.

Thomas Levine

Sep 2, 2011, 4:11:24 PM
to ose-micr...@googlegroups.com
My previously too-soon speech is no longer too-soon. But I still
didn't change mywebsite.php at all.

Nikolay Georgiev

Sep 2, 2011, 4:16:29 PM
to ose-micr...@googlegroups.com
Hi Tom,

the code looks good.

1) Can we show the first and last name of the person (including the
checks if some of it is missing)?

2) When you are ready with the role, can you make it in such a way, that:
- When an Id is requested which is not of a True Fan, then an HTML is
returned with the text "Become a True Fan" linking to
http://opensourceecology.org/join.php (later we can adjust the HTML).

3) When everything is ready, can you optimize the performance of the
Javascript call, by saving all data in 1 CSV file which is generated by
a PHP script (cron job run every 1-2 minutes)? And then mywebsite.php
will read the data from the CSV.

Thank you for the progress!

Nikolay

Thomas Levine

Sep 2, 2011, 4:47:48 PM
to ose-micr...@googlegroups.com
1) I don't remember seeing the last name anywhere in the database. I
guess I'm using the username rather than the firstname and lastname.
I'll look for those later.

2) The selection by roles is ready.

3) I never saw the point of putting this all in a client-side script
layer, and I think it'll be easier and faster not to use one. So,
instead, I adjusted the embed code such that no Javascript is
needed. You can compare the methods here.
http://microfundingtest.openfarmtech.org/mywebsite.php?id=4

I'll do 2 (without Javascript) later.

Tom

Nikolay Georgiev

Sep 2, 2011, 5:28:22 PM
to ose-micr...@googlegroups.com
Hi Tom,

On 09/02/2011 10:47 PM, Thomas Levine wrote:
> 1) I don't remember seeing the last name anywhere in the database. I
> guess I'm using the username rather than the firstname and lastname.
> I'll look for those later.
>
> 2) The selection by roles is ready.
>
> 3) I never saw the point of putting this all in a client-side script
> layer, and I think it'll be easier and faster not to use one. So,
> instead, I adjusted the embed code such that no Javascript is
> needed. You can compare the methods here.
> http://microfundingtest.openfarmtech.org/mywebsite.php?id=4

Javascript is a standard approach due to a few reasons:

a) changing the html on the server side structure will not change the
client code! (The user does not have to take care of changes, our server
does)
b) the user can manipulate the html harder if it comes from Javascript
than if it comes as a plain text. (a bit more secure)

Vimeo and Youtube use even iframe, which are maybe more secure than
Javascript, but we can leave this option for now.

Are the reasons understandable?

Nikolay

Thomas Levine

Sep 7, 2011, 2:03:14 PM
to ose-micr...@googlegroups.com
I wrote caching to a json rather than a csv. This page calls badge.js, both of which are served statically. badge.js is generated by cache.sh (potentially a cron job) from the database and from badge_function.js. All of the files you need are in this directory.

On the reasoning for using Javascript
a) To make sure that I understand: The advantage of calling an external resource is that we can change the style of the badge after the user adds it to his website.
b) Since we are only embedding images, rather than flash plugins, I'm not sure why security is such an issue.

If we are going to call an external resource, I'd suggest that we use iframe rather than Javascript so that it works on browsers without Javascript and so that we don't have to escape all of the quotation marks.

Back to the issue of calling an external resource in order that we can change things later: I don't see what we would want to change, and it might be helpful for truefans for the embedded badge to be stable.
http://www.w3.org/QA/Tools/Icons

Thomas Levine

Sep 7, 2011, 2:06:03 PM
to ose-micr...@googlegroups.com
Oops one more thing.

"Badge" implies just a static image to me, like the W3C badges I mentioned. Are you thinking that this will be more like a widget?

Nikolay Georgiev

Sep 7, 2011, 2:21:32 PM
to ose-micr...@googlegroups.com
Yes, it is more like a Widget. The data can grow, depending on what we want to present. Even right now it is not only an image. It is image + name of the person. And the name (saved as HTML) can be easily manipulated by hand, if you just give the HTML as embeddable code. So I hope this point is clear.

This website is blank for me:
http://hacks.thomaslevine.com/ose_badge_demo/mywebsite.html
I am using Firefox under Ubuntu.

If you can implement it with iframe then do it.

Thomas Levine

Sep 7, 2011, 2:32:42 PM
to ose-micr...@googlegroups.com
I only just registered that subdomain a couple days ago, so let's first make sure the issue isn't just that that hasn't propagated yet before I confuse myself; is this page also blank?

Nikolay Georgiev

Sep 7, 2011, 4:40:52 PM
to ose-micr...@googlegroups.com
this page is listing the files.

the blank page contains:
<div id="badge"></div>
<script src="badge.js"></script>
<script>ose_badge(3);</script>

Joe Hudson

Sep 7, 2011, 6:00:06 PM
to ose-micr...@googlegroups.com
Hi there,

I know I've been very much out of the loop the last few weeks. I've been moving house (and trying to scrape a living). Anyway, I had a few thoughts about the badge as something a truefan can embed on other sites.

I assume the data is kept in the drupal DB in a custom table and badge.js uses AJAX or JSONP to call a menu_callback drupal page (as a webservice), which accesses data from that table (or a cache of the table, e.g. memcached, or those cron generated csv) and returns json which is then rendered by badge.js

Regarding security and making it hard for people to fake a badge, or make someone else's look like theirs, I guess you could use md5 hashes with the call to ose_badge, so ose_badge(badge_id, badge_hash), where badge_hash could be the md5(user's email + account creation time), or something along those lines. Then you just need another column in the DB table to store those hashes.

I hope that's of some use. 

Joe

--
-----------------------------------------------------------------------------------------------
http://pepol.cc    http://www.healthylovingrelationships.com

recommended: http://350.org   http://ted.com
---------------------------------------

Thomas Levine

Sep 7, 2011, 7:40:20 PM
to ose-micr...@googlegroups.com
Nikolay: Perhaps your browser doesn't support HTML 5. I've since
converted the page to HTML 4.

Joe: It's actually way simpler than that right now, and my current
approach might not scale well. (I'm not doing much more than I'm told
to because I'm not really clear about what we're looking for.)

On security: I'm still puzzled as to what the security issue is beyond
the ability to fake a badge. Maybe I don't know enough about what is
going into the badges.

If there are mockups or plans for the badges, could someone add them
to the wiki page?
http://opensourceecology.org/wiki/OSE_Microfunding_Proposal

Nikolay Georgiev

Sep 7, 2011, 7:53:04 PM
to ose-micr...@googlegroups.com
Hi Tom,

there is not much to security:
1) secure the reading of the IDs in the PHP script.
2) the embeddable code should be Javascript or iframe rather than pure HTML.

That's it. Simple.

The badge is good enough now. We need the first and last name.

For the script: Can you make only one script call? Like badge.js?id=3
  <script type="text/javascript" src="badge.js"></script>
  <script type="text/javascript">ose_badge(3);</script>

Greetings,
Nikolay

Joe Hudson

Sep 7, 2011, 8:06:48 PM
to ose-micr...@googlegroups.com
Hi Tom, Nikolay,

I think having a hash as well as the id could help to protect the privacy of truefans (so someone can't just call ose_badge with a series of consecutive ids to scrape user info) and also means using the wrong id by mistake is impossible. But perhaps the extra effort of implementing the use of hash plus id, outweighs the benefits at the moment.

Joe
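
Added example (not part of the thread, and not the project's code): the id-plus-hash check discussed in the two messages above, with the hash computed as an HMAC-SHA256 keyed with a server-side secret in place of an unkeyed md5 over account fields, since an unkeyed hash can be recomputed by anyone who knows its inputs. The function names, the secret, the badge markup and the sample users are assumptions constructed for illustration; the fallback link is the one requested earlier in the thread.

```javascript
// Added example, not code from the thread: badge tokens as a keyed HMAC.
const nodeCrypto = require('crypto');

// Fallback returned for any request that is not a verified True Fan.
const JOIN_HTML = '<a href="http://opensourceecology.org/join.php">Become a True Fan</a>';

// Token = HMAC-SHA256(server secret, uid); only the server can compute it.
function badgeToken(secret, uid) {
  return nodeCrypto.createHmac('sha256', secret).update('ose-badge:' + uid).digest('hex');
}

// Escape the display name before placing it into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return badge HTML only when the id is well formed, the token matches,
// and the uid is in the True Fan set (hypothetical Map of uid -> name).
function renderBadge(secret, trueFans, idParam, tokenParam) {
  if (!/^[1-9][0-9]{0,9}$/.test(String(idParam))) return JOIN_HTML;
  const uid = Number(idParam);
  const expected = Buffer.from(badgeToken(secret, uid), 'hex');
  const tok = String(tokenParam);
  // Malformed tokens become an all-zero buffer so lengths always match.
  const given = /^[0-9a-f]{64}$/.test(tok) ? Buffer.from(tok, 'hex') : Buffer.alloc(32);
  const tokenOk = nodeCrypto.timingSafeEqual(expected, given); // constant time
  const name = trueFans.get(uid);
  if (!tokenOk || name === undefined) return JOIN_HTML;
  return '<span class="ose-badge">True Fan: ' + escapeHtml(name) + '</span>';
}

// Constructed sample data (not from the project's database).
const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_FANS = new Map([[3, 'Example Fan'], [7, 'Bob <b>"B"</b>']]);

const demoToken = badgeToken(SAMPLE_SECRET, 3);
console.log(renderBadge(SAMPLE_SECRET, SAMPLE_FANS, '3', demoToken)); // badge
console.log(renderBadge(SAMPLE_SECRET, SAMPLE_FANS, '4', demoToken)); // fallback
```

Because the same fallback is returned for a malformed id, a wrong token and a non-member, the response does not reveal which ids belong to True Fans.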

Thomas Levine

Sep 7, 2011, 9:47:58 PM
to ose-micr...@googlegroups.com
On security
1) This part makes sense to me.
2) You explained that this makes it harder to modify the embedded
code. I don't see why it's a problem if clients modify the embedded
code.
3) Joe's idea for a hash seems easy and useful.

We'd have to generate badge.js dynamically (we can cache it of
course). My approach allows us to put badge.js on a cdn.

I just realized that you had wanted me to write a php script that
would generate the javascript from a csv rather than a javascript
script that would generate the html from a csv. Oops.

I also figured out that the CiviCRM stuff is in a different database
from the drupal stuff, which is why I couldn't find the first and last
names. My inclination is to modify my bash script accordingly, but I should
do all of this in PHP with the CiviCRM API. (In case you're confused
as to how it took me so long to realize this: I haven't used CiviCRM
before.)
