The user is directed to the home page which includes a welcome message for all users and links to categories the posts are under.
Guest users can browse the features available to them by doing the following:
In order to access more site functionality, users will need to sign up for the site. They can do this by clicking the signup button on the site's header. Doing so will take the user to our signup form page.
Users can sign up for the site by filling in the required fields and pressing submit. If the tester wishes, they can try to enter incorrect information like an email that is formatted incorrectly or a wrong repeated password, and the form's error handling messages will instruct the user what they did wrong.
Once the user successfully registers for the site, they will be redirected to the login screen where they can enter the credentials they just used for signup to login as a user of the site. This page is also available in the site header from all pages when a user is not logged in.
Once logged in, the user will be redirected to the home page.
To make a post, logged in users can navigate to the category they wish to post under and select the create post button which will now be visible at the top of the category page they are currently viewing. Go ahead and give it a try!
Users can make comments as well by navigating to a post and creating a comment under the comment button. Create a comment under the post you created.
Users can edit their posts and comments inside a post, but only if they were the user that created the specific post or comment. If this is the case, there will be two buttons that pop up: Edit and Delete. Go ahead and edit the comment you just made, then delete it. After that, delete the post you made as well.
Users can access their profile via the profile button on the site header. Click this to view/edit their profile.
Users can change their profile picture on this page, change their password, edit their profile information, and can also delete their profile.
There are designated accounts that are set up as administrator accounts. To sign in as an administrator, you have to know the administrator credentials:
Administrators can edit and/or delete all posts and comments. Additionally, when viewing profiles, they can enable and disable the user. Test out some of the added features that an admin wields:
Our website uses HTML, JavaScript, CSS, and PHP. The JavaScript is used exclusively for account creation/authentication in reaction to HTML document events. The HTML is used as scaffolding for the website, and CSS is implemented through Bootstrap and some custom CSS. Our PHP files can be separated into two categories: includes and non-includes.
Includes do not have any on-screen features. They are pure code and are mainly used to run SQL queries to the database and change session variables; they are an intermediate between non-includes. Some examples are: functions.inc.php, login.inc.php.
Non-includes are almost entirely HTML files, with some use of PHP for small queries or retrieving session variables. They are visible and accessible to users. Some examples are: home.php, account.php.
Security implementation is mostly done with PHP, both client and server-side. The client-side security for creating and logging into an account uses JavaScript to check for empty fields. However, all other error checking, both in the account authentication and everywhere else on the website, uses PHP, which is mostly accomplished through the use of the strcmp PHP function and boolean expressions. Compared objects are retrieved via query strings and form submissions occasionally. However, the majority of all variables that are used for security purposes are stored in the session state. As some of these variables are used in queries, we also use the mysqli library to check for illegal characters in certain user entries to prevent low-level SQL injection attacks.
Another security measure included in this website is a wait time on form submissions to prevent mass attacks designed to crash the database and website hosting server.
The discussion threads in the database are stored as categories, posts, and comments, with both the post and comment tables containing a foreign key that links to the user who created it. Additionally, comments have a foreign key that links to the post it belongs to. The post objects have a category_id foreign key that links them to the category table, which classifies the posts by category.
Registered users, regardless of their access level, have their profile information stored as a user object. This object includes two fields, is_admin and is_enabled, which differentiate between admins and users whose accounts have been disabled by admins. Figure 1 illustrates the relationships between all of the database objects.
Testing was done manually by checking both the database values and error handling messages on the site when both correct and incorrect values were submitted using forms on the site. For example, when testing the signup features, the developers would try to input incorrect values to ensure that the error handling messages worked properly and would check the database so that it would not input improper values. We used this approach as it was a simple website with not too many features, and it was easier to test each feature manually at the time of implementation than it was to build test cases.
We used a GitHub repository for version control, which we made branches off of and created pull requests that required both users to review new code before it was updated to our main branch that matches what we host.
Maintaining a simple, user-friendly website can be challenging. However, by relying on Bootstrap as our primary source of CSS, we can create more complex features without worrying about whether users will understand the function of a particular component.
Implementing a breadcrumb bar through session variables is a feature that is not specific to Bootstrap, however, it is made much easier with the predesigned framework.
Using PHP for most of our security implementation requires strong error checking/prevention, as bad inputs in PHP can cause website execution to cease entirely. As such, the website always checks that user inputs exist and that they do not contain any forbidden characters.
When there is an error caused by user input or other factors, the website will navigate back to the previous page using a query string to display an error message. Being unable to progress is extremely frustrating and is made worse when the cause is unknown. We have tried to minimize this as much as possible.
The structure of the website does create some boundaries with the following limitations at the forefront:
In conclusion, our project 'Surf - forum' is a simple discussion forum website that allows users to create accounts, post threads, comment on threads, and interact with other users. The website has been manually tested, and security measures have been implemented to ensure the protection of user data. While there are some limitations and areas for improvement, we believe that the website fulfills its intended purpose as a platform for users to engage in discussions.
Thank you for taking the time to review our project!