Zinc12 mechanics

From DISI
Jump to: navigation, search

Here is the question

1. What is the preferred MySQL database to use for visitor logging? And what are the credentials?

2. we want to elicit captcha only when Predictions are called in annotations.php. I was thinking about calling another form in the 'search_forms' array of search/advanced.php which set an empty table as a div target, then using an onblur() function to AJAX load a js based captcha into the div target, which then set a variable which indicated authentication before the form post. But that means that even if someone types in the predictions box and then clears it, the captcha is still triggered.

Here is the response

1,2,3,?) On ZINC we actually store users in a PostgreSQL database (since this is what we use on docking.org). This has a couple of added benefits and "features" as well as being just different enough from mysql to cause the occasional urge to chew off one's own arm. The most notable difference is the ability to use stored & parameterized queries for added SQL injection prevention. While this is handled through infrastructure for ZINC queries, for the user database it allows us to just write straightforward SQL and not worry about security.

We freely add table to this database, so we can add quotas there.

This database accessible as one of the built-in database objects that I've written by doing the following (as an example):

$userDB = ZincDatabases::users();
$userDB->store('get_something_cool', "SELECT name FROM users WHERE coolness=$1");
$coolness10 = $userDB->execute('get_something_cool', array(10));
// They also wrap SQL query results in native PHP objects so you don't have to do the while($row = fetch($result)) nonsense.
echo "There are " . $coolness10->count() . " super cool people:\n";
foreach($coolness10 as $person) {
    echo "{$person['name']}, ";
}

However for users they are already a whole host of available objects, methods, etc. To get the current user you only need to do:

$user = ZincAuthentication::current();

That will either be a ZincUser object or a ZincAnonymousUser object (both have the same interface). One of the available methods on this is "hasPermission". This is currently used now to test if a user can view everything in ZINC (in the following way):

if($user->hasPermission('view full zinc')) {
    $query->useNonPublicCatalogs();
    fire($missiles);
}

I propose we test if we should use limits captcha etc. by testing for the permission "unthrottled zinc" (I will give this to all UCSF users) and it will be more or less automatic. In the ZincUser object we would add some code to load quotas if the user does not have unthrottled zinc and a few methods to access those. Things like: $user->hasQuoats (basically a one-liner: return $this->hasPermission("unthrottled zinc");) $user->getQuota, $user->getUsed() etc.

We can make it test these and require captcha when certain kids of requests are made. On the search/results.php page we can test with (somewhere in that cluster....)

if($request->has('prediction')) {
/// test quotas and captcha
}