+1 vote
687 views
in Q2A Core by
Our team has evaluated Q2A and the following is some feedback. I will be thankful if Gidgreen can comment on the modifications suggested and the other observations.
 
1. For the scenario where we will not be using the native search but will be using classification by tags and also the related questions widget, the following line can be commented out:
 
qa_db_contentwords_add_post_wordidcounts($postid, $type, $questionid, $contentwordidcounts);
 
This is in qa-search-basic.php.
 
Advantage: smaller database, faster indexing, faster performance.
 
2. Many configuration variables are set at run time for every page load; they can be easily moved to a master global list. This will enhance performance. However, such a change will mean incompatibility with future releases and hence we have put it on hold.
 
I am not a developer, so I cannot give further details, but this is the gist that they have shared. Will this be incorporated in future releases, as apparently it will markedly improve performance?
 
3. For immediate performance, when traffic is not expected to be high, APC is adequate. The script is well written for hardware scaling as and when required, which will be cheaper.
While a true cache is not there, simple MySQL caching will be adequate for a reasonably large website.
 
Is a native cache in the pipeline for the application?
Security
----------
4. Built-in adequate protection against SQL injection attacks.
XSS and other first-level defence, and performance optimization, can be enhanced with simple .htaccess modifications as below:
 
# Standard .htaccess file for all Apache/PHP installs
RewriteEngine On
ServerSignature Off
# Block unwanted methods, CR/LF, quote and angle-bracket characters in headers, and scanner user agents
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# The condition chain above needs a terminating rule: return 403 Forbidden when any condition matched.
# (A trailing catch-all "RewriteRule .* index.php [F]" would forbid every request, so it is not used.)
RewriteRule .* - [F]

# Client-side cache
<IfModule mod_expires.c>
   # Enable expiration control for better cache management at the client end
   ExpiresActive On
   # CSS and JS expiration: 1 week after request
   ExpiresByType text/css "now plus 1 week"
   ExpiresByType application/javascript "now plus 1 week"
   # Image files expiration: 1 month after request
   ExpiresByType image/gif "now plus 1 month"
   ExpiresByType image/jpeg "now plus 1 month"
   ExpiresByType image/png "now plus 1 month"
   ExpiresByType image/x-icon "now plus 1 month"
</IfModule>

########## Begin - Redirect index.php to / for SEO
## Note: Change domain.com to the domain name being tested
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
# %2 expands to "s" on port 443 so the redirect keeps the scheme; the pattern has no capture group, so no $1
RewriteRule ^index\.php$ http%2://www.domain.com/ [R=301,L]

########## Redirect non-www to www for SEO
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

########## First level defence against file injection attacks
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

## Disallow access to the configuration file and php.ini
RewriteRule ^(qa-config\.php|php\.ini)$ - [F]
 
.htaccess modification with server hardening can be adequate to go ahead without fear of a security breach.
Note, there is no history of any targeted attack on this script. As a precaution, remove all explicit references to the script source to prevent future targeted attacks. Concern: HTML class references cannot be easily removed, but the risk is low.
The author will be best placed to identify other not-so-obvious fingerprints against which we can take adequate protection.
 
Minor Performance changes
5.1 Remove the version number suffix from CSS and JS requests to implement Apache gzip or, better, use minify, by modifying the URI reference in the script:
qa-theme and qa-page
 
5.1.1 jQuery is not used for most pages; where is it used?
Can it be replaced with a smaller script for voting (if yes, which one)?
If a future version uses jQuery extensively, we could put it back.
 
5.1.2 If jQuery is needed, can we replace it with the Google API version for better performance without loss of any functionality by making a change in qa-theme?
 
6. Licensing: In the future, will there be one edition of the software always available under the GNU General Public License version 2? Any possibility of a paid (better) version along with a community edition?
 
7. Some third-party plugins were not efficient. Is there a curation of third-party plugins? If there is no central curation, vet every plugin for security and performance.
 
8. Summary of positives
8.1 Theme and layer support, making it easy for in-house enhancements without loss of future upgradability. Consequent performance degradation can be set right with many other levers: APC and hardware.
8.2 Canonical support
8.3 All queries are SQL injection attack-proof
8.4 Simple to manage, enhance and administer with basic PHP skills
8.5 Right trade-off between maintainability and performance, essential in the early stages of a website
8.6 Withstood JMeter test but with search totally disabled. Now, we need the search module back for tag and related question support. Not storing words should be adequate.
Negatives
- No native cache
-
Q2A version: 1.5.2
by
I'll just mention:
#2 - Yes interesting point. Joomla stores most config in a PHP file that is written to when you change options in the admin interface.
#5 - jQuery seems to be used for the AJAX and animation effects. For some reason it still uses things like "document.getElementById" when using jQuery would make the code shorter. And it's good practice to use unobtrusive JavaScript instead of all the "onclick" attributes Q2A uses now.
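The .htaccess rules in the question are hard to reason about by eye, so here is an added example (not from the question and not Q2A code) that transcribes its method, header and query-string conditions into Python and runs them over constructed requests; `rewrite_verdict`, `evaluate_samples`, the sample requests and the `search.example` referer are all made up for illustration. It shows the probes the rules catch next to legitimate traffic the same rules also reject: HEAD-based uptime checks, an administrator's curl, and a search-engine referer that carries an encoded `<`.

```python
import re
from urllib.parse import urlsplit

# Patterns transcribed from the RewriteCond lines of the .htaccess in the question.
# Apache's PCRE and Python's re agree for expressions this simple.
BAD_CHARS = re.compile(r"<|>|'|%0A|%0D|%27|%3C|%3E|%00", re.I)
BAD_METHODS = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.I)
BAD_AGENTS = re.compile(
    r"^(java|curl|wget)|winhttp|HTTrack|clshttp|archiver|loader|email|harvest"
    r"|extract|grab|miner|libwww-perl|python|nikto|scan", re.I)
# "First level defence against file injection" block, applied to GET only as on the page.
FILE_INJECT = [re.compile(p, re.I) for p in (
    r"[a-zA-Z0-9_]=http://", r"[a-zA-Z0-9_]=(\.\.//?)+", r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+")]

def rewrite_verdict(method, uri, headers):
    """Name the first condition that would fire (a 403), or None if the request passes."""
    ua = headers.get("User-Agent", "")
    if BAD_METHODS.match(method):
        return "method"
    if BAD_CHARS.search(headers.get("Referer", "")):
        return "referer-chars"
    if BAD_CHARS.search(headers.get("Cookie", "")):
        return "cookie-chars"
    if ua == "" or BAD_AGENTS.search(ua) or BAD_CHARS.search(ua):
        return "user-agent"
    if method.upper() == "GET":
        query = urlsplit(uri).query
        if any(p.search(query) for p in FILE_INJECT):
            return "file-injection"
    return None

# Constructed requests, not captured traffic. Each tuple: (label, method, uri, headers).
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
SAMPLES = [
    ("normal page", "GET", "/questions/42/why-is-this-slow", {"User-Agent": BROWSER}),
    ("rfi probe", "GET", "/index.php?page=http://example.org/x.txt", {"User-Agent": BROWSER}),
    ("traversal probe", "GET", "/index.php?f=../../secret.txt", {"User-Agent": BROWSER}),
    ("scanner ua", "GET", "/", {"User-Agent": "Mozilla/5.0 nikto/2.1"}),
    # The following three are legitimate traffic that the same rules also reject.
    ("uptime monitor", "HEAD", "/", {"User-Agent": BROWSER}),
    ("admin curl check", "GET", "/", {"User-Agent": "curl/7.22.0"}),
    ("search referer", "GET", "/", {"User-Agent": BROWSER,
                                   "Referer": "http://search.example/?q=%3Cdiv%3E+tag"}),
]

def evaluate_samples():
    """Map each sample label to the condition that blocks it (None means allowed)."""
    return {label: rewrite_verdict(m, u, h) for label, m, u, h in SAMPLES}
```

Calling `evaluate_samples()` shows the two probes and the scanner agent blocked, but also the uptime monitor, the curl check and the search referer, which is the trade-off to weigh before deploying the rules site-wide.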

1 Answer

0 votes
by
Thanks. I will answer each point in brief where I have something interesting to say:

2. You should be able to sort this out with a plugin with a process module that calls qa_load_options_results(...) with your pre-cached options.

3. Native cache - maybe, but it only makes sense if no user is logged in.

4. I think this is best set by each site, not as part of standard .htaccess.

6. No plans to change licensing model at this time.

7. Not viable in terms of my time, I'm afraid.

Hope this is helpful.