research-school-2024/writeups/task.md
Ari Archer d6a8bd3b0c
Make task.md more consistent with formatting.
Signed-off-by: Ari Archer <ari@ari.lt>
2024-12-27 06:11:07 +02:00


The task

Students were asked to create a web system using Python and the Flask framework to perform the following tasks:

  1. Registration: Register users through a form containing email, password, user description, and a checkbox confirming acceptance of the system policies. The data from this form is stored in a database, and regular user rights are granted upon registration.
  2. Login: Create a user login: the landing page asks for email and password. If the credentials match the database, log the user in and redirect them to the dashboard.
  3. Dashboard: Create a dashboard with the menu items logout, add record, view statistics, search my results, and system users. This last item is shown only to admin users.
  4. Logout: Allow the user to log out. Selecting it should return the user to the landing page.
  5. Record addition: Design a form for users to enter a sleep record: date, hours slept, whether they dreamed, and sleep quality level. Store this information in the system.
  6. Statistics: Create the functionality for viewing user-specific and total average sleep statistics.
  7. Search: Provide a search facility that returns a user's sleep results for any given date and the nine preceding days.
  8. Administrators: Admin users should be able to view the other users and to delete or promote them through delete and promote user options.
  9. Delete user: The system shall remove a user from the database when delete is clicked.
  10. Promotion: Provide functionality for promoting users to admin, which should update that user's rights in the database.

After I reviewed the task, I had a few comments (quoted from a response email):

1. Typos, clarity, and wording. You probably want to rephrase the intro as "Use Python with the Flask framework to implement a web application with the following functionality", and you may want to correct some typos such as "wat" => "what". It doesn't make a huge difference but makes the work seem more polished and minimizes the room for confusion.

2. I'm confused about point 10. Is any user supposed to have the rights to promote users to admin? This sounds like it should be an administrator-only functionality or something. It lacks clarity, so you should probably specify the required privilege level or conditions required for promoting users.

3. Maybe it should be requested that they use session management? As in, using cookies to keep users logged in if a checkbox is checked. This could provide another security pothole to fall into if the session is composed of like the username and the user id or something.

4. The term "system users" is too abstract, I believe. Does it mean *all users* (as in no clause) or only the unprivileged users (for instance, SELECT * FROM users WHERE admin=1)? It may cause confusion among the students, so I think it's better to consistently and clearly use terms such as "administrator users" and "normal users" or something.

5. Maybe we should require an admin panel or render all users on the index page? This would also open opportunities for FE security; I don't believe this has many BE implications, though.

Overall, the task seems fine for the most part, but it could use some clarity improvements as well as some possible extra functionality :) I'd be happy to edit it if you send me the (La)TeX file or whatever document you exported as PDF. If you used a PDF editor and give me the task of editing it, let me know so I can edit the PDF, although that usually ends up as a sloppy edit job, so in case there's a cleaner route I'd be happy to help.
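To make the session pitfall from point 3 and the privilege check asked for in point 2 concrete, here is an added Python example (not part of the writeup or the students' code) that contrasts an unsigned `username:id` cookie with an HMAC-signed, expiring session, which is the design Flask's built-in `session` cookie follows. The secret key value and the `admin`/`exp` payload fields are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; a real deployment loads a random secret from config,
# exactly as Flask does with app.secret_key.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def parse_naive_cookie(cookie: str) -> dict:
    """The fragile design from point 3: 'username:user_id' with no integrity
    check, so the server cannot tell whether the client altered the value."""
    username, user_id = cookie.rsplit(":", 1)
    return {"username": username, "user_id": int(user_id)}


def sign_session(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session and append an HMAC-SHA256 tag over the body;
    this is the idea behind Flask's signed session cookie."""
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_session(cookie: str, key: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the tag verifies and the session has not
    expired; a tampered body or a stale 'remember me' cookie yields None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if (now if now is not None else time.time()) > payload.get("exp", 0):
        return None
    return payload


def can_promote(session: Optional[dict]) -> bool:
    """Server-side gate for point 10: only an admin session may promote."""
    return session is not None and session.get("admin") is True
```

The `exp` field is what makes a "keep me logged in" checkbox safe to offer: the server, not the client, decides how long the cookie stays valid.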