Create a generic search full text search index which can be filled with data by an individual zefiro project.

Search form fields required (simple variant):

• text
• optional: datatype
• optional: AND / OR switch
• optional: fuzzy on/off switch

Database fields required:

• text
• caption (for list output)
• datatype (for list output / filtering)
• url (for linking)

Other functions required:

• search index trigger (generic)
• indexing routine (individual)

Prepared statements should be used also in autocomplete.php, can you implement that?

Commit 9ffbc8d introduced some bugs by

1. deleting ending RegExp delims
2. not declaring intended usage of parent-scope variables in anonymous functions

Additionally, we might want work against HTML injection / CWE-79 Type 2: Stored XSS (or Persistent), dependent on whether the CMS defines the database contents as HTML or not and which promises it wants to make to its users.
$row->{$matches[2]} should be probably be htmlspecialchars($row->{$matches[2]},ENT_HTML5)

Please always use prepared statements instead of self-made string-concatenation to guard against SQL injection. Prepared statements are the only easy way to check and prove that no injection is possible.

Currently, permission is checked in each PHP file separately, i.e. if a user opens z_log for example, $dbi->requireUserPermission ('admin') is executed.

This makes auditing and managing groups, permission and access unnecessarily hard.

ListType and StringType constructors are invoked with argument despite they take none in layout.php#L78 and layout.php#L88

Does the CMS provide a function to HTML-escape a string?

E.g. > --> >

How would you display results from database queries?

Entry points für: (1) Zefiro-Basisfunktionen (Nutzerverwaltung etc), Skripte in ein Subverzeichnis; (2) projektbezogene Skripte, die alle in einem Unterverzeichnis im Custom-Ordner liegen. Dort kann ggf. schon Parameterprüfung und -filterung stattfinden. In der Folge ist dann leichter zu trennen zwischen allgemeinen und spezifischen Skripten.

Momentan fehlt eine Menüleiste. Es wäre ohnehin schön, die einzelnen Layout-Elemente in einer Objekthierarchie zu bringen (Breadcrumbs, Menüleiste, Optionen, Content, Barline, whatever).

rename Z_ to D_ to distinguish zefiro system constants (Z) to dictionary constants (D). otherwise this causes confusion and/or minor bugs.

Mail-Benachrichtigung und Passwortzurücksetzen implementieren.

Ein Policy/Aufgaben-Management wäre angebracht ...

Bei Verwendung mehrerer Instanzen auf einem Client kann es zu Verwirrungen kommen (z.B. plötzlicher Logout), da die Flotilla-Session immer gleich benannt ist.

Für Datenbank-Zeilen, die gerade bearbeitet werden, sollte ein LOCK gesetzt werden (mit Timeout?) oder ein Hinweis eingeblendet werden.

Some constants aren't defined in the default config, nor is there a hint that they should be defined.

• DBI_DATABASE_STATUS
• DBI_ADMIN
• DBI_DATABASE
• Z_SEPARATOR_SYMBOL
• Z_BREADCRUMB_SYMBOL

Currently there is a global configuration variable Z_LIST_ROWS_PAGE defining the number of entries per page. However, this is a matter of taste and can be probably easily supported for each user or request individually. This is how it is done in MediaWiki.

New template engine required (object-oriented).

Die Template-Logik sollte so umgestickt werden, dass sie als selbständiges Modul (ähnlich Flotilla) eingebunden werden kann.

Could we make the log in page show a green check mark with a text "You are logged in as ..." when the user is logged in and hide the log in form?

after editing a textblock, user is redirected to an error page, bc textblocks list page required system privileges.