CakePHP e-learning website

Version 1 of this website is being used by a 150 students at a school to do some limited e-learning. Teachers can add new questions, and students provide answers. I now need to make a version 2 of the site, object-oriented, using CakePHP and web standards - I need your help to do this please Essentially, users will either be students or teachers. Students should be able to: login, change their profile, choose a question to answer, enter an answer Teacher should be able to: login, add/edit/delete questions, view students' answers. ## Deliverables The regular user should be able to: - register as a user - login (and be able to change personal profile details ??" email address, password etc.) - choose from a list of questions to answer. - Store the answer to the question. Using admin routing, an administrator should be able to: - add/delete/edit users - assign roles to users - add/delete/edit roles (student, teacher, contributing teacher, school administrator, superadmin) - add/delete/edit groups - assign students to groups (students can belong to one or more groups) - add/delete/edit subjects - associate subjects with groups - add/delete/edit questions - assign questions to subjects Sample group data (hierarchical) - Key Stage 3 - Year 7 - Group71 - Group72 - Group73 - Group74 - Year 8 - Group81 - Group82 - Year 9 Principles Security essentials: - The site may store some limited personal information about users under the age of 18 (name, email address), and also some record of their educational progress ??" answers to questions etc. With current scrutiny over loss of personal data, this site must be reasonably secure (as an aid to marketing). - Minimises XSS (cross-site scripting) by escaping all HTML and SQL characters in input - Uses sessions, not cookies. - Only requires user log-off to terminate session (i.e. can’t guarantee that browser will be closed. May be used in school computer labs ??" want to minimise students editing their friends’ accounts for fun). - Will run under SSL. - Not vulnerable to user spoofing ??" i.e. if logged on a student 1001, can’t change URL from [login to view URL] to [login to view URL] and get results for the other user. Interface essentials: - Should validate as (at least) XHTML 1.0 transitional, and CSS 2.0. - Lightest page weight possible (i.e. can scale to 1,000,000 page views / month without racking up the bandwidth). - Unobtrusive Javascript ??" i.e. could still function with Javascript turned off. Lack of Javascript should degrade nicely (i.e. shouldn’t solely rely on AJAX etc.) - Pagination, which is configurable as an option for the user (e.g. the student set an option for viewing 25 questions per page). Interface nice to have: - Scriptaculous AJAX ??" type-ahead for looking up e.g. student names - Style sheet which will work on cellphone-sized screen. - Javascript client-side validation Code essentials: - Should degrade with useful error messages - Should e.g. check for existence of all files, plugins, sql results before including them / relying on them. - Lots of explanatory notes ??" a large part of the project is documenting it so that I would be able to make small changes. Code nice to have: - phpDocumentor tag blocks ([login to view URL]) ??" like in lines 18-27 of /app/config/[login to view URL] in 1.2 beta. - Support for internationalisation (i18n) Database essentials: - MySQL, with ISAM tables. - Normalised, with consistent table and column naming conventions (this should not be a problem with CakePHP) - Use Modified Preorder Tree Traversal for storing hierarchichal data ([login to view URL]) ??" data is highly hierarchical, but will be selected much more often than added/deleted/modified. - All tables should have created and modified columns (for CakePHP automatic updates). Database nice to have: - Ideally, tables would have a LastModifiedBy column, which associates the user ID. - Has ID columns which will handle a very large number of users (100,000 users, potentially answering 2,000 questions) - Relational hierarchy enforced in code (i.e. when deleting a student, should delete the associated answers for that student) - Database should use a deleted or hidden Boolean value for records ??" i.e. no data is actually deleted, just marked as so. This has a couple of benefits ??" 1) the database account can run without permission to delete records, and 2) data retention. Cross-site scripting prevention - PHP Input filter - [login to view URL] Javascript form validation: - [login to view URL]~sbpoley/webmatters/[login to view URL] Input / collaboration - I have a vision for how the site will work, but want to see how a professional coder would do it. Although I am quite technical (I work in server / network administration), I know that a lot of the code I wrote for version 1 could be improved.