• Add a permission for admins to edit site-wite config
• Add a page to the /cp/
• Config options belong in their own table with a UID.
• Config options should belong to groups which also have their own table.
• Initial config options
  • Moderator options
    • Maximum ban length (default 30d)
  • Post options
    • Maximum file size (allow 0, which disables)
    • Thumbnail dimensions

General cleanup of the code base. Will log work as I go.

Right now, navigation is constructed by the View and directly translates the boards with what is to be shown. This is improper and too select..

• Expand the navigation menus so that non-boards can be linked.
• Improve the way views are constructed so that we do not need to call SQL in the View.
  • As a part of this, resolve the issue where the same query is ran twice.
• Try to match this really great design.

Content on Larachan should be grouped into boards.

For this to happen, we need:

• A MySQL table for boards.
• An index page for boards that is accessed with an uri.
• A list of threads created for that board (#4).

Content will be pushed to Larachan in individual posts written by the user.

• MySQL table for posts.
• Posts belong to a board. (#3)
• Can be their own thread.
• Can be a reply to a thread.

infinity-next should implement srnd integration so that it can act as a frontened for nntp-overchan.

right now i am working on stubs for this in srnd in the event that upstream cares to merge this functionality in.

Allow for users to create their own boards.

• Accounts
  • Registration must work.
  • Emails must send for password resets.
  • Reset links yield the correct form and reset the password.
  • Users can create accounts without emails that do not have automatic password resets.
• Board Creation
  • Accounts can create multiple boards.
  • Site config for maximum number of boards.
  • Site config for wait time between board creation.

• Deletions
  • Single Deletions
  • Board-wide Deletions
  • Site-wide Deletions
• Bans
  • Ban table
  • Ban reason table
  • Ban creation page
  • Bans prohibit posting
  • Inline ban message
  • Ban+Delete
  • Ban+Delete+All
  • Ban+Delete+Global

The vendor we use for captcha work will sometimes be hijacked by the board router trying to find a board named /captcha/.

Because of general lack of customization in this plugin, @ctrlcctrlv and I believe it'd be better to take the code (licensed under MIT) and make it an official part of the codebase.

A response needs to be set up to insert posts.

• This form needs to appear on two pages.
  • Thread list.
  • Reply list.
• The form needs to press posts into the database.
  • Replies should appear under their OP.
  • New threads should appear in the board list.

Add the ability to pin threads to the top of the page.

The config is very presumptuous and caters only to my local environment. Flesh out environment options so that it's easier to make your own.

• URL
• Stripe Settings

The current tripcode system, first written by 2ch in the 90's, is implemented like this:

https://github.com/ctrlcctrlv/infinity/blob/master/inc/functions.php#L2751-2785

In short, it works by using a publicly known salt and the thoroughly busted PHP crypt() function which implements the so called "Data Encryption Standard", first written by IBM in the 1970's.

DES is thoroughly broken.

A program exists that can crack entire tripcodes in 48 hours or less on modern GPUs.

Even less advanced users who only have CPU power at their disposal can crack the beginning 4-5 characters of a trip in hours, which is enough to fool most people as they don't have the whole trip memorized.

The nice thing about the 2ch system was that tripcodes on 2ch work everywhere: 2chan.net, 4chan, 8ch, 7chan...unfortunately, they're very broken already and it won't be long until completely inadept users can track any trip on an hour.

I will implement Overchan-style message singing in infinity-next using ED25519. Since this is a signing algorithm and not symmetric encryption like trips, it is even possible (but of course not default) to sign your message offline and not even trust the site with your key. This is suitable to even be used for admin messages.

In order to be easy for inexperienced users, [a pure PHP fallback will be used by default](https://github.com/trianglman/sqrl/blob/master/
src/Trianglman/Sqrl/Ed25519/Crypto.php). Users will be recommended to compile the PHP libsodium for best security though!

I want to be able to add files by dragging and dropping. Navigating from file open dialog is tedious when I can use a superior file manager.

Passwords can currently only be reset with an email. This should work from within the CP as well.

• Reduce the number of queries.
• Introduce basic caching.

I need to rename all FKs to be object_id to distinguish them from relationship methods $this->object. Having them called just object is causing a lot of issues with Laravel's autoloading.

The base of Larachan is Laravel. Install it to start off the repository.

add file from url, limit to one url at a time.

• Board view
  • Paginate threads based on a setting
  • Added an "omitted" text.
• Posting interface
  • Compact design
  • Deal with smaller monitors

Copypaste has 2 300x250 ads and 1 720x90 ad. Find some room in our default template for this.

The /cp/ directory is being reserved for anything that requires authentication to do. It is the control panel for login, registration, password manipulation, board creation, board management, site management, etc. This is for three reasons:

1. /cp/ can standard for Control Panel.
2. /cp/ can be for user, moderator, or administrative controls.
3. /cp/ is usually a blacklisted directory anyways. :^)

Right now most of the Laravel default controllers and views are tagged as Auth and listed under /Auth/ directories. This definition tends to be mostly about handling logins and registrations, so the organization needs to be handled to deal with a larger and more broad definition.

copy was frustrated setting up the database because of a lack of seeding.

Seeds are easy to create, so lets create them.

If a password is the length of SHA256 + 1 + 32, then the pass algorithm needs to be different.

If the password is the length of 60, then use BCRYPT comparison.

Bots are the natural enemy of imageboards. Add a captcha service.

• Captcha added.
• Request password form secured.
• Post form secured.

We'll revisit this in another issue to determine when it is appropriate to have captcha. That is not this issue.

• logs table
• Actions commit to the logs table
• Public table with all moderator actions
• Logs clearly show who did what when.
• Actions translate and access extra information when populating logs table.

The repository Wiki needs to outline the following in detail.

• Purpose
• License
• Contribution requirements.
  • Coding standards

• Add table for storing files.
• Add table for file to post association
• Add form element for uploading images
• Render image inline with post
• Render compressed thumbnails

Much to @jaw-sh's disapopintment, it is a definite requirement to have a board_id that autoincrements along with a global ID that auto increments.

Kusaba X, one of the original chan engine and the one that Tinyboard rewrote provides us with this schema:

CREATE TABLE `PREFIX_posts` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `boardid` smallint(5) unsigned NOT NULL,
  -- snip
  PRIMARY KEY  (`boardid`,`id`),
  -- snip
) ENGINE=MyISAM DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;

Psql supports it as well. SQLite does with a CREATE TRIGGER. Unfortuantely, in MySQL in only one engine InnoDB this is impossible.

Looping forever like (psuedocode):

while ($error && $error->isDuplicateIdError) try_again();

hits the database far too often and is assuredly bad practice. In very active threads this could potentially loop ten times with a busy DB. I've done tests before of this on live software for a project and it was a disaster, but it 'worked' and I got paid. Let's try to do better than just get paid and do a good job as well.

We cannot just use global IDs and we cannot just use IDs based on position in the thread (>>1, >>2 etc) due to familiarity reasons. We need to keep this hack from KX, without just devolving into a million post tables like Tinyboard/vichan/infinity stable. I will write a migration for it.

Add font awesome because everyone loves font awesome

• Font awesome

Right now, I am building a lot of forms and pages with raw text. Laravel has a built-in translation system that I need to take full advantage of.

• Understand the translation architecture more comprehensively.
• Wrap all text in a translation function and properly use the architecture.
  • Board, thread, and post views.
  • /cp/

Separate from #47.

• cp/boards/ area shows a list of boards where board.config privileges exist.
• cp/board/{board} shows the config panel.
• Config
  • Basic
    • Title
    • Description
    • Language
    • Indexed
    • Overboard
    • Worksafe
  • Transparency
    • Public logs
    • Public logs without usernames
    • Ban logs
    • Ban logs without usernames
  • Moderators
    • Allow for users to be added as moderators on a board.
    • Allow for users to be created for moderator positions on a board.
    • Allow for unique casts to be added for moderator roles.
    • Allow for users to be assigned castes with roles.
  • Style
    • Custom CSS

More to be added as featured are implemented.

I see a line of cars and they're all painted blue.
With flowers, and my love, both never to come back.
I see people turn their heads and quickly look away.
Like a new born baby, it just happens every day.

The contribution pages are now in the way. Normal users cannot adequately fork the Infinity Next codebase because they're in the way.

Move Contribution stuff to neatly organized areas so that they can be ignored and eventually removed.

Right now, CSS and JavaScript is all over the place.

CSS

• Make sure all CSS is properly organized.
• Add a way for CSS to be compiled into a single file for live applications.

JavaScript

• Make sure all JS is properly organized.
• Add a way for JS to be compiled into a single for live applications.
• Build a window.ib object that handles every single script relating to larachan.

@majestrate takes issue with the way that files are distributed.

Right now, files are accessed via this route:
/board/file/md5/filename.ext

I think it would be possible to reserve this URL, or change it slightly, and continue to use PHP to distribute it -- but, also create Apache/nginx/Lighttpd masks that will serve the /storage/app/attachments/md5 file with the filename.ext name. If these masks are not present (i.e. because the environment is poorly configured), PHP will distribute as normal as a failsafe.

@majestrate claims that doing doing this may work but it may also break as content-type will not be set by the web servers unless the file itself has an extension, such as md5.ext. Needs some investigation.

PR #25 will do exactly what @majestrate has proposed, but I'm reluctant to pull it until my idea is tried out.

Issue pertinent to @ctrlcctrlv as this is mostly an issue for high bottlenecks on big sites.

I don't know what Unit Tests are but they sound really great.

• Learn about Unit Testing.
• Implement PHP Unit Testing.

Be sure to write #1 Proper Documentation on them, too.

Laravel Doc: http://laravel.com/docs/5.0/testing

Any and all instances of Larachan are to be removed as official sponsorship is added from the Infinity Development Group.

Auth::user() currently returns a \App\User if the user is authenticated. I have organized the controller structure so that MainController inherits Controller and automatically binds authentication to every page on the application. All other controllers either directly inherit MainController, or (in the Auth controllers), inherits a controller which inherits MainController.

What would improve this system is an Anonymous user. If a user is not authenticated, there is no model which exists to pose challenges against. By splitting out permission challenges into a new trait and implementing it both on the \App\User and another, non-inherited class, we can easily share logic between the two and yield reliable information.

A synopsis of this issue is: "Add a system to check if a person can do something."

This is my current proposed model.

This is a lot to digest so I'll explain how this process would hypothetically work.

The Seeder
When the database is originally seeded, you will end up with four Roles and a few permissions.

An example of permissions, for instance, would be board.post.delete.self and board.post.delete.other. One is the traditional permission to delete your own message, the other is a conventionally staff-only permission for deleting anyone's post.

With our seeded information, the Role table would look something like this:

Our permission table would look like this.

And finally, the pivot table between roles and permissions would look like this.

What is a permission value?
The answer to a "can?" question in programming is boolean, but when composing a permission mask it's a bit more complicated.

By default, an anonymous, unaffiliated user can delete his own post. On a board like /cow/, you cannot delete your own post. The answer to "can anonymous delete a post on /cow/" is no, despite the answer to "can anonymous delete a post" being yes. To represent this in a model, it is assumed that:

• If a value is 1, you can do something.
• If a value is null, you cannot do something, unless given permission.
• If a value is 0, you can never do something.

So, if a user was setting up their board and defined the role "anonymous","cow" with the permission "board.post.delete.self",0, it would override the base_value of that permission.and kill the anonymous user's ability to delete his own post.

Conversely, the value for board.post.delete.other is 0 by default, which means that you cannot delete another IP's post.

A null value comes from a lack of a pivot row between a role and a permission and it defaults to the base_value of the permission.

Inheritance
Much like how a Post can reply_to another Post, a Role can inherits another Role. The most succinct example of this I can give is in a case where we define a specific permission mask for the DNSBL. If a user is on Tor or a known proxy server, we can modify their permission masks to this affect in a case where board.post.delete.self.base_value is 1

With this inheritance, the answer to "can dnsbl user delete posts from the same ip?" is "no". However, in all other regards, it is treated as an anonymous user and permissions applied to "anonymous" will also apply to "dnsbl".

Assignment
The user_roles table FKs the roles table using the joint PK role,board. Instances where board is set to null mean that it is a global mask. Where it is set, it affects only one board. Assignments work the same way.

The following route styles need to be handled.

• /operate/catalog.html
• /operate/res/20692.html
• /operate/res/20692+50.html
• /operate/index.html
• /operate/2.html

Additionally, copypaste uses these for unique features.

• /_g/
• /_t/

/_g/ and /_t/ are text files. I'm not going to route those. He can upload them to public on his own and they should continue to exist. In the future, we can probably have a URI like /board/post/post_id for GPG signatures. /_t/ will remain as-is because it's not an imageboard feature.

Names are not linked when posting with an email.

For the Kickstarter, we need Stripe.

• Install Stripe with composer.
• Add a page for donations.
• Allow Anonymous or User-based donations.
• Add a page to list donors.
• Add a campaign page.

Our current registration form is defaulted. Improve it to the current design standard.