Search - "donation site"
Me: The dev agency didn’t follow best practices. They only implemented front end validation on the form. The form submits to a public endpoint, so bots don’t have to go through our site to submit the form. That’s why our database is still filled with $1 donation transactions. I honestly recommend telling this to the dev agency and request that you not be charged for the extra work needed to do this right.
Manager: They charge $95/hr and they’re billing for 8 hours already.
[Aside: The agency’s task was to implement a $10 minimum on the form, do some text changes, and deploy.]
Me: I would expect work to be done according to accepted best practices. It’s really a half done job.
Manager: But they were very helpful when we had that payment processing emergency. They stayed late to help us. We shouldn’t push this in case we need their help again. Can you do the backend validation? [We are in US and agency is in Lithuania.]
Me: 🤬😩😑🤐 [To myself: This wouldn’t have happened if the fundraising team hadn’t panicked and had only waited until I came back from my one day of PTO.]
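The gap this rant describes is a minimum enforced only in the browser while the endpoint accepts whatever is posted to it directly. As an added example, not the agency's or the site's code, here is a framework-independent server-side check that parses an untrusted amount into integer cents and rejects anything below the $10 minimum; the JSON field name `amount`, the upper cap and the placeholder charge function are assumptions.

```javascript
// Added example: server-side enforcement of the donation minimum.
// Assumptions: the form posts JSON like {"amount": "10.00"} in USD; the
// charge function is a stand-in for the real payment call.
// Anything done in the browser can be skipped by posting straight to the
// endpoint, so the server re-validates every field it acts on.

const MIN_DONATION_CENTS = 1000;       // $10.00, the minimum from the rant
const MAX_DONATION_CENTS = 100000000;  // $1,000,000 cap (assumed)

// Parse an untrusted amount into integer cents, or return null.
// Only plain decimals with at most two fractional digits pass; "1e3",
// "0x10", " 10", "10.", "-5", "Infinity", NaN and objects are rejected.
function parseAmountToCents(raw) {
  if (typeof raw === "number") raw = raw.toString(); // 1e21 -> "1e+21", rejected below
  if (typeof raw !== "string") return null;
  const m = /^(\d{1,7})(?:\.(\d{1,2}))?$/.exec(raw);
  if (!m) return null;
  const dollars = Number(m[1]);
  const frac = (m[2] || "").padEnd(2, "0");   // "5" -> "50"
  return dollars * 100 + Number(frac);
}

// Returns {ok: true, cents} or {ok: false, reason}.
function validateDonationAmount(raw) {
  const cents = parseAmountToCents(raw);
  if (cents === null) return { ok: false, reason: "malformed amount" };
  if (cents < MIN_DONATION_CENTS) return { ok: false, reason: "below minimum" };
  if (cents > MAX_DONATION_CENTS) return { ok: false, reason: "above maximum" };
  return { ok: true, cents };
}

// Handler shape independent of any web framework: takes the parsed request
// body and returns {status, body}. The charge is only attempted after the
// server-side check passes, so a bot posting "1" never reaches the database.
function handleDonation(body, charge = (cents) => ({ id: "txn_placeholder", cents })) {
  const result = validateDonationAmount(body && body.amount);
  if (!result.ok) return { status: 400, body: { error: result.reason } };
  return { status: 200, body: charge(result.cents) };
}
```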
Yesterday, the Project Manager forwarded an email from a staff member who worked on a donations campaign. Staff member was confused about a Cloudflare challenge that appeared before the user was sent to the donation page. It’s a less than 5 second JavaScript check. He thought it looked fishy.
I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and API get hit by a lot of bots because it’s a public API and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.
Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.
A few thoughts pop into my head:
1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.
2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.
3. Woooow, stakeholders and staff don’t look at the website that often.