Marijn b290620cf9 Declare ext-intl/ext-zip requirements and fix security audit findings (#213)
* Declare ext-intl and ext-zip as explicit composer requirements

DataExportService uses ZipArchive directly and the Dutch-locale
format_datetime Twig filter needs real ext-intl (the polyfill only
supports en), but composer.json only declared ext-ctype/ext-iconv.
Adding them lets `composer check-platform-reqs` catch a missing
extension before a runtime crash.

* Add authorization checks to PrepareEliminationController

index and viewElimination had no IsGranted guard, unlike every other
backoffice/elimination controller, so any authenticated user could
prepare or overwrite another season's elimination screens.

* Prevent formula injection in spreadsheet exports

Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.

* Add rate limiting to login and season-code entry points

Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.

* Add unique constraint to prevent double-submit score inflation

A candidate could submit two concurrent POSTs for the same question
before either committed, since GivenAnswer had no unique constraint
and the "next question" check was subject to a TOCTOU race — each
insert was then counted as a correct answer.

* Address CodeRabbit review findings

Include a Retry-After header on the season-code rate limit, correct
stale line references in the security audit doc, and fix a stray
comma in the reset-password email.
2026-07-13 22:58:29 +02:00
2025-09-28 18:14:58 +02:00
2025-09-28 18:14:58 +02:00
2026-03-22 22:40:25 +01:00
2024-12-29 14:58:03 +01:00
2026-01-25 19:58:39 +01:00
2026-02-18 16:20:14 +01:00
WIP
2025-06-01 15:40:47 +02:00
2026-07-07 21:43:24 +00:00
2026-02-18 16:20:14 +01:00
2026-03-22 22:40:25 +01:00
2026-03-22 22:40:25 +01:00
2026-05-25 13:56:46 +00:00
2026-03-22 22:40:25 +01:00

Tijd voor de test

CI

PHP/Symfony application for WIDM-style quiz management. Built with FrankenPHP, PostgreSQL, and Docker.

Disclaimer: This is an unofficial, non-commercial, open-source fan project. It is not affiliated with, endorsed by, or associated with Wie is de Mol? (produced by IDTV, broadcast by AVROTROS/NPO) or De Mol (produced by Woestijnvis, broadcast by Play/De Vijver Media). Wie is de Mol? and De Mol are trademarks of their respective rights holders. No copyright infringement is intended.

Requirements

  • Docker
  • Just (brew install just)

Local development

just up        # Start PHP + PostgreSQL containers
just migrate   # Run pending database migrations
just fixtures  # Load dev fixtures (truncates first)

just up first runs just init, which generates a .env.local (gitignored) with a unique COMPOSE_PROJECT_NAME, image tag and free host ports for this checkout, so multiple worktrees/clones can run at the same time without their containers, volumes, images or ports colliding. Run just ports to see the ports assigned to the current checkout — the app is served at https://localhost:<HTTPS_PORT> (self-signed cert — run just trust-cert on macOS to trust it).

Useful commands

just shell              # Shell inside the running PHP container
just shell-run          # Shell in a fresh one-off container
just stop               # Stop containers (keep volumes)
just down               # Stop and remove containers
just clean              # Nuclear: remove containers + volumes + generated files
just exec <cmd>         # Run any command inside the PHP container

Environment

Copy .env and override locally via .env.local (not committed):

Variable Description
APP_SECRET Symfony app secret
DATABASE_URL PostgreSQL DSN (auto-set in Docker)
SENTRY_DSN Sentry error tracking
DEFAULT_URI Base URL for CLI-generated links

Testing

just test                                   # Full PHPUnit suite
just test tests/Path/To/TestFile.php        # Single file
just test --coverage-html var/coverage      # HTML coverage report
just reload-tests             # Drop/recreate test DB + migrate + test fixtures

Tests use a separate database configured via .env.test. The DAMA Doctrine bundle wraps each test in a transaction that is rolled back after. just reload-tests loads the --group=test fixtures; just fixtures loads the dev group and is unrelated to the test database.

Code quality

All checks run in CI and must pass before merging.

just fix-cs              # Auto-fix PHP-CS-Fixer + Twig-CS-Fixer
just phpstan             # PHPStan static analysis (level 8)
just rector              # Apply Rector modernizations
just rector --dry-run    # Preview Rector changes without applying

Database

just migrate                      # Run pending migrations
just fixtures                     # Load dev fixtures
bin/console make:migration        # Generate a new migration (inside container)

Migrations live in migrations/ (namespace DoctrineMigrations). Test fixtures are in src/DataFixtures/ loaded with --group=test.

Translations

just translations    # Extract/update nl translation strings into translations/

Contributing

  1. Create a branch from main — use a prefix like feat/, fix/, or docs/.
  2. Open a pull request; CI must pass before merging.
  3. Install the pre-commit hook (see below) to catch issues before pushing.

Pre-commit hook

A pre-commit hook lives in .githooks/pre-commit. Install it once after cloning:

just install-hooks

On every commit it runs automatically, only on staged files:

Staged file type Tools run
.php Rector → PHP-CS-Fixer (auto-fix + re-stage), then PHPStan (blocks on errors)
.twig Twig-CS-Fixer (auto-fix + re-stage)
Other (docs, config, …) Nothing — commit proceeds immediately

If the PHP container is not running, the hook falls back to docker compose run --rm so checks still execute. PHPUnit is not run in the hook; CI covers that.

Deployment

Docker images are published to ghcr.io/marijndoeve/tijdvoordetest for each tagged release.

First-time setup

  1. Copy compose.yaml and compose.prod.yaml to your server.
  2. Create a .env.prod.local file with the required variables (see below).
  3. Start the stack — migrations run automatically on container start:
IMAGE_TAG=latest docker compose -f compose.yaml -f compose.prod.yaml up -d

Updating to a new version

IMAGE_TAG=<tag> docker compose -f compose.yaml -f compose.prod.yaml pull
IMAGE_TAG=<tag> docker compose -f compose.yaml -f compose.prod.yaml up -d

Required environment variables

Variable Description
IMAGE_TAG Image tag to run (e.g. 1.2.3 or latest)
APP_SECRET Random secret string for Symfony
CADDY_MERCURE_JWT_SECRET JWT secret for the Mercure hub
POSTGRES_PASSWORD PostgreSQL password
MAILER_DSN Mailer transport DSN
MAILER_SENDER From address for emails
SENTRY_DSN Sentry project DSN (optional)

The compose.prod.yaml configures Traefik labels for TLS termination at tijdvoordetest.nl. Adjust the traefik labels in that file if you're hosting on a different domain or using a different reverse proxy.

License

MIT

S
Description
No description provided
Readme AGPL-3.0 22 MiB
Languages
PHP 74.6%
Twig 16.5%
TypeScript 5.7%
Shell 1.4%
Just 0.9%
Other 0.9%