Add Crossref citations badge

[bondjimbond]

JIRA Ticket: (https://jira.duraspace.org/browse/ISLANDORA-2038)

What does this Pull Request do?

Adds a new Islandora Badges submodule, which generates citation counts via the Crossref REST API. This is a public API, without authentication, which would allow any Islandora site to get citation counts if they don't have access to Scopus or Web of Science credentials.

What's new?

A new badge titled "Islandora Crossref Citations". Displays citation counts for objects with DOIs, using the public-access Crossref REST API.

How should this be tested?

• Enable the module and the block
• Add a few objects with and without valid DOIs
• View the object, check the results

Interested parties

@Islandora/7-x-1-x-committers @bryjbrown @mjordan

[DiegoPino]

@bondjimbond there is one DCS warning, an extra space in admin.form.inc

[bondjimbond]

@DiegoPino I'm pretty impressed with myself that Travis only found one problem this time.

[DiegoPino]

Some logic and minor doc concerns

[DiegoPino]

This seems to be wrong. How can $result_json->error exist if it is defined later on?

[bondjimbond]

Ack, you're right. That was in islandora_oadoi, which this is based on. Should be removed there too. Testing on a DOI with no results doesn't create any problems, so it should be fine to remove it. I'll commit a fix.

[bondjimbond]

Would it be bad form to add the OADOI fix to this PR?

[DiegoPino]

Yes. OADOI fix should go in a separate one, if it is a code task then it could be ok, but its more like a bug fix right?

[DiegoPino]

If the request fails, does ->data exists?

[bondjimbond]

Nope, but if request fails, we don't get a badge or an error, which is what we want.

[DiegoPino]

is $block_text being escaped to avoid attacks on img.shields.io?

[bondjimbond]

No. How would I go about escaping it? (Though I expect they're already escaping input, since the general public can send whatever they want to the service.)

[DiegoPino]

You need to make that one safe/clean manually. See https://www.drupal.org/docs/7/security/writing-secure-code-0/handle-text-in-a-secure-fashion. I think simply storing an user input from a form into a drupal var does not remove possible breaking arguments for img.shields.io, no cleanup is being made. Good practices there could be run the whole src content which is an url? through https://api.drupal.org/api/drupal/includes%21common.inc/function/check_url/7 but you could also sanitize/check on form validation/submit? where not sure, but somewhere for sure. Also since check_plain() and check_url() could rewrite your values, but users could be not aware, it would be good to maybe store this already cleaned up.. at least the form will load with the cleaned default and smart users will notice the difference? Not sure here, what do other @Islandora/7-x-1-x-committers think here?

[bondjimbond]

check_plain() seems to be helpful. Tried it with some HTML in my variable, with and without... check_plain works.

Do we need check_url as well, or is that enough?

[DiegoPino]

I guess it should be enough. Lastly (sorry, i'm worst than travis!), what about putting the alt="Number of citations via Crossref: ' . $result_citation_count . into a t() function with replacements for international users?

[bondjimbond]

No problem. Done, I think?

[DiegoPino]

If Scholar is a dependency, why is it not part of the .info file? Is that so in every other submodule?

[bondjimbond]

Scholar dependency should be removed. Adding to commit list.

[DiegoPino]

Since this is a submodule (in terms of publishing) but is just a module for Drupal's eyes, it seems to me that using relative paths in the documentation is very context dependent. .md files should be readable outside the github context.

[DiegoPino]

How is badge image generating website used? io? could that be added in the readme?

[DiegoPino]

@bondjimbond https://api.drupal.org/api/drupal/includes%21common.inc/function/drupal_http_request/7.x
I feel you should use the response codes there to decide if further processing is needed or you can throw some message or exception. There are some constants for time outs, etc, but probably sticking with error | no error should be enough. Just a suggestion.

[bondjimbond]

@DiegoPino I think that's what the if statement in your first review comment was attempting to get at - it was just added one line too early. I've adjusted that with the last commit, seems to be working.

[DiegoPino]

Looks fine now! 24 hrs and we should be clear

[bondjimbond]

@DiegoPino Nobody seems to have any concerns... Are we ready to merge? 😀

[DiegoPino]

@bondjimbond give me a while (need to talk to @manez). It just came to my attention that even if this module is a "submodule" that fact is really just a convention, and it is in strict, not so strict, definition (see the naming of the functions) this is a new module. So we need to probably discuss if we should consider it as such, or as part of badges.. i know it sounds lame, but trust me, better to have this discussion now than later one.
Edit: what i mean here is that: if this module (and every consequent ) submodule is really a independent module and if so, it could need "new module" process we have at islandora. If not, and submodules are fine as part of the parent, then all Ok. But it is something we should discuss.

[manez]

@DiegoPino @bondjimbond Let's put this on the agenda for the Committers Call today. It's only a few hours away, so it wont hold things up too much,

[manez]

Just for the record, the Committers discussed it and determined this one is fine, but there's a larger issue about whether submodules should have license files of their own, which we're sending up to the Board of Directors as a legal question that's beyond the scope of Committers.

This should not hold up merging this PR, but should hopefully lead to a policy we can follow by the next release.