I'll soon have to review a bolt-on to our existing site, which has been written by an outside developer. While I've been made to squirm over my own code before now, and I've reviewed individual methods or classes, I've never been faced with reviewing what's essentially an entire application. I need to cover both code quality and UI quality.

How do I best direct my efforts, in order to get the most benefit for the work I do? As a UI specialist reviewing what I expect to be fairly complex PHP, how do I stop myself getting too bogged down in presentation issues?

These are the sort of questions I think I need to be asking, roughly in order. My plan of attack is to see if I can install the thing at all, then give it a good wringing out through the web UI, then get down and dirty with the code itself. Is that how you would handle it? Why, or why not?

Set-up

  • Is there any documentation at all? If so, is it clear?
  • Will it install on my local machine? On our dev playground?

At the UI level:

  • Does it even look like the rest of the site?
  • Is it usable without JavaScript?
  • Does it have XSS and SQL injection holes?

Code level:

  • Is there a clean separation between DB, presentation, and logic?
  • Is all access to existing DB tables read-only and through the API provided?

What other questions should I be asking myself?

Lastly, should I interact with the developer at all during this process? My inclination is toward doing the entire review first and presenting him with the results.

+1  A: 

Be sure to check the page size (and size of the ViewState) as this could really drag down the performance.

What about error handling? Are exceptions exposing any internal data to the end user (like table names, etc.)?

Gerrie Schenck
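As an added example (not code from the question, the answer, or the bolt-on under review), here is a small Python triage script of the kind a reviewer can run over the PHP before reading it line by line. It covers the question's UI-level checklist items (superglobals interpolated into SQL strings, user input echoed without escaping) and the answer's error-handling point (exception messages and database errors printed to the end user). The PHP it scans is constructed for this example; the lists of sanitizers, output statements and leak-prone calls are assumptions to tune to the codebase, and the taint tracking is deliberately crude (one file, one assignment at a time), so treat hits as places to read first, not as a verdict.

```python
import re
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    line: int
    rule: str
    text: str


# Constructed sample PHP for this example; not code from the site or the bolt-on.
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM users WHERE id = $id");
if (!$result) {
    die("Query failed: " . mysql_error());
}
$name = mysqli_real_escape_string($db, $_POST['name']);
$rows = mysqli_query($db, "SELECT * FROM users WHERE name = '$name'");
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET['id']]);
echo "Hello " . $_GET['name'];
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
try {
    $pdo->query($sql);
} catch (PDOException $e) {
    echo "Database error: " . $e->getMessage();
}
'''

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+);\s*$")
# Assumed sanitizer list: a value passed through one of these is treated as clean.
SANITIZER = re.compile(
    r"\b(intval|htmlspecialchars|htmlentities|mysqli_real_escape_string)\s*\(|\(int\)"
)
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted strings interpolate $vars
OUTPUT_STMT = re.compile(r"^\s*(echo|print|die|exit)\b(.*)$")
ESCAPER = re.compile(r"\b(htmlspecialchars|htmlentities)\s*\(")
# Calls whose output reveals internals (table names, driver messages, stack traces).
LEAK = re.compile(r"->\s*(getMessage|getTraceAsString)\s*\(|\bmysqli?_error\s*\(")


def _references_taint(expr: str, tainted: Set[str]) -> bool:
    """True if expr reads a superglobal directly or a variable copied from one."""
    if SUPERGLOBAL.search(expr):
        return True
    return any(var in tainted for var in re.findall(r"\$(\w+)", expr))


def scan(source: str) -> List[Finding]:
    """Line-by-line heuristic scan of one PHP file; returns findings in file order."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Track simple assignments: copies of user input stay tainted,
        # values that went through a sanitizer are treated as clean.
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.group(1), m.group(2)
            if SANITIZER.search(rhs):
                tainted.discard(name)
            elif _references_taint(rhs, tainted):
                tainted.add(name)
        # SQL injection: tainted data interpolated into a SQL-looking string literal.
        for s in DQ_STRING.findall(line):
            if SQL_KEYWORD.search(s) and _references_taint(s, tainted):
                findings.append(Finding(no, "sql-injection", stripped))
                break
        # Output statements: leaked internals first, then unescaped user input (XSS).
        m = OUTPUT_STMT.match(line)
        if m:
            expr = m.group(2)
            if LEAK.search(expr):
                findings.append(Finding(no, "error-disclosure", stripped))
            elif _references_taint(expr, tainted) and not ESCAPER.search(expr):
                findings.append(Finding(no, "xss", stripped))
    return findings


def report(source: str) -> str:
    """Human-readable summary, one finding per line."""
    return "\n".join(f"{f.line:4d}  {f.rule:<16} {f.text}" for f in scan(source))


if __name__ == "__main__":
    print(report(SAMPLE_PHP))
```

Running it on the constructed sample flags the string-built `mysql_query` call, the `die(... mysql_error())` and the `echo ... getMessage()` in the catch block, and the unescaped `echo` of `$_GET['name']`, while the escaped query, the prepared statement and the `htmlspecialchars` output pass. Whatever it reports is a reading order for the code review, not a pass/fail result: it knows nothing about functions, includes, or data that reaches a page through the database.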