bayms.web's People

Contributors

chenblair, flowingus, k15z, zenightq


bayms.web's Issues

Integrate Google Sign-In

This is a major feature which will require making significant changes to the entire application stack. A new column must be added to the users table to store Google's "id_token" values, and the entire apply/login process must be reorganized.

Carpool Map fails on Edge and IE

Problem: Due to inconsistencies in the way HTML5 sessionStorage is handled, Microsoft Edge and Internet Explorer users are unable to see the carpool map; instead, they are redirected to the login screen.

Temporary Fix (todo): Remove the redirect; overlay an error message on the map.

Permanent Fix (todo): Embed the map itself in the main application, instead of putting it on a separate page. The map should be just like any other tab; it really should get its own div and ng-controller. (In case you hadn't noticed, the carpool map was a poorly planned out last minute addition.)

Inefficient piece ordering

The JavaScript code used to set the "piece_order" value is amazingly inefficient and looks really ugly. It should be modified to send as few requests as possible, and the setTimeout used to buffer the requests to prevent the database from locking up should be changed to $timeout or completely removed.

Required fields

Make required fields red if they are not filled. (Profile page.)

Angular-style AJAX requests

Add support for Angular-style AJAX requests. Unlike typical jQuery-style AJAX requests, Angular requests are not automatically parsed by PHP and need to be manually decoded from the php://input stream. This issue is not critical, but fixing it would make the web application code much cleaner and more consistent with Angular design patterns.

Geocode for carpool_map goes over query limit

Problem:
See the discussion here for details on the problem. This issue has been temporarily addressed using a setTimeout, but the result is a really clunky user experience.

Proposed Fix:

  1. Add latitude_longitude column to users table.
  2. Set the latitude_longitude value whenever home_address is set by geocoding; try to bias the results to California so the system doesn't unexpectedly put someone in Russia just because the user didn't specify their city/state.
  3. Pull latitude_longitude directly from database instead of geocoding on client side.

Flexible authentication

Allow users who authenticate using the traditional username/password to add Google Sign-In to their accounts, and vice versa. This will involve adding new functions to the BAYMS.php file to manipulate the users table, specifically the user_name, user_pass, and user_google_id columns.

Verify password complexity

Hashing and salting isn't enough to protect against users who use pathetic passwords. Come up with and enforce a decent password policy. (6+ chars, alphanumeric?)

User interface for admins to retrieve student/parent emails.

Allow admins to retrieve student/parent emails, including filtering by group (and maybe even searching by name/instruments).

SELECT student_email FROM users WHERE student_email <> ""
SELECT parent_email FROM users WHERE parent_email <> ""
SELECT student_email, ensemble_choir FROM users WHERE ensemble_solo
SELECT student_email, ensemble_choir FROM users WHERE ensemble_choir
SELECT student_email, ensemble_choir FROM users WHERE ensemble_woodwind
SELECT student_email, ensemble_choir FROM users WHERE ensemble_orchestra

Properly verify Google Sign-In

Instead of using file_get_contents, use the PHP class provided by Google to verify the oauth token. This should lead to minor speed increases.

Implement url routing

There are only 3 tabs to move between, so the url routing can be as simple as a single switch statement or as complex as the angular ng-route module. This will replace using sessionStorage to save/restore the current tab.

Build carpool system

Add a field to the database, want_carpool. If set to true, add a link to a page which shows nearby BAYMS members who also want_carpool. This pulls data from the home_address field and geocodes it to longitude and latitude; since we don't live anywhere near eastern Russia or Alaska, the distance between two home_address is trivial to compute. Since there are only ~50 members to worry about, a brute force algorithm will work fine for computing nearest neighbors, no need for heuristics.

Cookies vs sessionStorage

On older browsers without support for sessionStorage, the basic authentication values (user_id, user_name, etc.) should be stored using cookies. In fact, even in newer browsers, it might be better to save the authentication fields in cookies so they get automatically sent to the server instead of manually sending them with every request.

Long Term Goals

Long Term Goals:

  • Make it easy for members to submit the same piece to multiple events
  • Keep track of individual performers for each piece/event; use a dropdown or typeahead to select performers instead of allowing the user to enter whatever they want.
  • Create more user_types for group leaders and other less-than-admin but more-than-member people
  • Alumni section

Prevent script injection

Right now, the program.htm page is vulnerable to javascript injection. This should be fixed by blocking all html tags except for a few tightly controlled choices such as
and .
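
An added example (not code from the bayms.web repository) of the allowlist approach this issue describes: escape every character of the user-supplied text, then restore only bare, attribute-free tags from a fixed list. The tag list `b`, `i`, `br` and the function names are assumptions, since the issue's own tag choices are not visible on this page.

```javascript
// Assumed allowlist; the tags the issue intended are not shown on the page.
const ALLOWED_TAGS = new Set(["b", "i", "br"]);

// Escape every character that can open markup or break out of an attribute.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape first, then re-enable only exact allowlisted tags.
// The pattern accepts <tag>, </tag> and <tag/> with no attributes, so
// event handlers (onclick=...) and URLs (src=, href=) never survive.
function sanitizeWithAllowlist(input) {
  const escaped = escapeHtml(String(input));
  const bareTag = /&lt;(\/?)([a-z][a-z0-9]*)\s*(\/?)&gt;/gi;
  return escaped.replace(bareTag, (match, close, name, selfClose) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return match; // stays escaped, renders as text
    if (close && selfClose) return match;     // reject malformed "</b/>"
    return "<" + close + tag + (selfClose ? "/" : "") + ">";
  });
}

// Constructed sample inputs, for illustration only.
const samples = [
  "<b>Sonata</b> <script>alert(1)</script>",
  '<b onclick="x()">hi</b>',
  "<BR/>",
];
for (const s of samples) {
  console.log(sanitizeWithAllowlist(s));
}
```

Because text that already contains `&lt;` is escaped to `&amp;lt;` before the restore step, pre-encoded input cannot be decoded back into a live tag. The filter does not balance tags, so an unclosed `<b>` can still affect formatting of the content that follows it.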

Profanity filter

Add a profanity filter on the server side, preferably in api.PHP, which filters all user supplied fields.

Add event logging

Record all user-performed actions. Not just for analytics, but also to kick out malicious users. The easiest way to implement this would be to configure the nginx server to log all POST request data (except plain-text passwords, of course).

Inefficient piece-handling code

Right now, essentially all of the operations concerning pieces (ordering, editing, deleting) are poorly implemented and the user interface for handling pieces is inconsistent and feels unnatural. The two main things to change are:

  1. Changes in piece order aren't saved automatically; this means every time submit/approve/edit/delete is clicked, the piece order has to be saved BEFORE the submit/approve/edit/delete action can be performed. The piece order is saved, even if it was not changed since the last save. This is the single biggest waste of time in the pieces code.
  2. After submitting/approving/editing/deleting a piece, the code should only refresh event data for the current event. Right now, it's re-retrieving data for all events, which is a colossal waste of bandwidth.

China vs Google

Get a local copy of angular-sanitize so users in China don't run into the great firewall. (Or convince China to support freedoms of expression...)

Add internal doc only for member to see

Need to put up some internal docs for members to check, such as the ensemble practice schedule and room usage for every week.
Need a way to control access to the internal docs and folder.

Merge bayms.org and dev.bayms.org

The new website must be the face of BAYMS but also integrate the login system,
probably a home page with a button to log in in the corner.

Add "confirm" prompts

Anything irreversible - delete piece, delete user, delete event, etc. - should have a "confirm" prompt before the API call is executed. This can be as simple as

if (confirm("Are you sure?")) { /* Do something! */ }

Or as complex as a beautiful modal with parallax animations.

Autocomplete instrument input

Use datalist to provide autocomplete functionality for the instrument input fields. However, make it clear that other instruments are also accepted.

Implement piece editing

Allow users to edit their piece submissions. The back-end is already set up for this, just add some CSS and JS to make this happen on the client side.
