The last two days I’ve been sprint-hacking the phpList public API. What is PHPList, why an API, and what is a sprint-hack, you may ask. The first is a Free Software MailChimp competitor established 10 years ago, and available to install or use as a service. The second is for calling phpList actions remotely (such as sending a newsletter), and for easy integration with other apps and websites. The third I guess you know: a hacking sprint is a short burst of effort to write or improve a project, typically (but not always) code.
I was motivated to suggest the sprint to the phpList developers after again finding myself wishing for a simple, well documented way to add and remove newsletter subscribers from other software. The case in question was Open Funding – a crowdfunding platform startup company I’ve been consulting for over the last two months. They recently switched from MailChimp to phpList Hosted and now want to add “Subscribe to newsletter” buttons within their user control panel. Over the last six years of using phpList there have been similar occasions when I’ve found myself searching source code for an API, and this time I thought “it’s time to do something about this”.
Over two days a small team including phpList’s CEO and Community Manager did the following:
- Identified an old 3rd party plugin that added API functionality
- Used it as a basis for a new REST API plugin for the current PHPList version
- Tested API calls that are already implemented
- Began researching security issues with the legacy code
- Set up a new unit testing framework
- Wrote passing tests for eight different API calls
- Merged in work by other 3rd party developers orphaned last year
- Added documentation to existing code
Right now you can install phpList with the revamped API Plugin and have working public access to the following functionality:
- Login as an administrator
- Create a subscriber list
- Find all existing subscriber lists
- Update a subscriber list
- Create a new subscriber
- Add a subscriber to a list
- Delete a subscriber list
Giving access to your API to untrusted users is not recommended just yet however, as a thorough code security review should take place beforehand. Vulnerabilities are still present, and the plugin is not yet in a beta state.
The real reward will come for me when the API is ready for deployment on phpList hosted – the service provided by the app’s parent company, currently free of charge to use for Free Software projects. The sprint was a major step in that direction, and a good excuse to write passing unit tests too.