Now that the Movies Reviews CMS database schema is up, I will concentrate on explaining the designs of the schema, and how it fitted the requirements of the client, and how it continues to evolve.

The Movies Reviews Content Management System is a system for entering Movie Reviews. Each movie is classified according to language, country of origin, genre, actors and directors. It is designed primarily using ASP.NET with C# as the code-behind. The backend storage for the system is Microsoft SQL 2000. The system is designed in such a way that it is modular, and additional functionalities can be added easily. Also, the usage of defensive programming minimizes risks and threats to the system, if and when these risks and threats occur.

The CMS is designed for 3 groups of users. The first group is the site administrator, the second group are the movie reviewers, and the third group, site visitors. The site administrator can both add new movies to the system, and they can also add their own reviews to any movies existing in the system. In addition, they can also add genre, actors, directors, languages and countries to the system. Site visitors can see the list of movies and read the movie reviews. In addition, site visitors can also see what movies a particular actor has acted in, or directed.

Though the system appears simple, much thought went into the design of the system. Each visitor to the Movies Reviews web site is anonymous, until they choose to login. Once logged in, they can perform administrative roles, such as adding a new genre, adding a new movie title, or adding a new review for an existing movie.

Let's look at how users are administered first.

There is a site administrator who has to log in, in order to add/delete/edit users. But, initially, the administrator himself has to have an account right? A separate C# program is written, that creates the site administrator, given an account name, and a password. This C# program is only run once, when the system is initially being set up. Once the site administrator is added to the system, the site administrator will take over administration of the entire site. The site administrator is all powerful, and has the ability to add, edit, or delete anything on the system that other users have added.

The user id of the site administrator is not hard coded into the system. Instead, it is placed in the ASP.NET configuration file, web.config. Whenever a user logs in, the login page (at login.aspx) checks whether the user id (of the user attempting to log in) has the same value as that of the site administrator. If it is, a token is set in the system that recognizes the user as a site administrator, and gives full access to the user. Each user's password is not stored in the system, instead, a MD5 hash of the password is computed and stored. By not storing the user's password, if a breach of the system occurs, no one will be the wiser, since the actual password is not stored.

By not hard coding the site administrator's user id into the system, the system is designed to be free from threats, such as brute force attempts on logging in. Also, the client is given the opportunity to name any user as the site administrator, as long as the value of the Administrator key in web.config has been changed to point to that particular user.