v1.3.4-aplha.1 #89

Merged
merged 3 commits into from
Feb 15, 2025
24 changes: 20 additions & 4 deletions docs/pages/changelog.mdx
Expand Up @@ -42,7 +42,19 @@ export function FAQBoxError({ title, children, open = false }) {

# ACAP Change Log

This page contains summary of features and enhancements on major ACAP versions and their programming-development timelines.
This page summarizes the features and enhancements of major ACAP versions, extensions, and their programming-development timelines.

### Glossary of Terms

- [ACAP 1.0](#version-1-acap-10) serves as the base model of the Agro-Climatic Advisory Portal (ACAP). Initially made for the Bicol region, it provides dynamic features setup support for other regional provinces. It served as the active ACAP version until ACAP 2.0.
- [ACAP 2.0](#version-2-acap-20) and beyond is an extension of the Agro-Climatic Advisory Portal (ACAP), a Climate Information System, <u><i>expanding</i></u>, <u><i>enhancing</i></u>, and <u><i>building upon</i></u> the initial [ACAP 1.0](#version-1-acap-10) version.
> ACAP 2.0 builds upon ACAP 1.0 rather than replacing it. It enhances and expands the original system while maintaining its core foundation.

<Callout>
As of <u>July 2024</u>, **ACAP 2.0,** containing new features and upgrades, is the <u>latest</u> ACAP version and is now collectively referred to simply as **"ACAP"**
</Callout>

<br />

<Steps>

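Review bot: the new Callout line `As of <u>July 2024</u>, **ACAP 2.0,** containing new features and upgrades, ...` has a stray comma inside the bold and no terminal period; suggest `**ACAP 2.0**, containing new features and upgrades, is the <u>latest</u> ACAP version and is now collectively referred to simply as **"ACAP"**.` The first glossary item's "provides dynamic features setup support for other regional provinces" is also unclear; say whether it means the Bicol-specific setup can be reconfigured for other regions.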
Expand All @@ -62,12 +74,12 @@ Version 2.0 and later versions may have new requirements that will thrive on new

<FAQBoxError title="💀 Version 2.0 - 2.1 Security Technical Debts">
<div id="acap-2-security-debts" />
1. **Flexible Firestore Database Use:** Version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing _<u>WRITE operations to the database directly from the web front end</u>_ coupled with more _<u>lenient Firestore database Rules</u>_. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). While this was <u><b><i>not an issue in Version 1.0</i></b></u>, it emerged as part of the effort to enhance development speed and feature delivery starting with Version 2.0.
1. **Flexible Firestore Database Use:** ACAP version 2.0+ adopted a more flexible approach for handling data management, facilitating faster feature development by performing _<u>WRITE operations to the database directly from the web front end</u>_ coupled with more _<u>lenient Firestore database Rules</u>_. However, this shift also introduced the potential for data to enter the database without the usual front-end controls through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). While this was <u><b><i>not an issue in [Version 1.0](#version-1-acap-10)</i></b></u>, it emerged as part of the effort to enhance development speed and feature delivery <u><b><i>starting with Version 2.0</i></b></u>.
2. **Cross-Site Scripting (XSS) Vulnerability in Crop Recommendations:** Related to item 1, the new process for editing WYSIWYG HTML-form crop recommendations input may allow unsafe or inaccurate content due to limited validation through the [Firestore REST APIs](https://cloud.google.com/firestore/docs/reference/rest/). Risks associated with this were recognized early in the process, but the focus on delivering core features led to a delay in integrating security measures.
<AnchorModal
anchorText="XSS Vulnerability Awareness in ACAP 2.0"
>
A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **version 2.0** due to new development approaches and priorities.
A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 Crop Recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](#version-2-acap-20)** due to new development approaches and priorities.

For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures.
</AnchorModal>
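Review bot: the body of `<AnchorModal anchorText="XSS Vulnerability Awareness in ACAP 2.0">` here is the same two paragraphs as the modal in docs/pages/security.mdx, differing only in the anchor (`#version-2-acap-20` vs `/changelog/#version-2-acap-20`); maintaining the text in two places invites drift, so consider moving it into a shared component or MDX partial imported by both pages. Item 1 also records the lenient-rules / Firestore REST API write path as a debt without saying whether it is still open; since the heading is "Version 2.0 - 2.1 Security Technical Debts", state the status as of 2.1.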
Expand Down Expand Up @@ -111,7 +123,7 @@ Version 2.0 and later versions may have new requirements that will thrive on new
- Removal of the rainfall condition trigger
2. Public/admin 10-day recommendations and bulletin PDF generation
- Removal of the single-date selection trigger within the active PAGASA 10-day date range for determining the crop stage/s
3. Deprecation of the **uploaders** group of Node Package Manager (NPM) scripts in favor of cropping calendar/recommendations Excel file upload through the UI
3. Deprecation of the <u>data uploaders</u> group of Node Package Manager **(NPM) scripts** <sup>[[1]](/post-installation/cropping-calendar/calendar-v1/), [[2]](/post-installation/recommendations/recommendations-v1/)</sup> in favor of cropping calendar/recommendations Excel **file upload through the UI** <sup>[[3]](/post-installation/cropping-calendar/calendar-v2/), [[4]](/post-installation/recommendations/recommendations-v2/)</sup>
4. Allow creating seasonal bulletin PDFs with more than one (1) page.
5. Text blast recipients by province/municipality instead of individual selection

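Review bot: item 4 ("Allow creating seasonal bulletin PDFs with more than one (1) page.") is the only item in this list ending with a period; either drop it or add one to items 1-3 and 5. The new `<sup>[[1]]...[[4]]</sup>` markers also restart footnote numbering independently of any other footnotes on the page; descriptive link text (e.g. "calendar v1", "recommendations v2") would be easier to follow than bare numbers.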
Expand Down Expand Up @@ -207,4 +219,8 @@ _June 2023 onwards_

</div>

<Callout>
All ACAP 1.0 features, updates, and follow-up fixes were carried over and inherited by [ACAP 2.0](#version-2-acap-20).
</Callout>

</Steps>
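Review bot: the new Callout states "All ACAP 1.0 features, updates, and follow-up fixes were carried over and inherited by ACAP 2.0", but the Version 2.0 list earlier in this file records removals and a deprecation (the rainfall condition trigger, the single-date selection trigger, the data uploaders NPM scripts). Qualify the claim, e.g. "ACAP 1.0 features, updates, and follow-up fixes were carried over to ACAP 2.0 except where the Version 2.0 section notes a removal or deprecation."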
4 changes: 3 additions & 1 deletion docs/pages/index.mdx
Expand Up @@ -2,7 +2,9 @@ import { Callout } from 'nextra/components'

# Welcome to ACAP Tutorials 🏡

This site offers a more organized and structured approach to documenting the software development approaches for the Agro-Climatic Advisory Portal - Bicol (ACAP Bicol), initially released as [ACAP 1.0](/changelog/#version-1-acap-10) at the end of 2022 and now enhanced to version [2.0](https://acap-bicol.github.io/) as of 2024.
### Agro-Climatic Advisory Portal (ACAP), a Climate Information System

This site offers a more organized and structured approach to documenting the software development approaches for the Agro-Climatic Advisory Portal (ACAP), initially released as [ACAP 1.0](/changelog/#version-1-acap-10) (ACAP Bicol) at the end of 2022 and enhanced to version [2.0](https://acap-bicol.github.io/) in 2024.

> The Agro-Climatic Advisory Portal (ACAP), a Climate Information Services web application (CIS) co-developed by the [University of the Philippines Los Banos Foundation, Inc.](https://uplbfi.org/) (UPLBFI) and the [Alliance of Bioversity International and CIAT (Alliance)](https://alliancebioversityciat.org/) with the [Department of Agriculture (DA)](https://www.da.gov.ph/) and the [Regional Field Office 5 (RFO 5)](https://bicol.da.gov.ph/) is a digital platform that serves as a centralized hub for the development of Climate Information Services (CIS) in the Bicol Region. It contains relevant weather and climate information to use with tailored advisories and crop recommendations.

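Review bot: the added `### Agro-Climatic Advisory Portal (ACAP), a Climate Information System` is an h3 placed directly under the h1 `# Welcome to ACAP Tutorials`, skipping h2, and it reads as a subtitle rather than a section heading; make it an h2 or fold it into the intro paragraph. The rewritten sentence also moves "(ACAP Bicol)" after the ACAP 1.0 link, which now reads as though ACAP Bicol is the name of the 1.0 release; the earlier placement, "Agro-Climatic Advisory Portal - Bicol (ACAP Bicol)", was clearer about what the abbreviation expands to.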
46 changes: 38 additions & 8 deletions docs/pages/security.mdx
Expand Up @@ -4,9 +4,9 @@ import AnchorModal from '@/components/AnchorModal'

# Security Guidelines

ACAP adheres to strict security practices and development patterns defined by its technology stack <u>"_while considering the limited options of its (default) standard-pricing tier cloud services_"</u> starting from its initial [1.0](/changelog/#version-1-acap-10) version.
ACAP adheres to strict security practices and development patterns defined by its technology stack <u>"_while considering compatible options with its limited (default) upgradable standard-pricing cloud services_"</u> starting from its initial [1.0](/changelog/#version-1-acap-10) version.

Please ensure continued compliance with these security standards when extending ACAP to add or enhance new features while actively considering its currently available plans, options, and **features requirements** at hand.
Please ensure continued compliance with these security standards when extending ACAP to add or enhance new features while actively considering its currently available plans, options, and **feature requirements** at hand.

<Callout type="error" emoji="☠️">
**NOTE:** Further enhancements and feature updates to the initial [**ACAP 1.0**](/changelog/#version-1-acap-10) version may introduce new requirements to address additional use cases. Please ensure that security measures meet the expectations outlined in these new requirements.
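Review bot: the reworded quoted phrase "while considering compatible options with its limited (default) upgradable standard-pricing cloud services" is harder to parse than the line it replaces; "limited (default) upgradable" reads as self-contradictory. State the constraint plainly, e.g. "within the limits of the standard-pricing tier of its cloud services, which may be upgraded where a feature requires it", and drop the quotation marks, italics and underline, which suggest a citation that is not given.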
Expand All @@ -21,13 +21,13 @@ Please ensure continued compliance with these security standards when extending
<AnchorModal
anchorText="XSS Vulnerability Awareness in ACAP 2.0"
>
A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 crop recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **version 2.0** due to new development approaches and priorities.
A YouTube video detailing steps for exploiting XSS vulnerabilities in the **ACAP 2.0 Crop Recommendations** at https://www.youtube.com/watch?v=b9UZ6_OCTaY has been set to private permissions to limit exposure. This video is a resource for understanding the security challenges associated with these vulnerabilities and ACAP, which occurred starting on **[ACAP 2.0](/changelog/#version-2-acap-20)** due to new development approaches and priorities.

For ACAP Maintainers or developers interested in exploring the content, please contact the current active ACAP Maintainer(s) for an invitation to access the video. Engaging with this material can provide insights into the security considerations that have been acknowledged and inform future enhancements to the system's security measures.
</AnchorModal>
</Callout>
- (b) Signed-in users cannot **CREATE** new Firestore collections and documents
- (c) Public users without sign-in authentication cannot **VIEW** sensitive information such as phonebook contacts and email information
- (c) Public users without sign-in authentication cannot **VIEW** sensitive information such as phonebook contacts and email information, by ensuring their Firestore collections are using the correct role/access-based Firestore Security Rules.

2. Ensure that all mutative **"WRITE"** operations in the Firestore database occur only through authenticated HTTPS requests in the backend (NodeJS) REST APIs. _(see also [Server](/directories/server) for more information)._
- (a) ACAP 1.0's Firestore Rules strictly prohibits **Database #1.a** and **Database #1.b** to enforce this.
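Review bot: the clause added to item (c), "by ensuring their Firestore collections are using the correct role/access-based Firestore Security Rules", turns a testable requirement into one that hinges on an undefined "correct"; name the condition (an authenticated request whose custom claim grants the required role, as the Sensitive data management section describes) or point to the rules file so a reviewer can verify it. Item 2 below ("all mutative WRITE operations ... occur only through authenticated HTTPS requests in the backend") also states the 1.0 model, while the changelog entry in this same PR records that 2.0 writes from the web front end; the two passages should cross-reference each other so readers know which currently holds.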
Expand All @@ -38,11 +38,29 @@ Please ensure continued compliance with these security standards when extending
4. Firestore database security relies on properly tested Firestore Rules to ensure security, especially if its rules do not disable all **VIEW/CREATE/EDIT/DELETE** operations.
- Please ensure that "new" and robust Firestore Rules are created and thoroughly tested, in case new database components or requirements need to be added to the ACAP 1.0 Firestore database.

### Firestore Database Rules

ACAP's [Firestore Security Rules](https://firebase.google.com/docs/firestore/security/get-started), which enforces strict role/access-based security to the Firestore database, should be copied to the Firebase project's <b>Firestore Rules tab</b> in the [Firebase Console](https://console.firebase.google.com/u/0/?pli=1). It is located in this file for reference:

```text copy
/client/src/firestore.rules
```

<Callout type="warning">
[ACAP 2.0](/changelog/#version-2-acap-20) allowed users to <u>edit crop recommendations, a new feature</u> introduced in **version 2.0** through <u>weak Firestore Security Rules</u>, making it vulnerable to **Cross-Site Scripting (XSS)**. This also lets unauthorized clients (e.g., Postman) modify WYSIWYG form data without protection. These security flaws contradict the best practices outlined in the [Database](#database) section.

For more details, refer to GitHub Issues in the parent **acap-v2 repository** ([[1]](https://github.com/amia-cis/acap-v2/issues/34), [[2]](https://github.com/amia-cis/acap-v2/issues/57) or check the **Firebase Storage Announcements 2024** under the [Are there security concerns I should be aware of?](/announcements/firebase-storage-2024#security-considerations) section for more information and reference.
</Callout>

## Sensitive data management

1. Ensure that sensitive data and environment variables are never statically generated and deployed to the GitHub Pages or Firebase Hosting static hosting websites.
1. Ensure sensitive data and environment variables are never statically generated and deployed to the GitHub Pages or Firebase Hosting static hosting websites.

2. Sensitive data, secured with Firebase Authentication, Firebase Custom Claims (**User/Admin Accounts #1, #2**) and Firestore Rules (**Database #1.c**) is dynamically fetched from the Firestore Database using the Firestore Web APIs or the secure (NodeJS) REST APIs.
2. Sensitive data, secured with Firebase Authentication, Firebase Custom Claims (**User/Admin Accounts #1, #2**), and Firestore Rules (**Database #1.c**), is dynamically fetched from the Firestore Database using the Firestore Web APIs or the secure (NodeJS) REST APIs.

<Callout>
Ensure that Firestore collections containing sensitive data (e.g., `"/phonebook/{docId}"`) are using appropriate role/access-based access settings defined in the **Firestore Security Rules**. This comprises a combination of **Firebase Authentication** and **Firebase Custom Claims**.
</Callout>

## File Storage

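Review bot: the new Firestore Database Rules section says the rules "enforce strict role/access-based security", and the warning Callout a few lines later says 2.0 shipped "weak Firestore Security Rules" that allowed front-end edits; state which state `/client/src/firestore.rules` is currently in (the strict 1.0 rules or the loosened 2.0 rules) so a maintainer copying it into the Firebase Console knows what they are deploying. Two smaller points: "which enforces" should be "which enforce" (the subject is Rules), and the parenthesis opened before `[[1]](https://github.com/amia-cis/acap-v2/issues/34)` is never closed.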
Expand All @@ -51,15 +69,27 @@ Manually test and ensure, using the Firebase Storage Web APIs, that:
1. Public and signed-in users can only "READ" or download the PDF bulletin files.
2. Public and signed-in users cannot UPLOAD or DELETE files.

### Firebase Storage Security Rules

ACAP's [Firebase Storage Security Rules](https://firebase.google.com/docs/storage/security/) enforce strict security by allowing only authenticated requests in the NodeJS backend to upload (PDF) files to the Firebase Cloud Storage while allowing public data (PDF, images) to download from the frontend. It should be copied to the Firebase project's <b>Storage Rules tab</b> in the [Firebase Console](https://console.firebase.google.com/u/0/?pli=1). It is located in this file for reference:

```text copy
/client/src/storage.rules
```

## Codebase

- Ensure that forked **climate-services-webportal-v1** (ACAP 1.0) or **acap-v2** (ACAP 2.0) monorepo code base or copies remain PRIVATE in GitHub and other public platforms.
- Ensure that forked **climate-services-webportal-v1** ([ACAP 1.0](/changelog/#version-1-acap-10)) or **acap-v2** ([ACAP 2.0](/changelog/#version-2-acap-20)) monorepo code base or copies remain PRIVATE in GitHub and other public platforms.

## User/Admin Accounts

1. Ensure that Admin accounts are created by the superadmin in the NodeJS backend using [Firebase Authentication](https://firebase.google.com/docs/auth/) with [Firebase Custom Claims](https://firebase.google.com/docs/auth/admin/custom-claims), leveraging the [Firebase Admin SDK](https://firebase.google.com/docs/admin/setup) to ensure maximum security.

2. More information about ACAP 1.0's Security requirements are available in its Software Requirements Specifications document available in this [link](https://github.com/amia-cis/acap-v2/blob/dev/docs/acap_1.0_software_requirements_specification_v4.0.pdf) (accessible only for developers with access).
2. More information about ACAP's Security requirements is available in its Software Requirements Specifications document in this [link](https://github.com/amia-cis/acap-v2/blob/dev/docs/acap_1.0_software_requirements_specification_v4.0.pdf) (accessible only for developers with access).

<Callout type="info">
These Security requirements carry over and apply to **ACAP 2.0**, even if the Software documents were written for **ACAP 1.0**. Since no new Software documents are available for the updates made in ACAP 2.0, you may <u>consult the new lead programmer</u> responsible for implementing ACAP 2.0 <u>about detailed upgrades specifics made to the system</u>.
</Callout>

## Related

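Review bot: "allowing only authenticated requests in the NodeJS backend to upload (PDF) files" misdescribes what Firebase Storage Security Rules do: the rules govern requests made through the client SDKs and REST endpoint, and a backend using the Firebase Admin SDK (as the User/Admin Accounts section says the backend does) bypasses them entirely. The accurate description is that `/client/src/storage.rules` denies all client-side writes and permits public reads, with uploads performed server-side outside the rules; the manual test steps 1 and 2 above already match that reading. The new "consult the new lead programmer" Callout also points readers to a person rather than a document; at minimum name where the 2.0 change notes live (e.g. the acap-v2 issues referenced in the Database section).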