Please specify the site or location where the LMS2 platform is accessed or utilized.
Is the story written as "As a [Role], I want [Feature], so that [Benefit]"?
Acceptance Criteria (AC): Are there at least 3 clear Pass/Fail conditions?
Does the story define what happens when things go wrong? (e.g., “What if the parent pays with an expired card?” or “What if the database is down during grading?”)
RBAC Defined: Does the story explicitly state which roles CAN and CANNOT perform this action?
IDOR Prevention: Does the requirement specify that users can only access their own data?
Data Privacy: If this collects student info, is it marked as PII (Personally Identifiable Information)?
Retention Policy: Does it state how long data is kept?
Input Validation: Are all inputs sanitized? (Prevent SQL Injection & XSS).
Authorization Check: Does the code verify the user's permission on the server side? (Not just hiding buttons on the UI).
No Hardcoded Secrets: Are API keys, DB passwords, and encryption keys stored in .env files, NOT in the code?
N+1 Query Check: Are database queries optimized? (Related records for a list should be fetched in one query via joins or eager loading, not one query per row.)
Pagination: Is pagination implemented for large lists (Students, Logs, Payments)?
Clean Code: Are variables named clearly?
No PII in Logs: Verify that you are NOT logging sensitive data like passwords, student IDs, or credit card numbers in the console/server logs.
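As an added example covering the RBAC, IDOR Prevention and Authorization Check items above (this is not code from the LMS2 project): a grade endpoint whose handlers check role and ownership on the server before returning or changing data, with the insecure "trust the id" handler shown beside it. User ids, roles and grade records are constructed sample data.

```python
# Added example, not from the LMS2 page: a grade endpoint whose handlers run
# RBAC and ownership checks on the server and return (http_status, body).
# All ids, roles and records below are constructed.

# Constructed sample records standing in for the LMS database.
USERS = {"stu1": {"role": "student"}, "stu2": {"role": "student"},
         "par1": {"role": "parent", "children": {"stu1"}},
         "tea1": {"role": "teacher"}}
GRADES = {"g100": {"student_id": "stu1", "score": 91},
          "g200": {"student_id": "stu2", "score": 78}}

# RBAC: roles that CAN perform each action; every other role CANNOT.
CAN_VIEW = {"student", "parent", "teacher"}
CAN_EDIT = {"teacher"}

def get_grade_insecure(grade_id):
    """IDOR: trusts the id from the request, so any caller gets any grade."""
    return 200, GRADES.get(grade_id)

def _owns(caller_id, caller, grade):
    """Students see their own grades, parents their children's, teachers all."""
    if caller["role"] == "teacher":
        return True
    if caller["role"] == "student":
        return grade["student_id"] == caller_id
    return grade["student_id"] in caller.get("children", set())

def get_grade(caller_id, grade_id):
    """Role check, then ownership check, both server-side, before any data."""
    caller = USERS.get(caller_id)
    if caller is None or caller["role"] not in CAN_VIEW:
        return 403, None
    grade = GRADES.get(grade_id)
    # Same answer for missing and not-owned ids so they cannot be enumerated.
    if grade is None or not _owns(caller_id, caller, grade):
        return 404, None
    return 200, grade

def set_grade(caller_id, grade_id, score):
    """Writes are teacher-only and the score is validated on the server."""
    caller = USERS.get(caller_id)
    if caller is None or caller["role"] not in CAN_EDIT:
        return 403, None
    if type(score) is not int or not 0 <= score <= 100:
        return 400, None
    if grade_id not in GRADES:
        return 404, None
    GRADES[grade_id]["score"] = score
    return 200, GRADES[grade_id]
```

Note that the caller identity must come from the authenticated session, never from a request parameter, or the ownership check is trivially bypassed.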