Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Fields' markup contains undesirable data-quickedit-*
attributes.
ex:
Proposed resolution
Only add those data-quickedit-*
attributes when the user has permission to use Quick Edit.
Remaining tasks
None.
User interface changes
None.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#23 | quickedit_data_attributes_only_when_necessary-2528498-23.patch | 2.78 KB | Wim Leers |
Field_test___d8.png | 239.03 KB | mortendk |
Comments
Comment #1
mortendk CreditAttribution: mortendk as a volunteer commentedComment #2
mortendk CreditAttribution: mortendk as a volunteer commentedups dont wrap but adds in data-....
Comment #3
mortendk CreditAttribution: mortendk as a volunteer commentedComment #4
mortendk CreditAttribution: mortendk as a volunteer commentedComment #5
Wim LeersFirst: This is non-sensitive data.
Second: This is by design. It allows us to serve the same render cache items to both anonymous and authenticated users. So it allows us to have more effective caching.
Third:
is wrong — if you look at the screenshot you provided, you see that it's merely addingdata-
attributes to the already-existing field wrapper. (As you can see inquickedit_entity_view_alter()
.)Fourth: as a nice side effect, it ensures things don't break when using Quick Edit as an authenticated user, because the CSS and markup is the same for all users. So it helps prevent the "themers only tested this as the anonymous user, i.e. without Quick Edit's metadata, and now it breaks with Quick Edit"-problem.
So I wonder: is it really a problem, given that it does not add more divitis?
Comment #6
mortendk CreditAttribution: mortendk as a volunteer commentedmnaah i think it was me beeing out of coffe & beeing on a wtf raid in drupal markup ;)
Comment #7
JacineUgh. This is miserable. Absolutely miserable.
Comment #8
achtonI can get behind the argument about caching. But I am not convinced that the performance benefits outweigh the "clean markup" benefit. It simply feels wrong to expose markup intended for editors to end-users. I admit that this is a lesser issue if we really are *only* adding
data-
attributes (I have so far founddata-quickedit-entity-id
anddata-quickedit-field-id
).The theming aspect is also relevant, since I have had quite a few discussions with frontend (non-Drupal) developers now about how they should manage the stuff that quickedit "does" to the frontend for authenticated users. So far, we have decided to accept that the we have the same markup for both.
Mainly though, we had a situation where the addition of the field wrapper around a responsive
<picture>
element led the frontend developer to believe that Quickedit was causing images to not be shown (it was obscured via that wrapper, due to how they manage images in CSS), and so they had to add height to that wrapper. They did this by targeting thequickedit-field
class which is added to the wrapper from quickedit.js, which is obviously only loaded for users with correct permissions. So now we have a situation where the markup is *not* the same after all, and where the Quickedit markup behaviour has been mangled into place to account for a custom theming approach.I imagine this topic will come up again (and again), so I am reopening for more discussion (sorry!).
Comment #9
Wim LeersWell, that's very misguided. One should always first understand why classes are present before using them in CSS selectors.
#7 + #8: I've already given arguments in #5. If you have a solid change proposal, I'm all ears.
Comment #10
star-szrAt this point I'm with @Wim Leers I think we need more info here, the arguments in #5 seem pretty sound to me. A data attribute is the correct thing to use here, IMO it would be worse if it was yet another class (even if it were js- prefixed).
Would it ease the pain or misery at all if we could figure out a way to get the class attribute to come before the quickedit data attribute(s)? :)
Comment #11
JacineI could care less what attributes quick edit module wants to use. Data attributes are a perfectly valid use case for this.
What I loathe here, and find unacceptable is that this markup is littered in the markup when QuickEdit module is NOT available, while giving your entire backend configuration away to the public, exposing it to search engines and anything and everyone else. While some will argue (see #5-1), IMO, it is a potential security issue. Maybe not a serious one, but I find it crazy that we give away the entire configuration away:
data-quickedit-field-id="entity/id/field_name/lang/view_mode"
Better make sure your entity and field machine names don't give away any non-public information.
It's the whole 2 steps forward, 3 steps back. Theming WTF/garbage in the name of performance. I don't know what the actual difference is in terms of caching, but I hope it's a very significant difference, and even then I'm not sure I'd call it worth it.
Comment #12
Wim LeersGreat!
First of all, the sensitiveness of that information is highly questionable. But let's assume it is. Would it not be exposed without Quick Edit? Let's look:
contains:
data-quickedit-entity-id="node/7"
, which indeed exposes the entity type IDclass="… node node--type-article node--promoted node--view-mode-teaser …"
, which also exposes the entity type ID, and actually even more: the bundle, whether it's promoted or not, and even the view modecontains:
data-quickedit-field-id="node/7/body/en/teaser"
, which indeed exposes the field nameclass="… field--name-body …"
, which also exposes the field name, and actually even more: the precise field typeIn other words: the existing classes already expose far more information.
Finally, note that Quick Edit will only show up on entities & fields that end up being rendered anyway, and they are only rendered if the current user can actually access them.
Comment #13
JacineI know that people will want to argue it to death. I just disagree. You're also assuming I have RDF enabled in your examples, which I do not, and forgetting that these classes can be changed, if desired. I don't like what's being produced in RDF either, but I CAN disable it. Here I would have to disable QuickEdit entirely, which is a huge part of the editorial experience.
Also, the classes do not expose everything, especially not all together, in the form of paths, that are also sometimes accessible via URL.
/node/100
/node/100/field_headline/en/teaser
These are like SQL queries in markup... Straight up.
If that's needed for someone to actually USE QuickEdit, great! But, anonymous users sure as hell don't need or use it, and therefore this is just garbage in my markup, that also happens to display my backend configuration to the world. There is no denying that. It also sends a great message to contrib that littering your markup is fine as long as you get better caching at the end of the day.
You guys don't want to fix it. Fine.
You don't want to acknowledge that SQL-like queries in markup, required for a module that is not even running, is not ideal, fine.
I don't really want to argue. I just hate this decision with a passion.
PS - This is not a support request. :)
Comment #14
Wim LeersBefore these
data-
attributes, Quick Edit actually depended on the RDF module, and used the RDFa metadata. Sounds like it's a good thing that's no longer the case, or you'd have hated this even more :)They're not paths. They're not URLs. They're just slash-separated strings. We could make them colon-separated if you want. We could also have made it into JSON (
{entityType:'node',entityId:100,fieldName:'field_headline',langcode:'en',viewMode:'teaser'}
) but that'd have made it ridiculously verbose.Then you probably also dislike:
data-drupal-selector
all over the place: https://www.drupal.org/node/2503277/node/3
as the anonymous user. View source, and note this is present in your markup:You just really want clean markup that is as clean/simple/empty/minimal as possible, always. I understand that!
I do. I said this in #9:
I mean that.Overall, the problem is that in many cases, "cleanest markup possible" requires many variations of a particular piece of markup. In cases like Quick Edit's
data-
attributes and those<link rel="…" />
tags, they're pure declarations that are not at all user-specific. Hence it's beneficial to just always show them. Conditionally showing them means by definition more computations and worse cacheability.If you see an alternative implementation here, I'd love to make it happen!
Comment #15
JacineI said "in the form of paths, that are also sometimes accessible via URL" and stand by that.
/node/100
is definitely a path, and one that is accessible if you append it in your address bar. If didn't show up for users without permission to use QuickEdit, I wouldn't care.That would have been an atrocity.
I don't care about #1, but #2.... I don't even have the energy for this right now.
I believe you, and I do appreciate that. But, unfortunately for me, I'm SOL. You said:
All I can tell you, is what I have already:
And ultimately, I should just give up now, because I know how this will end.... It will end with a maintainer refusing to commit a fix because it changes markup that people may or may not be depending on now. So, it's all probably just a waste of time to say anything at all. I'm probably better off putting energy into disabling the QuickEdit module, which is unfortunate.
I probably just need to get out of the core issue queue in general before it starts sucking the life out of me again.
Comment #16
Wim LeersIt's not two versions. It's as many as there are combinations of permissions/roles. So just out of the box that is already 3! = 3*2*1 = 6.
I guarantee this is not the case, precisely because this is a
data-
attribute only used and controlled by Quick Edit. Which is why we're free to change it.I really, really want to un-frustrate you (if that's even a word :)). I want to help you make things better.
That got me thinking.
I just said above that it's not just 2 versions, it's 6. Because it needs to vary by combination of permissions. But… since #2493033: Make 'user.permissions' a required cache context we already do that for every freaking rendered thing anyway! So my entire argument is moot! (In this particular case at least: because it varies by permissions.)
Trivial patch. With updated test coverage.
Jacine++
Comment #17
JacineOMG. You just made my week. I will be testing this first thing tomorrow morning. Cannot thank you enough!!! :D
Comment #18
star-szrOkay that's really exciting then! I call dibs on committing this. :)
Comment #19
nod_I'll let Jacine RTBC but tested it and works great. RTBC +1
Comment #20
nod_Also when a Wim comment has a
<hr>
, you know it'll be a good one.Comment #22
dawehnerSo much love!
Comment #23
Wim LeersComment #24
achtonThat was an amazingly positive outcome! FWIW, I've tested the patch in #23 and it works as expected -- no more quickedit data attributes! So another RTBC+1 from me.
So .. does this mean the same might be possible for contextual.module (in a follow-up issue)?
Comment #25
swentel CreditAttribution: swentel commentedRelated issue in contextual links - see #2650246: Only emit Contextual Links data- attributes when actually necessary
Comment #26
Wim Leers#24: The answer is "yes", as @swentel shows in #25 :)
#25: reviewed!
Comment #27
Wim LeersComment #28
Wim LeersUpdated IS.
Comment #29
JacineJust tested and it works perfectly. TX just got MUCH better.
You guys did not have to wait for me, but I appreciate it! RTBC.
This is not at all how I expected this issue to go. When I commented initially I didn't even bother to set the issue back to active, because I really didn't think there was even a slim chance. Kudos to you guys for allowing this sort of change after release. That's huge. And thank you Wim, for your actual concern and dedication here. It's not always easy to do that, so I appreciate it that much more. Respect! :D
Comment #30
Wim Leers:)
Could you then also review #2650246: Only emit Contextual Links data- attributes when actually necessary and perhaps also RTBC it? :)
Comment #31
JacineYes, for sure! Will go review that as soon as I can (probably not today).
Comment #32
star-szr:D
Comment #35
star-szrCommitted and pushed fa5efed to 8.2.x and c1e7d05 to 8.1.x. Thanks!
I'm not committing this to 8.0.x because this isn't a bug fix and is technically changing markup as well (#5 in https://www.drupal.org/core/d8-allowed-changes#evaluate). On the bright side 8.1.0 will be out before we know it! :)
Thanks everyone and particularly @Jacine and @Wim Leers, this is a really great outcome that will make people happy!
Comment #36
mortendk CreditAttribution: mortendk as a volunteer commentedwoooho :) <3 -> @wim & jacine
Comment #37
sachbearbeiter CreditAttribution: sachbearbeiter commented