Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
See the original report
Proposed resolution
Update the markup.
Remaining tasks
Review.
RTBC.
Commit.
User interface changes
None
API changes
None
Data model changes
None
Original report by @jibran
While reviewing #1946466-58: Convert all confirm_form() in user.module and user.pages.inc to the new form interface and convert route I found.
+++ b/core/modules/user/lib/Drupal/user/Form/UserMultipleCancelConfirm.phpundefined
@@ -0,0 +1,220 @@
+ $form['accounts'] = array('#prefix' => '<ul>', '#suffix' => '</ul>', '#tree' => TRUE);
+ foreach ($accounts as $uid => $account) {
+ // Prevent user 1 from being canceled.
+ if ($uid <= 1) {
+ continue;
+ }
+ $form['accounts'][$uid] = array(
+ '#type' => 'hidden',
+ '#value' => $uid,
+ '#prefix' => '<li>',
+ '#suffix' => String::checkPlain($account->label()) . "</li>\n",
+ );
Me(@jibran) and @tim.plunkett unable to understand why '#prefix'
and '#suffix'
is used with '#type' => 'hidden'
Comment | File | Size | Author |
---|---|---|---|
#7 | update_the_markup_in-2049921-7.patch | 1.64 KB | jibran |
Comments
Comment #1
swentel CreditAttribution: swentel commentedWell, it's a neat trick to list the users, but it could probably be nicer :)
Comment #2
jibranCan some list the steps to fix this? I can work on that.
Comment #5
jibranHere we go.
Before
After
Comment #6
jibranBetter title.
Comment #7
jibranMinor docs improvement.
Comment #8
tim.plunkettThat is still one of the strangest bits of code I've seen. Thanks @jibran for fixing it!
Comment #9
xjmComment #12
xjmAt first I was going to ask why this was needed since it seemed out of scope. Usually I've seen this used for the data structure, not the rendering. Then I read:
https://www.drupal.org/docs/7/api/form-api/tree-and-parents
Okay, that sounds applicable. And the manual testing shows the fix works.
The updated structure is indeed much cleaner and more readable. Thanks! Committed to 8.4.x. I also reconsidered and chose to backport this to 8.3.x because slightly changing the render array structure in alpha is worth these branches not diverging in a confusing and ugly way.
Comment #13
jibranThanks! @xjm. Here is a fun fact at one point we thought this was a security issue. I'm going to create another issue for
\Drupal\comment\Form\ConfirmDeleteMultiple::buildForm()
to fix the markup.Comment #14
jibranCreated #2851849: Update the markup in comment module's ConfirmDeleteMultiple::buildForm(). The security issue reminds me that is it worth a security hardening to change the
'#type' => 'hidden',
to'#type' => 'value',
in the follow-up?