Problem:
Any developer may add an arbitrary {foo} element to the path and expect the raw or upcast value in the request attributes. However, Drupal core is currently putting may elements into attributes including 'system_path', 'theme', etc.
This makes for an unpredictable/poor developer experience since they would have to hope that a chosen path slug doesn't conflict with a value used by core, or worse, some contributed module.
Symfony already adds some such elements, but they are named with a "_" prefix like "_route".
Proposed Solution:
Based on the solution at:
#2043781: Drupal::request()->attributes->get('account') may conflict with an account object loaded from the path
We should at least prefix every one of these with "_" so that it does not conflict with an attribute from a path slug.
We should also add to the coding standard an expectation that and module-added attributes should be prefixed with _ or something else.
Note: an ideal solution would b more comprehensive (e.g. subclassing the Request class), but this solution ought to be sufficient for Drupal 8.
Comment | File | Size | Author |
---|---|---|---|
#9 | 2052389-7.patch | 22.29 KB | pwolanin |
#9 | 2052389-2-7.increment.txt | 3.68 KB | pwolanin |
#2 | 2052389-2.patch | 19.16 KB | pwolanin |
Comments
Comment #0.0
pwolanin CreditAttribution: pwolanin commentedUpdated issue summary.
Comment #1
dawehnerJust linking one subissue: #2048099: Replace system_path with _system_path
Comment #2
pwolanin CreditAttribution: pwolanin commentedThis converts system_path to _system_path, which is the main culprit.
Comment #3
dawehnerI don't really understand why you redid it, even there was an existing issue with a patch, but well.
Comment #4
pwolanin CreditAttribution: pwolanin commented@dawehner - oh, sorry I didn't know about the other issue. I want to add any others like 'menu_item' to this as well (though happy for it to go in multiple different patches).
Comment #5
pwolanin CreditAttribution: pwolanin commentedsome other possible problems:
Comment #6
tim.plunkettThe menu_link, menu, and node_revision are coming directly from the route placeholders, that's correct. Not sure about user.data.
But drupal_menu_item should be handled here.
Comment #7
dawehnerCan we please get the system_path in first, as it is really simple for now.
drupal_menu_item is something we don't want to deal with on the longrun anyway, as it just exists on the legacy router system.
Comment #8
tim.plunkettFine by me.
Comment #9
pwolanin CreditAttribution: pwolanin commentedhandles drupal_menu_item
Comment #10
dawehnerGreat.
Comment #11
webchickThis makes a ton of sense to me. I'm pleasantly surprised that these are the only places that need to be changed, but cool.
Committed and pushed to 8.x. Thanks!
Comment #12
webchickHm. And actually, let's change notice this.
Comment #13
dawehnerI changed the example on https://drupal.org/node/1539454/revisions/view/2789033/2789035 but yeah it is not a real change notice.
The question is whether we should try to group change notes.
Comment #14
tim.plunkettFixing tags
Comment #15
catch#2083415: [META] Write up all outstanding change notices before release.
Comment #16
dawehnerhttps://drupal.org/node/2083979
The existing ones already got updated, so this is just a new one.
Comment #17
jibranComment #18
pwolanin CreditAttribution: pwolanin commentedIt was unclear to me from Daniel's comment, but https://drupal.org/node/2083979 is the requested change notice.
Comment #19
effulgentsia CreditAttribution: effulgentsia commentedWondering if anyone here has feedback on #1778122-87: Enable modules to inject attributes into field formatters, so that RDF attributes get output where I'm asking whether we should adopt a similar leading "_" convention in Field API: specifically, for adding non-field-type-specific properties to field items: in that issue's case, an "_attributes" property for HTML attributes added by RDF and similar modules. If you do, please comment there; thanks.
Comment #20.0
(not verified) CreditAttribution: commentedUpdated issue summary.