Problem/Motivation
In #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases, the status messages explaining the security coverage for the installed versions are kind of wordy. Let's see if we can simplify the wording for better UX.
Proposed resolution
Improve the wording of the messages.
Remaining tasks
N/A
User interface changes
String changes (screenshots needed / see #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases for "before" screeenshots).
Message screenshots
Minor 8.2. is supported, no warning. Next minor has not come out.
Before:
After:
Minor 8.1 is supported, warning. Next minor 8.2 has come out
Before:
After:
Minor 8.0 is unsupported. 8.2 has come out
Before:
After:
Minor 8.8 supported based on date, no warning
Before:
After:
Minor 8.8 , supported based on date, warning because within 6 months of support being over
Before:
After:
Minor 8.8 , not supported based on date,
Before:
After:
Minor 8.9 supported based on date, no warning. No warning will show based on nearness of support being over
Before:
After:
Minor 8.9, support over
Before:
After:
API changes
N/A; string change only
Data model changes
N/A; string change only
Release notes snippet
N/A; string change only
Comment | File | Size | Author |
---|---|---|---|
#63 | 3110186-63.patch | 18.06 KB | tedbow |
#63 | interdiff-49-63.txt | 607 bytes | tedbow |
#54 | 3110186-54.49-again.patch | 18.05 KB | dww |
#52 | other_messages.png | 98.69 KB | tedbow |
#52 | 3110186-make-screenshots.patch | 2.26 KB | tedbow |
Comments
Comment #2
benjifisherComment #3
xjmIn #2991207-212: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases I wrote:
@tedbow replied:
We could maybe change it to "Covered" or "Not covered". Or we could do something else as part of reducing the amount of text. If we could say more with the header it would mean fewer sentences, maybe.
Comment #4
xjmOr here's another idea. We could get rid of the first paragraph by making the
$requirement['value']
header:Comment #5
dwwPosted this at #2991207-220: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases, but adding it here, too:
Do we expect end users to understand semver enough to know what "minor version" means? Should we find another way to word these messages to avoid using (introducing?) that terminology on this report?
Comment #8
tedbowHad another UX meeting on this today. With @xjm, @webchick, @benjifisher, me, and @ckrina
Here the consensus we came to:
Here is the current:
But it suggested we try to do something similar, make the heading more informative, combine the 2 & 3 paragraphs
Comment #11
tedbowcrediting more from the UX meeting
Comment #12
xjm#8 is missing one point, which was that the second sentence of the second paragraph can be eliminated by adding a link to the first sentence. Here's sample text:
Comment #13
xjmSince this is blocking the 8.8 backport and is a UX gate followup, bumping to critical.
Comment #14
benjifisherI am working on this.
Comment #15
benjifisherI am still working on a patch for this issue, but I wanted to point out a problem caused by the decision in #12. I used my WIP and hacked Drupal.php, setting
const VERSION = '8.7.7';
. This is what I see on my status report:We now have two different links to
/admin/reports/updates/update
under the error "Drupal Core Update Status" (link text "Not secure! (version 8.8.2 available)" and "available updates") and one link to/admin/reports/updates
under the warning "Drupal Core Security Coverage" (link text "Update to 8.8 or higher").I think it is confusing to have links to two different tabs on the same page. I also think it is confusing to have links to the same page with different link text, but that is out of scope for this issue. (I think we already have an issue for that anyway.)
On second thought, it was even worse before the decision in #12, since then we had the same link text ("available updates") going to two different tabs ("Available updates" and "Update").
I would like to change the link so that it goes to the same place (Update tab) as the links under "Drupal Core Update Status". Is that in scope for this issue?
Comment #16
benjifisherHere is a test-only patch. Watch me fail!
I copied the "after" screenshots from #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases into the "User interface changes" section of the issue summary for use as the "before" screenshots.
I am still doing some code cleanup, and then I will have to add "after" screenshots.
Comment #17
benjifisherHere is the full patch, and the testbot is not quite done with the test-only patch.
I still need to add some screenshots. I am not sure when I will have time for that, so I will un-assign myself.
Comment #19
tedbow@benjifisher thanks for the patch and the comments
I thought this feedback sounded familiar so I checked #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases
Sure enough @benjifisher pointed the same thing a year ago when we were first crafting this message https://www.drupal.org/project/drupal/issues/2991207#comment-12765333
So basically we had already considered the suggestion in #12 in making the message in first place but decided against it for this reason. I would be in favor of not doing #12
Comment #20
xjmOkay, can we have a prototype that retains the extra sentence from 12, to prevent future arguing about it? The original sentence has the same message.
Also we need to not make assumptions about what other update messages the users might be seing.
Comment #21
dwwAnother reason not to link to /admin/reports/updates/update for messages about core is that the "Update" form can't handle updating core. It just says "Manual updates required", and provides significantly less info than the "Available updates" report does for core releases. /shrug
Comment #22
benjifisherI am setting the status to NW for screenshots and for restoring the second sentence (#20).
@tedbow, thanks for looking up that comment. At least I am consistent!
Comment #23
benjifisherI am adding some screenshots.
Comment #24
benjifisherWe discussed this issue at the Drupal Usability Meeting - 2020-02-20. Here is what we decided:
I added #3115145: For core updates, link to list instead of update form as a follow-up issue. That takes care of point (3).
The decision in (4) removes the reason for my objection to removing the second sentence. The link text "Update to [version] or higher" in the "Drupal core security coverage" message is close enough to "Not secure! (version [version] available)" from the "Drupal Core Update Status" message that I do not think it will lead to confusion.
Re: #20. If I promise to stop arguing about it (see above) can we skip the prototype that restores the second sentence? I do not think we are doing anything that relies on the other message. We are not, for example, leaving off a link under the assumption that it will be in that message. We just want to avoid confusion in cases where both messages are present.
I am assigning this issue to myself to work on these points, and to add screenshots.
Comment #25
xjmThanks @benjifisher!
Comment #26
benjifisherI think the attached patch addresses all the points raised in #24. I will let the testbot do it thing while I take screenshots.
I made one change that is out of scope:
That is: we already check that we have the expected
<h3>
headers; the additional assertion is that no unexpected ones crept in. I am attaching an updated test-only patch (mostly because of the other updates to the test, not this one).Comment #27
benjifisherI created the screenshots by setting
protected $defaultTheme = 'seven';
in the test class and then running the test. (I just double checked that I did not commit that little hack.)Now that we have screenshots, this is really ready for review, unless the testbot disagrees.
BTW the patch in #26 removes some stray
<p>
tags. The comment in #24 was right that those were not just wrapping lines.Comment #28
benjifisherI am adding attribution.
Comment #30
benjifisherI forgot to unassign myself.
Comment #31
tedbowThis line change is out of scope and just adds line breaks.
It took a second for me figure out why
ltrim()
was being used here. It seems hard to read because the visible space is on the right.I realize now it is because it will trim to an empty string if the string is empty otherwise it will put a space between the 2 string.
I am guessing if it was hard for me to figure out it would be hard for others.
To me this would be easier to read
$message .= ($message ? ' ' : '') . $this->getReleaseCycleLink();
I checked and I only found pattern is only used 1 once(but it might be hard to find)
Sorry I have finished reviewing but didn't want to lose this
Comment #32
benjifisherI reverted the out-of-scope change aimed at keeping code lines to 80 characters or less.
I used the
ltrim("$var ")
pattern twice. The attached patch replaces both with a ternary expression, as suggested in #31.2.I considered making the two functions where
ltrim()
was used more consistent by changing the variable names to be consistent. I guess that is also out of scope for this issue.Comment #33
xjmI wonder if we should say "Coverage ending soon" or something like that in the warning case? (If we did that, it might be a case for making the LTS message a warning starting in May 2021 as @tedbow had mentioned earlier despite it still being a bugfix-supported releases. I could go either way on that, though.)Ignore my suggestion here; it's less detailed in all but one case. I should have looked at the screenshots first. :)
Comment #34
xjmTed is still working on his review for this patch, so assigning accordingly.
Comment #35
dwwMostly looks great. Definitely an improvement for the UI!
A few tiny questions on the tests:
Do we want/need both of these?
Do we actually want
$coverage_ended_message
as a local variable? All the other assertions include the title of the warning/error as human-readable text at the start of each 'message' declaration. Maybe we should re-use that pattern for the few cases we test coverage ended? The string literal takes 5 fewer chars to write, too. ;)Jah be praised! Since there are no longer multiple
<p>
we no longer need the weirdness of$see_available_message$release_coverage_message
and friends. Huzzah! :)Comment #36
benjifisher@dww:
Comment #37
tedbowThis line was just move but then line breaks were add. I know that it was indented and makes it more over 80 but I think we should change as little as we can. I don't think this breaks are needed for readability.
This line change is out of scope
This may be worth testing but it is out of scope here.
re #35.2 I agree with @benjifisher that we should add the variable to keep it similar to how we are handling other messages that are always the same.
Comment #38
benjifisher@tedbow, thanks for the review!
Personally, I feel that it should be in scope to improve compliance with coding standards when moving lines around, but I will not fight about it here.
The attached patch makes the changes requested in #37. In particular (#37.4) I did not make the change requested in #35.2. I think we have a majority agreement on that point but not a consensus. Maybe that is good enough for such a minor point.
Comment #39
tedbowLooks good to me. RTBC 🎉
Comment #40
xjmThis looks good; only one comment:
At one point we were requiring every
Markup::create()
call to include a comment explaining why any variable in it was already sanitized and known safe, to avoid contrib/custom code copying the pattern and introducing XSS. It looks like not all usages follow that anymore, but plenty of the non-test usages still do, so we should still include said comment here. The comment would be:This is technically not in scope I guess since this went into HEAD already with the previous version, so a followup would be OK too, but I'd prefer it here since it's a security consideration.
As above. Reflecting, I'm actually a little concerned that the string generation is so far removed from the
Markup::create()
forgetReleaseCycleLink()
(so it would be theoretically possible for user input to be introduced in that method without considering the impact on this one). Maybe a followup in that case.Comment #41
xjmComment #42
xjmDiscussed with @tedbow. Since these are the only two usages of
Markup::create()
in the update module anyway, we will address it here by converting to a render array and adding the strings to the render array elements, rather than passing around and concatenating variables.Reference: https://www.drupal.org/node/2296163
Comment #43
tedbowI still think it makes sense to assign to variables because they may or may not be set.
Comment #44
tedbowThese actually don't print $message or $description.
<p>
tags anymore that is not 2 paragraphs. I checked other status messages and they don't use themComment #45
tim.plunkettLocal cruft?
Nit, only since you have to post a new patch: blank line
Otherwise, looks good to me.
Comment #46
xjmI also recommended in Slack that the render array be initialized first and the strings added to it directly, rather than creating variables and adding them at the end.
Comment #47
tedbow#45 fixed
#46 Fix to use the separate string vars but the render array doesn't need to initialized first because we are adding a new key regardless
Comment #49
tedbowunused use statement
Comment #50
tim.plunkettPatch looks great, I think this deserves some screenshots (which also would serve as manual testing).
Comment #51
benjifisherI am updating the screenshots. I am using the same trick as in #27: setting
$defaultTheme = 'seven'
and running the automated test, so I am removing the "Needs screenshots" tag but leaving "Needs manual testing" for now.Comment #52
tedbowHere are the latest screenshots.@benjifisher beat me to it.<p>
tags. This is not more like all the other messages.Here is example with the message next to other messages.
You can see none have the space.
It does the following
\Drupal\Tests\update\Functional\UpdateCoreTest::securityCoverageMessageProvider()
only return the 1 case I want to look atI don't think need Manual Testing now
Comment #53
tim.plunkettThanks to both of you! I think this is ready to go
Comment #54
dwwBot is confused by the 3110186-make-screenshots_0.patch from #52. Re-uploading exactly #49 so the RTBC re-testing stuff is happening on the last patch in the issue.
Comment #55
dwwp.s. Re: #38:
#35.2 Was only a question and a "Maybe we should..." suggestion. I'm totally fine with the majority agreement on keeping it as it was. Let's call it consensus after all. ;)
Thanks,
-Derek
Comment #56
xjmNotes from a final review that are probably non-blocking, but I want to document them before I inspect the patch locally.
This can be
array[]
at least, or evenarray[][]
maybe, right? We should almost never usearray
as a typehint; something more specific is always possible.Ideally this would have an inline comment documenting that
getReleaseCycleLink()
returns a hardcoded translated string.I'm also wondering if we couldnt factor it differently so that we don't need the method at all?
I'm wondering about whether this way of including a date is actually sufficient for translators. In order to translate to their date format, they would need to reverse-engineer the
@date
back to a unicode timestamp, then output in their own date format. (I know we borrowed this particular date structure from a different status report so this is probably not blocking, but I'm going to ask @Gábor Hojtsy about it.Comment #57
Gábor HojtsyWhen a 'custom' date format is used, that is not at all translated. A named date format (one that has a corresponding config entity) would be translated. See https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Core%21Datetime%...
I don't think you would want to use any of the html_* formats as those are for dates that go direct into markup (eg. HTML attributes) and should not be translated. I don't think any of the other three formats match what you want here. So translatability would need new named date formats (shipped date format config entities) for these purposes here.
Whether that is in the scope of this issue or not would be a release manager question probably :)
Comment #58
xjmThanks @Gábor Hojtsy! I think it is not in scope here; it was feedback of mine on the original issue that never got addressed. I feel strongly that we should allow translators to translate dates into their calendar even if they don't use the Gregorian calendar. I remember that @tedbow was concerned that translators might make the date more specific than it's supposed to be, but I think that's preferable to imposing a foreign calendar on people. That said, it's out of scope here and only shown to administrators, so it's less bad than other places where the wrong date format might be used.
After reviewing locally, #57.2 is also out of scope because this was another thing that was added in the original issue. I think there's some refactoring that should maybe be done, but that also would be a followup.
Comment #59
Gábor HojtsyOpened #3117120: Project update related date formats are not properly localisable for date formats.
Comment #60
xjmThis is returning a render array, as it says. Render arrays are basically always
array[]
for one or more levels of nesting.Comment #61
benjifisherI added #3117157: Refactor Drupal\update\ProjectSecurityRequirement to remove methods returning string to address #56.2 (referred to as #57.2 in #58). I am removing the "needs followup" tag and setting the status to NW for #56.1.
In the follow-up issue, I suggested refactoring/removing both
getVersionNoSecurityCoverageMessage()
andgetReleaseCycleLink()
. I hope that is OK, and that my proposed resolution is in line with what you had in mind.Comment #62
xjmPerfect, thanks @benjifisher!
Comment #63
tedbowSo here is the fix for #56.1
Comment #64
benjifisherI checked the patch in #63, and it does what it is supposed to do. I would set the status to RTBC, but I contributed earlier patches to this issue.
A warning to anyone else who wants to check this: the
interdiff
utility gets confused when comparing the patches in #49 and #63. If you look at a diff (not interdiff) between the two patches, you will see just the change in @tedbow'sinterdiff-49-63.txt
and a bunch of changed line numbers.Comment #65
dww#63 Solves #56.1.
#56.2 is at #3117157: Refactor Drupal\update\ProjectSecurityRequirement to remove methods returning string
#56.3 is at #3117120: Project update related date formats are not properly localisable
So that's everything since the last RTBC. I did another review and I don't see anything to complain about (which is rare). ;)
Bot is happy. No CS warnings. Back to RTBC.
Thanks, all!
-Derek
Comment #69
Gábor HojtsyYay thanks all! Let's start this issue domino and see where we end :D