Problem/Motivation

The switch shortcut form (/user/N/shortcuts) displays the 'id' field when the associated text field 'label' is not visible.

I first saw this in a 9.5 installation, confirmed in 10.x.dev on simplytest.me.

Steps to reproduce

On a default Drupal installation:

  1. Create a second set of shortcuts
  2. Grant 'switch shortcut sets' ("Select any shortcut set") to authenticated users
  3. Create a new user
  4. Log in as the new user
  5. Go to the new user's account page ("My account")
  6. Go to the Shortcuts tab

Currently, you see a set of radio buttons for the existing shortcut sets, and a text field named "Machine-readable name". This happens because there is no #access key on the id element like there is on the label element.

If you visit the form as an admin with the administer shortcuts permission, then only the label element is visible unless you want to customize the id. In which case you can choose to display the id element as you normally would by clicking the link next to the label element.

But in the case of a user without the administer shortcuts permission, you don't have access to the label element. The label element is then omitted from the form. Without it, the normal processes that hide the id don't work. So the id gets displayed to the user.

Proposed resolution

Copy the #access key from the label to the id so it is omitted entirely if the user should not have permission to see it.

Remaining tasks

User interface changes

The Machine-readable Name field will be removed from the form for people who shouldn't be able to see it.

Before:
The shortcut switcher form with a machine-readable name field

After:
The shortcut switcher form with no machine-readable name field

Introduced terminology

API changes

Data model changes

Release notes snippet

CommentFileSizeAuthor
#12 after.png11.01 KBdcam
#12 before.png20.94 KBdcam
#2 drupal-hide-shortcut-id-3389633-1.patch673 bytesbrad.bulger

Issue fork drupal-3389633

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

brad.bulger created an issue. See original summary.

brad.bulger’s picture

brad.bulger commented
StatusFileSize
new drupal-hide-shortcut-id-3389633-1.patch673 bytes

It's such a small change, and has been like this for so long apparently, I feel like I must be missing something.

brad.bulger’s picture

brad.bulger commented
Issue summary: View changes
viren18febs’s picture

viren18febs commented
Status: Active » Needs review
smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work
Issue tags: +Needs tests

Thanks for reporting, next step would be to add a test showing the issue.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

dcam made their first commit to this issue’s fork.

dcam opened merge request !13637

dcam’s picture

dcam commented
Title: switch shortcut form displays id (machine name) field when label field is not visible » SwitchShortcutSet form does not set access on machine name element
Issue summary: View changes
Status: Needs work » Needs review
Issue tags: -Needs tests

I disagree with the approach taken in #2. That would only hide the element visually. What we really need to do is set the #access on the element so it's removed from the form entirely for those who shouldn't have permission to see it. In fact, this is sort of a security gray-area. Users have the ability to see something that they shouldn't. Fortunately, they can't do anything with it. Entering text into the element does nothing. Otherwise I'd be contacting the security team. I considered adding the Security Improvements tag, but decided not to.

I added test assertions in addition to changing the proposed fix. I also updated the issue summary.

dcam’s picture

dcam commented
smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

So ran the test-only run

$this->assertSession()->elementNotExists('xpath', '//input[@id="edit-set-new"]');
    $this->assertSession()->elementNotExists('xpath', '//input[@id="edit-label"]');

Based on the comment in the test I'd expect these to fail but they pass, doesn't fail till it gets to 

$this->assertSession()->elementNotExists('xpath', '//input[@id="edit-id"]');

So if we are still showing these items 1. Think we need screenshots so people can see the change. But comments should also be updated.

dcam’s picture

dcam commented
Issue summary: View changes
Status: Needs work » Needs review
StatusFileSize
new before.png20.94 KB
new after.png11.01 KB

I'm happy to add screenshots so this issue is clearer. It's done.

Based on the comment in the test I'd expect these to fail but they pass...

No, they're passing correctly. There's no issue with those elements. In other words, they're being hidden appropriately. But there's no test coverage for it. I could have left those assertions out because they have nothing to do with this issue. But they were easy to add along with the assertion for this issue. Just consider it to be bonus coverage. See the before image I've added. There is no "New set" radio button or "Title" text field.

But comments should also be updated.

I assume you're talking about this comment:

    // Verify that users without the "administer shortcuts" permission have
    // access to the set selection radios, but not the new shortcut form
    // elements.

Users without that permission shouldn't be able to see the "New set" radio, "Title" text field, or "Machine-readable Name" field. These are the elements related to adding a new shortcut set. Would you prefer alternative text that explains it in a different way?

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

Suppose this works. Shortcuts UI is so weird, probably why it's up to be removed too. But this does address the issue described in the summary.

jibran’s picture

jibran
he/him
Primary language Urdu
Location Toronto, Canada
commented

Can we have a test only PR to show the fail?

smustgrave’s picture

smustgrave commented

No longer needed. In the MR there’s a test only run feature

jibran’s picture

jibran
he/him
Primary language Urdu
Location Toronto, Canada
commented

Thanks for pointing that. RTBC++

longwave’s picture

longwave
he/him
Primary language English
Location UK
commented
Version: 11.x-dev » 10.6.x-dev
Status: Reviewed & tested by the community » Fixed

I think this functionality is very rarely used which is why nobody has really noticed it before! Backported down to 10.6.x as an eligible bug fix.

Committed and pushed 508e5ebfd25 to main and ad20c0b53e7 to 11.x and b62d87bedd6 to 11.3.x and ec7d387dd4b to 10.6.x. Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

  • longwave committed ec7d387d on 10.6.x 
    fix: #3389633 SwitchShortcutSet form does not set access on machine name...

  • longwave committed b62d87be on 11.3.x 
    fix: #3389633 SwitchShortcutSet form does not set access on machine name...

longwave closed merge request !13637

  • longwave committed ad20c0b5 on 11.x 
    fix: #3389633 SwitchShortcutSet form does not set access on machine name...

  • longwave committed 508e5ebf on main 
    fix: #3389633 SwitchShortcutSet form does not set access on machine name...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.