Proposed commit message
Issue #687588 by tsphethean, mirie, Cottser, porchlight, cyborg_572, rgoodine, adci_contributor, joshi.rohit100: Remove access check from submit() in UserCancelForm
Problem/Motivation
Form _submit and _validate callbacks should not call user_access('administer users') (for D7) or ->hasPermission('administer users') (for D8). Having the access checks in _submit and _validate callbacks limits hook_form_alter() because one cannot alter out the permission check without rewriting the callbacks from scratch.
Proposed resolution
Move the access check into the user cancel form by setting a #value, so that it can be altered to some other permission by another module if desired. The permission condition check in _submit and _validate callbacks should check the value set in the form.
Remaining tasks
- Create a patch for D8
- Backport patch to D7
Original report by @agentrickard
Beta phase evaluation
Issue category | Bug because the current way limits the ability of contrib to alter this form's access |
---|---|
Unfrozen changes | Unfrozen because it only changes the way access is checked on the user cancel form to be more consistent with other parts of core |
Comment | File | Size | Author |
---|---|---|---|
#60 | 687588-60.patch | 4.61 KB | star-szr |
Comments
Comment #1
agentrickardMoving
Comment #2
oriol_e9gFirst solve and discuss in this issue http://drupal.org/node/687586 and then come back here to apply the same solution.
Comment #3
oriol_e9gComment #4
dixon_subscribing
Comment #5
emclaughlin CreditAttribution: emclaughlin commentedThe only place I can find that calls user_cancel_confirm_form_submit() in 8.x is user_multiple_cancel_confirm_submit(). I can't find anything that calls user_multiple_cancel_confirm_submit(). Is this some feature of drupal/php that I'm unaware of where some behind the behind the scenes mojo in user_cancel_confirm_form() calls user_cancel_confirm_form_submit() (or the equivalent for the multiple cancel)? Or are these both just functions that have been deprecated but are still used somewhere I can't find?
Comment #6
pjcdawkins CreditAttribution: pjcdawkins commented@emclaughlin module_formID_submit() is called dynamically when the form generated by module_formID() is submitted successfully.
That's the default submit callback (others can be defined explicitly in
$form['#submit']
).Comment #7
tsphethean CreditAttribution: tsphethean commentedI have reviewed the approach in 687586 and applied the same approach here. Let me know if anything additional is required as I see that despite a successful patch the 687586 issue was re-opened.
Comment #8
tsphethean CreditAttribution: tsphethean commentedComment #10
tsphethean CreditAttribution: tsphethean commentedRevised patch attached - now checking for null response from user_access call
Comment #12
tsphethean CreditAttribution: tsphethean commentedA little confused by why this is failing - I'm not getting the same notice when I test locally and stepping through adding debug output at each step has been successful.
I've added an extra isset check in this patch - hopefully that is ok but let me know if I'm missing something!
Comment #13
agentrickardLooks good.
Comment #14
oriol_e9gLooks good, doesn't add new features and don't break anything, so...
Comment #15
oriol_e9gWait!
1) Why use numbers here:
And then we use a boolean for the same:
Should be more consistent use TRUE/FALSE in both places.
2) Instead of use this:
I think it's better the compact form:
Comment #16
agentrickardI agree with TRUE/FALSE but Drupal coding standards dissuade the use of ternary expressions.
Please don't recommend changes that violate standards.
Comment #17
agentrickardFor TRUE/FALSE and brevity, we can just use:
In the IF, probably simpler to do this:
Clear, concise and avoids the ternary operator.
Comment #18
tsphethean CreditAttribution: tsphethean commentedThanks for the feedback and suggestions. Revised patch attached.
Comment #19
agentrickardNow there are redundant lines:
The first !empty() assumes that the 'administer users' form element is set. If not set and TRUE, admin riggers will not fire.
Comment #20
tsphethean CreditAttribution: tsphethean commentedGood point - revised patch attached.
Comment #22
tsphethean CreditAttribution: tsphethean commentedGah, sorry - typo on the form state values. Fixed working patch attached.
Comment #23
tsphethean CreditAttribution: tsphethean commentedGah, sorry - typo on the form state values. Fixed working patch attached.
Comment #24
tsphethean CreditAttribution: tsphethean commentedA while since this has moved so re-rolled against latest D8 build, apply cleanly so seeing what testbot makes of it now.
Comment #25
tsphethean CreditAttribution: tsphethean commentedSorry, not sure how I thought that last patch would apply... re-rolled now and re-queueing for testing.
Comment #26
tsphethean CreditAttribution: tsphethean commented#25: user-cancel_submit_remove-687588-25.patch queued for re-testing.
Seeing whether testbot still likes this one
Comment #30
mirie CreditAttribution: mirie commentedOk, did a little investigating with @esod. This needs to be rerolled for D8. Looks like this form + submit handler in D8 is now located in /core/modules/user/src/Form/UserCancelForm.php
line 125 shows that the administer user check is still inside of the submit handler:
Comment #31
mirie CreditAttribution: mirie commentedComment #32
mirie CreditAttribution: mirie commentedComment #33
mirie CreditAttribution: mirie commentedHere's a patch @esod and I worked on for D8 to move the user access check out of submit() to $form.
Comment #34
esod CreditAttribution: esod commentedComment #36
mirie CreditAttribution: mirie commentedOh whoops. Forgot #value in all of the excitement. Here's a new patch.
Comment #37
mirie CreditAttribution: mirie commentedComment #39
mirie CreditAttribution: mirie commentedOk, I think I figured out by looking at UserCancelTest and running that test locally.
Comment #40
mirie CreditAttribution: mirie commentedComment #41
joshi.rohit100As i think, in buildForm() method, we have
$user = $this->currentUser();
so why not just use
$user->hasPermission('administer users');
instead of
$this->currentUser()->hasPermission('administer users');
So resubmitted patch.
Comment #42
jhedstromComment #43
adci_contributor CreditAttribution: adci_contributor commentedTrying to reroll
Comment #44
jhedstromThis comment goes over the 80-character line-wrap.
Trailing whitespace here.
Comment #45
adci_contributor CreditAttribution: adci_contributor commentedThanks.
Comment #46
jhedstromThis looks good to me. I've updated the issue summary with a beta phase evaluation.
Comment #49
jhedstromBack to RTBC.
Comment #52
star-szrComment #53
star-szrActually this could use a small test.
Comment #54
star-szrWe are working on the test during sprint weekend in London Canada!
Comment #55
star-szrHere is a test, adding a proposed commit message to the issue summary because I had a lot of help from other sprinters.
The patches should fail and pass, respectively.
Comment #56
star-szrAlso this could potentially be backported I'd think, not sure why it was removed around #31.
Comment #58
jhedstrom+1 for the new test! I think this is back to RTBC now.
Comment #60
star-szrThanks @jhedstrom!
Looks like there was just a small context change. Rerolled.
Comment #61
jhedstromBack to RTBC assuming bot goes green.
Comment #64
jhedstromAnd again...
Comment #65
alexpottCommitted 20a76f0 and pushed to 8.0.x. Thanks!
Thank you for adding the beta evaluation to the summary.