What to cover in an application review

Last updated on

22 September 2023

This documentation needs work. See "Help improve this page" in the sidebar.

When a project is reviewed for an application, the following are critical points that need to be considered.

Licensing
Security
Drupal coding standards
Correct usage of Drupal APIs

The following points are important and need to be considered too.

Code documentation
Project duplication

Licensing

All code that is a derivative work of Drupal (typically PHP code), including modules, themes, and installation profiles hosted on Drupal.org, is licensed under the same license used for Drupal: GPL version 2.0 and later. It is not possible to license modules, themes, and installation profiles hosted on Drupal.org under a license that is different from the one used from Drupal, including GPL version 3.0.
Third party libraries that are hosted elsewhere should not be added to the project repository, with the exceptions listed in Policy on 3rd party assets on Drupal.org / Third party libraries.

Security

Writing secure code for Drupal has a list of common security issues a project used for an application should not have.
That documentation page could be updated for lasted Drupal release; for previous Drupal releases, what it reports is still valid, but the security issue and how to avoid it involves different functions/methods/classes.

Drupal coding standards

We do not expect the project to 100% adhere to the coding standards, but plain sloppy and poorly presented code is not accepted.

Correct usage of Drupal APIs

We check all the PHP code line-by-line, looking for proper use of Drupal APIs, to verify that functions/methods receive the correct parameters, but also that the correct APIs are used.
Verifying the code does not contain security issues also verifies the Drupal APIs are correctly used. This is an extension of the previous point; it also includes those cases where misusing a Drupal API does not cause any security issue.