The $field paramater to field_access() is pretty confusing. Some people think it's a field name, others think it's the whole field structure array. Getting this wrong leads to silently causing access bypass bugs. For example, I just found one over at #1393194: Access bypass in field_collection.
http://api.drupal.org/api/drupal/modules--field--field.module/function/f... just says:
"$field The field on which the operation is to be performed."
It'd sure be nice if a) that had a type and b) explained it's the field structure definition, not just a field name.
Not sure if "documentation bug" is the right issue tag for stuff like this anymore...
Comment | File | Size | Author |
---|---|---|---|
#18 | 1393234-field-access-docs-2.patch | 894 bytes | Niklas Fiekas |
#14 | 1393234-field-access-docs.patch | 1.01 KB | Niklas Fiekas |
#6 | 1393234-6.field_access_api_docs.patch | 1.03 KB | dww |
#3 | 1393234-3.field_access_api_docs.patch | 858 bytes | dww |
#1 | 1393234-1.field_access_api_docs.patch | 829 bytes | dww |
Comments
Comment #1
dwwPatches for D7 and D8.
Comment #2
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedThese should be single quoted strings. See below.
Per http://drupal.org/node/1354 @see should be at the end of doc blocks. But because it's in the context of this parameter, so maybe just something like: "See field_info_field()." The function name would be linked automatically anyway.
For reference: Single quotes here are correct.
Comment #3
dwwThanks for the review.
The "view" etc are already in there, not changed by my patch. But sure, we can fix that while we're at it.
I suspected the inline @see was going to be a "problem", but fine, changed it to
See field_info_field().
Let's finish bikeshedding the D8 version before we bother with the D7 backport.
Cheers,
-Derek
Comment #4
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedComment #5
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedWhoops, then I've also been reviewing the context of that hunk. But yes, why not fix it. Very good. When we're doing that, we could just as well add a newline between the @param's and the @return. After that, this should be good to go.
Comment #6
dwwNewline added.
Comment #7
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedVery good.
Comment #8
xjmActually, while we're changing it, I'm fairly sure the array keys are not supposed to be quoted at all. See:
http://drupal.org/node/1354#lists
#1333534: Further cleanup for documentation in core/includes files starting with A-G
Comment #9
xjmAnd actually I'm dumb because these are values, not keys. Disregard #8. :)
Comment #10
catchWhy not use @see?
Comment #11
Niklas Fiekas CreditAttribution: Niklas Fiekas commenteddww had a @see that, but I said he shouldn't. When reviewing that I looked at http://drupal.org/node/1354. It says, that there should be no inline @see's. If we put the @see at the end of the docblock (as recommended) it doesn't have the effect we want. So ... if we can use an inline @see there, we should, but ...
Comment #12
catchOK that makes sense, if we need it in context we shouldn't use @see, back to RTBC :)
Comment #13
catchCommitted/pushed to 8.x.
This probably needs backport?
Comment #14
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedSimple backport.
Comment #15
xjmHum, realize I'm late to the party on this, but would it be better to say why we need to see
field_info_field()
explicitly?Comment #16
xjmEh, it's clear. :)
Comment #17
webchickI don't think we put data types in parameters in D7.
Comment #18
Niklas Fiekas CreditAttribution: Niklas Fiekas commentedOh ...
Comment #19
xjmRight, forgot about that, sorry. #18 looks fine.
Comment #20
dwwRe: #17-19: grep says otherwise. There are ~60 files in core that put something between @param and the $name (total ~350 times). I just thought that improvement was incomplete and on-going. I prefer #14 (equivalent to #6 that's in D8). But if there's some conscious policy to eradicate this from D7 I'd love to know the more appropriate issue for me to oppose such a policy. ;)
Either #14 or #18 are better than what we have now, and RTBC. I'll let webchick decide. ;)
Comment #21
xjmWell, we decided in the original issue to add the param docs in
d7d8 only. See http://drupal.org/node/1354#functions. There's also a longer explanation in the original issue.Comment #22
dwwFrom the linked page on documentation standards:
I'd say this would be a case of "non-obvious types", and therefore, worthy of including the types. Honestly, I really don't see the harm in providing this info if we've got it. But, I don't know what "the original issue" is, so I can't read the longer explanation.
Anyway, either #14 or #18 are an improvement. I just think #14 is more of an improvement. ;)
Cheers,
-Derek
Comment #23
xjm@dww: Sorry, thought I'd linked it. See webchick's post at: #1296842-29: Clarify scope of PHP coding standards for core (major version) and contrib code.
Comment #24
webchickCommitted and pushed #18 to 7.x. Thanks!