Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
#1890878: Add modular authentication system, including Http Basic; deprecate global $user
replaced global $user by \Drupal::request()->attributes->get('account'). However, this attribute is not available during access checks e.g. for menu links.
We need to populate account and other attributes to the Request in menu_item_route_access
This is closely related to the problem in #2032553: The _account attribute on the Request is not available during web tests
Comment | File | Size | Author |
---|---|---|---|
#24 | account-2040065-24.patch | 5.26 KB | dawehner |
#24 | interdiff.txt | 515 bytes | dawehner |
#22 | drupal-2040065-22.patch | 5.62 KB | dawehner |
#22 | interdiff.txt | 1.84 KB | dawehner |
#15 | menu-2040065-15.patch | 4.56 KB | tim.plunkett |
Comments
Comment #0.0
pwolanin CreditAttribution: pwolanin commentedimprove summary
Comment #1
dawehnerThis works on the real page but not in the test.
Comment #2
pwolanin CreditAttribution: pwolanin commentedThis is actually a big blocker to removing $GLOBALS['user']
Comment #3
pwolanin CreditAttribution: pwolanin commentedoops, missed the patch
Comment #4
dawehnerForgot the new file, but the problem is still that the request is not available in the request.
Comment #5
pwolanin CreditAttribution: pwolanin commentedFixing the interface name in the test.
Comment #7
pwolanin CreditAttribution: pwolanin commentedComment #9
dawehnerJust in general, even if this actually touches functionality which better will be removed in the fugure, I think at least the access checker is actually helpful in various places.
Comment #10
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis is bogus, given the signature of the method:
We are going to need to set the attributes after the request is created. But really, we probably do not want to copy over all the attributes, so we need to figure out some form of whitelist.
Comment #11
tim.plunkettStarting to hit this in conversion issues. What about this for now?
Comment #12
dawehnerI don't see a reason why we still need the global user? Can you please at least add a comment why this is still needed?
Comment #13
tim.plunkettI have no idea *why* its needed, just that during my manual testing, the request didn't always have the account.
Comment #14
tim.plunkettLet's see if the bot can tell us anything.
Comment #15
tim.plunkett#2043781: Drupal::request()->attributes->get('account') may conflict with an account object loaded from the path happened.
Comment #16
pwolanin CreditAttribution: pwolanin commentedThis seems to overlap a bit with this? #2046737: Add a method to the AccessManager that only needs a route name and parameters
Comment #18
tim.plunkettSince maintainers are now bouncing patches for using global $user/user_access(), and spreading the
?: $GLOBALS['user']
hack around core would be unfortunate. We need to find where the _account isn't being set and fix it.Comment #19
dawehner#2032553: The _account attribute on the Request is not available during web tests is the reason why this is currently failing.
Comment #20
tim.plunkett#15: menu-2040065-15.patch queued for re-testing.
Comment #22
dawehnerReroll and fixing the test.
Comment #24
dawehnerThis should fix all of them (just tried to book ones).
Comment #25
andypostGet this bug in #1938390-62: Convert contact_site_page and contact_person_page to a new-style Controller
Comment #26
dawehnerLet's open a new issue for fixing the non existing _account in exception cases.
Comment #27
catchI can see us having to add more and more attributes individually here. Why not Request::duplicate()?
Comment #28
dawehnerThe problem I see is that you potentially override all kind of variables you would not expect to be there, like upcasted values.
Comment #29
catch#2004086: The Request service must be synthetic has the same problem.
It's not going to fly doing this every single place a new request gets created, so at a minimum there should be a helper for this to centralize the logic. But the fact we're having to do this at all smells very bad indeed.
Comment #30
catchRe-titling.
Comment #31
dawehnerIt seems to be that this would be solved by #2062151: Create a current user service to ensure that current account is always available automatically.
Comment #32
catchYes that's exactly what I was after, postponing.
Comment #33
catchThat issue's in, is this the right status change?
Comment #34
catchNope, 'cos #2073531: Use current user service instead of _account, remove _account from the request object was already opened by me of all people.
Comment #34.0
catchlink to 2032553