Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Ban module currently uses an event subscriber to implements its feature. Sadly this requires quite some code to be executed
before ban module can start its work.
Proposed resolution
Use a HTTP middlware, which has the big advantage that it runs much earlier. At the same time, there is even less code to be executed compared
to before, because you have
Remaining tasks
User interface changes
API changes
Comment | File | Size | Author |
---|---|---|---|
#17 | ban-middleware-2332983-17.patch | 6.98 KB | dawehner |
#17 | interdiff.txt | 1.21 KB | dawehner |
#12 | interdiff.txt | 388 bytes | dawehner |
#12 | ban-middleware-2332983-12.patch | 6.91 KB | dawehner |
#8 | interdiff.txt | 4.01 KB | dawehner |
Comments
Comment #1
andypostit's not clear, what is the order of the middleware executed?
Previously priority was used to order subscribers...
Comment #2
dawehnerWell, this is coming after page caching for example. Priority = 0.
Comment #3
andypostso any reason in ban after page cache?
suppose it should go before page cache...
Comment #4
Crell CreditAttribution: Crell commentedI'm not sure there's much advantage in this case, is there? Ban module is rarely enabled in the first place since it's much slower than doing the same thing at a web server or proxy level...
Comment #5
dawehnerWell, I decided to do it after page cache, as it is also after page cache in HEAD. We also should try to make page caching fast
but I agree that security might be more important.
Comment #6
jibranNo tests? Is it a good idea to add some phpunit here?
Comment #7
Fabianx CreditAttribution: Fabianx commentedNit - wrong comment.
Besides that: RTBC from my POV.
I don't think you ban a person from the page cache as usually banning is for preventing POSTs, etc. and less for preventing any page views. And yes that discussion / ticket would need to be follow-up as this is just a straight conversion.
For Tests: Yes, we could have a MockBanManager and a MockRequest to unit test the request stack.
Not sure it is needed though.
Comment #8
dawehnerThere are already ban module tests ... and well, we do have a DB call here, so I wonder how useful that would be.
Well, let's just write a unit test, to fast fail, in case we change this class in the future.
Comment #9
Fabianx CreditAttribution: Fabianx commentedRTBC, great tests!
And shows nicely how useful simple and nice to use middlewares are :).
Comment #10
alexpottActually the fact that banned user's can view cached pages could be viewed as a regression from D7 see #1929506: Banned IP addresses can still access cached pages and the corresponding CR https://www.drupal.org/node/1941682.
We could actually reverse this decision and give ban a higher priority than the page cache. The reason given in the CR is no longer valid since middlewares makes it entirely possible for the ban module to work as it did in D7.
Setting back to needs review for a bit of discussion.
Comment #11
catchStill think we should ditch the whole thing, but if we have it, then having it functionally equivalent to the 7.x logic seems better yes.
Comment #12
dawehnerSimple as that.
Comment #13
Crell CreditAttribution: Crell commentedOK then.
Comment #14
Fabianx CreditAttribution: Fabianx commentedComment #15
dawehnerI guess we should just remove [#1941682] after that?
Comment #16
xjmYeah I think we can just delete the old CR after commit. Nothing probably needs to reference it.
Comment #17
dawehnerOne suggestion of chx.
Comment #18
alexpottCommitted a8b92fe and pushed to 8.0.x. Thanks!