[D8] OpenBusiness Installation Profile

Thanks for you contribution!

1. It looks like all the git commits were done by user iuana? So we should probably approve her for security advisory coverage.
2. git repository: all the profile files should be in the repository root, there should not be an additional openbusiness_profile folder.
3. openbusiness_profile.info.yml: the description should say what this profile does or can be used for, not just who made it.
4. openbusiness_profile.profile: empty file that should be removed.
5. content_creator module: wrong name, all modules of your installation profile must be prefixed with the profile name. So this should be openbusiness_content_creator?
6. openbusiness_theme_form_user_register_form_alter(): unset() on form elements is problematic because other modules might rely on them. Instead, you should set #access to FALSE on form elements that you want to hide. Please check all your form functions and change that.
7. openbusiness_theme/src is an empty folder that just has a README?
8. openbusiness_theme/templates/system/html.html.twig: Why are you using the "raw" filter here? This is a potential security issue since it disables auto-escaping. I did not try to exploit it yet, but all the Drupal core themes do not use the "raw" filter here, so this looks suspicious. This is currently a security blocker.

Assigned by accident, undoing that.

I added a link to the PAReview checklist.

Please resolve the warning and errors first.

Hi ,

Below is my findings,

1. Please add hook_uninstall wherever you use hook_install .install file for removing saved configuration values whenever user uninstall this module/distribution.
2. function openbusiness_theme_form_user_pass_alter(&$form, FormStateInterface $form_state, $form_id) {
$form['login_account'] = [
'#type' => 'link',
'#title' => t('Log in'),
'#url' => Url::fromRoute('user.login'),
'#id' => 'login-reset-password',
'#weight' => 99,
'#prefix' => '

Go to', use t function here

3. Also Fix pareview.sh issues

There are three users committing codes for the project.

• rav98 - 22 commits
• SorinV - 23 commits
• iuana - 13 commits

I am closing this application, since the purpose of it is reviewing what a single user understands about writing secure code that follows Drupal coding standards and correctly uses the Drupal API; the result of these applications is that we give to that user the role necessary to opt into security coverage for the projects the user has created and will create.
These applications aren't a review of a group effort to make a project secure; they aren't about projects but the user who creates the application who, for the time of the application, must be the user with the most commits for the project, if not the only user committing code.

People should not get punished for contributing collaboratively. If they all have equal commits to the project we can simply approve all of them since it is a team effort.

@rav98: let us know once you are ready for review again, then please set this back to "needs review".

The intent of these applications is not reviewing more than a user with a single application. It has never been that since the time they were for giving users CVS access.

If we allow this application, we are going to review the project, not what a single user understands about writing code. For that reason, it's not an account that is going to be changed, but the project.

Hi @rav98,

Thank you for contribution!!!

Below are some errors & warnings in the functional test file. Please take a look.

FILE: /Library/WebServer/Documents/d81/web/modules/review/openbusiness/tests/src/Functional/OpenBusinessProfileTest.php
---------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 1 ERROR AND 1 WARNING AFFECTING 2 LINES
---------------------------------------------------------------------------------------------------------------------------------------------------
 37 | ERROR   | Do not disable strict config schema checking in tests. Instead ensure your module properly declares its schema for configurations.
 67 | WARNING | t() calls should be avoided in classes, use \Drupal\Core\StringTranslation\StringTranslationTrait and $this->t() instead
---------------------------------------------------------------------------------------------------------------------------------------------------

Hi @rav98,

#12 is not the blocker, everything will work fine that's why I haven't changed status.
It just the report of the code_sniffer for the Drupal best practices.
* use $this->t() instead t()

1. HomeController: why do you need this controller? It is not really doing anthing? Please add a class code comment.
2. openbusiness_theme/templates/system/html.html.twig: Why are you using the "raw" filter here? This is a potential security issue since it disables auto-escaping. I did not try to exploit it yet, but all the Drupal core themes do not use the "raw" filter here, so this looks suspicious. This is currently a security blocker.
3. openbusiness_theme.info.yml: always use 2 spaces for indentation, otherwise you can easily confuse the YAML parser.

1. HomeController: no need to get rid of it if you need it, just add a code comment why and how you are using it.
2. I checked the core placeholder_token code and it seems it does not matter id the raw filter is used or not. renderHtmlResponseAttachmentPlaceholders() just replaces the token and it does not matter if that token was raw before or not. So there should not be a security issue in the Bootstrap theme.

Thanks for your contribution, rav98!

I updated your account so you can opt into security advisory coverage now.

Here are some recommended readings to help with excellent maintainership:

• Dries' post on Responsible maintainers
• Best practices for creating and maintaining projects
• Maintaining a drupal.org project with Git
• Commit messages - providing history and credit
• Release naming conventions.
• Helping maintainers in the issue queues

You can find lots more contributors chatting on IRC in #drupal-contribute. So, come hang out and stay involved!

Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

Thanks to the dedicated reviewer(s) as well.