Closed (duplicate)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Minor
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
26 Oct 2020 at 03:30 UTC
Updated:
18 Aug 2025 at 17:20 UTC
Jump to comment: Most recent
Comments
Comment #2
jaseerkinangattil commentedComment #3
jaseerkinangattil commentedComment #4
avpadernoComment #5
jaseerkinangattil commentedComment #6
jaseerkinangattil commentedComment #7
avpadernoComment #8
jaseerkinangattil commentedTeam, Please review
Comment #9
ameer khan commentedI did a manual review & it works as described.
Comment #10
avpadernoIt would be helpful to describe the differences between this module and the Assets Injector module or the CSS Injector module, or the reasons why the users should choose this module instead of one of the other two modules.
That isn't the correct description of the permission, which doesn't allow to configure permissions, but to set the CSS classes associated to nodes.
body_class isn't the module name, which is Body Class.
That isn't the correct description of the purpose of that page.
The code should first check the user who is accessing the configuration page has the permission to edit the node.
The
elsebranch is not necessary, as the empty property can be used for the message to show when the table is empty. as in the following code used from a Drupal core module.Instead of rendering the table, the code could also return a render array, as the following code does.
The latter code is preferable, as it allows a third-party module, or Drupal core to cache the render array setting the #cache property.
Since the module uses directly the
body_class_attributes()function, andbody_class()is an one-line function (whose body can be merely written asreturn body_class_attributes($node);), that function can be removed.Either
user_access('administer nodes')is removed from theifstatement, or the#accessline is removed. (I would rather opt for the first solution.)User-entered values are eventually sanitized when rendered in the output, not when saved. The module is doing exactly the opposite. (See also the following lines taken from
body_class_preprocess_html().)Instead of using those lines, the code should use
db_merge(), whose purpose is described in Merge queries using db_merge.While sites are surely running on a PHP version higher than 5.6, the module should make explicit its dependency from a more recent PHP version. cPanel used from some service providers still allows to select PHP 4.4 for running a site.
Comment #11
avpadernoComment #12
avpadernoComment #13
avpadernoI am closing this application since there have been replies in the past 5 months.
Comment #14
avpadernoComment #15
avpaderno