Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Issue tags:
Reporter:
Created:
7 Oct 2021 at 20:06 UTC
Updated:
8 Nov 2021 at 14:34 UTC
Jump to comment: Most recent
Comments
Comment #2
avpadernoWe only review a single branch for a single project. Please choose the branch you want to be reviewed and edit the issue summary accordingly.
Is the account used to post this application a shared account?
Comment #3
avpadernoAnyway, there aren't commits from the account used to create this application; we cannot accept an application that uses a project for which the user who created the application hasn't done any commits.
Comment #4
mpbackenduser commentedThank you for the feedback
Code is committed with account maintenance account. Summary section is updated accordingly need review only for the below branch.
git clone --branch '8.0-x' https://git.drupalcode.org/project/motionpointtranslation.git
Comment #5
mpbackenduser commentedComment #6
avpadernoSee comment #3: A user who hasn't committed code in a project cannot apply using that project. These applications are for users, not for projects.
Comment #7
avpadernoComment #8
mpbackenduser commentedCommits for MotionPoint Translation Provider(D7,D8,D9)
8 Oct 2021 at 09:07 EDT
Commit 9d5f63f on 8.0-x
by MotionPoint
Commit the project for security review
The code is committed by the User "MotionPoint" who created the Project. Please let me know is anything iam missing.
there are two more additional developers (sugumarant and yli are added as maintainers for the project)
Comment #9
mpbackenduser commentedComment #10
avpadernoThat's just one commit. There is a user who made more commits.
I also asked: Is the account used to post this application a shared account?
Comment #11
mpbackenduser commentedYes Sir the account is the shared account with the developers of MotionPoint. the user sugumarant is the Senior Software Engineer worked on this project. If you want i can ask the developer sugumarant to create the project and submit the code for security review.
Sir We are new to the drupal ecosystem apologize if we missed any of the process.
Comment #12
mpbackenduser commentedComment #13
avpadernoThere is no need to create a new project: sugumarant can commit code in the existing project and follow this application.
As side note, shared accounts cannot be used to:
Comment #14
avpaderno8.0-x and 9.0-x are wrong tag names. The correct ones would be 8.0.x and 9.0.x. New tags needs to be created, the default one changed, and the old tags deleted.
Since the project machine name is motionpointtranslation, the following filenames are wrong.
There are other files/directory with the wrong name, including src/Plugin/tmgmt/Translator. The same is true for the paths used in the route definitions.
The .module file isn't necessary, if it doesn't contain code.
A class that implements
create()from which it receives the dependency container object doesn't use\Drupalto access a service or other dependencies.The code isn't following the Drupal coding standards.
UrlHelper::isValid()returnsTRUEorFALSE; that code is setting a URL to a Boolean value (which is surely not what it should do).Comment #15
mpbackenduser commentedThank You apaderno for the feedback. we discussed with the team and decided not to use the shared account going forward. We will delete the project created by shared account so in compliance with the drupal eco system.
sugumarant will create and project and check in the code.
I'll withdraw this issue and create an new request with the developer account.
Thanks for your feedback we want to be incompliance with drupal.
Comment #16
avpaderno@MotionPoint It's not necessary to delete the project. The developer can continue with this application and change the project code as reported here.
Shared accounts can be used to create project. They cannot be used to commit code, but a single commit isn't going to be a big issue.
Comment #17
avpadernoAlso, I think projects cannot be deleted.
Comment #18
mpbackenduser commentedComment #19
mpbackenduser commentedComment 1:
Since the project machine name is motionpointtranslation, the following filenames are wrong.
tmgmt_motionpoint.info.yml
tmgmt_motionpoint.module
tmgmt_motionpoint.routing.yml
There are other files/directory with the wrong name, including src/Plugin/tmgmt/Translator. The same is true for the paths used in the route definitions.
Fixed Since the MotionPoint translation provider should be part of tmgmt module . Original project was created wrongly. I created a new project with proper machinename "tmgmt_motionpoint" updated the Issue with the project name.
The .module file isn't necessary, if it doesn't contain code.
Fixed. Removed the .Module File
/** @var \Drupal\tmgmt_file\Format\FormatInterface $xliff_converter */
$xliff_converter = \Drupal::service('plugin.manager.tmgmt_file.format')->createInstance('xlf');
$xliff_content = $xliff_converter->export($job);
A class that implements create() from which it receives the dependency container object doesn't use \Drupal to access a service or other dependencies.
we Followed the same way as tmgmt FileTranslator uses \Drupal::service('plugin.manager.tmgmt_file.format')->createInstance('xlf');
(examples in following classes)
tmgmt\translators\tmgmt_file\src\Plugin\tmgmt\Translator\FileTranslator.php
tmgmt\translators\tmgmt_file\src\Commands\TmgmtFileCommands.php
if (is_bool($received_translation) === true) { throw new Exception(); };
The code isn't following the Drupal coding standards.
Fixed
$api_base_url = UrlHelper::isValid($translator->getSetting('motionpoint_api_url')) ? $translator->getSetting('motionpoint_api_url') : 'https://api.motionpoint.com';
UrlHelper::isValid() returns TRUE or FALSE; that code is setting a URL to a Boolean value (which is surely not what it should do).
Fixed
Comment #20
mpbackenduser commentedComment #21
sugumarant commentedComment #22
avpadernoPlease remember that only sugumarant can make commits for the duration of this application.
:configuredneeds to be surrounded by double quotes, as described inFormattableMarkup::placeholderFormat().The code doesn't follow the Drupal coding standards in some points, as:
TRUE,FALSE,NULL)elseandelseifbranches must be written on a new linefunctionand the first function/method code line\Drupal::logger('tmgmt_motionpoint')->warning('API Request Exception, status code is: ' . print_r();Instead of concatenating string, the message should use placeholders.
Why is the code returning an exception instead of re-throwing it? in PHP, exceptions aren't returned.
Classes that implement
ContainerFactoryPluginInterfacedon't use\Drupal, but inject their dependencies increate().Strings shown in the user interface must be translatable.
The first parameter of
t()must be a literal string, not a variable. Passing a variable is considered a potential security issue.The README.txt isn't complete and it's not formatted as the Drupal coding standards say.
Comment #23
sugumarant commentedFixed all the review comments. Please review and let me know your feedback.
Comment #24
sugumarant commentedComment #25
avpadernoThank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the IRC #drupal-contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Comment #26
sugumarant commentedThank you apaderno for you time and valuable feedback