Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Issue tags:
Reporter:
Created:
30 Jan 2022 at 12:04 UTC
Updated:
13 Oct 2022 at 18:34 UTC
Jump to comment: Most recent
Comments
Comment #2
bigbaldy commentedThis review uses the Project Application Review Template.
Automated Review
Automated review is not working. I ran phpcs manually with both the Drupal and DrupalPractice standards. Neither generated errors
Note that perfect adherence to Drupal Coding Standard is NOT a reason to block an application, except for total disregard of them. However, modules should follow them as closely as possible.
Manual Review
The module uses branching at the Major semantic version (ie. 2.x .) The guideline is unclear as to any preferences between a new branch at the major or minor release. The example in the guideline shows a new branch for a minor release (ex. 2.0.x)
The format is correct, but the content has not been completed.
This review is of the project overall. The intent of the security advisory coverage application though, is to evaluate the individual submitting the request. The submitter's last commit to the project was in July 2015 for a first version at 8.x. Eight additional commits were for 7.x in December of 2014. There was one project page update in 2020. The commits by the submitter look reasonable. Given the age and number of commits I'm not sure if there is enough information for the application based on this project alone. It did notice a significant number of commits to other projects.
The starred items (*) are fairly big issues and warrant going back to Needs Work. Items marked with a plus sign (+) are important and should be addressed before a stable project release. The rest of the comments in the code walkthrough are recommendations.
If added, please don't remove the security tag, we keep that for statistics and to show examples of security problems.
This review uses the Project Application Review Template.
Comment #3
bigbaldy commentedComment #4
avpadernoComment #5
le72Thank you for your review.
Comment #6
le72Comment #7
avpadernoFor these applications, we need at least a branch where the code has been committed from the user who applies. In this case, in the 2.x branch there are commits from other users. This means we cannot understand what the user who applies understands about writing secure code that follows the coding standards and correctly uses the Drupal API, since the code has been written from more users.
This application can continue, with a project/branch where most of the commits have been done from the user who applies. (The ideal would be a project where the commits for a branch are done from the user who applies.)
Comment #8
le72Correct, I updated the README.md only (last commit) as requested.
What else can I do here to make the module "green"? :-)
Comment #9
le72Comment #10
avpadernoSee my previous comment.
Comment #11
avpadernoComment #12
le72I added another project. Please review it so I could make it green under Security advisory coverage.
https://www.drupal.org/project/campaign_monitor_webform
Comment #13
le72Comment #14
avpadernoComment #15
le72Hi @apaderno.
Can you please review it before September 20-21 https://www.drupal.org/project/campaign_monitor_webform?
I am going to talk a bit about this module at DrupalCon in Prague.
Thanks in advance.
Comment #16
avpadernoThe minimum required Drupal 8.x version should be 8.8.3, when using semantic versions. Earlier Drupal versions don't handle semantic versions correctly.
The purpose of
ContainerInjectionInterface::create()(or similar methods likeContainerFactoryPluginInterface::create()) is passing the injected dependencies to the class constructor, non initializing the instance properties.The first argument passed to
MessengerInterface::addError(),MessengerInterface::addMessage(),MessengerInterface::addStatus(), andMessengerInterface::addWarning()must be a translatable string that uses placeholders.The
$messageparameter passed to theLoggerInterfacemethods must be a literal string and use placeholders.Comment #17
avpadernoComment #18
le72Thank you for the quick review.
I am fixing now, BUT regarding
I have a question. I used example of WebformHandlerBase . And actually all WebformHandlers initializing the instance properties in the
createmethod. Should I still change my module and move initialization to construct()? In that case, the module's custom Webform Handler will have different look comparing to other similar implimintations. I am fine wiht it, just need an advice and confirmation.Comment #19
avpadernoServices and dependency injection in Drupal 8+ / Injecting dependencies into controllers, forms and blocks says:
Passing the dependencies to the constructor makes sense, as initializing the constructed object is the constructor's responsibility. It's what other static methods do too, for example
Url::fromEntityUri()orUrl::fromRouteUri().Comment #20
le72Well, thank you very much @apaderno. I created an issue on webforms project (https://www.drupal.org/project/webform/issues/3311986#comment-14708352)
In my Campaign Monitor Webform Handler I can't just change the create method and add __construct, because the handler is inheriting the WebformHandlerBase. I can do everything in the way you recommend, but I will need to add all services of WebformHandlerBase to my custom handler. I know the webform maintainers are pretty responsive, so I want to see what they tell, maybe there are some reasons to write create() method in a way they did everywhere in the webforms.
The other notices are fixed and pished to v1.0.6
Comment #21
avpadernoWebformCampaignMonitorHandlerstill needs to implements its constructor, which is whatWebformHandlerBase::create()calls withnew static().How
WebformHandlerBase::create()is written, it doesn't allow to easily extend it. You should extendcreate()to pass all the dependencies to__construct(), which then initializes all the properties, including theWebformHandlerBase's properties.Comment #22
le72Hi @apaderno, here is an answer:
I see what you mean in your last comment and agree all dependencies in subclasses also should be written and passed to
__construct(). But I think what jrockowitz is saying makes sence.Maybe we can let it as it's done in webform for all other handlers?
Thanks in advance.
Comment #23
avpaderno@le72 If you made the other changes, feel free to change status. That isn't an issue you can resolve in your module.
The only change you can eventually do is requiring a specific Webform version, if that change is present starting with Webform 6.x. This isn't a change required from these applications, though.
Comment #24
le72Yes, the other changes are here: v1.0.6
Comment #25
avpadernoThank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the Slack #contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank all the reviewers.
Comment #26
avpadernoComment #27
le72Thank you!