Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Issue tags:
Reporter:
Created:
23 Jun 2023 at 10:15 UTC
Updated:
10 Jul 2023 at 17:49 UTC
Jump to comment: Most recent
Comments
Comment #2
vinaymahale commentedThank you for applying! Reviewers will review the project files, describing what needs to be changed.
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
To reviewers: Please read How to review security advisory coverage applications, What to cover in an application review, and Drupal.org security advisory coverage application workflow.
While this application is open, only the user who opened the application can make commits to the project used for the application.
Reviewers only describe what needs to be changed; they don't provide patches to fix what reported in a review.
Comment #3
avpadernoComment #4
vinaymahale commentedPlease fix the below PHPCS issue
Comment #5
avpadernoIs there anything else that needs to be changed? That alone is not an application blocker.
Comment #6
rfmarcelino commentedThank you @vinaymahale for your review.
Just added the missing type hint.
Comment #7
avpadernosrc/Controller/EntityDisplayJsonController.php
That property is already defined from the parent class. There is no need to declare it.
The description for
$aliasManageris copied from the other property.entity_display_json.routing.yml
Since the controller gives access to every entity on the site, including unpublished nodes that users with the access content permission would not otherwise see, or blocked accounts, which only users with the administer users permission should see, the permission used for that route is not sufficient.
At least, the route cannot be used to enumerate user accounts, since it requires the UUID which is not easy to gather (differently from the ID which is incremented by one for each entity). Still, there should be a flood protection.
Since the route requires a UUID and the entity type that matches that UUID, how would the module be used?
Comment #8
rfmarcelino commentedThank you @apaderno for your review.
The module can be used in conjunction with others like decoupled_router to get the uuid.
Comment #9
avpadernoThank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the Slack #contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank all the reviewers.
Comment #10
avpaderno