Closed (fixed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Reporter:
Created:
15 Dec 2025 at 21:40 UTC
Updated:
9 May 2026 at 11:40 UTC
Jump to comment: Most recent
Comments
Comment #2
vishal.kadamComment #3
rushikesh raval commentedThank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #4
rushikesh raval commentedRemember to change status, when the project is ready to be reviewed. In this queue, projects are only reviewed when the status is Needs review.
Comment #5
avpadernoUsually, after reviewing a project, we allow the developer to opt projects into security advisory coverage. This project is too small for us; it does not contain enough Drupal (PHP) code to really assess your skills as Drupal developer.
Do you have any other project hosted on drupal.org that we could instead review? It needs to have most of the commits (but preferably all the commits) done by you, in at least a branch.
Comment #6
josecarlosmedero commentedI have significantly improved the **Required If Field Has Value** module that we have published on drupal.org. The main changes include improvements to functionality, user experience, and code architecture.
---
## 🎯 Main Changes
### 1. **Now works with ALL entities**
**Before:** Only worked with nodes (content)
**Now:** Works with users, taxonomy terms, custom entities, and any entity type in Drupal
**Benefit:** Much more versatile and useful for different use cases
---
### 2. **Much easier-to-use configuration form**
**Before:** You had to manually write the rules in a textarea with the format: `bundle|source_field|required_field`
**Now:**
- Dropdown selects to choose the entity type
- Selects to choose the bundle
- Selects to choose the fields (with their visible names)
- Visual table-like interface
- Automatic validation to prevent errors
**Benefit:** Anyone can configure it without needing to know the technical names of the fields
---
### 3. **Works correctly with complex fields**
**Before:** Had problems detecting values in CKEditor (rich text) fields and image fields
**Now:**
- Correctly detects when there is content in CKEditor fields (ignores empty HTML)
- Correctly detects when images have been uploaded
- Works well with file fields
- Handles all field types correctly
**Benefit:** The module is more reliable and works in all real-world scenarios
---
Comment #7
vishal.kadamI am changing priority as per Issue priorities.
Comment #8
batigolixReformat your comment #6
Ask your AI tool to convert the markdown to HTML or plain text
Comment #9
avpadernoComment #10
avpadernorequired_if_filled.module
A new module that aims to be compatible with latest Drupal releases is expected to implement hooks as class methods as described in Support for object oriented hook implementations using autowired services.
It requires increasing the minimum required Drupal version, but that is not an issue, since not all the Drupal releases are supported.
src/Service/RequiredIfFilledService.php
Code compatible with latest Drupal releases should use property promotion.
src/Form/SettingsForm.php
ConfigFormBaseis not the parent class to use for such a complex form.Drupal core comes with at least a fieldable entity with bundles. If the module needs to be sure that entity exists, it should implement
hook_requirements()and show an error when no fieldable entities with bundles exist. In the case there are not such entities when the form is shown, an exception should be thrown.Comment #11
josecarlosmedero commentedHello,
Thank you very much for your review and the detailed feedback. I have implemented the requested changes and prepared a new release reflecting the updates. The key adjustments are:
Property promotion:
Updated the RequiredIfFilledService and SettingsForm classes to use PHP 8 constructor property promotion where applicable, improving readability and reducing boilerplate code.
Form base class update:
For the SettingsForm, I kept FormBase instead of ConfigFormBase because the form is complex and dynamic, including a table of rules with AJAX add/remove functionality. Using ConfigFormBase was not suitable for this specific use case.
Compatibility:
The module is now fully compatible with Drupal 10 and PHP 8.3.
Minor coding standard fixes were applied to remove warnings and errors (doc comments, variable typing, etc.).
The release including these updates is tagged as v1.2.2 and can be found here:
https://git.drupalcode.org/project/required_if_filled
I would greatly appreciate if you could review the updated code and confirm that it meets the Drupal standards for security and best practices.
Thank you for your time and guidance.
Best regards,
Comment #12
vishal.kadamReleases should not be created after each review done here, since a review could ask for a change that is not backward compatible with the existing releases. Just using a development version avoids those BC issues.
It would also be better not to create new branches: Reviewers would need to check again all the files, to understand which changes have been done in the new branch.
Comment #13
vishal.kadamI am changing priority as per Issue priorities.
Comment #14
avpadernoIn which branch are you making commits? This application seems to require reviews for the 1.0.x branch, but latest tag does not seem created from that branch.
Comment #15
josecarlosmedero commentedThanks for the feedback.
The current development is based on the `1.2.x` branch, and the latest tag `1.2.2` was created from this branch.
Please confirm if the review should proceed on `1.2.x`, or if you prefer the work to be rebased to `1.0.x`.
Comment #16
avpadernoIt's preferable to use the same branch used at the beginning of the application, but since you already made commits to a new branch, we will continue with that branch. I had to ask to avoid reviewing a branch that was not updated, for which I would have reported something that was already fixed.
Comment #17
avpadernorequired_if_filled.info.yml
Those lines must be removed since:
required_if_filled.install
For translatable strings that change basing on a number (as in this case), there is
::formatPlural().required_if_filled.module
A new module that aims to be compatible with latest Drupal releases is expected to implement hooks as class methods as described in Support for object oriented hook implementations using autowired services.
It requires increasing the minimum required Drupal version, but that is not an issue, since not all the Drupal releases are supported.
src/Form/SettingsForm.php
Comments need to be in English.
If that string is shown in the user interface, it needs to be a translatable string. If
$field_definition->getLabel()and$field_name
, the code should use a translatable string with placeholders, which allows translators to change the strings order and use a different character for parentheses.
For methods defined in a parent class or interface, the documentation comment is simply
{@inheritdoc}.required_if_filled.permissions.yml
If the module does not define its own permission, there is no need to have a .permissions.yml which is then empty. If the module is instead supposed to have its own permissions, that file should not be empty.
Comment #18
josecarlosmedero commentedHi @avpaderno,
Thank you for the detailed review and clear explanations — they were very helpful.
I’ve addressed all the points you mentioned:
Removed the packaging script metadata from the .info.yml file.
Replaced t() with ::formatPlural() where appropriate.
Updated comments to English.
Made UI strings translatable using placeholders where needed.
Simplified the docblock in validateForm() to {@inheritdoc}.
Reviewed the permissions file and removed it since it wasn’t needed.
Refactored parts of the module to align better with modern Drupal practices.
I’ve pushed the updated changes and set the issue back to Needs review.
Thanks again for your guidance and time!
Best regards,
Comment #19
avpadernoThank you for your contribution and for your patience with the review process!
I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.
These are some recommended readings to help you with maintainership:
You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank also all the reviewers for helping with these applications.
Comment #20
avpadernoComment #22
josecarlosmedero commentedThank you so much, more contributions are on their way!