I would like to request a security advisory review for my module
"Required If Field Has Value" for Drupal 10.

The module provides conditional required field validation based
on another field value. It does not perform database writes
or handle sensitive data, but I would like to have it reviewed
so that I can release a stable version.

Project link

https://www.drupal.org/project/required_if_filled

Comments

josecarlosmedero created an issue. See original summary.

vishal.kadam’s picture

Title: Request for security advisory review » [1.0.x] Required If Filled
Project: Required If Filled » Drupal.org security advisory coverage applications
Version: 1.0.x-dev »
Component: Code » module
Category: Support request » Task
Issue summary: View changes
rushikesh raval’s picture

Thank you for applying!

Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.

The important notes are the following.

  • New releases are not necessary for these applications, which could require changes that are not backward-compatible. Not creating new releases avoids any possible issue.
  • Please do not change the branch to review once reviews started, except in the case the used branch needs to be deleted.
  • If you have not done it yet, enable GitLab CI for the project, and fix what reported from the phpcs job. This help to fix most of what reviewers would report.
  • For the time this application is open, only your commits are allowed. No other people, including other maintainers/co-maintainers can make commits.
  • The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status won't be changed by this application.
  • Nobody else will get the permission to opt projects into security advisory policy. If there are other maintainers/co-maintainers who will to get that permission, they need to apply with a different module.
  • We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.

The important notes are the following.

  • It is preferable to wait for a Code Review Administrator before commenting on newly created applications. Code Review Administrators will do some preliminary checks that are necessary before any change on the project files is suggested.
  • Reviewers should show the output of a CLI tool only once per application. The configuration used for these tools needs to be the same configuration used by GitLab CI, stored in the GitLab Templates repository.
  • It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.

rushikesh raval’s picture

Remember to change status, when the project is ready to be reviewed. In this queue, projects are only reviewed when the status is Needs review.

avpaderno’s picture

Status: Active » Needs work

Usually, after reviewing a project, we allow the developer to opt projects into security advisory coverage. This project is too small for us; it does not contain enough Drupal (PHP) code to really assess your skills as Drupal developer.

Do you have any other project hosted on drupal.org that we could instead review? It needs to have most of the commits (but preferably all the commits) done by you, in at least a branch.

josecarlosmedero’s picture

Status: Needs work » Needs review

I have significantly improved the **Required If Field Has Value** module that we have published on drupal.org. The main changes include improvements to functionality, user experience, and code architecture.

---

## 🎯 Main Changes

### 1. **Now works with ALL entities**
**Before:** Only worked with nodes (content)
**Now:** Works with users, taxonomy terms, custom entities, and any entity type in Drupal

**Benefit:** Much more versatile and useful for different use cases

---

### 2. **Much easier-to-use configuration form**
**Before:** You had to manually write the rules in a textarea with the format: `bundle|source_field|required_field`

**Now:**
- Dropdown selects to choose the entity type
- Selects to choose the bundle
- Selects to choose the fields (with their visible names)
- Visual table-like interface
- Automatic validation to prevent errors

**Benefit:** Anyone can configure it without needing to know the technical names of the fields

---

### 3. **Works correctly with complex fields**
**Before:** Had problems detecting values ​​in CKEditor (rich text) fields and image fields

**Now:**
- Correctly detects when there is content in CKEditor fields (ignores empty HTML)
- Correctly detects when images have been uploaded
- Works well with file fields
- Handles all field types correctly

**Benefit:** The module is more reliable and works in all real-world scenarios

---

vishal.kadam’s picture

Priority: Normal » Major

I am changing priority as per Issue priorities.

batigolix’s picture

Status: Needs review » Needs work

Reformat your comment #6

Ask your AI tool to convert the markdown to HTML or plain text

avpaderno’s picture

Status: Needs work » Needs review
avpaderno’s picture

Priority: Major » Normal
Status: Needs review » Needs work
  • The following points are just a start and don't necessarily encompass all of the changes that may be necessary
  • A specific point may just be an example and may apply in other places
  • A review is about code that doesn't follow the coding standards, contains possible security issue, or does not correctly use the Drupal API; the single points are not ordered, not even by importance

required_if_filled.module

A new module that aims to be compatible with latest Drupal releases is expected to implement hooks as class methods as described in Support for object oriented hook implementations using autowired services.
It requires increasing the minimum required Drupal version, but that is not an issue, since not all the Drupal releases are supported.

src/Service/RequiredIfFilledService.php

Code compatible with latest Drupal releases should use property promotion.

src/Form/SettingsForm.php

ConfigFormBase is not the parent class to use for such a complex form.

    if (empty($entity_types)) {
      $form['no_entities'] = [
        '#type' => 'markup',
        '#markup' => '<p>' . $this->t('No entity types with bundles are available.') . '</p>',
      ];
      return parent::buildForm($form, $form_state);
    }

Drupal core comes with at least a fieldable entity with bundles. If the module needs to be sure that entity exists, it should implement hook_requirements() and show an error when no fieldable entities with bundles exist. In the case there are not such entities when the form is shown, an exception should be thrown.

josecarlosmedero’s picture

Status: Needs work » Needs review

Hello,

Thank you very much for your review and the detailed feedback. I have implemented the requested changes and prepared a new release reflecting the updates. The key adjustments are:

Property promotion:
Updated the RequiredIfFilledService and SettingsForm classes to use PHP 8 constructor property promotion where applicable, improving readability and reducing boilerplate code.
Form base class update:
For the SettingsForm, I kept FormBase instead of ConfigFormBase because the form is complex and dynamic, including a table of rules with AJAX add/remove functionality. Using ConfigFormBase was not suitable for this specific use case.

Compatibility:
The module is now fully compatible with Drupal 10 and PHP 8.3.
Minor coding standard fixes were applied to remove warnings and errors (doc comments, variable typing, etc.).

The release including these updates is tagged as v1.2.2 and can be found here:
https://git.drupalcode.org/project/required_if_filled

I would greatly appreciate if you could review the updated code and confirm that it meets the Drupal standards for security and best practices.

Thank you for your time and guidance.

Best regards,

vishal.kadam’s picture

Releases should not be created after each review done here, since a review could ask for a change that is not backward compatible with the existing releases. Just using a development version avoids those BC issues.

It would also be better not to create new branches: Reviewers would need to check again all the files, to understand which changes have been done in the new branch.

vishal.kadam’s picture

Priority: Normal » Major

I am changing priority as per Issue priorities.

avpaderno’s picture

Priority: Major » Normal
Status: Needs review » Postponed (maintainer needs more info)

In which branch are you making commits? This application seems to require reviews for the 1.0.x branch, but latest tag does not seem created from that branch.

josecarlosmedero’s picture

Title: [1.0.x] Required If Filled » [1.2.x] Required If Filled
Status: Postponed (maintainer needs more info) » Needs work

Thanks for the feedback.

The current development is based on the `1.2.x` branch, and the latest tag `1.2.2` was created from this branch.

Please confirm if the review should proceed on `1.2.x`, or if you prefer the work to be rebased to `1.0.x`.

avpaderno’s picture

Status: Needs work » Needs review

It's preferable to use the same branch used at the beginning of the application, but since you already made commits to a new branch, we will continue with that branch. I had to ask to avoid reviewing a branch that was not updated, for which I would have reported something that was already fixed.

avpaderno’s picture

Status: Needs review » Needs work

required_if_filled.info.yml

# Information added by Drupal.org packaging script on 2025-12-16
version: '1.2.2'
project: 'required_if_filled'
datestamp: 1765896588

Those lines must be removed since:

  • The 1.2.x branch is not version 1.2.2
  • Those lines are added by the Drupal.org packaging script for each module release; they are not added to branches

required_if_filled.install

 return t('Migrated @count rules to new format.', ['@count' => count($new_rules)]);

For translatable strings that change basing on a number (as in this case), there is ::formatPlural().

required_if_filled.module

A new module that aims to be compatible with latest Drupal releases is expected to implement hooks as class methods as described in Support for object oriented hook implementations using autowired services.
It requires increasing the minimum required Drupal version, but that is not an issue, since not all the Drupal releases are supported.

src/Form/SettingsForm.php

  /**
   * Constructor usando property promotion.
   */
  public function __construct(
    protected EntityTypeBundleInfoInterface $entityTypeBundleInfo,
    protected EntityFieldManagerInterface $entityFieldManager,
    protected EntityTypeManagerInterface $entityTypeManager,
    protected $configFactory,
  ) {}

Comments need to be in English.

      $fields[$field_name] = $field_definition->getLabel() . ' (' . $field_name . ')';

If that string is shown in the user interface, it needs to be a translatable string. If $field_definition->getLabel() and

$field_name

, the code should use a translatable string with placeholders, which allows translators to change the strings order and use a different character for parentheses.

  /**
   * Validate the rules table.
   */
  public function validateForm(array &$form, FormStateInterface $form_state) {
    $rules = $form_state->getValue('rules')['table'] ?? [];
    foreach ($rules as $delta => $rule) {
      if (empty($rule['entity_type']) || empty($rule['bundle']) || empty($rule['source_field']) || empty($rule['required_field'])) {
        continue;
      }

      if ($rule['source_field'] === $rule['required_field']) {
        $form_state->setError($form['rules']['table'][$delta]['required_field'], $this->t('The source field and required field must be different.'));
      }

      $available_fields = $this->getFields($rule['entity_type'], $rule['bundle']);
      if (!isset($available_fields[$rule['source_field']])) {
        $form_state->setError($form['rules']['table'][$delta]['source_field'], $this->t('The selected source field is not available for this bundle.'));
      }
      if (!isset($available_fields[$rule['required_field']])) {
        $form_state->setError($form['rules']['table'][$delta]['required_field'], $this->t('The selected required field is not available for this bundle.'));
      }
    }
  }

For methods defined in a parent class or interface, the documentation comment is simply {@inheritdoc}.

required_if_filled.permissions.yml

If the module does not define its own permission, there is no need to have a .permissions.yml which is then empty. If the module is instead supposed to have its own permissions, that file should not be empty.

josecarlosmedero’s picture

Status: Needs work » Needs review

Hi @avpaderno,

Thank you for the detailed review and clear explanations — they were very helpful.

I’ve addressed all the points you mentioned:

Removed the packaging script metadata from the .info.yml file.
Replaced t() with ::formatPlural() where appropriate.
Updated comments to English.
Made UI strings translatable using placeholders where needed.
Simplified the docblock in validateForm() to {@inheritdoc}.
Reviewed the permissions file and removed it since it wasn’t needed.
Refactored parts of the module to align better with modern Drupal practices.

I’ve pushed the updated changes and set the issue back to Needs review.

Thanks again for your guidance and time!

Best regards,

avpaderno’s picture

Assigned: Unassigned » avpaderno
Status: Needs review » Reviewed & tested by the community

Thank you for your contribution and for your patience with the review process!

I am going to update your account so you can opt into security advisory coverage any project you create, including the projects you already created.

These are some recommended readings to help you with maintainership:

You can find more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.

I thank also all the reviewers for helping with these applications.

avpaderno’s picture

Status: Reviewed & tested by the community » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

josecarlosmedero’s picture

Thank you so much, more contributions are on their way!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.