[1.0.x] Field Label Visibility

Thank you for applying!

Before giving links helpful to understand how the review process works, what to expect from a review, and what to do to avoid a review takes more time than needed, I would like to thank all the reviewers for the work they do.
These applications are volunters-driven, which also means it is not possible to predict when an application will be marked fixed and the applicant will get the permission to opt projects into security advisory policy. While we aim to make an application as quick as possible, it is also important for us that more people review the project used for an application. In this way, we make sure applications do not miss some important points that should be instead reported.
Applications are not meant to be complete debugging sessions that eliminate every existing bug, though. I apologize if sometimes applications seem to go into too-detailed reviews.

Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.

The important notes are the following.

• If you have not done it yet, you should enable GitLab CI for the project and fix the PHP_CodeSniffer errors/warnings it reports.
• For the time this application is open, only your commits are allowed.
• The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status will not be changed by this application; once this application is closed, you will be able to change the project status from Not covered to Opt into security advisory coverage. This is possible only 14 days after the project is created.
  
  Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
• Only the person who created the application will get the permission to opt projects into security advisory coverage. No other person will get the same permission from the same application; that applies also to co-maintainers/maintainers of the project used for the application.
• We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.

The important notes are the following.

• It is preferable to wait for a project moderator before posting the first comment on newly created applications. Project moderators will do some preliminary checks that are necessary before any change on the project files is suggested.
• Reviewers should show the output of a CLI tool only once per application.
• It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.

1. Add a README.md file

The project is missing a README.md file, it should follow the template suggested in README.md template.

2. FILE: field_label_visibility.libraries.yml

version: VERSION

VERSION is only used by Drupal core modules. Contributed modules should use a literal string that does not change with the Drupal core version a site is using.

3. FILE: field_label_visibility.module

Since the module is declared compatible with Drupal 10.3, removing the function implementing the hook is not possible. The function still needs to be defined, but it calls the method defined by the service class, as described in Support for object oriented hook implementations using autowired services (Backwards-compatible Hook implementation for Drupal versions from 10.1 to 11.0).

4. FILE: src/Form/SettingsForm.php

With Drupal 10 and Drupal 11, there is no longer need to use #default_value for each form element, when the parent class is ConfigFormBase: It is sufficient to use #config_target, as in the following code.

    $form['image_toolkit'] = [
      '#type' => 'radios',
      '#title' => $this->t('Select an image processing toolkit'),
      '#config_target' => 'system.image:toolkit',
      '#options' => [],
    ];

Using that code, it is no longer needed to save the configuration values in the form submission handler: The parent class will take care of that.

It is better not to create new releases during these applications, since a review could ask for a change that is not backward compatible with the existing releases. Just using a development version avoids those BC issues.

FILE: field_label_visibility.module

Procedural hooks should be marked with the #[LegacyHook] attribute.

Priority should be change as per Issue priorities.

Rest seems fine to me.

Please wait for other reviewers and Project Moderator to take a look and if everything goes fine, you will get the role.

• The following points are just a start and don't necessarily encompass all of the changes that may be necessary
• A specific point may just be an example and may apply in other places
• A review is about code that does not follow the coding standards, contains possible security issue, or does not correctly use the Drupal API
• The single review points are not ordered, not even by importance

src/Hook/FieldLabelVisibilityHooks.php

  /**
   * Server-side validator for the "custom_label" textfield.
   *
   * Static signature is required by Drupal Form API for
   * #element_validate callbacks. \Drupal::translation() is the accepted
   * fallback in this static context — DI is unavailable to procedural
   * callbacks.
   */

Documentation comments for methods and functions need to also document parameters and return value, if there is any.

        \Drupal::translation()->translate('The custom label cannot contain the @lt or @gt characters.', [
          '@lt' => '<',
          '@gt' => '>',
        ]),

For a static method, it is sufficient to use t() or create a \Drupal\Core\StringTranslation\TranslatableMarkup instance, which what the documentation for t() suggests.

    if (
      !$widget instanceof WidgetInterface
      || !$field_definition instanceof FieldDefinitionInterface
    ) {
      return;
    }

Control statements are allowed to exceed the 80-character limit. If the checked conditions would be too much, Drupal coding standards suggests using local variables for the conditions, as in the following code.

  // Key is only valid if it matches the current user's ID, as otherwise other
  // users could access any user's things.
  $is_valid_user = isset($key) && !empty($user->uid) && $key == $user->uid;

   // IP must match the cache to prevent session spoofing.
  $is_valid_cache = isset($user->cache) ? $user->cache == ip_address() : FALSE;

  // Alternatively, if the request query parameter is in the future, then it
  // is always valid, because the galaxy will implode and collapse anyway.
  $is_valid_query = $is_valid_cache || (isset($value) && $value >= time());

  if ($is_valid_user || $is_valid_query) {
    // ...
  }

(Keep in mind that code in issues is not shown as entered; there could be new lines where the code did not have any.)

    if ($settings['bold']) {
      $formats[] = (string) $this->t('Bold');
    }
    if ($settings['italic']) {
      $formats[] = (string) $this->t('Italic');
    }
    if ($settings['underline']) {
      $formats[] = (string) $this->t('Underline');
    }
    if ($formats !== []) {
      $summary[] = $this->t('Format: @formats', ['@formats' => implode(' / ', $formats)]);
    }

There is no need to cast the value returned by $this->t() to a string; in contexts where a string is required, PHP does that cast automatically.

field_label_visibility.services.yml

Services can be autowired starting with Drupal 9.3.x. This means that it is no longer necessary to give a list of service arguments in the .services.yml file; they will be retrieved from the constructor definition.

What reported here in Differences with similar projects needs to be added to the project page.

field_label_visibility.module

/**
 * @file
 * Module file for field_label_visibility.
 *
 * The hook implementations live in
 * \Drupal\field_label_visibility\Hook\FieldLabelVisibilityHooks via the
 * #[Hook] attribute discovery introduced in Drupal 10.3 and required in
 * Drupal 11.
 *
 * Drupal 10.3 still supports legacy procedural hook discovery alongside
 * the attribute-based one, but legacy modules and contrib code paths
 * occasionally invoke procedural hooks directly. To stay compatible with
 * the full ^10.3 || ^11 range declared in the .info.yml file, the
 * procedural hook entry points below delegate to the same service
 * methods used by the attribute discovery and are tagged with
 * #[LegacyHook] so that Drupal's hook system knows they are bridges to
 * the OOP implementation rather than independent hook handlers.
 *
 * Once the minimum supported core version is raised to ^11, these
 * procedural bridges may be removed.
 */

The usual short description (Hook implementations for the Field Label Visibility module.) gives more information about the file content.

The rest of that documentation comment is not information a developer would need. It seems the type of comments an AI-assisted software would suggest. A maintainer could just need a @todo note that reminds that legacy hooks can be removed when Drupal 11 is the minimum required Drupal core version.

The use of AI-assisted software to write code needs to be disclosed in the project page.

/**
 * Implements hook_field_widget_third_party_settings_form().
 *
 * @param \Drupal\Core\Field\WidgetInterface $plugin
 *   The widget plugin being configured.
 * @param \Drupal\Core\Field\FieldDefinitionInterface $field_definition
 *   The definition of the field whose widget is being configured.
 * @param string $form_mode
 *   The form mode being configured (for example, 'default').
 * @param array $form
 *   The (parent) form array.
 * @param \Drupal\Core\Form\FormStateInterface $form_state
 *   The form state of the parent form.
 *
 * @return array
 *   The render array of third-party settings injected under the widget.
 */

Documentation comments for hooks just need the short description. A long description can be added to add details necessary when developing the module, for example a reminder of why a hook has been used instead of another one, or why the hook implementation is done that way. The description of the parameters and the return value is not necessary; it is something AI-assisted software tends to add.

field_label_visibility.info.yml

core_version_requirement: ^10.3 || ^11
php: '>=8.3'

May you explain why the module would require PHP 8.3 or any higher version?

src/Form/SettingsForm.php

        toConfig: static function (array $submitted) use ($valid_bundles): array {
          $selected = array_values(array_intersect(
            $valid_bundles,
            array_keys(array_filter($submitted)),
          ));
          sort($selected);
          return $selected;
        },

May you describe what that code does and why is it necessary?

src/Hook/FieldLabelVisibilityHooks.php

    if (preg_match('/[<>]/', $value) === 1) {
      $form_state->setError(
        $element,
        t('The custom label cannot contain the @lt or @gt characters.', [
          '@lt' => '<',
          '@gt' => '>',
        ]),
      );
    }

Why does the code check preg_match() returns 1?

        '#pattern' => '[a-zA-Z0-9_\\- ]*',
        '#element_validate' => [[static::class, 'validateLabelClass']],

Only one of those lines is usually necessary. May you describe the reason for using a custom validation handler?

      $form_state->setError(
        $element,
        t('The custom label cannot contain the @lt or @gt characters.', [
          '@lt' => '<',
          '@gt' => '>',
        ]),
      );

It is correct that using $this->t() is not possible in static methods, but what are the alternatives?
(As a side note, the comment explaining that $this->t() cannot be used in static methods is not necessary.)

      self::SETTING_CLASS => [
        '#type' => 'textfield',
        '#title' => $this->t('CSS classes'),
        '#description' => $this->t('Additional CSS classes separated by spaces. Only letters, digits, hyphen, underscore and spaces are allowed.'),
        '#default_value' => (string) $plugin->getThirdPartySetting(
          self::MODULE,
          self::SETTING_CLASS,
          '',
        ),
        '#maxlength' => 255,
        '#pattern' => '[a-zA-Z0-9_\\- ]*',
        '#element_validate' => [[static::class, 'validateLabelClass']],
        '#states' => $hidden_when_hide,

That regular expression is not correct to validate a CSS class name. Drupal core has a class method that can be used to verify a CSS class name is valid.

      self::SETTING_LABEL => [
        '#type' => 'textfield',
        '#title' => $this->t('Custom label'),
        '#description' => $this->t('When filled in, replaces the default field label. Leave empty to keep the original. With "Singular/Plural" enabled you can write <em>Singular|Plural</em> separated by a pipe.'),
        '#default_value' => (string) $plugin->getThirdPartySetting(
          self::MODULE,
          self::SETTING_LABEL,
          '',
        ),
        '#maxlength' => 255,
        '#element_validate' => [[static::class, 'validateCustomLabel']],
        '#states' => $hidden_when_hide,
      ],

If some characters are not allowed in a custom label, the form element description should say they are not allowed.
Why does the validation handler allow other characters Html::escape() would convert to HTML entities?

    $tag_is_allowed = in_array($settings['tag'], self::ALLOWED_TAGS, TRUE);
    $safe_tag = $tag_is_allowed ? $settings['tag'] : '';
    $filtered_class = preg_replace('/[^a-zA-Z0-9_\- ]/', '', $settings['class']) ?? '';
    $safe_class = trim(preg_replace('/\s+/', ' ', $filtered_class) ?? '');

    $id_is_valid = preg_match(self::ID_REGEX, $settings['id']) === 1;
    $safe_id = $id_is_valid ? $settings['id'] : '';

    $style_parts = [];
    if (in_array($settings['align'], self::ALLOWED_ALIGNS, TRUE)) {
      $style_parts[] = 'text-align:' . $settings['align'];
    }
    if ($settings['bold']) {
      $style_parts[] = 'font-weight:bold';
    }
    if ($settings['italic']) {
      $style_parts[] = 'font-style:italic';
    }
    if ($settings['underline']) {
      $style_parts[] = 'text-decoration:underline';
    }

    $text = $this->resolveLabelText($settings, $field_definition, $items);

    if ($safe_tag !== '') {
      $id_attr = $safe_id !== '' ? ' id="' . $safe_id . '"' : '';
      $class_attr = $safe_class !== '' ? ' class="' . $safe_class . '"' : '';
      $style_attr = '';
      if ($style_parts !== []) {
        $style_attr = ' style="' . implode(';', $style_parts) . ';"';
      }
      $escaped_text = Html::escape($text);
      $html = '<' . $safe_tag . $id_attr . $class_attr . $style_attr . '>'
        . $escaped_text
        . '</' . $safe_tag . '>';
      $this->setWidgetTitle($field_widget_complete_form, Markup::create($html));
      return;
    }

styles should never be used to style HTML markup.
That code should use Xss::filter(), which also prevent cross-site-scripting vulnerabilities.

    if ($settings['singular_plural'] && str_contains($custom, '|')) {
      [$singular, $plural] = explode('|', $custom, 2);
      $singular = trim($singular);
      $plural = trim($plural);
      $count = $items->count();
      return $count === 1 ? $singular : $plural;
    }

That code only works for English; for other languages, that does not work. In Russian, for example the singular form is used for 1, 101, and other numbers for which the plural form would be used in English.

For four of the points I listed in my previous comment, I asked questions. Those points were not suggesting changes but expecting answers.

        toConfig: static function (array $submitted) use ($valid_bundles): array {
          $selected = array_values(array_intersect(
            $valid_bundles,
            array_keys(array_filter($submitted)),
          ));
          sort($selected);
          return $selected;
        },

May you describe what that code does and why is it necessary?

    if (preg_match('/[<>]/', $value) === 1) {
      $form_state->setError(
        $element,
        t('The custom label cannot contain the @lt or @gt characters.', [
          '@lt' => '<',
          '@gt' => '>',
        ]),
      );
    }

Why does the code check preg_match() returns 1?

        '#pattern' => '[a-zA-Z0-9_\\- ]*',
        '#element_validate' => [[static::class, 'validateLabelClass']],

Only one of those lines is usually necessary. May you describe the reason for using a custom validation handler?

      $form_state->setError(
        $element,
        t('The custom label cannot contain the @lt or @gt characters.', [
          '@lt' => '<',
          '@gt' => '>',
        ]),
      );

It is correct that using $this->t() is not possible in static methods, but what are the alternatives?

As a further note, these applications never require removing implemented features, as long as those features are not already provided by Drupal core and the code just need to be adjusted to use classes or functions made available by Drupal core.
Changing the code that was incorrectly building markup is correct, but removing code to avoid to correctly implementing a feature is not correct.