There are no messages displayed if install_node_export_import_from_file() fails, e.g. because the file either did not exist or could not be loaded.
Comment | File | Size | Author |
---|---|---|---|
#1 | install_profile_api-n402642-export_errors.patch | 524 bytes | DamienMcKenna |
Comments
Comment #1
DamienMcKenna
The attached file adds a dsm() to indicate the file could not be found or opened.
Comment #2
James Andres
Seems sensible to me. Committed.
Comment #3
dww
Where does the value of $file come from? %file or @file would be safer than !file.
Comment #4
DamienMcKenna
dww: $file is one of the arguments.
Comment #5
dww
That I understand. My point is where is $file coming from when this function is called? I know we're talking about an install profile, and therefore, user-supplied data isn't really a concern, but in general, it's better to be in the habit of writing secure code by default. Maybe this function is going to be reused in some context we don't anticipate. Better safe than sorry.
Comment #6
DamienMcKenna
dww: the command would be executed like this:
So the $file would be manually loaded by the admin.
Comment #7
dww
Sorry, I keep phrasing my comments in the form of a question. I don't have a question at all. ;) I'm making a statement. Let me be more clear:
API functions shouldn't assume they know exactly how they're going to be called at all times in the future, so they should be written to be as safe as possible for any possible use-case. API functions that generate HTML sent to a browser should always sanitize potentially user-specified data using core's existing text filtering functions.
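The difference between the !file, @file and %file placeholders raised in comment #3, and the sanitizing asked for in comment #7, shown as an added example that is not part of the original thread or the attached patch. It re-implements the placeholder rules of Drupal 6/7 t() in stand-alone PHP; the demo_* function names, the message text and the file name are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal core code: demo_* names are hypothetical.

// Same HTML escaping that Drupal's check_plain() applies to plain text.
function demo_check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Mirrors how t() treats each argument according to its placeholder prefix.
function demo_t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        // Escaped and inserted as plain text.
        $args[$key] = demo_check_plain($value);
        break;

      case '!':
        // Inserted verbatim: only appropriate for values already HTML-safe.
        break;

      case '%':
      default:
        // Escaped, then wrapped in <em> for emphasis.
        $args[$key] = '<em>' . demo_check_plain($value) . '</em>';
    }
  }
  return strtr($string, $args);
}

// Constructed input: a file name carrying markup, standing in for a value
// that reaches the API function from a caller nobody anticipated.
$file = 'exports/nodes<script>alert(1)</script>.inc';

foreach (array('!file', '@file', '%file') as $placeholder) {
  // Constructed message text; the wording in the actual patch is not shown on the page.
  $out = demo_t("Could not open $placeholder.", array($placeholder => $file));
  $status = strpos($out, '<script') === FALSE ? 'escaped' : 'RAW MARKUP';
  printf("%-6s %-11s %s\n", $placeholder, $status, $out);
}
```

Only the !file line reports raw markup; with @file or %file the same message can be passed to dsm() or drupal_set_message() without the file name being interpreted as HTML.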
Comment #8
James Andres
dww, I follow and agree.
I propose we consider a standard format for exported content that works with the install_profile_api project. Maybe the format is just a wrapper around the original export (e.g. from views, content_copy, etc.). A standard format would have the following advantages, and disadvantages:
Advantages
install_get_exports($type, $path) could be created
Disadvantages
Thoughts?
Comment #9
anarcat
I noticed this commit while doing the latest release notes... so I was under the impression this bug was fixed... could you try again with the latest release?
Comment #10
anarcat
Never mind me, I got confused by the date. I'll remove this bug from the relnotes, there clearly seem to be issues remaining to discuss.