Problem/Motivation

While I'm opening this as major, as soon as we have a core or contrib update path that fails due to this code, it is going to become critical.

   // Replace User 1 with the user created here.
    // @todo: do this without saving the user account.
    /** @var \Drupal\user\UserInterface $account */
    $account = User::load(1);
    $account->setPassword($this->rootUser->pass_raw);
    $account->setEmail($this->rootUser->getEmail());
    $account->setUsername($this->rootUser->getUsername());
    $account->save();

We try not to save content entities in hook_update_N() because the schema might be out of sync, or hook invocations might rely on other schemas that also aren't outdated yet.

So our upgrade path test base class definitely shouldn't do it before updates have even run.

Proposed resolution

Any of these two would be better than the status quo:

1. Rely on the database dump having predictable values (admin, admin@example.com, pass) etc. and set $this->rootUser so they match.

2. Directly update the database tables with the values

Currently the MR adopts the proposed solution #2

Remaining tasks

User interface changes

API changes

Data model changes

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category Bug because saving an entity prior to running updates has the potential to cause unforeseen issues
Issue priority Major because we need confidence our update tests are as close to reality as possible
CommentFileSizeAuthor
#29 interdiff_2560237_27-29.txt661 bytesankithashetty
#29 2560237-29.patch1.41 KBankithashetty
#27 2560237-27.patch1.4 KB_utsavsharma
#27 interdiff_26-27.txt567 bytes_utsavsharma
#26 2560237-26.patch1.16 KBsmustgrave
#26 interdiff-3-26.txt1.97 KBsmustgrave
#3 update-test-entity-api-2560237.1.patch1.14 KBlarowlan

Issue fork drupal-2560237

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

catch created an issue. See original summary.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Assigned: Unassigned » larowlan

I wonder what option three is :)

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Assigned: larowlan » Unassigned
Status: Active » Needs review
StatusFileSize
new update-test-entity-api-2560237.1.patch1.14 KB

Went with option 2, option 1 relies on a known hash salt, which is not a good idea because I think that also means the simpletest cookie/header for the test User-agent could be easier to guess.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented
Issue summary: View changes
Status: Needs review » Reviewed & tested by the community 
+++ b/core/modules/system/src/Tests/Update/UpdatePathTestBase.php
@@ -294,14 +294,14 @@ protected function runDbTasks() {
+        'pass' => \Drupal::service('password')->hash($this->rootUser->pass_raw),

At first I thought this may be problematic, but it is a very basic service that isn't going to fire off hooks or anything else that might potentially interfere with the database prior to running updates.

I think the patch in #3 is good to go. I added a beta evaluation.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented

A bug report implies that we should have test coverage to ensure we don't reintroduce the bug. However, the issue summary seems to be talking about fear of a hypothetical bug, not that something's actually broken, so maybe this is fine?

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

Why wouldn't we do option 1?

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Reviewed & tested by the community » Needs review
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

Each child site gets it's own hash salt - so that would mean we'd have to hand-edit the database dumps to call out to the \Drupal::service('password') to set the hashed password in the dumps.

This would mean the dump command relies on manual intervention.

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented

Each child site gets it's own hash salt

and

This would mean the dump command relies on manual intervention.

seem like good enough reasons not to go with option #1 in the IS. Some of our partial dump files already use some very light-weight APIs like key value, so calling out the the password hashing service seems ok in this instance.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented
Status: Needs review » Reviewed & tested by the community

From \Drupal\simpletest\TestBase::prepareEnvironment

    // Reset settings.
    new Settings(array(
      // For performance, simply use the database prefix as hash salt.
      'hash_salt' => $this->databasePrefix,
      'container_yamls' => [],
    ));

So I'm pretty sure that means we can't have the hashed password in the dump in advance.

Setting back to RTBC to get on @alexpott and @webchick's radar (apologies if that's not the right thing to do).

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs review

I think the problem with this change is that is makes all alternate entity storage not upgrade path testable. Going to ping @chx for an opinion.

catch’s picture

catch
he/him
Primary language English
commented

@webchick we could test this by having a test module that breaks something in entity loading and saving until after updates are run.

That same test module could actually break the current approach though depending on what change we do - since the base class would need to be updated for any schema changes too, which is what @alexpott is getting at in #11.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

catch’s picture

catch
he/him
Primary language English
commented
Version: 8.9.x-dev » 9.3.x-dev
Category: Bug report » Task
Issue tags: +Bug Smash Initiative

I think alternative entity storages could override this method. We've been lucky that this hasn't caused a problem so far, given it's been six years with the code sitting there, moving to a task.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

quietone’s picture

quietone commented
Issue tags: -D8 upgrade path +D9 upgrade path

Updating tag.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave commented
StatusFileSize
new interdiff-3-26.txt1.97 KB
new 2560237-26.patch1.16 KB

Updated it for D10

Since it's a task does it still need a test?

_utsavsharma’s picture

_utsavsharma commented
StatusFileSize
new interdiff_26-27.txt567 bytes
new 2560237-27.patch1.4 KB

Tried to fix CCF for #26.

Status: Needs review » Needs work

The last submitted patch, 27: 2560237-27.patch, failed testing. View results

ankithashetty’s picture

ankithashetty
Location Karnataka, India
commented
Status: Needs work » Needs review
StatusFileSize
new 2560237-29.patch1.41 KB
new interdiff_2560237_27-29.txt661 bytes

Tried to fix the phpunit errors by replacing the deprecated method getUsername() with getAccountName().

Thanks!

smustgrave’s picture

smustgrave commented
Status: Needs review » Reviewed & tested by the community

Thanks @ankithashetty and good find!

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 29: 2560237-29.patch, failed testing. View results

smustgrave’s picture

smustgrave commented
Status: Needs work » Reviewed & tested by the community

Random ckeditor5

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work 
+++ b/core/tests/Drupal/FunctionalTests/Update/UpdatePathTestBase.php
@@ -298,14 +297,14 @@ protected function runDbTasks() {
   protected function replaceUser1() {
-    /** @var \Drupal\user\UserInterface $account */
-    // @todo Saving the account before the update is problematic.
-    //   https://www.drupal.org/node/2560237
-    $account = User::load(1);
-    $account->setPassword($this->rootUser->pass_raw);
-    $account->setEmail($this->rootUser->getEmail());
-    $account->setUsername($this->rootUser->getAccountName());
-    $account->save();
+    Database::getConnection()->update('users_field_data')
+      ->fields([
+        'name' => $this->rootUser->getAccountName(),
+        'pass' => \Drupal::service('password')->hash($this->rootUser->pass_raw),
+        'mail' => $this->rootUser->getEmail(),
+      ])
+      ->condition('uid', 1)
+      ->execute();

I think we could do with a comment to explain why we're doing it like this - so no one thinks this is a good idea to copy and to put into real run-time code.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

bhanu951 made their first commit to this issue’s fork.

bhanu951 opened merge request !9693

bhanu951’s picture

bhanu951 commented
Status: Needs work » Needs review

Reroll of #29 and added comment as suggested in #33.

smustgrave’s picture

smustgrave commented
Status: Needs review » Needs work

Can issue summary be cleaned up some. Appears to have 2 solutions but not highlighted which.

bhanu951’s picture

bhanu951 commented
Issue summary: View changes
bhanu951’s picture

bhanu951 commented
Status: Needs work » Needs review
Issue tags: -D9 upgrade path

Updated IS. Setting NR.

amateescu’s picture

amateescu commented
Status: Needs review » Reviewed & tested by the community
Related issues: +#3363732: entity.last_installed_schema.repository has a race condition

Looks ready to me!

This is a blocker for #3363732: entity.last_installed_schema.repository has a race condition.

catch’s picture

catch
he/him
Primary language English
commented

Left one suggestion on the MR.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Version: 11.x-dev » 10.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 8b53ceb644 to 11.x and a113593f22 to 10.4.x. Thanks!

  • alexpott committed a113593f on 10.4.x 
    Issue #2560237 by bhanu951, smustgrave, _utsavsharma, ankithashetty,...

  • alexpott committed 8b53ceb6 on 11.x 
    Issue #2560237 by bhanu951, smustgrave, _utsavsharma, ankithashetty,...
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

bhanu951 closed merge request !9693