Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The Twig sandbox policy whitelists specific classes, this makes things less flexible.
Proposed resolution
Whitelist based on instanceof, not a specific class.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#27 | whitelist_instances-2623708-26.patch | 1.74 KB | lauriii |
Comments
Comment #2
star-szrI like #1 because it would be available from PHP too and there are probably use cases there. Not sure this is a bug but leaving that for now. Thanks @lauriii :)
Pseudo code:
$attributes = $attributes->merge($other_attributes);
{{ attributes.merge(other_attributes).addClass('kittens') }}
I'd think classes or other attributes we store as an array would add on (merge classes array) and string attributes would overwrite (ID from other_attributes would overwrite ID present in attributes for these examples).
And you could also do this I think if you didn't want the ID from other_attributes.
{{ attributes.merge(other_attributes.removeAttribute('id')).addClass('kittens') }}
Comment #3
joelpittetI think we can do this, though it's not a bug. This is a feature request and an API addition.
+1 to merge method on the object and maybe on AttributeValueBase
Comment #4
aspilicious CreditAttribution: aspilicious commentedWell I have troubles in DS. I tried to subclass Attributes to be able to merge now.
BUT than I get
Twig_Sandbox_SecurityError: Calling "mergeAttributes" method on a "Drupal\ds\DsAttribute" object is not allowed in "modules/ds/templates/ds-2col-fluid.html.twig" at line 28. in Drupal\Core\Template\TwigSandboxPolicy->checkMethodAllowed() (line 101 of core/lib/Drupal/Core/Template/TwigSandboxPolicy.php).
In TwigSandboxPolicy you need to overwrite "$whitelisted_classes" but you only can overwrite that in settings.php according to the documentation...
I guess that is for security reasons, so that a crappy module can't introduce security issues.
But it makes it impossible to fix my problem in twig.
The only way to fix this is merging everything in a preprocess function?
Comment #5
aspilicious CreditAttribution: aspilicious commentedUploading my patch again
Comment #6
aspilicious CreditAttribution: aspilicious commentedBut I can also create a twig function for now in DS.... (option 2)
Comment #7
chx CreditAttribution: chx commentedWhy array_merge_recursive? Do we expect the value of an attribute to be a list of arrays?
Comment #8
joelpittet@chx class is always an array
['class' =>['button']]
Comment #9
joelpittetOh nm, it's already looping through the attribute values, that's not needed.
Comment #10
lauriiiSome nits:
S/Attributes/Attribute
Missing dot
Extra line change
Comment #11
joelpittet@aspilicious thanks that looks like a great start. A couple of things:
Maybe it could accept arrays too that way we could pass in arrays in twig? What do you think?
And should we add maybe a test for twig integration as I'm sure this still runs into the Twig sandbox policy issue as it stands.
Comment #12
joelpittetBecause it's affecting contrib. I'm bumping and tagging.
Comment #13
lauriiiIn Twig filters it makes a little bit sense to make them support everything because in the template you might not know exactly what type of data you have. Adding support for arrays encourages people to use arrays instead of objects what I don't believe we want to do. I think we should create new issue for that and then there we could discuss that through and possibly create new method for that.
Comment #14
lauriiiI don't know what do you think but I would be happy to see it as simple as this.
I also hope we find a way to add this to 8.0.x since this seems pretty common use case (at least I've been struggling with this).
Comment #15
aspilicious CreditAttribution: aspilicious commentedfine by me...
Comment #16
aspilicious CreditAttribution: aspilicious commentedYou don't need to whitelist merge, the Attributes class is already whitelisted.
Comment #17
joelpittetOh I should have read that a bit closer, I thought it was
method
whitelisting notclass
whitelisting.Comment #18
joelpittetOh we invented the 'class' check in the
TwigSandboxPolicy
it's not part of the interface from Twig. We should really be checking ofinstanceof
. That may be an easier quick fix to this problem to allow the Attribute extending. And we can do that in 8.0.x then this merge function in 8.1.x. (quicker to production)Thoughts @aspilicious?
Comment #19
aspilicious CreditAttribution: aspilicious commentedYes sure, should be a separate issue if a core committer can accept this as a valid 8.0.x patch...
But it shouldn't be more than changing
Into something like this
Comment #20
aspilicious CreditAttribution: aspilicious commentedSo maybe this doesn't need a new issue...
Here is a patch that allows me to subclass.
Comment #21
joelpittetAdding a needs tag for the framework manager to approve this approach to get into 8.0.x. We can move the other patches to a follow-up issue. @lauriii could you do that please?
Comment #22
joelpittetComment #23
joelpittet@lauriii actually @aspilicious made one so let's just move your change over there #2623960: Improve the merge() method on Attribute objects
Comment #24
lauriiiThis looks good. Marking RTBC and waiting for framework managers review :)
Comment #25
star-szrComment #26
lauriiiComment #27
lauriiiOops. Posted test only twice
Comment #28
penyaskitoI walked through the patch with lauriii and explained what we are doing here. No nitpicks in code review.
Fix looks OK and test is testing correctly what it should, so I was going to RTBC it.
Then I found that an issue summary update is needed, so needs work for that.
Comment #31
aspilicious CreditAttribution: aspilicious commentedback to rtbc now summary is correct.
Comment #34
penyaskitoHide test-only patches so they are not tested all the time.
Comment #35
mikeker CreditAttribution: mikeker as a volunteer commentedSorry, late to the party because of the long weekend in the US...
FYI: The
instanceof
version of this code was removed in #2513266-106: Twig templates can call delete() on entities and other objects among some other performance tweaks, but was never profiled separately. I really can't imagine that this change would have much of an affect, but it might be worthwhile to profile this, just in case. (However, I'm not willing to set an RTBC'ed issue to NW for just that...)Regardless, I like #20 much better than #14 -- can't imagine what would happen if an Entity::merge() method were added... :)
Comment #36
aspilicious CreditAttribution: aspilicious commentedIn core there is only 1 class in the list, so the foreach isn't a problem (for core).
If your project needs 20 more classes this potentially could become a problem.
Comment #37
catchDiscussed with @alexpott.
We both think this is fine for 8.0.x.
I tried to think of theoretical breakage this could introduce, and wasn't able to in the end.
Comment #38
alexpottCommitted 27fe58a and pushed to 8.0.x. Thanks!