Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
List of authentication providers consists of module names, which are defined them. In this case an authentication cannot be configured, because providers with such names aren't exists.
The way it looks now
How it should look?
The way it dumped to config
How it should be dumped?
Proposed resolution
Correct a computation of the authentication_providers
variable for DI container inside of \Drupal\Core\DependencyInjection\Compiler\AuthenticationProviderPass::process()
method.
Correct a computation of the options list for configuring the authentication (\Drupal\rest\Plugin\views\display\RestExport::getAuthOptions()
).
Remaining tasks
None.
User interface changes
None.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#132 | interdiff-deprecated-docs.txt | 932 bytes | xjm |
#132 | 2825204-131-8.4.x.patch | 19.45 KB | xjm |
#132 | 2825204-131-8.5.x.patch | 19.5 KB | xjm |
#128 | interdiff-from-115-8.4.x.txt | 3.94 KB | xjm |
#128 | interdiff-from-111-8.5.x.txt | 3.99 KB | xjm |
Comments
Comment #2
BR0kENComment #3
BR0kENComment #4
BR0kENComment #5
tim.plunkettFrom what I can see, that test change would pass without the code change. This would need actual coverage to prove the bug.
Also, why doesn't this require a config schema change?
Comment #6
BR0kENWe can try to compare in this way. Schema was not changed since
display_options
do not have strict mapping.Comment #7
tim.plunkettOkay so you're asserting that the resulting data structure is what you expect.
But this is tagged as a major bug.
What functionality is broken that fixes?
Let's test that!
Comment #8
BR0kENI didn't get what you mean.
Exists an issue which block configuring REST authentication for Views. It is exists, because earlier settings was stored as an associative array and now - as an indexed. On the first screenshot you can see that, instead of auth providers, we can chose modules, defining them. Since `user` - is not auth provider, then authentication result will be negative. Exported configuration of that view will look like what you can see on the second screenshot.
Comment #9
tim.plunkettYou effectively wrote a unit test. I'm asking for an integration test.
Even if it's something clicking around the UI, if something is broken, we need to be able to expose that with a test to prevent regressions.
Just saying "the format was one way and now it's different" doesn't mean anything for a bug to be major.
Comment #10
BR0kENIt is subjective, of course. For me bug is major because I'm not able to configure authentication for REST views. How can I continue work with a view if I can't see the resulting output? Nohow.
To reproduce this, create a view with "rest_export" display type and try to set an authentication.
Comment #11
tim.plunkettThen to test this, write a test that creates a view with "rest_export" display type and try to set an authentication.
Comment #12
BR0kENI thought to not do this we have the
views.view.rest_export_with_authorization.yml
file. Was I wrong?Comment #13
tim.plunkettThat's unrelated. You would want to have a view that does not yet have an authorization/authentication, and then set one via the UI, thereby exposing the bug.
Comment #14
BR0kEN@tim.plunkett, thanks for your reviews, mate.
Comment #15
BR0kENAny news on this? I'd really want to have this fixed.
Comment #16
tim.plunkettIf you remove the bug fixes and run that test, it still passes. That means it's not actually testing anything.
The goal is to write a test that will fail, and then only pass once the fix is added. We ensure this by posting "test-only" patches alongside the full patch.
Comment #17
BR0kENThank you, Tim! Your review is quite helpful.
Here is the failing test case.
Comment #18
BR0kENAnd here is the patch that solves the problem.
Comment #20
Loparev CreditAttribution: Loparev commentedComment #22
BR0kENBringing back RTBC.
Comment #23
tim.plunkettJust to make the title less scary
Comment #25
BR0kENComment #26
Wim LeersI have no idea what "variable contains conformity" means.
s/variants/providers/
This looks logical. :)
Comment #27
Wim LeersSorry for bumping it back, but after this it's definitely RTBC again! :)
Comment #28
BR0kENHope now it'll be fine.
Comment #29
swentel CreditAttribution: swentel at eps & kaas for MuseScore commenteddo we need an upgrade path and/or upgrade path test, or am I to worries ?
Comment #30
BR0kENAccidentally forgot about an interdiff.
@swentel, existing configuration works properly, since only values are used. In old variant an array is associative, where key and value are equal to each other.
Comment #31
Wim Leersswentel is asking whether we can provide an upgrade path that "fixes" broken configuration, I think.
Comment #32
dawehnerI agree, let's fix what is possible. We deal with security here, so better be safe than sorry.
Comment #33
BR0kEN@dawehner, is it not enough tests in
RestExportAuth
? Initially I've provided the failing test case and then updated the code.Comment #34
BR0kEN@dawehner ??
Comment #35
Wim LeersI think @dawehner meant this.
Comment #36
dawehnerYeah exactly :) Thank you @Wim Leers
Comment #37
BR0kEN@Wim Leers, @dawehner: just to be sure: those tests means that old configuration will work after applying the patch?
Comment #38
tim.plunkettAn update path will ensure old configuration will work, yes.
An update path test is to ensure that the update path works.
This needs both.
Comment #39
dawehnerHere is an update path + a corresponding test.
Note: This is not only a problem for REST but also for stuff like CSV exports.
Comment #41
BR0kENRe-roll for
8.4.x
.Also, #39 didn't applied smoothly against
8.3.x
.Comment #42
BR0kENComment #43
dawehnerWhy do you have an interdiff for a reroll?
Comment #44
BR0kENBecause tests were not correct.
Comment #45
dawehnerWell, then its obviously not a reroll ;)
Comment #46
BR0kENYeah, sorry for that. Initially I wanted to make a re-roll, but found out some issues and did additional changes.
Comment #47
dawehnerHonestly, I don't get why you renamed files. This makes the interdiff harder to read than needed :(
Comment #48
pcambraConfirmed this problem, I've tested this manually by creating a view with user authentication and another using the contrib simple_oauth, both present the problem described (user defines a "cookie" authentication method and simple_oauth defines a "token_bearer" one).
After applying the patch on #41 and run the updates, for the user view, the problem is fixed, but for simple_oauth, the update is not performed.
I think this piece should be made more generic:
Will this patch need to be backported to 8.3 and 8.2?
Comment #49
pcambraDid a plain re-roll of #39 for 8.4.x to try to facilitate the process.
Comment #51
pcambraHere are the changes from #41 with an interdiff after the reroll
Comment #52
pcambraAnd here's a proposal for solving the issue in #48 about contrib modules that might provide authentication services.
Comment #53
Wim LeersThis now needs to be
8401
, since this is going into Drupal 8.4.x.Hm, why are we deleting the old update path test?
Why are we deleting the old update path test? We still need that old update path test!
It's fine to copy it, but we should also keep existing tests.
Comment #54
BR0kEN@dawehner, in #47 I've fixed the problem which @Wim Leers mentioned in #53. There were removed old tests.
Comment #55
BR0kENComment #56
pcambraI was a bit lost on the deleted/moved tests, thanks @BR0kEN. I think comments on #53 are solved, moving this to RTBC.
Not sure what current policies are but we should maybe try to backport this to 8.3 and 8.2?
Comment #58
BR0kENUpdated version.
Comment #59
pcambraBack to RTBC
Comment #60
dawehnerThank you, that looks great!
Comment #61
BR0kENHope to have this onboard during these days. I'm here for further interaction :)
Comment #62
BR0kENComment #63
rachel_norfolkI've read through this and I'm not entirely understanding how to tell if it is "fixed". I'm sure it is but some evidence might help a core committer to easily accept it. Can I suggest jumping up on stage at DevDays and asking for one of the 1st time contributors to run through it and create before and after screenshots etc?
If you can explain to them what the difference is and how to test, it might help improve the issue summary, too?
Comment #64
DuaelFrCleaning tags :)
Comment #65
iMiksuYeah, lets try to provide screenshot after the fix.
Comment #66
BR0kENHope this helps. Not sure what additionally can be described here.
Comment #67
tstoecklerThis was introduced in #39, but not with a real explanation in the issue. The code comment also doesn't really help. Shouldn't
calculateDependencies()
only be called onsave()
at which point the option should have been fixed?In my opinion this needs some further explanation at least. It seems as though this could leave config in a corrupt state due to missing dependencies, but I'm not sure.
Comment #68
dawehnerIt is indeed a good question. I never looked deep into it:
Tl;DR
block_content_8300</block updates entity definitions, which triggers views to clean up its tables potentially: <code>\Drupal\views\EventSubscriber\ViewsEntitySchemaSubscriber::onEntityTypeUpdate
resaves all the views. I think the current patch is alright ... you can never guarantee that not some other update functions run before your one.To be honest I would have not expected view entities to be saved when entity schema changed, that for itself seems a bit fishy, but its how it is right now.
Regarding the screenshots, I hope they were not really required :)
Comment #69
BR0kENThanks, @dawehner! Hope it's the answer on the @tstoeckler's question. Will wait for RTBC again.
Comment #70
tstoecklerBut we have
hook_update_dependencies()
just for that. And I think it would be better to implement that and maybe even write a change notice if other modules are doing something similar, than to potentially have corrupt config? I'm still not 100% sure that you actually do get corrupt config, but if that is the case, I think we should try to avoid it if at all possible. AFAICT @alexpott was also very adament about this over in #2468045: When deleting a content type field, users do not realize the related View also is deleted.Comment #71
dawehnerThis hook is really about just your local scoped
.install
file. You cannot know which all update hooks out there might run before yours.Comment #72
tstoecklerHmm... still not 100% sold, but let's see what committers think.
Comment #73
tstoecklerMeh, wanted to do this.
Comment #74
alexpottDiscussed with @catch - we think we need to fix this using hook_ENTITY_TYPE_presave() so that default views supplied by contrib and custom modules can be updated too. This means the hook_update_N() needs to be moved to post update and just determine which views need to be saved again and save them.
Comment #75
dawehnerWhile I totally agree that we should fix this problem, I'm not 100% convinced that this should block committing this patch, because, well, every module which ships with such a REST view at the moment is essentially broken, aka. has a bug. These views would have never worked for anyone, so these modules, from my point of view, in case anyone tested this piece of functionality, would have not shipped with the particular view in the first place.
Comment #76
BR0kEN@alexpott, are you proposing to have permanent hook for fixing temporary problem?
Comment #77
Wim LeersThis bug was reported again at #2874418: REST views: Authentication Error when using Simple OAuth authentication.
Comment #78
Wim LeersAll other "REST views" issues are in the
rest.module
component, are tagged , and all their titles start withREST views
. Let's do the same here.Comment #79
Wim Leers:)
Comment #80
dawehnerI was sure we would need something on page load level, but its actually just save time. I'll ensure we have that as well as a test.
Comment #81
dawehnerHere is a fix together with a test.
Comment #82
Wim LeersNit: Let's add
@see rest_update_8401()
to the docblock?
I was going to say
, but then I realized there's a very good reason: update functions cannot depend on any other code. And other code cannot depend on update functions.So +1 for this duplication.
Comment #83
dawehnerThank you for your instant review @Wim Leers!
I forgot to mention that I found #2877981: \Drupal\rest\Tests\Views\RestExportAuth is missing the Test prefix along the way.
Sure, why not.
Comment #84
Wim LeersComment #85
Wim LeersEhm this is an entirely new test… so let's fix it here instead of having the follow-up #2877981: \Drupal\rest\Tests\Views\RestExportAuth is missing the Test prefix :)
Comment #86
dawehnerOh nice, point! We can also ensure to not extend from the deprecated base class anymore.
Comment #88
dawehnerComment #89
Wim LeersRandom fail in
Drupal\aggregator\Tests\AggregatorCronTest
.Comment #90
Wim LeersThis is just clean-up AFAICT.
Does
user
meancookie
?This is confusing.
Comment #91
dawehner@Wim Leers
There are test configurations to ensure that the update path is working.
Comment #92
effulgentsia CreditAttribution: effulgentsia at Acquia commentedThere's duplicated code between these functions. Is there a reason not to do
rest_update_8401()
as apost_update
instead that just resaves the views without duplicating the logic that's in the presave()? Similar toviews_post_update_revision_metadata_fields()
?The IS screenshot for how this is currently stored in config is different than what this line is in HEAD. Is the screenshot outdated, or is this test file incorrect in HEAD?
Comment #93
effulgentsia CreditAttribution: effulgentsia at Acquia commentedI'm asking #92.2, because if what's in HEAD already contains all the information we need (unlike the claim that's in the IS), then what's the motivation for changing the schema? Even if doing so simplifies the schema, seems like that should be a cleanup task that's separate from what's needed to fix the bug.
Comment #94
Wim Leers#91:
hook_update_N()
implementations cannot share/reuse any code with the "regular" codebase. Because they must forever continue to work in the same way. So this is correct.path: frontpage/list/articles
, which certainly is nowhere in core, not even in tests. The code you're citing is a test that we're updating.I agree it's confusing though, that's why I asked about this in #90.1 too. But note that
views.rest.schema
specifies this is a sequence. Which means you can use arbitrary keys, they're ignored anyway. AFAICT this was just a small bug/bit of roughness that was introduced in #2228141: Add authentication support to REST views.#92: this is not changing the schema. Config/config schemas are less strict than you'd think. Any map in config is also a sequence… I've been confused by this in the past as well.
However, I agree it's a cleanup task that does not belong here, because clearly we both find it super confusing.
So: NW for #93/#92.2/#90.1.
Comment #95
dawehnerI totally agree, code duplication is not as evil as we pretend it to be, especially when they are responsible for different part of the system (update vs. import).
I made a
So we should certainly have an actual example in our tests, and well
is how an actual real life example looks like. Using the module name here is the actual problem of the issue, so we should certainly have this as part of the test itself. We can drop the change for the
basic_auth:basic_auth
test case, so let's do that.Comment #97
dawehnerwow, this space matters :)
Comment #98
Wim Leers:D
Comment #100
Wim Leers#95 reverted the changes that confused @effulgentsia in #92.2 (and me in #90.1). Except a space was accidentally still being deleted, which was fixed in #97. Now, zero changes remain in
core/modules/views/tests/modules/views_test_config/test_views/views.view.rest_export_with_authorization.yml
, therefore removing an unnecessary/distracting change, and also proving that we're not changing the test coverage to make the tests pass.Comment #101
damiankloip CreditAttribution: damiankloip at Acquia commentedA few points (sorry! forgot about this issue), nice work on test coverage by the way!
I wonder if this should be done in the constructor when we set it to the property?
This can be removed.
This comment seems wrong, $import_test_views will default to TRUE in the parent constructor too. So test views are being imported? :)
Shouldn't we test a POSTing of the form here too (after this hunk), then we can check the config options that were set from that?
This param can be removed.
We don't need to pass this in.
Comment #102
Wim LeersThis bug was reported again: #2909757: RestExport views display authentication providers.
Comment #103
dawehner#101
1. Done
2. Note: You cannot remove parameters in a subclass if the parent class has them ...
3. He, fair
4. Good idea, let's do that.
5. See 2.
6. While we don't have to, removing the parameter is not possible so meh.
Comment #104
Wim LeersThanks!
Comment #105
damiankloip CreditAttribution: damiankloip at Acquia commentedAh, right. Missed/forgot that in ViewsKernelTestBase. There is some whitespace in the latest patch, I think this can be fixed on commit though.
Comment #106
dawehnerLet's not the core committers bother with it
Comment #108
dawehnerSorry, that was the wrong patch.
Comment #109
damiankloip CreditAttribution: damiankloip at Acquia commented+1
Comment #111
Wim LeersThis probably no longer applies because both #2846614: Incorrect field name is used in views integration for multi-value base fields and #2449143: REST views specify HTML as a possible request format, so if there is a "regular" HTML view on the same path, it will serve JSON landed in the past 24 hours, this is a 3rd major Views bug affecting API-First.
There was only one conflict, with #2449143: REST views specify HTML as a possible request format, so if there is a "regular" HTML view on the same path, it will serve JSON:
Was trivial to resolve.
Comment #112
larowlancrediting reviewers
Comment #114
larowlanFixed on commit
Committed as 40b143f and pushed to 8.5.x.
Comment #115
Wim Leers#111 was rolled to adjust the patch for a change committed to 8.5. The patch in #108 still cleanly applies to 8.4.
I've essentially reverted the change in #111 to get this patch.
Comment #116
xjmThanks -- I agree it would be much better to use the actual names of the authentication providers. Also glad to see that thought was given to fixing the config dependency calculation based on this as that was my first concern reading this issue.
Nit: this should have parens.
This comment is a little weird. I think we can fix it by removing the hyphen (or is it an emdash? :P) and comma. Also it's not usual to use "choosing" without an object. I can't really parse out what it means to suggest an improvement, unfortunately. Is this true?
But it seems really confusing to have the parameter and the property with almost-the-same-name but totally different values. Can we instead change or deprecate one or the other?
Maybe it would be good to reference where the structure of
authenticationProviders
if it's documented elsewhere?This is similarly opaque. Can we make this clearer? I.e. "Previously... Now..." This might be easier if we do indeed change and deprecate the name of the property as I suggest above, rather than changing what the string values are.
...Hmmm just saw that this has already been committed to 8.5.x. Followup or revert? I do think point 2 above (edit: about the property and parameter having inverted values) is worth considering.
Comment #117
Wim LeersI'm inclined to say
, but whichever you prefer is fine.(I noticed point 2 too, but figured it wasn't worth it in the grand scheme of things — this is a major bug breaking a significant use case. Obviously I should've insisted on making the comments clearer.)
Comment #118
dawehnerI'm confused, for me a follow up makes much more sense. At least for me fixing the bug is super important, so iterating on top of that makes sense for me at least.
Feel free to disagree, but I opened up #2917527: Address post commit review from xjm in #2825204
Comment #119
Wim Leers👍
Comment #120
Wim LeersPer #118, back to RTBC.
Comment #121
dawehnerThe follow up is now ready to be reviewed.
Comment #122
adrianpintilie CreditAttribution: adrianpintilie commentedThe patch doesn't fix this: https://www.drupal.org/node/2874418
simple_oauth doesn't work with REST views export. Only basic_auth works fine.
Comment #123
adrianpintilie CreditAttribution: adrianpintilie commentedI stand corrected, applying the patch fixes also: https://www.drupal.org/node/2874418
Comment #124
Wim Leers@adrianpintilie thanks for testing and confirming this also fixes #2874418: REST views: Authentication Error when using Simple OAuth authentication! (Which is already a related issue since May, see #77.)
Comment #125
xjmBut now we're in a situation where both issues are in the RTBC queue, committed to different branches, and reviews are fragmented across two issues. Plus there's an internal BC break in this one that the other fixes, which is one thing for 8.5.x but quite another for backporting it. So let's revert and reroll it together.
Comment #127
xjmPatches for both branches, with:
And then just one other thing to check:
I think this is "Authentication provider modules, keyed by provider ID." ? Edit: It's the deprecated property's description.
Comment #128
xjmInterdiffs.
Comment #129
Wim LeersManually diffed #111 against @xjm's 8.5 patch and #115 against @xjm's 8.4 patch. Looks good.
RTBC++
Comment #130
dawehnerFair, a review is easy. I just want to ensure we don't forget about this issue again for a couple of months :)
Comment #131
xjmAttached addresses my last point from #127. (Because the docs for the two different properties were identical aside from the deprecation notice, which was also pretty confusing.) Setting NR to double-check the example.
Comment #132
xjm:( d.o ate my patches.
Comment #133
dawehnerI would have personally used an @see to avoid duplication, but I also don't care about deprecated docs that much :)
I'm glad someone ensures that d.o. is healthy on some level.
Comment #134
Wim Leers#132's improved description is correct, but there's a new typo:
Aunthentication 😀
🤣🤣🤣
Comment #135
xjmNow envisioning a children's book about Aunt Hen and Uncle Rooster.
Comment #138
xjmAlright, since all I did was combine two patches and add some docs, and especially since @larowlan already signed off and committed this once, I'm comfortable doing so again.
So, committed to 8.5.x and 8.4.x both. I also fixed "Aunthenitcation" on commit. Thanks everyone!
Comment #139
dawehnerDrupal, the only system which ships with Aunthenitcation as well as Unclethenitcation.
Comment #140
aalaap CreditAttribution: aalaap as a volunteer commentedI was able to apply this patch and get it working at my end, but it resurfaced for me. I wasn't able to fix it, even after clearing caches and re-uploading the patch, so I had to do a complete site restore. I figured out the trigger - this seemed to be happening after disabling caching and enabling twig debugging in settings.php and services.yml respectively. Even reverting those changes doesn't fix the problem, though - i still see 'user' instead of 'cookie'. I restored the site yet again and, this time, I'm leaving debugging and caching alone.
Comment #141
Wim Leers#140: It sounds like you perhaps did not run
update.php
?Comment #142
aalaap CreditAttribution: aalaap as a volunteer commented#141: I did try update.php as well as rebuild.php, but it had no effect. That's why I had to restore a whole site backup.
I'd like to add that I only updated the rest module in the live 8.4.0 installation with the one from 8.4.x-dev. Maybe the issue will resolve itself when I upgrade to the next 8.4 release.
Comment #143
Wim Leers😨 … that is guaranteed to cause problems, and most definitely unsupported. You must update all of Drupal, not copy/paste parts from newer versions. That's equivalent to hacking core!
Comment #144
aalaap CreditAttribution: aalaap as a volunteer commented#143: I like to live dangerously! :D
Thanks for your assistance. I'm now upgrading to 8.4.1!
Comment #145
Wim LeersHah :D