Problem/Motivation
The Drupal\node\Plugin\Action\AssignOwnerNode
action allows assigning node ownership to the anonymous user. This is due to a typo in buildConfigurationForm()
: The key #selection_setttings
has three t's.
Steps to reproduce
- Login as a user with ['administer actions', 'administer users'] permissions.
- Visit admin/config/system/actions.
- Until #3163934: Remove raw DB queries in AssignOwnerNode::buildConfigurationForm() and always use autocomplete is fixed, create over 200 users on the site.
- Create an 'node_assign_owner_action' action.
- Configure the username.
- Type in 'Anonymous' and see that you can select UID 0 for this.
Proposed resolution
Fix the typo + prevent Anonymous user from being used for this action (as originally intended).
Remaining tasks
- Decide if #3094840: Allow assigning Anonymous owner in AssignOwnerNode action is worth worrying about before fixing this.
- Decide if we need a CR for this change.
- Commit.
User interface changes
'Anonymous' will no longer be an allowed value for the autocomplete when configuring a node_assign_owner_action at admin/config/system/actions.
API changes
N/A
Data model changes
N/A
Release notes snippet
'Anonymous' will no longer be an allowed value for the autocomplete element when configuring the username for a node_assign_owner_action at admin/config/system/actions.
Follow-ups
Comment | File | Size | Author |
---|---|---|---|
#52 | 2830504-52.patch | 3.53 KB | jungle |
#47 | interdiff-44-47.txt | 1.3 KB | jungle |
#47 | 2830504-47-test-only.patch | 2.55 KB | jungle |
Comments
Comment #2
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedComment #3
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedComment #4
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedComment #5
dermarioThis was a good finding! The fact that all test are fine after that change and obviously have been before, let me assume that this part has a lack of test coverage.
Comment #6
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedYou are absolutely right. I will write a SimpleTest for that.
Comment #7
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedI added a test that will fail with the original code and succeed with the included patch.
Comment #8
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedComment #9
dermarioComment #10
Dinesh18 CreditAttribution: Dinesh18 as a volunteer and at TATA Consultancy Services for Pfizer, Inc. commentedThis Patch #7 Works as expected !!
Comment #11
dermarioI also can confirm, that the patch in #7 works as expected. In my opinion this fixes a trivial security issue as an anonymous user can be selected, even it was not intended by an administrator. The attached test adds coverage that was missing before. Together with the feedback #10 i think its ok to set this issue to RTBC.
Comment #12
alexpottNice to see the new test coverage being added.
We're only testing the negative case. As we're adding new test coverage of the autocomplete field I think we should at least add positive test coverage that it works too.
Let's just change this to:
$this->assertIdentical([], $data);
There's no point making someone wonder what $expected equals.
Comment #13
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedHi alexpott
Thanks for your feedback. I will work on that tomorrow.
Jan
Comment #14
megadesk3000 CreditAttribution: megadesk3000 at Unic commentedHi alexpott
Sorry for the late reply. I did the changes proposed by you in 2) and 3).
Jan
Comment #18
Anonymous (not verified) CreditAttribution: Anonymous commentedRerolled #14 patch + slightly simplified test.
Comment #20
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedI don't think this new test adds any value, it is basically re-testing something that is already covered by
\Drupal\Tests\system\Functional\Entity\EntityReferenceSelection\EntityReferenceSelectionAccessTest::testUserHandler()
.The only thing that it's preventing is not allowing future patches to reintroduce the typo in
Drupal\node\Plugin\Action\AssignOwnerNode
, but chances of that happening are pretty close to 0 :)Comment #21
Anonymous (not verified) CreditAttribution: Anonymous commented#18: Fixed a potential flaw leading to a random error (among the 200 names there may be a combination of 'tor' that will return more than 1 user when searching for this name). + A little more simplification.
#20: @amateescu, if we can not correct a typo without giving a test, then what should we do?)
In fact, the test does not attempt to compete with other tests. It only checks the correctness of these lines:
For this purpose, he makes sure that the search is working (finds not anonymous users), and the
selection_settings
is correctly configured (does not find anonymous users), when more than 200 users.Comment #22
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedThis is the part that is already tested in
\Drupal\Tests\system\Functional\Entity\EntityReferenceSelection\EntityReferenceSelectionAccessTest::testUserHandler()
:)Comment #23
Anonymous (not verified) CreditAttribution: Anonymous commentedOkay) What if we leave only
Can we claim that the search filters anonymous? Yes, if in this test the filter is works at all. Otherwise, it can always return a empty data, and then in reality we can not guarantee anything.
For this reason, we need to be sure that the filter works in this test, and not in the other. In other words, we check the search with non-empty data not for checking the filter, but for self-testing the test ;)
Comment #25
Anonymous (not verified) CreditAttribution: Anonymous commentedUnrelated fail (perhaps after #2942769: Consolidate umami .htaccess files and testing.)
Comment #26
Anonymous (not verified) CreditAttribution: Anonymous commentedTo actually test the autocomplete widget, we need a JTB test. Now it's just a test of a specific parameter, in order to correct the typo in key.
If we do not need an additional self test, then I will delete it without any problems, of course :)
Comment #27
Anonymous (not verified) CreditAttribution: Anonymous commentedRemoved extra testing in accordance with #22.
Extended the comment on the creation of 200 users.
Quickfix - because it is a just nit typo. We can fix it with extra test coverage (#21), or with minimal test coverage (#27), or without test coverage at all.
Comment #29
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #32
idebr CreditAttribution: idebr at iO commentedClosed #3065171: Code mistake un AssignOwnerNode.php file as a duplicate issue.
Comment #34
matthieuscarset CreditAttribution: matthieuscarset as a volunteer and commentedClosed https://www.drupal.org/project/drupal/issues/3094840#comment-13357098 as a duplicate issue.
By the way, I think it is a little bit frightening to see that a simple typo (e.g. just an extra "t" in
selection_settings
) has not been solved since the issue was opened 3 years ago.Could we consider fixing the typo and maybe open a another issue for the missing tests explained in #26 and #27 ?
Comment #36
jungleRerolled the patch based on #27, meanwhile, removed the typo from core/misc/cspell/dictionary.txt. No interdiff/raw-interdiff as the patch size is very small.
Comment #37
jungleApplying IS template
Comment #39
dwwBasically looks great, thanks! A bunch of mostly trivial nits and 1 point of real substance at the end:
"Tests that the autocomplete field does not show the anonymous user."
"Create 200 users to force the action's configuration page to use an autocomplete field instead of a select field."
s/See/@see/ ? Although then it'd be 81 chars wide. :( Maybe just leave it like this. ;)
This works, but we don't depend on incrementing
$i
before evaluating it here. Core basically always uses$i++
so we should stick with that for consistency (unless we actually needed the++$i
behavior for something).s/that/that the/
s/ anyway//
s/url/URL/
Would this be cleaner with
$this->getSession()->getPage()->findField('owner_uid')
?I think the
xpath()
is clear enough, but some folks prefer to use the specific helpers instead ofxpath()
. /shrugSince it's a new assertion, let's not add the message argument. We're trying to get rid of those. ;)
#12.2 is not addressed. The test should also make sure autocomplete works like it's supposed to. ;)
Thanks!
-Derek
Comment #40
jungle@dww, many thanks for reviewing!
Addressing #39 and #12.2 by adding the following lines.
Re #39.3, instead of s/See/@see/, appended/moved
See
to the end of the previous line.Comment #41
dwwThanks, that was fast!
Interdiff would have been helpful...
Almost there:
Whoops, the function name no longer matches the scope of what's tested.
Maybe:
* Tests the autocomplete field when configuring the AssignOwnerNode action.
testAssignOwnerNodeActionAutocomplete()
?
Now that we have the assertions above, this could use:
// Make sure the autocomplete does not show the anonymous user.
Thanks!
-Derek
Comment #42
jungleI have made an interdiff, but forgot to attach, attaching first. sorry.
Comment #43
jungleAddressing #41
Comment #44
jungleInstead of using hardcoded account name "Anonymous", I'd like passing it the account name got from the system.
Comment #45
Berdirouch, this is weird. The code is also super ugly and does raw database queries against the user table. I'm seriously wondering if we should create a follow-up and kill that conditionial and just always an autocomplete? Other places don't do this either, the node edit form is always an autocomplete, so why bother with this?
Then in that follow-up we could just remove this part.
anonymous doesn't have an account name, it only has a display name.
So this is searching for ''.
Comment #46
dwwRe: #45.1 (see also #12.4): Yup, that's a good idea.
#3163934: Remove raw DB queries in AssignOwnerNode::buildConfigurationForm() and always use autocomplete
Re: #45.2: looks like we should go back to patch #43 then.
NeedsFollowup;)Cheers,
-Derek
Comment #47
jungle@Berdir, you're right, thanks! calling getDisplayName() instead.
Comment #48
dwwNote: unsurprisingly, some folks prefer the current behavior. ;) See #3094840: Allow assigning Anonymous owner in AssignOwnerNode action I don't think we should do anything about that here, but I wanted to raise visibility for that.
Comment #50
jungleExpected fail
Comment #51
dwwYou need to upload the test-only first, then the full patch, or the bot gets confused. You'll probably want to re-upload #47 so the last patch in here is the real / passing one.
Test failure is as expected:
No CS violations.
Other than the follow-ups, I have nothing else to complain about. ;)
Once the latest patch is the keeper, this is RTBC.
Thanks!
-Derek
Comment #52
jungleRe-uploading the patch in #47, thanks again, @dww!
Comment #53
dwwYup, that's the RTBC patch we need, +1.
Thanks!
-Derek
Comment #54
dwwGiving this a more specific name for a more useful commit message.
Comment #55
quietone CreditAttribution: quietone as a volunteer commentedUn-assigning megadesk3000 since they haven't worked on this since 2017.
Comment #56
dwwFixing the summary. Not sure we need a release note snippet for this, but adding one.
Comment #57
dwwActually, set these as remaining tasks:
I think only a committer can really decide those, so leaving RTBC.
Cheers,
-Derek
Comment #58
dwwAlso adding a Follow-ups section.
Comment #59
alexpottI've stared at this one a bit and I wonder if we should "do" #3094840: Allow assigning Anonymous owner in AssignOwnerNode action and forget about the original intention. Like that is how it is working already today. We allow nodes to be assigned to anonymous users as part of the user cancel process already.... ah I have answer for why not.
This is only the case on sites with more that 200 users. On sites with less you can't assign to the anonymous user because we do a select and dropdown list instead where we have
Also given that I don;t think we need a CR for this change. We've got all the follow-ups to address whether we want keep this behaviour and to move away from directly querying tables.
Committed c3152e5 and pushed to 9.1.x. Thanks!
Given this doesn't apply to 9.0.x without extra work and maybe someone will disagree about the lack of CR or the direction going to commit to 9.1.x only for now and see what, if anything, happens.
Comment #61
BerdirThought about that too, as there's also #3163934: Remove raw DB queries in AssignOwnerNode::buildConfigurationForm() and always use autocomplete, which removes those queries completely and maybe then we can include the anonymous part there? Assumig we can agree on that, but I think the argument is the same as the one I made for removing the select-mode. It's the same on the node edit form, it also allows to select anonymous, so why should this be different?