Updated: Comment #N

Problem/Motivation

Look at Drupal\Core\Extension\ModuleHandler class. It's a mess. There are horrors in there like removeCacheBins() that is not something the module handler should ever care about.

Proposed resolution

Inject the event dispatcher into the module handler and fire events for module related hooks.

Remaining tasks

Patch, decide on how to deal with existing hooks.

User interface changes

None

API changes

Addition of module events.

Maybe not deprecation of hooks? Not sure.

This is a follow-up to #1577: Mapping privilege separation on non-SSL/SSL.

Steps to reproduce:

• Install HEAD
• Apply the following patch, which sets the #https key on the comment reply form (obviously users will use hook_form_alter; hacking comment.module is for demonstration purposes)
  
  --- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1836,6 +1836,7 @@ function comment_form($form, &$form_state, $comment) {
   // comments on nodes.
   if (empty($comment->cid) && empty($comment->pid)) {
     $form['#action'] = url('comment/reply/' . $comment->nid);
+    $form['#https'] = TRUE;
   }
   if (isset($form_state['comment_preview'])) {
• add $conf['https'] = TRUE; to settings.php
• log as admin via https://example.com/user (SSL)
• create an article node
• navigate to http://example.com/node/1 (PLAIN HTTP)
• Submit the comment form.

Expected result: The comment is saved.

Actual result: "This form is outdated. Reload the page and try again. Contact the site administrator if the problem persists."

For a more thorough demonstration, you can grab the DRUPAL-7--1 branch of securepages and run the tests.

I think it's caused by the dual session cookies, which causes session_id() to vary between requests, which means form tokens don't validate. I assume (though haven't tested) this would also cause anything that relied on drupal_valid_token() (such as /comment/42/approve?token=bczrJ7m...) to fail if redirected to HTTPS.

In D6, the securepages_prevent_hijack module implements similar dual-cookie functionality. However the secondary secure cookie isn't an actual PHP session cookie, it simply a hash from drupal_get_token() that authenticates the primary session. In this way session_name(), session_id(), and drupal_valid_token() work normally.

One last note - I realize an insecure form with an HTTPS action is not secure at all - there's no way to know the form itself hasn't been tampered with. An attacker could rename all the form elements, and substitute them with hidden fields of his own choosing. Or install a javascript keylogger. Or steal the form token and use it for an XSRF. Similarly, redirecting an unencrypted ?token=bczrJ7m link is asking for XSRF.
Nonetheless, we have the #https FAPI key - which appears to have been designed to support this use case.

Updated: Comment #31

Problem/Motivation

As has been mentioned elsewhere, we don't yet have guidelines on when and how to use string contexts (= translation contexts). Due to lack of guidelines every developer/module maintainer re-invents the wheel and decides on their own context strings. This results in a great variety of contexts, some good, some not. Further, the lack of guidelines for context, makes it difficult for module/core maintainers to accept string context suggestions. As a result discussions come to a standstill or bad contexts get accepted.

For examples of real-life string context issue, see the list of issues tagged with "string context".

Proposed resolution

Create a description of string context for both developers and translators. Including criteria for string context and examples of good and bad contexts.

Remaining tasks

• Agree on criteria for string context
• Complete the string context documentation page with this information.
• Get this documentation promoted to be a coding standard page.

(#20)

String context criteria

Define a context that:

• Fixes an actual translation problem that has been identified due to the lack of context.
• Allows a translator to distinguish the meaning of the string and decide on the right translation.
• Is reusable.
• Provides information on the meaning of the string.
• Is short and concise (phrase rather than a full sentence).
• Only add the context to the string in the deviating context. The dominant use of the string does not receive a context.

Avoid the following in context definition:

• Linguistic contexts like: "Verb", "Noun" or "Dative". This usually does not provide enough distinction
• "Module name". Module names are usually not translated. If the module name is the donimant use of the string, it will not receive a context.
• Don't use a module name. It silos the use within (groups of) modules and prevents collaboration between modules.
• Don't use functional part of the module where the string is used (e.g. "Block"), function name or php class name. This is not re-usable and this context may change over time.

Related issues

• #1034882: Make list of contexts used more evident for developers

Arguments from the original report by @zirvap

• Context is used to give additional information about strings to translators, for strings which would otherwise be difficult to translate well.
• General rule of thumb: If a string has several possible meanings (ie. "May" which can be both the complete month name and a three-letter abbreviation of the name), we use the bare string for one meaning, and add context to others. For instance: "May" without any context is the abbreviation, "May" with context "Long month name" is the complete name.
• Contexts should be reused. (For instance, a contrib module should not introduce "May" with context "Complete month name", it should reuse the core context.
  (#1034882: Make list of contexts used more evident for developers is necessary for this)

In DrupalWebTestCase, getAbsoluteUrl eventually calls url(). The url() function uses the $base_url set by the simpletest runner, not the internal web browser. One result of this is it's impossible to POST to an https URL.

Goal → MVP

1. As a distribution profile author, I'm easily able to inform the installer that only my distribution profile is to be installed, so that (1) I do not have to fork Drupal and so that (2) downloading my distribution package from drupal.org makes any sense in the first place.

2. As a distribution profile author, I can control the entire installer experience, including the theme, starting from the very first installer screen, so that I can tailor my product for the target audience.

3. As a distribution profile developer, I do not have to resemble or depend on any drupal.org specific release packaging script mechanics (that may or may not happen in ~2018), so that I can simply git clone my project repository + rock on.

Proposed solution

Proudly introducing...

Distribution installation profiles

Usage

Beautiful simplicity in $profile.info.yml:

Anatomy

1. The new 'distribution' info file property is optional and not required. → If no installation profile specifies it, then the installer operates as usual: Regular Drupal installer, regular profile selection, etc.

2. The 'distribution' info file property denotes that an installation profile is a distribution, which takes over the installer. → By definition, if you install with a profile that defines a distribution name then you are no longer installing "Drupal".

   Logical reverse condition: If you no longer install Drupal, then any installation profile, whose distribution name is not "Drupal", is hence (1) a distribution and (2) to be treated exclusively.

3. Next to the distribution name, a distribution profile can override additional installer environment parameters, such as the theme.

   Note: The goal of this patch is to establish the basic architectural functionality. Only the installer theme can be set at this point. The info file definition format is intentionally prepared to allow for other overrides. Further installer settings (langcode, translation server, etc) can be easily added and implemented in separate follow-up issues at any time (even after 8.0.0). There might also be use-cases for non-installer parameters, hence the nested 'install' key. Any additional settings should not be added prematurely; they should be based on actual distribution author feedback.

Live example

via Portfolio:

→ Just hit the installer.

API changes

1. The optional 'exclusive' (Boolean) flag and the optional 'distribution_name' property in installation profile .info.yml files have been replaced with the 'distribution' property:

   Drupal 7

   distribution_name = Commerce Kickstart
exclusive = 1

   Drupal 8

   distribution:
  name: Commerce Kickstart

   Note: The install.php?profile= URL query parameter can still be used to manually override the automatically preselected installation profile.

2. The behavior of the installer when multiple exclusive/distribution profiles are discovered has been changed:

   • In Drupal 7, if the installer discovered multiple 'exclusive' profiles, then no profile was preselected.
   • In Drupal 8, if the installer discovers multiple 'distribution' profiles, then the first discovered is preselected and others are ignored.

3. Distribution installation profiles are now able to override further aspects of the installer environment:

   distribution:
  name: Commerce Kickstart
  install:
    # Theme to use in the installer.
    theme: commerce_kickstart_admin

4. Distribution installation profiles now fully participate in the entire early installer environment (as if they would be a regular module).

   This means that the installation profile can implement any kind of module hook.

Notes

1. This work is not to be mistaken with installation profile inheritance à la base themes.
   → #1356276: Make install profiles inheritable

2. Support for multiple installation profiles in a distribution is a separate and different feature request.
   → #2186949: Allow a distribution to ship with multiple installation profiles (of which one can be selected in the installer)

.

.

.

Original summary

This came up in #1260716: Improve language onboarding user experience with the code suggestion I'm going to post soon (assuming that one gets committed) and in #1337554: Develop and use separate branding for the installer to make it possible for distros to make changes to the installer before they are selected.

1. It was always an issue for distros to pre-select themselves, effectively skipping the install profile selection page. There are various tricks Open Atrium and other distros used to overcome this and skip the profile selector by redirecting the user in the installer.
2. #1260716: Improve language onboarding user experience moved the language selector before the profile selector so it removed the possibility for profiles to affect the language (either pre-select it or alter the language selection screen). This then becomes an equivalent problem of the profile acting before it is selected.
3. There is an existing distro name .info file property that is effective once the profile is selected. The language step move makes the drupal naming/branding appear a bit longer, so it would be ideal to migrate this setting to a distro level setting that is effective right from the first screen.
4. The installer theme issue at #1337554: Develop and use separate branding for the installer suggests we introduce a distinct brand in the installer that would need to be alterable for serious profiles again before the profile is selected.

All these call for distro level configuration which would act before the profile would be selected for distros which serve one clear purpose, such as Open Atrium, COD and many others. Profiles that have a clear idea of how the language selection screen should look or what theme the installer should use, etc. would presumably ship with one custom install profile that could provide these details. So the need for for conflict resolution, when multiple profiles specify custom themes or ask for themselves to be the selected profile is minimal IMHO. We can just use the values from the first profile we found to specified them in the file system.

Proposed Resolution

Patch #29 adds the ability to have a file in profiles/distribution.php with settings on it that will pre-select options for install_drupal().
With this patch, the installation should work as normal by default, no installation tasks should disappear from the task list when going through it manually.

To test the distribution settings, create a file at profiles/distribution.php with the folliwing:

Remaining tasks

• More tests: ( #1961938: Test the interactive installer got in, and an example is in #2022549: Regression: No interface translation in the first installer steps )

Related Issues

• #1260716: Improve language onboarding user experience
• #1337554: Develop and use separate branding for the installer
• #1386394: Add back the ability for install profiles (or at least distros) to pre-select a language or modify the language-selection screen
• #1974048: Limited display of languages when going back in installer is confusing
• #1727430: Add 'exclusive' flag to install profiles to auto-select them during installation.
• #29 in #2030027-29: Add back the Druplicon in the installer

Updated: Comment #N

Problem/Motivation

In #2098119: Replace config context system with baked-in locale support and single-event based overrides we baked language support into the heart of the configuration system. This was so we could efficiently preload language configuration overrides. Language overrides are using configuration with name format with language.config.XX.configuration_object_name in order to sort the overrides per langcode (XX is the langcode).

This approach still raises an number of problems for us:

• Config file explosion leading unmanageable configuration stored in files - even if active moves to the DB we still want to have a sensible file structure in staging or a git repository.
• Filename length - we need to keep this less than 255 adding this whooping great prefix on the front does not help
• Because the language override configuration objects have different names schema don't automatically apply #2168609: Move config translations (language.config.[langcode]) in to new location
• Depending on how the language configuration is accessed configuration events sometime do fire and sometimes don't. In the configuration translation UI it is accessed both directly though configuration storage and through the config factory.
• Because language is special cased it is hard for other modules to do the same

Currently leaving this issue as a normal task as it needs more discussion.

Proposed resolution

Language configuration overrides should have exactly the same name as the configuration they are overriding. They should be subject to schema validation. They just need to reside in a different directory from active configuration. The patch moves them to a subdirectory language/XX. Language override configuration should only be accessible through the LanguageStorage service. It should not involve the configuration factory since it is not overridable itself.

The patch completely removes all reference to language from the configuration system. Instead we add a CompilerPass to add objects with implement the ConfigOverrideInterface to the factory. During a loadMultiple the override objects are asked for overrides. All module overrides use the same mechanism (the event has been removed).

Remaining tasks

• Agree approach
• Make config imports also import the overrides.

User interface changes

None

API changes

Lots

Follow-up of #1892182: #type details: Rename #collapsed to #open (comments #58 and #59) where #collapsible and #collapsed for detail elements is replaced by #open and the default is reversed. Following that idea, some logic and variable naming should be inversed as well.

This is a 3 line change patch for file/class/method core/modules/config_translation/lib/Drupal/config_translation/Form/ConfigTranslationFormBase::buildConfigForm(): where parameter $collapsed should be renamed to $open, including its logic default and thus also including changing calls to it that pass or not pass that option.

Updated: Comment #N

Problem

The 'Back to Site' button on the toolbar menu becomes unusable. I enter my site by invoking "site name'/index.php. The 1st time I invoke an administrative task from the toolbar the 'back to site' button will have a value of

The Archive_Tar library uses some functions which do not support stream wrappers, particularly dirname.

When called from update_manager_archive_extract, it is possible to pass a directory of the form: temporary://folder-that-does-not-exists/otherfolder as the directory parameter. This will cause Archive_Tar->_checkDir to attempt to create the folder 'temporary:' (which it won't be able to do) since it uses dirname to determine the parent directories of the extract location, and create them if they don't exist.

This doesn't show up as a bug in core (currently) as all calls of update_manager_archive_extract first call _update_manager_extract_directory which will create the directory if it doesn't exist. However, I feel that for completeness and robustness' sakes, we should avoid calling archiver->extract on streamwrapper style paths.

I'm attaching a patch to update.manager.inc that will remove the one location I see right now.

After upgrade to 7.26, block visibility settings are no longer effective: Block appears on all pages regardless of visibility settings.

A StackExchange user has reported this issue as well.

Configuration (hosted): Apache 2.4.6, PHP 5.2.17
jQuery 1.8 (for Bootstrap Theme)

This is not actually a real problem but a rather an issue with user safety:
when user types new password - password can be only 1 letter long.
So I suggest a check that the password is atleast 4 characters long....

Quick fix In function password_confirm_validate:

Part of #1839338: [meta] Remove drupal_set_*() drupal_add_*() in favour of #attached/response for out-of-band stuff. Sister issue of #2073819: [META] Remove direct calls to drupal_add_css(), #2073823: [META] Remove drupal_add_js() calls and #2168113: Add leading underscore and other discouragement to drupal_add_css() and drupal_add_js().

Summary of the changes:

Function declaration

/Users/jbeach/code/drupal/core/d8/core/includes/common.inc:
2706: function _drupal_add_library($module, $name, $every_page = NULL) {

Remaining invocation

/Users/jbeach/code/drupal/core/d8/core/includes/common.inc:
2706: function _drupal_add_library($module, $name, $every_page = NULL) {

Mentions in comments

/Users/jbeach/code/drupal/core/d8/core/includes/common.inc:
2488: * @see _drupal_add_library()
2766: * @see _drupal_add_library()

/Users/jbeach/code/drupal/core/d8/core/modules/locale/lib/Drupal/locale/Tests/LocaleExportTest.php:
124: // Load an admin page with JavaScript so _drupal_add_library() fires at

/Users/jbeach/code/drupal/core/d8/core/modules/system/system.api.php:
314: * @see _drupal_add_library()

Updated: Comment #N

Problem/Motivation

Now that #2036259: Move $drupal_hash_salt to settings() is in. We can remove the call to drupal_get_hash_salt() in CsrfTokenGenerator and just inject settings instead. Added bonus; we can also remove the if (function_exists(...)) hack in CsrfTokenGeneratorTest. Nice.

Proposed resolution

Inject settings into the csrf_token service, and call settings->get('hash_salt') in the get() method instead.

Remaining tasks

Patch

User interface changes

None

API changes

None

As part of #1830588: [META] remove drupal_set_title(), all calls to drupal_set_title() in the installation / update system should be converted to use #title in a render array. For the purposes of this issue, that also includes the batch and error systems.

Affected files are:
core/includes/batch.inc
core/includes/errors.inc
core/includes/install.core.inc
core/includes/update.inc
core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php
core/update.php
core/modules/system/system.api.php (hook_install_tasks docblock)

Problem/motivation

Drupal 7 has most global site and page elements hardwired into templates, and gives no control to users to move them around. All the page elements (site name, slogan, site logo) are hardwired to core and contrib themes alike. We should stop special-casing these, so they can be moved around and selectively hidden or replaced as needed.

Proposed solution

• Introduce them as specific blocks that can be moved around.

To be done here #2005546: Modify regions to support Convert site elements (site name, slogan, site logo) into blocks:

• Remove special case items from themes.
• Introduce regions as needed to place these elements.

Related issues

The code should depend on blocks as plugins (#1535868: Change notice: Convert all blocks into plugins), however, we should not mark this postponed so we can do work on this in parallel and be ready for commits once that lands.

Also:

• #1869476: Convert global menus (primary links, secondary links) into blocks
• #507488: Convert page elements (title, tabs, actions, messages) into blocks

Updated: Comment #N

Problem/Motivation

In D7 you had access to $variables['theme_hook_suggestions'] in preprocess functions. This was good because you could see the available theme hook suggestions, but you could also change the current suggestion at any point during the preprocess stage by altering this variable and/or $variables['theme_hook_suggestion']. This ability to change the theme hook suggestions via preprocess made it so that checking the value of these variables in a preprocess function could not be relied on if you wanted to perform specific alterations for a certain theme hook suggestion or set of theme hook suggestions.

In Drupal 8 we've removed 'theme_hook_suggestions' and 'theme_hook_suggestion' from preprocess. Altering the theme hook suggestions happens in the theme suggestion stage before any preprocess hooks are invoked - see #1751194: Introduce hook_theme_suggestions[_HOOK]() and hook_theme_suggestions[_HOOK]_alter() and its change record.

We still want to find a way to solve the use case brought up in #939462: Specific preprocess functions for theme hook suggestions are not invoked and pave the way for template consolidation (#1804614: [meta] Consolidate theme functions and properly use theme suggestions in core).

Proposed resolution

Heavily inspired by @effulgentsia's post at #939462-6: Specific preprocess functions for theme hook suggestions are not invoked

Pass the complete array of theme hook suggestions to preprocess functions so that variable preprocessing can be done conditionally based on theme suggestions. Also, when an array of hooks is given, treat them as suggestions and pass them through accordingly in _theme().

Now that suggestions are immutable during the preprocess stage, we can check the second parameter passed to preprocess functions, $hook, to see which template is being used. What preprocess is missing is the complete array of theme hook suggestions to cover more use cases.

My suggestion at this time is to add this array to the $info array (the third parameter that is passed to preprocess functions). To my knowledge $info is currently made up of information coming from the theme registry and we would be adding non-theme registry data to this array, but I find this preferable to adding a fourth parameter to preprocess functions for this use case and it maintains backwards compatibility by not changing the function signature of preprocess.

See #1885714-16: Remove theme_install_page() for a basic proof of concept of how this could work, or read on for a more detailed explanation.

Preprocess functions can examine the theme hook suggestion data and have complete flexibility as to how they want to act. When working with theme suggestions these are the 2 most prominent ways that this data would likely be used (note that either of these can be used by both modules and themes):

1. Logic based on a suggestion actually being used (e.g. node--article.html.twig template exists in the currently active theme).

2. Logic based on a suggestion simply being in the list of $suggestions, whether or not node--article.html.twig exists within the theme or not.

If there is a large amount of preprocessing needed for a certain theme suggestion, that logic can always be moved out into a "helper" function and this function can even be named after the theme hook suggestion but it will not be invoked automatically. For example:

Remaining tasks

• Write patch
• Write tests
• Review patch

User interface changes

n/a

API changes

An API addition of being able to access the full suggestion data in preprocess functions.

Last release: https://github.com/ded/domready/tree/v1.0.4

hook_theme provides a way to place theme functions in a different location using the 'file' key. But when that theme function is used in context of theme_suggestions_alter the path defined in 'file' doesn't get included. Attached patch fixes it.

Part of meta-issue #2016679: [Meta] Expand Entity Type interfaces to provide methods.

See the detailed explanations there and look at the issues that already have patches or were commited.

Add get*, set* and additional methods as it makes sense to replace the public properties (e.g. isSomething() and something())

Task

Use Twig instead of PHPTemplate

Remaining

• Patch needs review
• Manual testing

To test this code

- set the stark theme to default
- make sure a menu block is placed in a sidebar. ("Tools" or "Main menu" wil do.)
- create one node, and view it's page
- the output of theme_menu_link, theme_menu_local_task, theme_menu_local_tasks, and theme_menu_tree will be visible on this node page output.
- change your theme back to Bartik to see the output of bartik_menu_tree
- visit admin/content/node to see the output for theme_menu_local_action