Issues for Drupal core

When creating a view with a relationship to an entity reference field (to join the referred-to entity in the query), duplicates will be produced if the entity reference field is multi-valued (i.e. cardinality > 1). Users assume that checking the box at Advanced -> Query settings -> Distinct will solve this problem, but it doesn't.

This is because from a database perspective, the records actually aren't duplicates. Each different entity reference in the multi-valued field will produce a different row as the target IDs are different, even though this isn't necessarily reflected in the view itself if not all fields are included. Said another way, the view results may look the same on the front-end, even though they're not on the back-end.

It should be noted that this affects all entity types, whether it be taxonomy terms, nodes, paragraphs, custom entities, etc. There are several duplicates of this issue in various other queues that should be marked as such, with all efforts directed here.

Proposed solution

If the Distinct box is checked in the view configuration, after the query has executed, remove results whose entity IDs are already in the list.

Remaining tasks

~~Produce a patch to solve the basic problem.~~
Add support for pagers (as per #12).
Add support for aggregation (as per the D7 version of Views Distinct).
Add tests.

Original report

If you have a content type with a multivalue taxonomy term field and add a relationship based on that field in a view (in my case I want to use the term name as an argument) the resulting views result has duplicates if one or more of the nodes has multiple terms in that field.

The DISTINCT keyword does not help, since the tid is added as a field in the SELECT part of the query.

I have the following query:

SELECT DISTINCT node_field_data.sticky AS node_field_data_sticky, node_field_data.created AS node_field_data_created, node_field_data.nid AS nid, taxonomy_term_field_data_node_field_data.tid AS taxonomy_term_field_data_node_field_data_tid
FROM 
{node_field_data} node_field_data
LEFT JOIN {taxonomy_index} taxonomy_index ON node_field_data.nid = taxonomy_index.nid
LEFT JOIN {taxonomy_term_field_data} taxonomy_term_field_data_node_field_data ON taxonomy_index.tid = taxonomy_term_field_data_node_field_data.tid
WHERE (node_field_data.promote = '1') AND (node_field_data.status = '1')
ORDER BY node_field_data_sticky DESC, node_field_data_created DESC

.. which produces duplicates, even though the DISTINCT keyword is present, because the taxonomy_term_field_data_node_field_data.tid makes the duplicate nodes in the results 'distinct'.

Ideally the query should just exclude the field from the SELECT part like this:

SELECT DISTINCT node_field_data.sticky AS node_field_data_sticky, node_field_data.created AS node_field_data_created, node_field_data.nid AS nid
FROM 
{node_field_data} node_field_data
LEFT JOIN {taxonomy_index} taxonomy_index ON node_field_data.nid = taxonomy_index.nid
LEFT JOIN {taxonomy_term_field_data} taxonomy_term_field_data_node_field_data ON taxonomy_index.tid = taxonomy_term_field_data_node_field_data.tid
WHERE (node_field_data.promote = '1') AND (node_field_data.status = '1')
ORDER BY node_field_data_sticky DESC, node_field_data_created DESC

which works an nodes with multiple terms in the field are now only appearing once.

I have couldn't find a way to actually omit the field in the SELECT part of the query, and I'm also not sure, if it could create other issues if removed. But the tid in the select the DISTINCT keyword is useless..

Steps to reproduce.
1. add multivalue taxonomy term field to node type, and add a node with multiple terms selected
2. add a view which uses that field to add a relationship to the term (needed to use the term name as argument)
3. make the view results DISTINCT
4. optionally add the argument (contextual filter) that uses the relationship to filter the views result on the term name.
5. if no argument is given, the node with multiple terms in the field will appear multiple times

We have a number of sites that cannot upgrade to 8.8 and throw this:

Symfony\Component\Routing\Exception\RouteNotFoundException: Route "entity.path_alias.collection" does not exist. in Drupal\Core\Routing\RouteProvider->getRouteByName() (line 208 of /srv/dev02/pep8can/web/core/lib/Drupal/Core/Routing/RouteProvider.php)

Interestingly, although the folder where the path_alias module is installed does exist, the module never shows up in Extensions. The site is WSOD.

I thought perhaps we were experiencing problems with the Pathauto module (which is 8.x-1.6) so I took it out altogether...but no luck.

MODULES:
Field types Address (address) Enabled 8.x-1.7
Administration Admin Toolbar (admin_toolbar) Enabled 8.x-1.27
Administration Admin Toolbar Links Access Filter Enabled 8.x-1.27
(admin_toolbar_links_access_filter)
Other Allowed Formats (allowed_formats) Enabled 8.x-1.2
User interface Autocomplete Deluxe (autocomplete_deluxe) Enabled 8.x-1.0-beta2
Other Automated Logout (autologout) Enabled 8.x-1.0
Views Better Exposed Filters (better_exposed_filters) Enabled 8.x-3.0-alpha6
Filters Block Exclude Pages (block_exclude_pages) Enabled 8.x-1.3
Other Bundle redirect (bundle_redirect) Enabled 8.x-1.1
Field Widgets Select Other (cck_select_other) Enabled 8.x-1.4
Commerce Commerce (commerce) Enabled
Commerce Commerce Cart (commerce_cart) Enabled
Commerce Commerce Checkout (commerce_checkout) Enabled
Commerce Commerce Log (commerce_log) Enabled
Commerce Commerce Number Pattern (commerce_number_pattern) Enabled
Commerce Commerce Order (commerce_order) Enabled
Commerce Commerce Price (commerce_price) Enabled
Commerce Commerce Product (commerce_product) Enabled
Commerce Commerce Store (commerce_store) Enabled
Commerce Commerce Combine Carts (commerce_combine_carts) Enabled 8.x-1.0-beta1
Commerce (shipping) Commerce FedEx (commerce_fedex) Enabled 8.x-1.0-beta1
Commerce (contrib) Commerce Migrate (commerce_migrate) Enabled 8.x-2.0-rc1
Commerce (contrib) Commerce Migrate Commerce (commerce_migrate_commerce) Enabled 8.x-2.0-rc1
Commerce (contrib) Commerce Reporting (commerce_reports) Enabled 8.x-1.0-beta1
Commerce (contrib) Shipping (commerce_shipping) Enabled
Commerce Stock Commerce Stock API (commerce_stock) Enabled
Commerce Stock Commerce Stock Enforcement (commerce_stock_enforcement) Enabled
Commerce Stock Commerce Stock Field (commerce_stock_field) Enabled
Commerce Stock Commerce Stock Local Storage (commerce_stock_local) Enabled
Commerce Stock Commerce Stock UI (commerce_stock_ui) Enabled
Commerce (shipping) Commerce UPS (commerce_ups) Enabled 8.x-3.0-alpha1
Configuration Configuration development (config_devel) Enabled 8.x-1.4
Development Partial Configuration Export (config_partial_export) Enabled 8.x-1.5
Chaos tool suite Chaos Tools (ctools) Enabled 8.x-3.2
Development Devel (devel) Enabled 8.x-2.1
Development Devel Kint (kint) Enabled 8.x-2.1
Other Email Registration (email_registration) Enabled 8.x-1.0-rc7
Other Entity (entity) Enabled 8.x-1.0-rc3
Field types Entity Reference Revisions (entity_reference_revisions) Enabled 8.x-1.7
Search Facets (facets) Enabled 8.x-1.4
field Field Permissions (field_permissions) Enabled 8.x-1.0-rc2
Other Helper (helper) Enabled 8.x-1.3
Fields Inline Entity Form (inline_entity_form) Enabled 8.x-1.0-rc2
Other Login And Logout Redirect Per Role (login_redirect_per_role) Enabled 8.x-1.4
Mail Mail System (mailsystem) Enabled 8.x-4.2
Other Menu Breadcrumb (menu_breadcrumb) Enabled 8.x-1.11
Menu Menu Item Role Access (menu_item_role_access) Enabled 8.x-1.0
Migration Migrate Plus (migrate_plus) Enabled 8.x-4.2
Migration Migrate Tools (migrate_tools) Enabled 8.x-4.5
Mail Mime Mail (mimemail) Enabled 8.x-1.0-alpha2
Administration Module filter (module_filter) Enabled 8.x-3.1
Other Pathauto (pathauto) Enabled 8.x-1.6
Field Types Physical Fields (physical) Enabled 8.x-1.0
Other Profile (profile) Enabled 8.x-1.0
Custom Recreate Block Content (recreate_block_content) Enabled 8.x-2.0
Other Redirect (redirect) Enabled 8.x-1.4
Search Search API (search_api) Enabled 8.x-1.15
Search Search API Attachments (search_api_attachments) Enabled 8.x-1.0-beta15
Search Search API Autocomplete (search_api_autocomplete) Enabled 8.x-1.2
Search Search API Solr Search Defaults (search_api_solr_defaults) Enabled 8.x-3.7
Search Search API Solr (search_api_solr) Enabled 8.x-3.7
Mail SMTP Authentication Support (smtp) Enabled 8.x-1.0-beta6
Other State Machine (state_machine) Enabled 8.x-1.0-rc1
Structure Structure Sync (structure_sync) Enabled 8.x-1.16
Mail Swift Mailer (swiftmailer) Enabled 8.x-1.0-beta2
Other Token (token) Enabled 8.x-1.5
Other Typed Data (typed_data) Enabled 8.x-1.0-alpha3
Views Views Bulk Operations (views_bulk_operations) Enabled 8.x-2.5
Views Views Entity Form Field (views_entity_form_field) Enabled 8.x-1.0-beta7

The hash_salt setting in default.settings.php has the following documentation supporting it within the file:

Salt for one-time login links, cancel links, form tokens, etc.
* This variable will be set to a random value by the installer. All one-time
* login links will be invalidated if the value is changed. Note that if your
* site is deployed on a cluster of web servers, you must ensure that this
* variable has the same value on each server.

It's clear from this that the hash_salt should be unique per website, and that the hash_salt should be the same amongst web servers in the same cluster of the same website. However there is no recommendation on whether the hash_salt should be the same amongst different environments (eg, dev/stage/production) of the same website, or whether each environment of the same website should have a different hash_salt.

I asked over in #security-questions if it was a bad idea to use the same hash across dev/stage/prod on the same website. There were a range of answers:

gapple:
Having different hash_salt values prevents tokens (like password reset) from being usable across environments

cashwilliams:
yes [it's a bad idea to use the same hash across dev/stage/prod]

freelock:
Huh, interesting questions, but not sure I agree with the response -- I don't see how getting the hash salt from a dev server can be used to get a valid login link on production -- when you get a password reset link, the code updates a timestamp in the user's row in the database that is part of the hash, so I don't see how that can be exploited without actually requesting a link from the production site.
That said, as I understand it, having the hash salt could make a brute force attack on the passwords database a bit easier (but still really difficult).

Over in #support, I asked the same question:
siliconmeadow: Good question! I'm not sure, and have often wondered the same.

snufft: Wouldn't you want the same hash salt across all environments for consistency?

So it seems that there isn't an agreed/documented consensus on what the 'best practice' way is. Can we use this issue to confirm what the agreed best practice method is, and then document it, by adding a comment to default.settings.php?

Problem/Motivation

Following on from #2842431: [policy] Remove PHP 5.5, 5.6 support in Drupal 8.7 we need to decide how to treat PHP 7 support.

Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases.
After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.

PHP 7.0 has security support until 3 Dec 2018

PHP 7.1 has security support until 1 Dec 2019

Drupal 9 will require PHP 7.2 at least as per #3079791: Bump Drupal's minimum PHP version to 7.2 as soon as 9.0.x is branched (a higher version may be required later), however that might be raised further based on this issue later.

Proposed resolution

Option 1. Increase the explicit requirement for PHP version each time security support for the previous version has been dropped. This will prevent the next minor release from installing on the version that has no security support, and show a warning on any existing installs.

Advantages:
- very clear cut off point

Disadvantages:
- prevents using Ubuntu LTS releases that still backport security fixes to the older version.

Option 2. Disable automated testing etc., but don't actually increase the requirement in code (except possibly to show a hook_requirements() warning if we add that). This will allow people running older PHP versions to keep doing so, but we won't accept bug reports etc. for anything specific to that version. The hard requirement may be added once a dependency relies on a PHP 7 + n feature though.

Advantages:
- allows people on Ubuntu LTS to keep going if they want to

Disadvantages:
- less clear warning for people self-hosting who haven't updated
- could result in bug reports specific unsupported PHP versions which require triaging.

Remaining tasks

Track PHP ecosystem responses to PHP 7.0 and 7.1 EOL.

Hosting provider information

See #2938725: [tracking issue] Track hosting provider support for PHP 7.

Distros

Debian
- Debian 9: Ships with PHP 7.0. Released in 2017; LTS coverage until "~2022" as per https://wiki.debian.org/DebianReleases).
- Debian 10: Ships with PHP 7.3. (LTS coverage likely until at least 2024, even an approximate is not yet available).
Ubuntu
- 16.04: Shipped with PHP 7.0. Released April 2016; supported until April 2021.
- 18.04: Shipped with PHP 7.2. Released April 2018; supported until April 2023.
- 20.04: PHP version TBD? Will be released April 2020; supported until April 2025.

Problem/Motivation

As mentioned in #3050389: Remove dependency to Classy from core themes, Classy will be moved to contrib before Drupal 9 and we have to remove dependencies on Classy from all core themes. Part of removing these dependencies includes providing each theme their own copies of templates that previously belonged to Classy.

There's considerable potential for error when copying ~100 templates to four different themes, so we need a test that removes some of the uncertainty from the process.

Proposed resolution

Create a test that confirms that themes do not inherit templates from Classy, and that none of the templates they use include/extend Classy templates or attach Classy libraries.

The test will include a per-theme ignore-list of templates that do not need to be included as part of the test. At first, the ignore-lists will be very large, and will shrink with each template-copying issue filed. When a new template-copying issue is filed (for example, copy aggregator templates to Bartik), the first patch will be this test, but with aggregator's templates removed from Bartik's ignore list. This way, the test won't pass until the templates are properly copied.

Every Classy-inheriting core theme currently extends, includes or attaches something from Classy, so these tests will not pass at first.

Remaining tasks

Write the test, configured it to ignore templates that still need to be copied.

Create issues to address existing attach_library() calls to Classy libraries in Bartik/Seven/Claro/Umami, as these will cause the test created here to fail.

Umami calls {{ attach_library('classy/node') }} in node--article--full.html.twig, node--card--common.html.twig, node--card.html.twig, node.html.twig
Bartik calls {{ attach_library('classy/node') }} in node.html.twig
Claro calls {{ attach_library('classy/file') }} in file-link.html.twig
Seven calls {{ attach_library('classy/image-widget') }}in image-widget.html.twig

These library-copying followup issues can't be created until #3096203: Create Classy library dependency tests that can be used for all themes, and verify by providing an Umami-specific classy/dropbutton is complete.

The Classy template include/require's should be addressed in the scope of this issue as this is where the test exists to verify they were done properly. This needs to be addressed with the following:

Bartik {% extends ""@classy/block/block--search-form-block.html.twig"" %} in block--search-form-block.html.twig
Bartik {% extends "@classy/block/block--system-menu-block.html.twig" %} in block--system-menu-block.html.twig
Bartik {% extends "@classy/content/page-title.html.twig" %} in page-title.html.twig
Bartik {% extends "@classy/misc/status-messages.html.twig" %} in status-messages.html.twig
Seven {% include '@classy/content-edit/image-widget.html.twig' %} in image-widget.html.twig
Claro {% extends '@classy/form/form-element-label.html.twig' %} in form-element-label.html.twig

The template copying can't happen until #3095713: Create classy directory with README, in the templates and css directories for all themes subtheming Classy is complete

User interface changes

n/a

API changes

n/a

Data model changes

n/a

Release notes snippet

n/a

Problem/Motivation

Drupal\Core\Extension has plenty of deprecated code. Let's remove it.

Proposed resolution

Remove the deprecated code and ensure an exception is thrown when a theme's .info.yml does not have a base_theme key set.

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

N/a

Problem/Motivation

As an example, you have the node entity type with three bundles: article, blog, and page.

JSON API provides three API resources for those: jsonapi/node/article, jsonapi/node/blog and jsonapi/node/page.

The entity list cache tag for node, node_list, will automatically be added to each of those responses but I think it's wasteful. Any operation on an article node will clear caches for blog and page. There's no need for that.

Proposed resolution

Stop adding the entity type's list cache tag to responses. Rather, provide a tag that takes the bundle in to account, ie, {entity_type_id}_list:{bundle}.

Using entity operation hooks, invalidate that tag.

Remaining tasks

Decide if this is a good idea and worth doing.
Evaluation any potential downsides such as other list cache tags not making it in the the response that may be required.
Write a patch.

Problem/Motivation

When Content Moderation is enabled and a user with 'view own unpublished content' creates a new piece of content and saves it in the 'draft' state they cannot see that content in either the Content Overview (Node) /admin/contentor the Managed Content (Content Moderation) admin/content/moderatedViews.

This occurs because if (a) any module implements hook_node_grants then access to the node is conditional based on if a record exists in the node_access table which (b) doesn't occur unless a node is published or another module sets access records for draft content, which Content Moderation does not do.

a) node_access_view_all_nodes docroot/core/modules/node/node.module:1014

  // If no modules implement the node access system, access is always TRUE.
  if (!\Drupal::moduleHandler()->getImplementations('node_grants')) {
    $access[$account->id()] = TRUE;
  }
  else {
    $access[$account->id()] = \Drupal::entityManager()->getAccessControlHandler('node')->checkAllGrants($account);
  }

b) \Drupal\node\NodeAccessControlHandler::acquireGrants called from \Drupal\node\Entity\Node::postSave

/**
   * {@inheritdoc}
   */
  public function acquireGrants(NodeInterface $node) {
    $grants = $this->moduleHandler->invokeAll('node_access_records', [$node]);
    // Let modules alter the grants.
    $this->moduleHandler->alter('node_access_records', $grants, $node);
    // If no grants are set and the node is published, then use the default grant.
    if (empty($grants) && $node->isPublished()) {
      $grants[] = ['realm' => 'all', 'gid' => 0, 'grant_view' => 1, 'grant_update' => 0, 'grant_delete' => 0];
    }
    return $grants;
  }

However if a module does implement hook_node_grants, the only way the content will appear in the Content Overview View (for non-admin users) is if it published.

Steps to reproduce

Install Drupal 8.5.3
Install a module that implements hook_node_grants i.e Content Access or Permissions by Term
Enable Content Moderation (and it's dependency Workflows)
Edit 'Editorial' workflow to apply to all content types
Create a new use role 'Editor' with the following permissions:

'access content''access content overview''create article content''delete all revisions''delete any article content''delete article revisions''delete own article content''edit any article content''edit own article content''grant content access''grant own content access''revert all revisions''revert article revisions''use editorial transition archive''use editorial transition archived_draft''use editorial transition archived_published''use editorial transition create_new_draft''use editorial transition publish''view all revisions''view any unpublished content''view article revisions''view latest version''view own unpublished content'

Create a new user 'editor'
Log in as the new user
Create a new 'article' with the title "[TEST] Title" with the "Save As" value "Draft" selected
Go to the Content Overview View (/admin/content)

No content is shown

Go to Moderated Content View (admin/content/moderated)

No content is shown

Edit the "[TEST] Title" node (/node/1)
Set the "Change to" field value to "Published"
save
Go to the Content Overview View (/admin/content)
You should see [TEST] Title with the Status Published
Go to Moderated Content View (admin/content/moderated)
You should not see [TEST] Title
Edit the "[TEST] Title" node (/node/1)
Set the "Change to" field value to "Draft"
Go to Moderated Content View (admin/content/moderated)
You should see [TEST] Title with the status

Proposed resolution

I'm not sure where the solution for this needs to occur but I feel like the implications of getting it wrong could have wide reaching consequences.

Does an extra conditional need to be added to \Drupal\node\NodeAccessControlHandler::acquireGrants to check for Content Moderation and set the same defaults, if none are set, or should Content Moderation implement hook_node_access_records?

Considering Content Moderation is now part of core I think adding a check for it and setting similar defaults as published content isn't a bad thing. Of course the 'gid' would need to be set using the users role, but would this allow other roles with more perms to access the content? This approach would also mean a test could be added in Content Moderation for the Content Overview View checking for draft visibility

I'm leaning more towards Content Moderation implementing hook_node_grants and hook_access_records - but that is where I wanted to find some validation from the community that this approach is going to be acceptable.

Remaining tasks

Determine the best approach for handling this.
Add/update tests in Content Moderation

so that the Views being tested against exactly match the default views.view.moderated_content, currently none of the test Views in content_moderation_test_viewshave the same access setting as content_moderation
add test coverage for draft content in Content Overview

Follow-up to #2225775: Migrate Drupal 6 core node translation to Drupal 8

Problem/Motivation

In D8, a node revision has data for all languages. In D6 and D7, each node revision has data for just one language. This means currently D6 -> D8 and D7 -> D8 migrations yield a revision history where each node revision has only one language present, even if previous revisions had translations. This is strange and likely to confuse users.

Priority is given to the D7 migration because the D6 one might be effected by the term node migrations.

This is for migrating core translation revisions, migrating revisions for entity translation is now being done in #3076447: Migrate D7 entity translation revision translations to D8. It is intended that this issue is completed first and then the approach used here is also used for entity translations.

Meeting notes

Things to consider, taken from notes of meeting with alexpott, Gábor Hojtsy, heddn, mikelutz and quiteone

Migration dependencies
- Possible: easy to do
- BC concerns: none
- BC what about contrib? Commerce / metatag
How do we figure out you need the new complex master migration?
- Possible: moderate to do
- BC concerns: none
- Don’t effect expose new d*_node_master unless explicitly enabled to existing sites
- This handles incremental, no UI option available to enable
- For new installs, give an option to upgraders to enable disable the new d*_node_master migration and use the old method.
What about migration lookups on dn_node etc.
- Possible: easy to do
- BC concerns: none
What about incremental migrations that have already begun
- Not allowed. You can only use the new approach on a site that has not run migrations. So we need some of flag where existing installs use the old migrations.
Contrib/Custom
Does it make sense to use d*_node_master instead of d*_node migrations?

Proposed resolution

The current focus is to get the D7 version working and then move those changes to D6.

Using the existing method where the final revision is migrated first doesn't work instead the revisions need to be migrated in order. The first proof of concept patch to show this is in #121, thanks to mikelutz. This new approach is called Master and the migrations and files use that name.

Run master or classic node migrations
However, the Master approach doesn't integrate with the current migrations, now being called Classic, that is the one either runs the existing node migrations or the new master one, not both. Choosing between the two methods is done at run time by checking the node migration map tables in MigrationConfigurationTrait() and migrate_drupal_migration_plugins_alter(). In the trait the classic method is selected if any of the classic node migrate_map tables has data (using processedCount) and in the plugins_alter it is selected if any classic node migrate_map exists and there are no master node migrate_maps.

The selection of node migration method also allows tests to decide which method to use. The test does this by adding either 'node_migrate_classic' or 'node_migrate_master' to $modules.

Altered migrations
There are several migrations that use migration_lookup on the node migration. The processes and dependencies for these are alter when the master node migration is being run. That change includes new processes to convert the 3 destination ids returned by master node to the correct 1 destination id expected when using the classic migration.
The migrations altered are: d6_term_node, d6_term_node_revision, d6_term_node_translation, d6_comment, d6_url_alias,d7_comment, d7_url_alias, statistics_node_counter, node_translation_menu_links

Incremental migrations
Because the node migration method is selected at run time it will continue to use the existing migration type for future incrementals.

From the original IS
D6 and D7 node revisions do not directly indicate which other translated node revisions they are associated with. But we can attempt to guess this, based on the order of revisions.

Remaining tasks

Fix tests, add comments
Review

For Reviewers

All level of code reviews welcome.
There are BC issues raised in meeting notes, above

For Testers

Use the lastest patch patch in this issue.
There are instructions in the Issue summary of the META issue #2208401: [META] Stabilise Migrate Drupal Multilingual module

From #55

For developers

Make this work with a multilingual source and a non multilingual source
Discuss and document implications for drush, especially drush migrate-upgrade --all
Make sure the d6 and d7 tests includes testing a fields on each revision
Handle the case where the vid of the first revision is higher the vid of a later revision. This is true for both d6 and d7.
Make sure that the use of migration_tag 'translation' is documented. It is used in
- d6_node_translation.yml
- d7_node_entity_translation.yml
- d7_node_translation.yml
- d7_node_revision_translation.yml
- d7_user_entity_translation.yml
- d7_taxonomy_term_entity_translation.yml/li>
- d7_comment_entity_translation.yml
- d6_node_revision_translation.yml
Make sure that the source plugin 'translation' property is documented
Make sure that the destination plugin 'translations' property is documented

Problem/Motivation

Sometimes a Composer command fails or prompts the user. This can usually be avoided by sprinkling some magic over it, for example -s dev or -n. At some point the underlying issue might get fixed, the project structure changes, or something else happens, and the option is no longer needed. But the magic lingers on in the documentation, and on the internet.

Ideally, a Drupal user who is not a Composer expert should now set off some time to study the intricacies of Symfony/Composer, when meeting such a challenge. But the new user simply wants a functioning Drupal installation with the least hassle, so this is often not realistic.

Many new users, who experience too many bumps and stops, while trying to get Drupal up and running, will eventually give up and look elsewhere for a CMS which is not as hard to install.

Proposed resolution

We should strive to remove as many obstacles as possible, to ease Drupal users' usage of Composer, by reducing or entirely removing options such as -s dev, -n, and --prefer-dist.

In #3086498: Parameters at the end in documentation, for better discoverability and legibility it was discussed to use composer create-project together with either --prefer-dist or --no-interaction|-n.

To keep it as simple as possible, no extra Composer options at all is the obvious solution, which actually works just fine.

We might want to add a note below: "NOTE: If for some reason you get a cryptic Composer "Keep/Yes/No/Aways" prompt, perhaps due to some left over .git folders, try adding --prefer-dist at the end of the command".

Remaining tasks

Make sure there are no conflicts, lingering .git folders, etc. when running composer create-project which will result in a prompt, by creating a test which runs composer create-project with no options. The command should go straight through, without Composer presenting a "Keep/Yes/No/Always" prompt. Also, a successful test should show the text "Congratulations, you’ve installed the Drupal codebase":
```
$ composer create-project drupal/recommended-project my-project
...
  Congratulations, you’ve installed the Drupal codebase
  from the drupal/recommended-project template!
Next steps:
....
```
Update documentation where pertinent to the leanest possible version, in this case:
$ composer create-project drupal/recommended-project my-project
[Optional Extra Task] Go through other Composer commands (update, require, etc.) with the ALAP (As Lean As Possible) philosophy, and get rid of options where possible

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

None

Problem

I have developed a custom module with a taxonomy created by the file my_module/config/install/taxonomy.vocabulary.myVocabulary.yml .
Terms are created during the module installation in my_module/my_module.install .

With only the custom taxonomy, the custom module uninstallation is successful, and the taxonomy is deleted.

But if a custom view is referring to this custom taxonomy, the module uninstallation is failing due to the following error :

[Fri Jul 12 12:38:33.106715 2019] [php7:notice] [pid 15765] [client 127.0.0.1:42460] Error: Call to a member function getConfigDependencyKey() on null in /home/user/MyDrupal/web/core/modules/taxonomy/src/Plugin/views/filter/TaxonomyIndexTid.php on line 394
#0 /home/user/MyDrupal/web/core/lib/Drupal/Core/Plugin/PluginDependencyTrait.php(75): Drupal\\taxonomy\\Plugin\\views\\filter\\TaxonomyIndexTid->calculateDependencies()
#1 /home/user/MyDrupal/web/core/lib/Drupal/Core/Plugin/PluginDependencyTrait.php(93): Drupal\\views\\Plugin\\views\\display\\DisplayPluginBase->getPluginDependencies(Object(Drupal\\taxonomy\\Plugin\\views\\filter\\TaxonomyIndexTid))
#2 [internal function]: Drupal\\views\\Plugin\\views\\display\\DisplayPluginBase->calculatePluginDependencies(Object(Drupal\\taxonomy\\Plugin\\views\\filter\\TaxonomyIndexTid), 9)
#3 /home/user/MyDrupal/web/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php(960): array_walk(Array, Array)
#4 /home/user/MyDrupal/web/core/lib/Drupal/Core/Plugin/PluginDependencyTrait.php(75): Drupal\\views\\Plugin\\views\\display\\DisplayPluginBase->calculateDependencies()
[...]

Proposed resolution

I did not dig into the module uninstallation process, but I feel the taxonomy is first removed then the custom views that calculates the dependencies.
The error is raised the issue because $vocabulary is null, as mentioned in the logs

Adding a check if (null != $vocabulary) , the module is uninstalling successfully.

I attach a patch to this issue.

I have checked the file from 8.0.X to 8.8.x, the test on $vocabulary is not present, I don't know if it could be useful to apply the patch on all branches.

The same error (getConfigDependencyKey() on null in TaxonomyIndexTid.php) has been met by other people but on a different context (2957376).

Since the last 2 core updates I have not been able to make any changes to a view. When clicking the "apply" button after making a change in the "edit" page dialog pop-up, nothing happens and no error is registered in the error log.

there is installation notices in locale.module

Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_URL - assumed 'LOCALE_LANGUAGE_NEGOTIATION_URL' in locale_language_negotiation_info() (line 570 of /modules/locale/locale.module).
Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_SESSION - assumed 'LOCALE_LANGUAGE_NEGOTIATION_SESSION' in locale_language_negotiation_info() (line 584 of /modules/locale/locale.module).
Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_USER - assumed 'LOCALE_LANGUAGE_NEGOTIATION_USER' in locale_language_negotiation_info() (line 597 of /modules/locale/locale.module).
Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_BROWSER - assumed 'LOCALE_LANGUAGE_NEGOTIATION_BROWSER' in locale_language_negotiation_info() (line 605 of /modules/locale/locale.module).
Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_INTERFACE - assumed 'LOCALE_LANGUAGE_NEGOTIATION_INTERFACE' in locale_language_negotiation_info() (line 614 of /modules/locale/locale.module).
Notice: Use of undefined constant LOCALE_LANGUAGE_NEGOTIATION_URL_FALLBACK - assumed 'LOCALE_LANGUAGE_NEGOTIATION_URL_FALLBACK' in locale_language_negotiation_info() (line 623 of /modules/locale/locale.module).

constants have been moved into locale.inc (https://www.drupal.org/node/780318), so we should require it in locale_language_negotiation_info()

function locale_language_negotiation_info() {
 + require_once DRUPAL_ROOT . '/includes/locale.inc';
  $file = 'includes/locale.inc';
  $providers = array();
  $providers[LOCALE_LANGUAGE_NEGOTIATION_URL] = array(
    'types' => array(LANGUAGE_TYPE_CONTENT, LANGUAGE_TYPE_INTERFACE, LANGUAGE_TYPE_URL),
    'callbacks' => array(
      'language' => 'locale_language_from_url',
      'switcher' => 'locale_language_switcher_url',
      'url_rewrite' => 'locale_language_url_rewrite_url',
    ),
    'file' => $file,
    'weight' => -8,
    'name' => t('URL'),
    'description' => t('Determine the language from the URL (Path prefix or domain).'),
    'config' => 'admin/config/regional/language/configure/url',
  );

Problem/Motivation

Currently, Drupal.org and various communication channels inform site owners of when the next important (and possibly more difficult) minor version update is scheduled, but this information is not available within Drupal itself.

In #2909665: [plan] Extend security support to cover the previous minor version of Drupal, we want to extended security coverage for the pervious minor version of Drupal for an extra release, so that if (e.g.) 8.6.2 is created with a security advisory in October, the security fixes in the advisory will be backported to (e.g.) 8.5.7, so that the site owner has more time to test minor updates while still keeping their site secure.

So for example the Drupal core minor 9.0.x would be supported until 9.2.0 is released and 9.1.x is supported until 9.3.x. This information is not available inside Drupal.

For Drupal releases before a new Drupal major this will different. For example 8.8.x will be supported until December 2, 2020 and 8.9.x, the LTS release will be supported until November 2021. This information also not available until inside Drupal

Related: This issue has some similarities to #2766491: Update status should indicate whether installed contributed projects receive security coverage, but it is not the same. That issue is about whether or not the whole contributed project has opted into security team support; this issue is about which minor versions of core currently have security team support.

Proposed resolution

Indicate to the site owner when:

The site's minor version of Drupal core will have security coverage until a specific version of Drupal is released. This will be 2 minor releases. For instance if 9.0.2 is installed the will have security coverage until 9.2.0 is released
The site receives security coverage but when the next minor version of Drupal is release their coverage will end. For example they are on 9.0.10 and 9.1.17 is the latest release. When 9.2.0 is released
9.0.x will no longer receive security coverage.
The site does not receive any support and they should update as soon as possible to have security coverage. They are on 9.0.10 and 9.2.0 has already been released.

Special logic for the minor releases 8.8.x and 8.9.x.

8.8.x will have security coverage until 2020-12-02. Sites on 8.8.x should be warned that they should update as soon as possible on 2020-6-02(this is that same as if they had 1 minor release to update)
8.9.x is the LTS release for Drupal. It will receive coverage until 2021-11-01. Sites on 8.9.x will not receive a update as soon as possible warning 6 months before the LTS term ends

Completed tasks

Followup regarding the last minor of a release and/or the next major release (might be noted on #2608062: [META] Requirements for tagging Drupal 9.0.0-alpha1): #2998287: Provide accurate information on the security coverage of the 8.x final minor and LTS, and recommend updating to the next major version when appropriate
Followup for potentially including minor coverage info/dates in the d.o XML data, rather than relying solely on the "supported minors" constant and handbook page: #2998285: Add information on later releases to updates.drupal.org
Followup to discuss whether this should also add anything to the "General system information" header at the top: #2998289: Make security coverage more prominent on the Status Report
Followup to discuss email notifications of being out of security coverage: #2998292: Send email when installed version no longer receives security coverage

Remaining tasks

None

User interface changes

Here are messages starting from the most out of date, earliest release. Currently the latest release is 8.7.x.

8.5.x out of date, 2 minor version behind most recent

8.6.x out of date, 1 minor version behind most recent, extra warning about updating soon

8.7.x out of date, current minor version behind most recent, not a warning

8.8.x, message doesn't change based on which version is most recent, only by date, using real date 2019.10.10

8.8.x, using test data date 2020.6.3, less than 6 months till end of coverage

8.8.x using test data date 2020.12.3, coverage over

8.9.x using real date 2019.10.10

8.9.x using test data date 2021.11.2, coverage over

API changes

None

Data model changes

None

Problem/Motivation

Although Drupal contains checks against the minimum supported version of PHP, currently there are no checks to stop the user from running Drupal with a version of Drupal that is newer than supported. For example, users who attempt to use Drupal 8.8.1 with PHP 7.4 will encounter problems, and there is nothing beyond documentation to warn them that this configuration does not work.

Proposed resolution

Add guards so that Drupal installations on new versions of PHP will fail-fast.

Drupal's composer dependencies should also have a constraint rejecting versions of PHP that are too new.
Drupal should have a constant DRUPAL_MAXIMUM_PHP to compliment DRUPAL_MINIMUM_PHP; it should be used in the same ways the existing constant currently is.

Remaining tasks

Add DRUPAL_MAXIMUM_PHP and corresponding checks.

User interface changes

None.

API changes

None.

Data model changes

None.

Release notes snippet

Drupal's composer.json file now constrains the maximum supported PHP version in addition to the minimum version.

Original report

I got a little over-zealous in bumping the PHP version for my Drupal project's Docker environment and discovered that Drupal 8.8.x has a known incompatibility with PHP 7.4 (being worked on at #3086374) but this is not expressed in composer.json, and there are no current core dependencies that otherwise block installation on PHP >= 7.4.

This patch adds an upper bound to PHP 7 compatibility to < 7.4.0, which will help address this issue at current and also on any future release cycle that is behind or otherwise out-of-sync with a new PHP 7 minor version. (E.g., when PHP 7.4 compatibility comes in, this can change to < 7.5.0).

I'm not sure of the exact internals of testbot relative to composer install, so unsure if this requires any follow-up on infra or in a test? This can be validated after the install by a failure, with some manual testing (The composer package is built from latest PHP stable version):

$ docker run --rm -u `id -u` -v `pwd`:/src -w /src/core composer:1.9 install
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - This package requires php >=7.0.8 <7.4.0 but your PHP version (7.4.1) does not satisfy that requirement.

Previously we have been able to turn off entity caching by using either hook_entity_type_alter() or hook_entity_type_build() by doing the following:

/**
 * Implements hook_entity_type_alter().
 */
function MY_MODULE_entity_type_alter(array &$entity_types) {
  $entity_types['ENTITY_TYPE_ID']->set('static_cache', FALSE);
  $entity_types['ENTITY_TYPE_ID']->set('persistent_cache', FALSE);
  $entity_types['ENTITY_TYPE_ID']->set('render_cache', FALSE);
}

This process no longer works in 8.7.x or 8.8.x since the introduction of entity type definitions now having the ability to be "loaded from code" and also the ability to get "the active definitions" in issue 2554235: Make the content entity storage and entity query use the last installed definitions instead of the ones living in code

The issue now is that depending on how the entity type object is retrieved, we will get different results.

For instance if we want to just turn off persistent caching on nodes, we would do the following:

/**
 * Implements hook_entity_type_alter().
 */
function MY_MODULE_entity_type_alter(array &$entity_types) {
  $entity_types['node']->set('persistent_cache', FALSE);
}

But this will not turn off persistent caching for nodes, as the following would indicate.

/** @var \Drupal\Core\Entity\EntityTypeManager $entity_type_manager */
$entity_type_manager = Drupal::service('entity_type.manager');
// The node's entity type when loaded "from code".
$is_cachable_1 = $entity_type_manager->getDefinition('node')->isPersistentlyCacheable();
// The node's entity type when loaded "from active".
$is_cachable_2 = $entity_type_manager->getActiveDefinition('node')->isPersistentlyCacheable();

// The node storage's entity type object is loaded "from active".
$is_cachable_3 = $entity_type_manager->getStorage('node')->getEntityType()->isPersistentlyCacheable();

// Node is ultimately loaded from persistent cache (if previously loaded)
// since load() uses the entity type object from the SqlContentEntityStorage
// class. This can be proven to load from cache by putting a breakpoint
// in \Drupal\Core\Entity\Sql\SqlContentEntityStorage::doLoadMultiple().
$node = Node::load(1);
// Yet the loaded node's entity type object is loaded "from code".
$is_cachable_4 = $node->getEntityType()->isPersistentlyCacheable();

// Results:
// $is_cachable_1 === FALSE
// $is_cachable_2 === TRUE
// $is_cachable_3 === TRUE
// $is_cachable_4 === FALSE

Is there an official way to modify an existing entity type to disable caching (or perform other modifications) besides using hook_entity_type_alter() or hook_entity_type_build()?

Problem/Motivation

At #1612910: [policy, no patch] Switch to Semantic Versioning for Drupal contrib extensions (modules, themes, etc) we finally decided to allow Drupal contrib extensions to use pure Semantic Versioning (SemVer). At over 400 comments, that issue is no longer useful to get anything done. ;)

This issue is the meta plan for tracking progress implementing the fixes to allow both semver and legacy versions within Drupal core. Drupal.org and packaging issues are tracked here: #2681459: Support contrib semver releases

Proposed resolution

Documentation Updates

Everywhere we've documented "PatchLevel" we need to relabel as "Minor", for example What do version numbers mean on contributed modules and themes?. PatchLevel and Minor are semantically equivalent, so we should eliminate confusion by having two semantically different things named "Patch" and "PatchLevel". There are a ton of other related docs that need to be updated to discuss this plan, explain / link to SemVer, etc.

Drupal 7

Drupal 7 contributed modules will continue to follow the existing pattern. 7.x-MAJOR.MINOR. For those user using composer to manage a drupal 7 site, the composer facade is able to translate this into a fake semver that composer can understand. For the users downloading files manually, or with tools like drush, they will still know that they are getting the drupal 7 version as it will be clearly marked.

Drupal.org

Drupal 8 contributed modules will allow for releases in the pattern of MAJOR.MINOR.PATCH. The composer facade and drupal.org will understand and allow for repository tags that include 8.x-MAJOR.MINOR (legacy), or MAJOR.MINOR.PATCH (fully compliant). Drupal core will need to be modified to expect and interpret these possibilities as well.

We have to fix Drupal.org to allow legacy (8.x-MAJOR.MINOR) and semver (MAJOR.MINOR.PATCH) versions on projects going forward. We'll probably have to retain the legacy support for a while, perhaps indefinitely.

see more #2681459: Support contrib semver releases

5) Drupal 9 (maybe) we can deprecate the (9.x) part of the versioning scheme, as it may not even be accurate, and from that point forward, MAJOR.MINOR.PATCH will be the version numbers for drupal contrib projects, and dependency compatibility *must* be specified in the info.yml files (or composer.json if that's where we end up).

Remaining tasks

Core

Core needs to support semver dependencies:

Modernize Version Handling
- #2677532: Move drupal_check_incompatibility() functionality to a new Dependency class and Version component
Fix bugs, add features to support semver
- #2313917: Core version key in module's .info.yml doesn't respect core semantic versioning
- #3005229: Provide optional support for using composer.json for dependency metadata

Core Update module needs to support semantic version releases and development branches

Drupal.org

See #2681459: Support contrib semver releases.

Documentation

As this moves forward, we'll need to update a lot of documentation.
(This list needs to be fleshed out):

User interface changes

TBD

API changes

TBD

Data model changes

TBD

Problem/Motivation

As stated in #3050389: Remove dependency to Classy from core themes, Classy will be moved to contrib before Drupal 9 and we have to remove dependencies on Classy from all core themes.

Part of this process includes creating theme-specific copies of all Classy libraries to core themes. This ensures Classy can be removed without impacting those themes.

Proposed resolution

- As needed ,copy libraries and assets from Classy to Seven.
- Create new libraries for every copied library, named with the convention "classy.
".
- Override the Classy libraries so they are not loaded by Seven.
- Any Classy libraries-extend: should now be taken care of in Seven.
The end result is no Classy library assets should load, and Seven experience should be unchanged.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

The Drupal.org infrastructure uses this by default and so do lots of Drupal shops, so why can't we add this snippet to settings.php (and settings.default.php) by default?

/**
 * Include a local settings file if it exists.
 */
$local_settings = dirname(__FILE__) . '/settings.local.php';
if (file_exists($local_settings)) {
  include $local_settings;
}

This could also be a tiny step forwards for local configuration management.