Problem/Motivation

Hi everyone,
I would like to report an issue with Drupal core routing system which provides access to users based on content publishing state. Please be inform that unpublished content on a multilingual website receives an error which is stated below:

Path: /fa/node/1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/lib/tugboat/stm/web/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

Seems that the line refers to the below function: CacheableAccessDeniedHttpException

    if (!$access_result->isAllowed()) {
      if ($access_result instanceof CacheableDependencyInterface && $request->isMethodCacheable()) {
        throw new CacheableAccessDeniedHttpException($access_result, $access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
      else {
        throw new AccessDeniedHttpException($access_result instanceof AccessResultReasonInterface ? $access_result->getReason() : '');
      }
    }

Steps to reproduce

1- Install Drupal 9.3.2 / Drupal 9.3.0 with PHP 8 / PHP 7.3.x
2- Install localization / language module
3- Install secondary language and make the setup multilingual
4- Add a basic page and make it unpublished
5- Browse to the URL with an anonymous user

Proposed resolution

Seems that the issue is related to publish state of the article when multilingual feature is activate. Since I do not have developer side of view to this matter I could not provide a solution. In mean time, I recreated this issue with simplytest.me and advise looking at the screen-shots provided.
Please find the screens as attached.
Thank you.

Problem/Motivation

When enabling CORS support in Drupal, cacheability is broken because this header is added to every request (of a different origin, but that is a different bug, see: #3001809: CORS breaks with cache proxies and same origin usage.):

Vary: Origin

This breaks cacheability because if a site allows numerous other origins to make requests to their site, they will get a cached version for each origin. Some CDNs will not cache the request at all if this is present as it results in too many cache objects.

Proposed resolution

This problem has been resolved upstream in asm89/stack-cors#64. The most recent release this has been included in is 2.0.0.

I would like to backport this release when it is in a stable upstream release.

Remaining tasks

1. Write Upgrade Patch

User interface changes

None

API changes

Requests that were not cached before may become cached.

Data model changes

None.

Release notes snippet

Enabling CORS preserves cacheability whenever possible.

Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

Problem/Motivation

composer outdated shows that some of our dependencies are old. Let's updated them. Major version updates for Symfony and Twig are handled by other pre-existing issues.

Proposed resolution

Run composer update

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

+----------------------------------+---------+---------+
| Production Changes               | From    | To      |
+----------------------------------+---------+---------+
| composer/semver                  | 3.2.6   | 3.2.7   |
| guzzlehttp/guzzle                | 7.4.0   | 7.4.1   |
| laminas/laminas-feed             | 2.15.0  | 2.16.0  |
| laminas/laminas-stdlib           | 3.6.1   | 3.6.4   |
| psr/cache                        | 1.0.1   | 3.0.0   |
| psr/container                    | 1.1.1   | 1.1.2   |
| symfony/console                  | v4.4.34 | v4.4.36 |
| symfony/debug                    | v4.4.31 | v4.4.36 |
| symfony/dependency-injection     | v4.4.34 | v4.4.36 |
| symfony/error-handler            | v4.4.34 | v4.4.36 |
| symfony/http-foundation          | v4.4.34 | v4.4.36 |
| symfony/http-kernel              | v4.4.35 | v4.4.36 |
| symfony/mime                     | v5.4.0  | v5.4.2  |
| symfony/polyfill-ctype           | v1.23.0 | v1.24.0 |
| symfony/polyfill-iconv           | v1.23.0 | v1.24.0 |
| symfony/polyfill-intl-idn        | v1.23.0 | v1.24.0 |
| symfony/polyfill-intl-normalizer | v1.23.0 | v1.24.0 |
| symfony/polyfill-mbstring        | v1.23.1 | v1.24.0 |
| symfony/polyfill-php80           | v1.23.1 | v1.24.0 |
| symfony/process                  | v4.4.35 | v4.4.36 |
| symfony/serializer               | v4.4.35 | v4.4.36 |
| symfony/validator                | v4.4.35 | v4.4.36 |
| symfony/var-dumper               | v5.4.0  | v5.4.2  |
| symfony/yaml                     | v4.4.34 | v4.4.36 |
+----------------------------------+---------+---------+

+-----------------------------------------+---------+---------+
| Dev Changes                             | From    | To      |
+-----------------------------------------+---------+---------+
| composer/composer                       | 2.1.12  | 2.2.3   |
| composer/xdebug-handler                 | 2.0.2   | 2.0.4   |
| friends-of-behat/mink-browserkit-driver | v1.5.0  | v1.6.1  |
| phpdocumentor/type-resolver             | 1.5.1   | 1.6.0   |
| phpunit/phpunit                         | 9.5.10  | 9.5.11  |
| seld/phar-utils                         | 1.1.2   | 1.2.0   |
| squizlabs/php_codesniffer               | 3.6.1   | 3.6.2   |
| symfony/dom-crawler                     | v4.4.30 | v4.4.36 |
| symfony/finder                          | v4.4.30 | v4.4.36 |
| symfony/lock                            | v4.4.33 | v4.4.36 |
| composer/pcre                           | NEW     | 1.0.0   |
+-----------------------------------------+---------+---------+

Problem/Motivation

In #2976098: MigrateExecutable should add details for the migration & destination property to exceptions that cause a row failure, the migration ID and destination property was added to migration failure messages.

For a process pipeline with several plugins, that can still leave some detective work finding the source of the problem.

It would be useful to add the process plugin ID, and also the index number, since the same process plugin can occur several times in a single pipeline.

Steps to reproduce

Proposed resolution

Move the catch in import():

        catch (MigrateException $e) {
          $this->getIdMap()->saveIdMapping($row, [], $e->getStatus());
          $msg = sprintf("%s:%s: %s", $this->migration->getPluginId(), $destination_property_name, $e->getMessage());
          $this->saveMessage($msg, $e->getLevel());
          $save = FALSE;
        }

to processPipeline(), which has the plugin name, and add an $index to the foreach loop.

This should then re-throw the exception with the process plugin details prefixed to the message.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Problem/Motivation

#2574767-36: Views listing page displays too few items on a page removed the "Tags" column from the list of views at /admin/structure/views, because it was rarely used.

I don't personally use Views Tags on every project, so I understand with, and largely agree with the reasoning in that issue. Also I couldn't find any other issues asking for it to be re-added, which probably also indicates that the feature is not used that often.

That being said, I do find Views tags very useful in specific situations, e.g.: for managing technical debt on a site with multiple developers and a tight timeline... I tag views by their base table, contextual filters, whether they use aggregation, and where they are used; so that it is easy for developers to find an existing view they can add a new display to (rather than creating an entirely new view), and it is easy to see which views could be combined when they are already a mess.

Ideally, the list of views at /admin/structure/views would become a view of its own (e.g.: as part of #1823450: [Meta] Convert core listings to Views), which would allow me to simply add a tags column on the sites that required it; and leave it at the default everywhere else.

However, in the meantime, it would be handy to have a patch to apply to add the tags column back.

Proposed resolution

Write a patch to re-add the tags column.

Remaining tasks

1. Write a patch.

I'll leave it to others to determine whether this is something we want to add back to Drupal core; or just leave here for people to apply when they need it.

User interface changes

Adds a "tags" column between Description and Displays to the list of views at /admin/structure/views

API changes

None.

Data model changes

None.

I'm attempting to create an html email newsletter content type whose content is populated by views. Because the Views Global: Custom text field strips inline styles, I've made custom twig templates for the newsletter content type in my theme:

html--newsletter.html.twig contains only {{ page }}

and

page--newsletter.html.twig contains only {{ page.content }}

While

node--newsletter.html.twig contains the html email markup (views called via twig tweak)

and

views-view-field--newsletter--block_2--nothing.html.twig contains the markup from the views Global: Custom text field.

This all works fine except that the result is still wrapped in two extraneous divs:

Because Drupal 10 does not support IE11, we can make better use of CSS variables and holistically refactor components to make them more understandable, extendable, and resilient.

This issue will serve as a moderately complex first try in doing so. The overall appearance and functionality of the tabs will not change, however, the code will be understandable, extendable, future-proof, and resilient.

I get this issue using Views module:

Symfony\Component\Routing\Exception\InvalidParameterException: Parameter "arg_0" for route "view.test.feed_1" must match "[^/]++" ("" given) to generate a corresponding URL. in Drupal\Core\Routing\UrlGenerator->doGenerate() (line 205 of /code/web/core/lib/Drupal/Core/Routing/UrlGenerator.php).

How to recreate it:

1. Create view with a block display.
2. Add filters to the block, expose them to visitors and enable AJAX.
3. Add page display with contextual filters and the path should have a dynamic argument such as /path/%.
4. Place the block to any page then you will get the issue.

The reason of that is views module wants to replace form action with page url and the url is broken because it doesn't have any argument.

I used Better Exposed Filter and didn't check the issue without it though.

Problem/Motivation

In certain situations regions that contain empty blocks still render.

The original design goal of regions was that the region itself not render when it contains "empty" content.

Determining emptiness is a challenge under the existing Render API implementation.
People expecting a region to dissapear may be surprised to find this feature non-functional.

@Eclipsegc

Dispite the fact that core community members are very aware of this issue, unfortunately there's really very little to be done about it until we decide to really overhaul this particular subsystem (Render API).
There are potentially a lot of people interested in doing that work, it's just a matter of figuring out the right solution, and building consensus.

The message you should take from this is that core developers are generally very aware of this issue, but it's not a simple as building a fix. It's more like we need to revisit the underlying paradigm that drives this section of Drupal.
It'll happen eventually, and until then, we'll all have to limp around this issue together.

Several approaches to solving this have been considered. All of which come with unacceptable drawbacks.

The core issue is that there is no possible way to definitely identify an 'empty' block without first
rendering it.

This is the standard code for detecting empty regions and results in wrapping divs showing regardless of content existing,

<?php
if ($page['region']) {...
?>

There are a number of symptoms of this issue.

It's a challenge to add class such as "has sidebar" to the body tag when it's impossible to determine if it's empty (there are some is empty() type workarounds in the thread)

Many possible workarounds have been proposed. None of which are suitable for implementation in core.

There are a number of existing child issues about broken layout, and more keep coming.

Considerations

Placeholders

Placeholders only have partially to do with BigPipe - They allow our dynamic page cache to work at all for complex scenarios. It is a pre-requisite for authenticated user caching.

Access

@fabianx

Access is not affected in core right now. If you use block visibility access conditions you are fine => with or without placeholders. (because it happens _before_ any rendering takes place). The only thing that there is, is that there is cache data in the region, so !empty() won't work. A helper function by Wim will filter that there are no renderable children. This needs a helper function, however at least the cacheable meta data needs to be put to the upper level.

We could also for empty regions just remove it and render it on the render stack instead. I think that would be safer, too and is exactly what happens when people using work-arounds to pre-render things.

This would make block visibility condition blocks work nicely - e.g. the user login block and is a really simple fix - just render an empty region before returning.

Empty blocks

@fabianx

Empty blocks happen just after rendering, so we cannot know if the region is empty before rendering it actually. Pre-rendering work-around works, but is ugly especially because it doubles the time to render the region.

Placeholdered blocks

@fabianx

In most cases you are by default not affected by this

Empty blocks happen just after placeholder replacement, with BigPipe even just on the client. => Pre-rendering work-around will not work. A late event subscriber or for BigPipe a JS solution will work.

Accessibility:

@andrewmacpherson

Empty DIVs don't really matter much for a11y, as they don't pollute the semantics at all.

However an empty is a problem for some assistive tech, as it will be included in their "landmark regions" navigation tools. An empty landmark region is potentially confusing. Same goes for header, footer, nav elements.

Proposed resolution

Suggestions

The best solutions that have been suggested over the years this issue has existed just don't get
the job done in an acceptable way.

The ideal result is the ability to add this to a template:

{# D8 #}
{% if region %}
  <div>{{ region }}</div>
{% endif %}

There have been some suggestions of adding twig filters for D8, for example:

{# D8 #}
{% set region = page.region|render %}
{% if region %}
  <div>{{ region }}</div>
{% endif %}

and calling render directly in the twig template:

// D7
if ($region = render($page['region'])):
  <div>$region</div>
endif;

These implementations suffer from the fact that placeholders are not yet replaced in the render array, using
this method will break features such as big pipe.

Design a new architecture for the render system.

It's clear from the existing thread that with the current implementation of the render system that was
introduced with drupal 7 that the issue steps from a fundamental flaw in the render architecture.

@pheneproxima has a good idea:

Render arrays already support a little-known property called #access_callback. If set, it is supposed to contain a callback function (or callable, I believe) which is called before its part of the array is rendered. And if it returns FALSE, that part of the array is skipped by the rendering system.

It would take a pretty large-scale effort across core, but we could take advantage of this property to quickly recurse through a render array and remove parts that should not, according to the access callbacks, be rendered. For example, an empty item_list could have an access callback which returns FALSE if there are no items in the list. A renderable array section that will contain the results of a view could have an access callback which returns FALSE if the view has no results (and there is no empty text). And so forth. Each part of a render array could implement lightweight logic to prevent rendering of that specific part of the array. Basically, we would pre-compute the #access property by recursively calling the lightweight access callbacks.

The downside is that this would still involve recursing through a gigantic renderable array. However...it'd be a great deal faster than rendering out the array and checking if there was any output. Also, we could take advantage of cacheability by returning AccessResult from the access callbacks (if, indeed, that's not what they already return).

Limitations

@markcarver

Simply rendering a variable in Twig does not guarantee the variable will be "empty".

If a render array contains properties for render caching/big pipe/lazy loading, then it can potentially generate placeholder markup.

This placeholder content may or may not be empty, but that will not be determined until it is replaced at a later time in the request... well after said Twig template is invoked, ran through "if empty" statement and subsequently render cached using the incorrect logic.

Known workarounds

// @todo audit the suggested work arounds and update this description.
// There a numerous workarounds and approaches, some general some for specific usecases.

@danbohea

OK, so there's a fourth option for people to consider for a default emptiness definition:

A: Empty means there must be text other than normal whitespace or tags or HTML comments (e.g. render|strip_tags|strip_comments|trim)
B: Empty means that there is no whitespace, but HTML tags or HTML comments are considered non-empty (render|trim)
C: Empty means there is absolutely no content in there not even whitespace (render)
D: (**NEW**) Empty means that there is no whitespace, HTML tags are considered non-empty, HTML comments are ignored and considered empty (I guess that's render|strip_comments|trim ?)
Option D is my preference: it's compatible with Twig debugging and shouldn't accidentally hide non-text HTML (e.g. tags).

assign render output in twig to determine "emptiness"

Add

{% set output = render_var(content) %}

to your twig

Remaining tasks

[ ] Escalate this issue to an plan or initiative
[ ] Audit the workarounds
[ ] Document the known limitations - it doesn't look like this is going away any time soon.

User interface changes

None from an admin perspective.
Sitebuilder's will now have regions with empty blocks not being rendered, as expected.

API changes

[ ] To be determined

Data model changes

// @ todo

Release notes snippet

// @ todo

Problem/Motivation

While playing with lazy loading attribute that is coming from Drupal core and our own implementation in #3060605: Support lazy loading of images @sasanikolic noticed that responsive image tag is missing width and height attribute. Why is Drupal core is not setting these attributes for lazy image loading which basically disable lazy loading for all responsive images? The short answer is that responsive images are more complicated. And it still needs to be implemented.

I've read quite a bit of info related to lazy loading and images and responsive images in the next resources:

• https://www.smashingmagazine.com/2020/03/setting-height-width-images-imp...
• https://github.com/whatwg/html/pull/4952
• https://bugs.chromium.org/p/chromium/issues/detail?id=979891
• https://bugzilla.mozilla.org/show_bug.cgi?id=1547231
• https://bugs.webkit.org/show_bug.cgi?id=201641

In short, at least as I understand, the problem with lazy loading and responsive images was that in one moment browsers were not properly supporting width/height attributes when images were lazy-loaded. So the browsers were not able to calculate the aspect ratio of images and show image area while image was still loading - and this resulted in recalculating page layout on image load. However, this should be fixed in most or all browsers now and this combination should work.

Proposed resolution

• Add width and height attributes to the responsive image tag.
• Add an option to toggle the loading="lazy/eager" option in the picture field formatter. For this, see the great work being done in #3173180: Add UI for 'loading' html attribute to images. We should model a similar result for picture.

A UI toggle is needed in this issue. We've learned a few things since loading="lazy" has started to be heavily used. Mainly, always enabling it negatively affects the page's LCP score. See https://web.dev/lcp-lazy-loading/ for an exhaustive description of the problem.

Remaining tasks

We want to avoid browser reflow if loading=lazy is configured.

From #13:
The HTML spec has very recently been updated to allow for width and height attributes to be set on source elements:

https://github.com/whatwg/html/issues/4968
https://twitter.com/zcorpan/status/1365046132401913861
https://twitter.com/jensimmons/status/1365066057774493697

Current browsers implementation:

• https://groups.google.com/a/chromium.org/g/blink-dev/c/GEjjJE0LCnM/m/0p8... state: "this has landed and will ship in Chrome 90. Christian On Thu, Feb 18, 2021"
• Firefox has open issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1694741 (linked from https://github.com/mozilla/standards-positions/issues/485)
• Safari has a closed (merged) issue https://bugs.webkit.org/show_bug.cgi?id=222368

As of Oct 5th, 2021, it looks like FF is the only major browser not currently supporting this. Safari and Chrome already do.

The image dimensions are always provided. The srcset attribute only supports a single set of dimensions. These
dimensions reflect the real size but all images should follow the same
image size ratio. If using sizes and art direction, that might not be true.
For image styles, that is less of a concern because specifying image
density should already require that all images are the same image size
ratio. One could argue that providing wrong dimensions for sizes attribute
is bad for art direction. But having some image size to calculate ratio
is better than providing nothing. Ergo, we provide dimensions in all cases
even though they might be wrong in some edge scenarios.

These image dimensions are used by the browser to calculate the size and render a placeholder. This avoids content shift on page load. If someone decided to use lazy loading and art direction, they should not use sizes attribute. But rather image styles and specify the image dimensions. Because if they don't then they could conceivably experience some content shift issues.

User interface changes

None.

API changes

None.

Data model changes

None.

Problem/Motivation

The ImageStyle class is a config entity that besides doing the config entity, also has methods that do process images into derivatives.

This is probably the result of the migration of the image system from D7.

As things stand, though, this is causing issues -

• the entity code is for instance invoking hooks
• it's difficult for custom/contrib to override parts of the image derivatives generation process, for instance to change the derivative URL/URI, or to pre/postprocess image derivatives

Several issues were filed in that respect, to list some:
#2359443: Allow creating image derivatives from an Image object
#1358896: Flexible scheme and URI for image derivatives
#2940016: Make possible to respond to image derivative creation
#1826362: ImageEffects of the same image style should be able to pass variables between them
#2685905: Refactor ImageStyleDownloadController so derivatives can be generated by contrib modules
#1903190: Allow image style derivatives of private images to be stored on the public file system
#2098247: Provide a hook for ImageStyle::createDerivative
#3218514: [PP-1] Deprecate passing path (instead of true URI) to ImageStyleInterface::buildUri($uri)

Proposed resolution

In #2359443-26: Allow creating image derivatives from an Image object, before stalling, we started discussing decoupling the config entity from the image derivative processing code.

This is implementing that:

• separate the image derivative processing methods from the ImageStyle into a plugin, that takes ImageStyle as the config entity as in input, like the source URI or the Image object directly
• deprecate the methods on the ImageStyle, leaving the code that calls the plugin methods instead
• the plugin implements a fluent API to pass the variables needed and then executes the process required, bieng determining the derivative URI, or creating the derivative image, or getting the safety token
• keeping full BC

Why a plugin?
So that the default implementation can be overridden e.g. to change the derivative URI calculation logic or to post-process an image derivative - only re-implementing the plugin methods that are necessary without touching the config entity code. But also, plugin allows to have parallel 'derivative processing engines' if someone wants that. For instance, Textimage contrib module has its own formatter and API that could leverage this plugin concept.

Remaining tasks

Review

User interface changes

None

API changes

Several methods deprecatedin ImageStyle, new plugin manager and a default plugin implemented.

Data model changes

None

Follow-up for #2174633: View output is not used for entityreference options: This covers the display on the form of already selected items.

When an entity relation field displays options via a view the view fields are not used to display the selected entity, instead the entity label is shown. This is a regression from Drupal 7.x.

Steps to reproduce

• Create a View with an entity reference display and set it up to display more then one field as an inline field
• Add an reference field to a content type that uses this entity reference display
• Add a node and fill out the field -> this will show the selected entity as configured in the View (using the selected inline fields)
• Save the node
• Edit the node
• Look at the selected value for the reference field

Expected value:
The entity is shown as configured in the View and the same way as it was shown when the selection was made

Actual value:
The entity label

Problem/Motivation

Twig 3 is here
https://github.com/twigphp/Twig/releases/tag/v3.0.0

Proposed resolution

Update Drupal 10 to Twig 3.

Installing Drush on Drupal 10

Drush 10 has a dependency that requires Twig 1 or Twig 2 so is incompatible with Drupal 10. To install Drush at the current time do:

composer require drush/drush 11.x-dev

Remaining tasks

Discuss. Patch. Commit.

User interface changes

None.

Problem/Motivation

During the installation process via Drush (drush site:install) or the Quick Start Command, the unmet requirements are supposed to be displayed in the terminal as a list via InstallerException.

However, in reality, there is no meaningful message, like:

In install.core.inc line 2293:
  Database settings:
  Array

or

In install.core.inc line 2293:
  Extensions PHP: Disabled
  Array

You can also review a duplicated issue with detailed analysis: #3081572: Unexpected description format when parsing the unmet requirements message string.

Steps to reproduce

Run the default Drupal installation via Drush with unmet requirement, for example MySQL < 5.7.8.

Proposed resolution

The proposed resolution is to use Drupal render service, because turns out the requirements arrays items may contain render elements, as it was described by @alexpott in #8:

- title and value can also be render elements
- There can be html in the description which is not good for CLI output

Remaining tasks

1) Open a merge request or attach a patch considering the suggestions in #8.
2) Add a test (if possible);

References:

• https://github.com/drush-ops/drush/issues/2158
• #2799957: Starting Drupal installation. This takes a while. Consider using the [ok] --notify global option. exception 'Drupal\Core\Installer\Exception\InstallerException' with [error] message 'PHP extensions: Disabled Array' in /home/insasse/workspace/workstation
• #2177655: Replace theme() with drupal_render() in install.core.inc
• #2625820: install_check_translations() sometimes incorrectly returns NULL instead of array

Problem/Motivation

Note: As far as I know unnecessary code counts as a bug, but this could also be seen as a task (and then retargeted for 9.4?), not sure.

Found in #3257407: Use "content" region in BlockCreationTrait::placeBlock() instead of "sidebar_first".

SettingsTrayBlockFormTest's implementation of getTestThemes() is identical to that of it's parent SettingsTrayTestBase

Steps to reproduce

-

Proposed resolution

Remove SettingsTrayBlockFormTest::getTestThemes().

Remaining tasks

User interface changes

-

API changes

-

Data model changes

-

Release notes snippet

Problem/Motivation

Always see a message about available updates.

Proposed resolution

Add option to display the message only when installed and/or recommended version of at least one extension has been changed.

Problem/Motivation

I have accidentally remove the block for search wide button. I was not able to add back when looking into search wide in block list.

Steps to reproduce

remove the search wide block but can't add back

It is very surprising that the font size patch for H1, H2, H3, ... tags was not applied during the last kernel update.

Currently this problem makes sites very inconsistent. In my screenshot I have an H2 tag followed by an H4 tag with a larger font.

It looks really ugly for editorial sites. I hope the patch will be applied before Drupal 9.4

Problem/Motivation

While working on #2976147: Create a sales report supporting daily, weekly, monthly, and yearly breakdowns., my tests failed due to configuration schema validation.

Schema errors for views.view.sales_report with the following errors: views.view.sales_report:display.default.display_options.fields.report_id.set_precision missing schema

The report_id is the entity identifier base field. The View has aggregation enabled, and the report_id is set to COUNT.

In Views, the handler is swapped to numeric as an override when the display is built. This is causing a SchemaIncompleteException exception to be thrown.

This following code is what changes the handler and causes the schema error

\Drupal\views\Plugin\views\display\DisplayPluginBase::getHandlers

        // If aggregation is on, the group type might override the actual
        // handler that is in use. This piece of code checks that and,
        // if necessary, sets the override handler.
        $override = NULL;
        if ($this->useGroupBy() && !empty($info['group_type'])) {
          if (empty($this->view->query)) {
            $this->view->initQuery();
          }
          $aggregate = $this->view->query->getAggregationInfo();
          if (!empty($aggregate[$info['group_type']]['handler'][$type])) {
            $override = $aggregate[$info['group_type']]['handler'][$type];
          }
        }

Proposed resolution

No idea.

Remaining tasks

• Write test which aggregates an entity ID
• ???

User interface changes

API changes

Data model changes

Problem/Motivation

#3036593: Add 'drupal_internal__target_id' to JSON:API representation of entity reference fields, because that can't be retrieved from the target resource for target entity types without corresponding resources added a meta.drupal_internal__target_id value on the relationship identifier for entity reference fields; this is super helpful to client-side implementations to filter by Drupal IDs, rather than UUID.

There are some circumstances (user IDs, for instance) where I would like to hide Drupal's internals, entirely. Serial fields in particular can leak information relating to the site's total user count, or the relative age of a user, or whatever, from the ID.

This isn't a huge issue, and enumeration of Drupal users (and other entities) by ID is not considered a security risk per se, but this value's automatic inclusion makes it harder to build a site that is API-forward in using UUIDs everywhere.

Because json:api module exposes a very limited PHP API, this is difficult to adjust in contrib or custom code.

It might be interesting to couple this with an opt-out of all the drupal_internal__* meta members, but this may be too edge a use case to make sense in core. The issue is mostly that this is pretty difficult to opt-out of without hacking core, since there is no real hookpoint to adjust this.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet