So this is the one issue kills them all issue. :)
* Mass-reporting of comments is broken. The added test will throw exceptions until #673974: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect has been committed.
* Tests do not really test that stored session data actually contains a session.
* Node form title field mapping is broken. Submitting a node with just a title circumvents textual analysis.
* Various internal debugging watchdog messages are simply too long and don't contain useful information at the same time.
* The administrative user creation form contains a CAPTCHA due to a missing 'bypass access' property.
Comments
Comment #1
dries commentedI committed #673974: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect to CVS HEAD (Drupal 7), and I assume it will go into Drupal 6 shortly.
Comment #2
dries commentedThanks sun. I liked everything in your patch so committed it to the DRUPAL-6--1 branch for inclusion in the upcoming Drupal 6 release.
The changes will have to be ported to Drupal 7 so updating the version and status ...
Comment #3
sunSame patch in green, didn't run tests.
Plus another one for D6 -- it absolutely doesn't hurt to do a visual diff between branches ;)
Comment #4
sunIn addition to both patches, we also want to add the sendFeedback method to our fake server and use that for the tests, so we can double-check that we actually send proper data.
However, let's commit those two first.
Comment #5
dries commentedI applied the follow-up patch to D6 and ran the tests. All tests passed so I committed the fix to DRUPAL-6--1.
I applied the patch to D7, ran the tests twice. Both times, I got quite a few test failures so I have not committed the patch to CVS HEAD (Drupal 7) yet.
Comment #6
dries commentedWe fixed a server-side bug yesterday with post_body when the keys are in developer mode. This fixed has only been deployed to one server, and it looks like some of the failures (but not all of them), are related to not having deployed the fix to our other servers. We'll update all servers tonight.
Comment #7
dries commentedNow the servers have been upgraded, we have fewer test failures, but there are still test failures and they seem to be reproducible (i.e. they persist across multiple test runs). I haven't really looked into the errors yet but figured I'd give an update nonetheless.
Comment #8
dries commentedComment #9
dries commentedsendFeedback watchdog messages to help debugging, but also to help end-users .
Comment #10
dries commentedSpent a few hours debugging a bug in the DRUPAL-6--1 branch. In the DRUPAL-6--1 branch, Mollom session IDs are not always stored in the {mollom} table. We only store an entry in the table if something is HAM, but not when something is UNSURE at first, and we correctly filled out a CAPTCHA.
Comment #11
sunSo, this is what I tried to explain earlier... it should work and the added changes to specifically pass a list of modules to install shouldn't be required, but is currently blocked by #347959: modules_installed is broken during testing
Comment #12
sunHmmm... somehow, we didn't commit everything of this patch to D6?
Comment #13
dries commentedWhen I run the DRUPAL-6--1 tests without this patch, all tests pass ... that is odd, because it looks like the patch in #12 is a pretty important fix. Should we add some tests?
Comment #14
sunAlrighty -- our own, previously existing tests were broken, so we didn't assert proper session handling at all, and that's the reason why I was able to break all of this.
Test failures in tests:
Comment submission protection
(which is the only one that actually performs mollom session id assertions)
Comment #15
sunThis patch should fix everything, but I now get obscure test failures: When invoking mollom.checkContent() with a session_id, a different session_id is returned.
Comment #16
sunI added a "Server responses" test, starting with mollom.checkContent(), which proves that the client gets a different session_id from the server. Please tell me what I did wrong (because I hope I'm doing + expecting something wrong)
Comment #17
sunPosting something in between... it turns out that the @todo I added is actually required to solve this (since we have a lot of other helper functions like postIncorrectCaptcha()).
Comment #18
sunSummary of what this patch does:
We therefore need to introduce some more (weird?) logic into the tests:
Instead of hacking testing-related code into the regular module code, I chose to solve this challenge by scannning the recorded watchdog messages. Because those watchdog messages already contain the information we need: In case of a server redirect or server list refresh, we have a corresponding watchdog message, and that simply means, we can forget about the last known session id and use the new one for future comparisons.
@see assertSessionIDInForm()
@see assertSessionID()
Comment #19
dries commentedThanks for diving into this. Some initial feedback:
We probably don't want to change the server list permanently. The way the Mollom backend works right now, you definitely want to go back to first server in your server list as that is where all your old sessions will be. In other words, we should change the server list as provided by mollom.getServerList. If the Mollom backend want you to have another server list, and another main server, it will force you to refresh your server list instead of doing a temporary redirect.
It is not clear why we split off the timestamp part. The original session ID has a timestamp, but it looks like we add another one or something. Might be an opportunity for further clean-up in a follow-up patch.
Any particular reason we use an underscore instead of over-riding the method and calling its parent?
Is this test meant to stay? If so, I'd add some PHPdoc.
Comment #20
sunIncorporated all requested changes.
Sorry for that _drupalPost() hickup... I tried to override it first but that failed for some reason... trying it once again works just nice.
Good news! I just ran all tests with this patch on Presssflow, and all passed. :)
Comment #21
sunAdded some potentially escaped characters to the values in MollomDataTestCase->testAnalysis() - however, I cannot replicate the escaping.
Comment #22
dries commentedLooks great now. Committed to CVS HEAD. Thanks.
Comment #23
sunmmmh, ok, this is a bit mind-blowing. Two patches:
1) Syncing D6 with code in HEAD. I ran tests with this, and all passed, so committing these changes may be fine.
2) An initial patch to port these changes to HEAD... however, the relatively new requirement to also account for a potentially changing session_id doesn't map at all to the existing module code. That's also why the existing tests had to be rewritten (already committed to D6), because they tried to verify that the session_id remains the same across requests. Now, the entire module logic and form integration is bound to a session_id. If it changes, then we need to cache the $form_state['mollom'] for a new session_id, while the current module code assumes that it won't change.
With this patch for HEAD, I at least see the "Unknown session id" watchdog warning for the first time (when running the Comment form protection tests).
This minor detail of changing session ids has the potential to invalidate a lot of the module's code. Plenty food for thought. :-/
Comment #24
dries commentedCommitted to DRUPAL-6--1.
Comment #25
sunSummary:
Comment #26
sunComment #27
sunReviewing this once more, looking at http://api.drupal.org/api/function/system_cron/6 and mollom_flush_caches(), we are in good shape.
Yes, we store many more cache entries than actually needed and used, but as long as they are properly flushed, I don't think it makes sense to complicate the code even more - especially, since we will remove that entire cache table for D7.