So this is the one issue kills them all issue. :)

* Mass-reporting of comments is broken. The added test will throw exceptions until #673974: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect has been committed.

* Tests do not really test that stored session data actually contains a session.

* Node form title field mapping is broken. Submitting a node with just a title circumvents textual analysis.

* Various internal debugging watchdog messages are simply too long and don't contain useful information at the same time.

* The administrative user creation form contains a CAPTCHA due to a missing 'bypass access' property.

Comments

dries’s picture

I committed #673974: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect to CVS HEAD (Drupal 7), and I assume it will go into Drupal 6 shortly.

dries’s picture

Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Needs review » Needs work

Thanks sun. I liked everything in your patch so committed it to the DRUPAL-6--1 branch for inclusion in the upcoming Drupal 6 release.

The changes will have to be ported to Drupal 7 so updating the version and status ...

sun’s picture

Status: Needs work » Needs review
StatusFileSize
new13.03 KB
new3.55 KB

Same patch in green, didn't run tests.

Plus another one for D6 -- it absolutely doesn't hurt to do a visual diff between branches ;)

sun’s picture

In addition to both patches, we also want to add the sendFeedback method to our fake server and use that for the tests, so we can double-check that we actually send proper data.

However, let's commit those two first.

dries’s picture

I applied the follow-up patch to D6 and ran the tests. All tests passed so I committed the fix to DRUPAL-6--1.

I applied the patch to D7, ran the tests twice. Both times, I got quite a few test failures so I have not committed the patch to CVS HEAD (Drupal 7) yet.

dries’s picture

We fixed a server-side bug yesterday with post_body when the keys are in developer mode. This fixed has only been deployed to one server, and it looks like some of the failures (but not all of them), are related to not having deployed the fix to our other servers. We'll update all servers tonight.

dries’s picture

Now the servers have been upgraded, we have fewer test failures, but there are still test failures and they seem to be reproducible (i.e. they persist across multiple test runs). I haven't really looked into the errors yet but figured I'd give an update nonetheless.

dries’s picture

Status: Needs review » Needs work
dries’s picture

StatusFileSize
new3.22 KB

sendFeedback watchdog messages to help debugging, but also to help end-users .

dries’s picture

Spent a few hours debugging a bug in the DRUPAL-6--1 branch. In the DRUPAL-6--1 branch, Mollom session IDs are not always stored in the {mollom} table. We only store an entry in the table if something is HAM, but not when something is UNSURE at first, and we correctly filled out a CAPTCHA.

sun’s picture

StatusFileSize
new5.4 KB

So, this is what I tried to explain earlier... it should work and the added changes to specifically pass a list of modules to install shouldn't be required, but is currently blocked by #347959: modules_installed is broken during testing

sun’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Needs work » Needs review
StatusFileSize
new2.52 KB

Hmmm... somehow, we didn't commit everything of this patch to D6?

dries’s picture

When I run the DRUPAL-6--1 tests without this patch, all tests pass ... that is odd, because it looks like the patch in #12 is a pretty important fix. Should we add some tests?

sun’s picture

StatusFileSize
new27.52 KB

Alrighty -- our own, previously existing tests were broken, so we didn't assert proper session handling at all, and that's the reason why I was able to break all of this.

Test failures in tests:

Comment submission protection

(which is the only one that actually performs mollom session id assertions)

sun’s picture

StatusFileSize
new34.97 KB

This patch should fix everything, but I now get obscure test failures: When invoking mollom.checkContent() with a session_id, a different session_id is returned.

sun’s picture

StatusFileSize
new37.08 KB

I added a "Server responses" test, starting with mollom.checkContent(), which proves that the client gets a different session_id from the server. Please tell me what I did wrong (because I hope I'm doing + expecting something wrong)

sun’s picture

StatusFileSize
new42.8 KB

Posting something in between... it turns out that the @todo I added is actually required to solve this (since we have a lot of other helper functions like postIncorrectCaptcha()).

sun’s picture

Status: Needs review » Reviewed & tested by the community
StatusFileSize
new43.95 KB

Summary of what this patch does:

  1. Fixes the bug of no Mollom session_id being stored in the database, when a CAPTCHA was successful, but a unrelated form validation error occurred in the form. In this case, $GLOBALS['mollom_response'] was empty, because we do not communicate with Mollom in subsequent requests after passing a CAPTCHA.
  2. Fixes usage of non-existing variable and coding style in _mollom_send_feedback().
  3. Replaces previously existing assertions that tried to verify that the Mollom session id remains the same across requests with an entirely new Mollom session id assertion logic. The old code was not able to work at all, because it tried to access the form element value using a wrong xpath property (not invented here, #611860: Revamp the test suite). However, the overall revamp is caused by the fact that a Mollom session id can change across requests in the case of a server list refresh or server redirect. That is, because one Mollom server does not share session ids with other servers.

    We therefore need to introduce some more (weird?) logic into the tests:

    • We need to verify that we send, receive, and output the proper Mollom session id.
    • But we cannot rely on a static Mollom session id.
    • We only see what a regular user sees in the browser.
    • But we have some additional information available due to our watchdog message assertions.

    Instead of hacking testing-related code into the regular module code, I chose to solve this challenge by scannning the recorded watchdog messages. Because those watchdog messages already contain the information we need: In case of a server redirect or server list refresh, we have a corresponding watchdog message, and that simply means, we can forget about the last known session id and use the new one for future comparisons.

    @see assertSessionIDInForm()

  4. Adds a new test case "Server responses" along with a first low-level test for mollom.checkContent(). We should complete this test case with other methods in a follow-up issue.

    @see assertSessionID()

  5. When being redirected to the next server in the list, we now update the stored server list, because it is likely that we will be redirected in subsequent requests, too. (At least, this change [before I introduced the session id handling] made the low-level mollom.checkContent() server response test occasionally pass.)
  6. Adds dblog.module to list of modules to install, because it is now required to run tests.
dries’s picture

Thanks for diving into this. Some initial feedback:

+++ mollom.module	12 Jan 2010 22:58:47 -0000
@@ -1190,33 +1197,33 @@ function mollom($method, $data = array()
-          // Do nothing, we automatically select the next server.
+          // Update the server list to move this new server to the beginning.
+          $stored_servers = array_unique(array_merge(array($next), $servers));
+          variable_set('mollom_servers', $stored_servers);

We probably don't want to change the server list permanently. The way the Mollom backend works right now, you definitely want to go back to first server in your server list as that is where all your old sessions will be. In other words, we should change the server list as provided by mollom.getServerList. If the Mollom backend want you to have another server list, and another main server, it will force you to refresh your server list instead of doing a temporary redirect.

+++ tests/mollom.test	13 Jan 2010 02:07:45 -0000
@@ -132,11 +132,73 @@ class MollomWebTestCase extends DrupalWe
+  protected function assertSessionIDInForm() {
+    list($timestamp, $session_id) = explode('-', $this->getFieldValueByName('mollom[session_id]'));
+    return $this->assertSessionID($session_id);
+  }

It is not clear why we split off the timestamp part. The original session ID has a timestamp, but it looks like we add another one or something. Might be an opportunity for further clean-up in a follow-up patch.

+++ tests/mollom.test	13 Jan 2010 02:07:45 -0000
@@ -388,7 +461,7 @@ class MollomWebTestCase extends DrupalWe
-    $this->drupalPost($url, $edit, $button);
+    $this->_drupalPost($url, $edit, $button);

Any particular reason we use an underscore instead of over-riding the method and calling its parent?

+++ tests/mollom.test	13 Jan 2010 02:07:45 -0000
@@ -451,6 +552,54 @@ class MollomWebTestCase extends DrupalWe
+class MollomResponseTestCase extends MollomWebTestCase {

Is this test meant to stay? If so, I'd add some PHPdoc.

sun’s picture

StatusFileSize
new33.87 KB

Incorporated all requested changes.

Sorry for that _drupalPost() hickup... I tried to override it first but that failed for some reason... trying it once again works just nice.

Good news! I just ran all tests with this patch on Presssflow, and all passed. :)

sun’s picture

StatusFileSize
new34.51 KB

Added some potentially escaped characters to the values in MollomDataTestCase->testAnalysis() - however, I cannot replicate the escaping.

dries’s picture

Status: Reviewed & tested by the community » Fixed

Looks great now. Committed to CVS HEAD. Thanks.

sun’s picture

Status: Fixed » Needs review
StatusFileSize
new41.29 KB
new9.49 KB

mmmh, ok, this is a bit mind-blowing. Two patches:

1) Syncing D6 with code in HEAD. I ran tests with this, and all passed, so committing these changes may be fine.

2) An initial patch to port these changes to HEAD... however, the relatively new requirement to also account for a potentially changing session_id doesn't map at all to the existing module code. That's also why the existing tests had to be rewritten (already committed to D6), because they tried to verify that the session_id remains the same across requests. Now, the entire module logic and form integration is bound to a session_id. If it changes, then we need to cache the $form_state['mollom'] for a new session_id, while the current module code assumes that it won't change.

With this patch for HEAD, I at least see the "Unknown session id" watchdog warning for the first time (when running the Comment form protection tests).

This minor detail of changing session ids has the potential to invalidate a lot of the module's code. Plenty food for thought. :-/

dries’s picture

Committed to DRUPAL-6--1.

sun’s picture

Summary:

  • This works in D6, because we write Mollom session information to the cache at the latest point in time (at the end of #pre_render).
  • Doesn't work cleanly in HEAD, because we write the to the cache in different locations. Doesn't matter, because we need to #683998: Kill cache_mollom, rely on Form API anyway.
  • However, while working on the port to HEAD, I realized that we do not always update the session_id with a new one returned by Mollom servers. AFAICS, we cache and use the session_id returned from textual analysis in case we are unsure and present a CAPTCHA. I'm not 100% sure, but I guess this means that we need to fix this in D6.
  • Fixing this, however, may not be very easy. And it also means that we need to clear more than one session_id from the cache after successful form submission (the module code still expects only one, and clears only one session_id).
sun’s picture

Priority: Critical » Normal
Status: Needs review » Active
sun’s picture

Status: Active » Fixed

Reviewing this once more, looking at http://api.drupal.org/api/function/system_cron/6 and mollom_flush_caches(), we are in good shape.

Yes, we store many more cache entries than actually needed and used, but as long as they are properly flushed, I don't think it makes sense to complicate the code even more - especially, since we will remove that entire cache table for D7.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit ddbf53d on master, fai6, 8.x-2.x, fbajs, actions by Dries:
    - Patch #674230 by sun: syncing with DRUPAL-6--1 HEAD.
    
    

  • Commit ddbf53d on master, fai6, 8.x-2.x, fbajs, actions by Dries:
    - Patch #674230 by sun: syncing with DRUPAL-6--1 HEAD.