Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The page matching in block module - the code that determines if a block should be visible on a given page - is useful in many contexts. Several contrib modules have already duplicated it in part or in whole. To avoid duplication and increase standardization, we should pull it into a separate function.
Attached patch pulls page matching into a new function, drupal_page_match()
, in common.inc. This shouldn't increase overhead, since block.module is one of the core required modules and so included in every page load.
Comment | File | Size | Author |
---|---|---|---|
#39 | drupal-php-eval.patch | 6.88 KB | jcnventura |
#37 | drupal-php-eval.patch | 6.88 KB | jcnventura |
#27 | drupal-php-eval.patch | 6.92 KB | jcnventura |
#25 | drupal-php-eval_0.patch | 6.92 KB | jcnventura |
#22 | drupal-php-eval_0.patch | 6.92 KB | jcnventura |
Comments
Comment #1
nedjoA grep of the /modules directory in contrib suggests the relevant code from core is repeated in various ways in 14 contrib modules so far. So this simple patch would save hundreds of lines of surplus code in contrib as well as improving consistency.
Comment #2
m3avrck CreditAttribution: m3avrck commentedNedjo, this is a great idea.
However, do you think we could take it on step farther and also encapsulate the proper form that goes along with this function too? Since that function isn't as useful without the form.
Comment #3
erdemkose CreditAttribution: erdemkose commentedThis will make things easier. +1
But this may open some security holes in the future.
Module-X uses this function to make decision about visibility.
Site admin let User-A to configure this module.
User-A can evaluate PHP code if Module-X has a broken logic to set the visibility value. If User-A can set it above 2, he/she can do anything.
This may not be a common scenario but IMO we should at least explicitly warn module writers about it.
Comment #4
chx CreditAttribution: chx commentedIf this gets in, http://drupal.org/node/106559 needs to be revisited. If that gets in, this needs to be revisited.
Comment #5
nedjo@m3avrck, good point. Here's an updated patch that pulls the form fragment for page matching into a separate reusable function.
I've also pulled the relevant permission into a new more generalized one, 'use PHP for settings' (not entirely sure that's a self-explanatory name for the permission, any better suggestions?), that can be referenced by all modules offering PHP settings. This in itself is an important improvement. PHP access should always be restricted. Existing modules out there implementing page matching presumably either introduce an additional permission or leave this open to e.g. everyone with 'administer site configuration' permission.
@erdemkose, the new form handling and permission should help prevent such security holes.
@chx, thanks for the reference, these two patches seem to be complimentary. I'll try to keep an eye on http://drupal.org/node/106559 and update this patch accordingly.
(I haven't been able to test this patch yet as I can't get a new HEAD install going.)
Comment #6
nedjoThis now belongs in our new PHP module.
Additions/changes to the previous patch:
* move PHP input to php.module
* move
drupal_eval()
to php.module* add an update to change existing 'use PHP for block visibility' permission to new 'use PHP for settings'
In sum: this patch accomplishes two aims: (1) complete the move to restrict potentially dangerous PHP input to the PHP module; (2) make page matching reusable to prevent the current proliferation of code copy and pasting.
Comment #7
nedjoI marked http://drupal.org/node/134779 a duplicate.
Comment #8
nedjoRefreshing the patch.
Comment #9
David StraussNice patch.
Comment #10
Bèr Kessels CreditAttribution: Bèr Kessels commentedTested on an upgraded database (not clean, upgraded all along from 3.x). And on a new, clean site.
Both work well. The upgrade code does what it needs to do: move the permissions to (ab)use PHP, if set, to 6.x php module.
The php module now handles all the functionality: when php.module is disabled I could not use 'php block visibility' to root the entire server :).
However, two minor things. IMO not enough to keep this patch from going in, but still enough to have a look at, or else document: As soon as I disabled PHP module, all blocks with PHP-for-block-visibility no longer showed up. This is probably a 'feature' but some may classify it as a bug.
The other is that we will have to document more properly the fact taht the function 'drupal_eval' is now only callable if php.module is enabled. Not many contribs use it, but this may (will) break some sites that don't check for an existing/enabled php.module.
Comment #11
Zen CreditAttribution: Zen commentedThe last patch looks like it is missing a chunk ...
Purely visual review for #6:
+ $page_match = $block->pages ? drupal_page_match($block->visibility, $block->pages) : TRUE;
The above line will return TRUE even if $block->visibility is set to PAGE_MATCH_ONLY_LISTED and $block->pages is empty.
I will test against HEAD once the patch in #8 has been re-rolled correctly. I also think that Bèr's point (on how to handle existing PHP configurations when the PHP module is disabled) is a good one.
Thanks Nedjo.
-K
Comment #12
nedjoThanks for the quality reviews and apologies I haven't found time to follow up with a new version of the patch. I intend to, but obviously not in time for code freeze.
Comment #13
Gábor HojtsyWow, this would have been great, if done for D6. I wish this is solved early in D7, or given that it is a security related improvement, maybe even in D6.
Comment #14
Wim LeersComment #15
jcnventura CreditAttribution: jcnventura commentedAbout #11's last commentary, the solution is to return !$block->visibility instead of TRUE.
Taking into account that the patch in #8 is functionally complete and moves drupal_eval() out of common.inc and places it in the php module, I would recommend that it be committed. Work on creating a drupal_page_match in common.inc and removing that code from block.module could be done in a separate issue.
The attached code corresponds to #8, updated to Drupal 7's current snapshot.
João
Comment #16
Dave ReidSmall comment, do we really need to inroduce a drupal_page_match() when we already have drupal_match_path?
Comment #18
jcnventura CreditAttribution: jcnventura commentedI don't see any drupal_page_match() being introduced in the code..
Comment #19
Dave ReidIt was in response to "Work on creating a drupal_page_match in common.inc and removing that code from block.module could be done in a separate issue." in #15. This will probably need some tests.
Comment #20
jcnventura CreditAttribution: jcnventura commentedRerolling the patch
Comment #22
jcnventura CreditAttribution: jcnventura commentedApparently the testing system failed to install Drupal, and the only way to restart it is to re-upload the patch.
Comment #23
jcnventura CreditAttribution: jcnventura commentedComment #25
jcnventura CreditAttribution: jcnventura commentedIdem as #22
Comment #27
jcnventura CreditAttribution: jcnventura commentedLast try..
Comment #29
nedjoThanks for picking up the patch. Looks generally good, I haven't tested.
Currently PHP is used in contrib in many places for settings that don't have to do with visibility. So, to ensure this permission is broadly usable, it would be better to rename the permission "Use PHP for settings" instead of "Use PHP for visibility settings". Suggested description: "Enter PHP in settings fields where PHP is allowed. %warning"
Comment #30
cburschkajcnventura: As a rule of thumb, if the testbot can't install the patched site the first two times, it's probably the patch. ;)
Edit: (Assuming the testing platform is working, which you can see by find if it is passing other patches.)
Comment #31
jcnventura CreditAttribution: jcnventura commented@Arancaytar: it failed to install HEAD.. That has nothing to do with the patch itself.. Try downloading HEAD yourself and apply the patch. You'll see that it applies perfectly and passes all tests. You may be able to see in #20, that the patch was working perfectly until April 1st, and then the testing system began having issues to install Drupal itself. I had a patch in #222926: HTML Corrector filter escapes HTML comments that failed for the exact same reasons at the time I was trying to upload this.
I will change the patch according to nedjo's description in #29 and try again.
João
Comment #32
Damien Tournoud CreditAttribution: Damien Tournoud commentedGiven that your patch was the only one to fail during the period, yes, that's definitely the patch. Probably some E_ALL warning somewhere. That it "works for you" doesn't mean it should work for everyone else.
Comment #33
Damien Tournoud CreditAttribution: Damien Tournoud commentedSo it is not the patch?
Comment #34
jcnventura CreditAttribution: jcnventura commentedHi Damien,
Thanks for that.. Indeed it is in the patch.. Because of the similar problem in #222926: HTML Corrector filter escapes HTML comments, I was assuming it was Drupal.org being stubborn, especially because the error was "failed to install HEAD" and not "Cannot redeclare system_update_7021" as it should be...
I will move it to system_update_7999() until this becomes reviewed by the community so that I don't have to be tracking Drupal's last system_update every day..
João
Comment #35
cburschka"Failed to install HEAD" means that the patch broke the installer. Those are all the details you get in the summary - if the patch fails, it's either because the patch failed to apply, or because it introduces a syntax error, or because the patched Drupal is unable to install, or because a test case fails after it has installed.
However, I would also like a more detailed view on the PIFR page. Counting failures and passes isn't very helpful when you need to know which assertion failed, exactly - or what the "exception" (ie notice/warning) was. You end up having to run the unit test yourself, unless I missed a link somewhere.
Comment #36
jcnventura CreditAttribution: jcnventura commented@Arancaytar: sometimes it means option e) that the installer is broken. At the time I was re-uploading this, as I mentioned 2 times before, I was also re-uploading a patch that started working after uploading it twice. That this patch was telling me the EXACT SAME ERROR at the EXACT SAME TIME, led me to believe naturally, that the solution would be EXACTLY THE SAME: re-upload it.
Thanks to Damien Tournoud, I was able to find out the root cause of the problem in this case.
Comment #37
jcnventura CreditAttribution: jcnventura commentedOK,
I have changed the name of the permission as requested by nedjo in #29. The system.install update is 7022, so it may expire soon.
João
Comment #39
jcnventura CreditAttribution: jcnventura commentedBumping system_update to 7023 and hoping for the best..
João
Comment #40
nedjoRemoving obsolete part of title.
We should also change the name and description of the php.module in the php.info file. Currently it cites only the PHP filter:
Suggested change:
Comment #41
nedjoOr maybe simply remove "filter" from the name and leave the existing concise description.
Comment #42
nedjoI was forgetting that Ber suggested in #11 the .info change wasn't needed. Resetting to needs review.
Comment #43
Damien Tournoud CreditAttribution: Damien Tournoud commentedVery nice clean up, I want. Don't abuse security: this solves no security issue by itself.
Comment #44
webchickOh, what a great little patch! Also, yay for permission descriptions, since "use PHP for settings" isn't descriptive enough (and I don't really see any alternatives), but the actual description of the permission is great and very clear. Hopefully with drupal_eval() moving to PHP module, we'll see contrib somewhat forced to conform to this standard as well, instead of having to set 50 different "use PHP for blah" permissions.
Committed to HEAD. Great job! :D
Gábor mentioned in #13 that it'd be great to have this in 6, and I agree it would've been, but a major API change like this is far too late for that now, I think.
Marking "needs work" because we need this to be documented at the 6.x -> 7.x upgrade page.
Comment #45
webchickHm, I should read the tags before I commit stuff. ;) "Needs tests" is also true. We can probably pick that up in another issue, though, since I don't think any of the block visibility settings are tested atm.
Comment #46
Gábor HojtsyWell, right, it is too late for Drupal 6. So sad.
Comment #47
jcnventura CreditAttribution: jcnventura commentedwebchick, thanks for committing the patch! After 3029 commits to drupal contrib, this is the first time that code modified by me gets to be committed to Drupal core.. Yay!
Indeed, I didn't modify any test because I couldn't find one that I could modify.. In the existing php.test, the PHP filter functionality test (function testPHPFilter()) executes some PHP code introduced in a node with the PHP filter.. The execution of that filter is handled by the newly renamed php_eval() function. The only part not tested is, as you indicated, the use of PHP for visibility settings (which in core is done only by the block module).
Can we add this to a list of TBD tests for the block module and mark this issue fixed?
And Gábor, don't you dare commit this to Drupal 6... The two modules I maintain both use drupal_eval, and I would hate to have to answer to users saying that their visibility no longer works because they don't have the PHP module enabled..
As to the documentation, one needs to say that drupal_eval() is now called php_eval() and that calls to drupal_eval() should be wrapped in a call to
if (module_exists('php'))
. And that the 'use PHP for settings' should be used.João
Comment #48
webchickYay, congrats for the commit! :D And agreed, it looks like tests for block visibility are at #370172: refactor block visibility.
Right. João, can you edit the page to add that in, please? Then feel free to mark this back as fixed.
Comment #49
jcnventura CreditAttribution: jcnventura commented@webchick: Just to confirm, the page to be edited is http://drupal.org/node/224333?
Comment #50
tstoecklerThat's the one.
Comment #51
jcnventura CreditAttribution: jcnventura commentedDocumented at http://drupal.org/node/224333#php_eval
PS: Can someone remove the 'Needs documentation' tag? I don't seem to have permissions for that...
Comment #52
tstoecklerYes you do =)