Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently user_autocomplete() just executes a query that filters by name, but this will not find the user with uid 0,
because it doesn't have the name in the database.
Views has a workaround for that http://drupalcode.org/project/views.git/blob/refs/heads/8.x-3.x:/include...
but i think it would be also helpful for core itself.
Comment | File | Size | Author |
---|---|---|---|
#69 | 64-69-interdiff.txt | 1.5 KB | alexpott |
#69 | 1817656.69.patch | 4.73 KB | alexpott |
#64 | 1817656.64.patch | 4.61 KB | alexpott |
#64 | 59-64-interdiff.txt | 1.11 KB | alexpott |
#59 | 57-59-interdiff.txt | 695 bytes | alexpott |
Comments
Comment #1
dawehnerWrong component.
Comment #2
dawehnerOne general question, should we remove the views specific implementation in this patch?
Comment #3
dawehner#2: drupal-1817656-2.patch queued for re-testing.
Comment #4
dawehnerRerolled.
Comment #5
ACF CreditAttribution: ACF commentedIf it goes green looks good to go.
Comment #7
dawehnerOh, the autocomplete now looks on the q GET parameter.
Comment #8
dawehner#7: drupal-1817656-7.patch queued for re-testing.
Comment #9
damiankloip CreditAttribution: damiankloip commentedLet's see how the bot gets on, this looks ok though.
Comment #10
damiankloip CreditAttribution: damiankloip commentedSorry, forgot some standard nitpicks :)
"Test that anonymous username is in the result" ?
"Allow autocompletion for..."?
Comment #11
dawehnerThank you for the review!
Comment #12
damiankloip CreditAttribution: damiankloip commentedThis looks good to me, do we need a user module maintainer to give this an eye too?
Comment #13
tstoecklerI think this should be an optional feature, i.e. I would vote for an $include_anonymous option in the function. I would very much welcome this feature but in certain cases choosing the anonymous user is senseless. I'm thinking of private messaging where the "Recipient" field would use an autocomplete. If I'm writing a message to some Andrew, it would be weird to type "An" and then have "Anonymous" pop up. I would assume that would be an actual user with a weird nickname or something.
I'm not sure whether the option should default to TRUE or FALSE.
In the long run, once we have an entity reference field in core, user module could even allow to have "Include anonymous user" as an option on the autocomplete widget.
Comment #14
damiankloip CreditAttribution: damiankloip commentedThat's a pretty good idea. I would default to FALSE I think (also not 100%), and later, an option for this on field widgets would be cool too :)
Comment #15
dawehnerI agree that we need this flexibility.
Comment #16
tstoecklerSome nit-picks. Marking needs work for the last item, as that would be a security issue (in case I am correct). Also no one ping Crell about this, as he will crucify you for using the "automatic passing of extra arguments"-feature of the (current) menu system. :-) I thought about using a dedicated menu router for this, but that would be a lot of code for such a small thing, so I personally like the way you solved that.
I think 'autocomplete' is redundant in the variable name. I proposed 'include_anonymous' above. I'm definitely open to other suggestions but I find the ...autocomplete($autocomplete... part weird-looking. Maybe, it's just me, though. :-)
I think this should be JSON.
I think the value should be check_plain()ed for anonymous as well.
Comment #17
dawehnerThanks for your review!
I totally agree with your suggested naming of the variable, good point!
Regarding the optional part, what about using a query parameter instead? So the router path just determines the controller/page callback and all other control-parameters are passed via $_GET. (That's not part of the new patch).
Comment #19
tstoecklerI guess we could do that as well. I must say, I don't really care either way. I don't find the current solution bad either. I'm just pretty certain Crell would hate it :-)
Test fail looks unrelated, but not sending to re-test in case you want to re-roll with the other approach.
Comment #20
dawehnerLet's keep the new parameter as short as possible.
Comment #22
dawehnerTotally failed on the patch.
This patch seems to be the perfect candidate for converting to DrupalUnitTests later.
Comment #24
dawehner#22: drupal-1817656-22.patch queued for re-testing.
Comment #25
tstoecklerJust noticed this now, sorry, but this should be randomString(). (Using that would have (potentially) caught the not using check_plain() in previous patches.)
Since I've been complaining a lot in this issue, I thought I'd quickly re-roll the patch myself. I also added some docs to user_autocomplete() on the 'anonymous' query parameter. It came out a bit verbose, so if you can shorten that, please feel free. Otherwise I think it's fine for you to RTBC this, because my "working on this" was not really substantial. This is RTBC from my perspective.
Comment #26
dawehnerGood improvement of the documentation! Thank you.
I usually try to avoid randomString() to avoid random test failures, but yeah for these kind of cases it is certainly better.
Sure we could do something like 'a', or 'anon' or something similar, though it seems to be that all of them do make it more complicated.
Comment #27
olli CreditAttribution: olli commentedDo we have a follow up for #2 to remove the workaround?
Comment #28
dawehnerNo, but here is one: #1881450: Replace views user autocomplete function with the one from core, once #1817656 is in. Believe me, I will take care of that :)
Comment #29
catchIt's not really a feature request if the feature is already in core hidden in Views. Committed/pushed to 8.x.
Could use a change notice.
Comment #30
catchComment #31
tim.plunkettNo where else in core do we check_plain() the anonymous name. This is causing random test failures.
Comment #32
catchCommitted/pushed that one.
Comment #33
dawehnerJust opened a follow up for the removal of that in views: #1892836: Use user/autocomplete instead of views own autocomplete function
Comment #34
tim.plunkettThis is still causing random test failures.
Let's roll it back and then deal with the special characters causing it to break.
Anyone want to be its '/'?
Comment #35
webchickCommitted the rollback to stop random test failures. Sorry, folks. :\
Back to needs work.
Comment #36
dawehnerThere are just reasons why you should avoid randomString() if possible. Let's use randomName().
Comment #37
alexpottRan the latest patch 100 times with no fails using #1825592: Add --repeat and --die-on-fail to run-tests.sh to make random test failure diagnosis easier no fails... This one is good to go (again)...
randomString()
is one of the common causes of random fails :)Comment #38
tim.plunkettWell, I'm not sure that its a valid fix. After all; the anonymous name could have any characters it wants.
I think we need a real fix (which is why it was rolled back and not just patched)
Comment #39
dawehnerYou know there are million of places in which randomString() is not used so we might should better fix them as well?
This is just a guess, could it be that certain random characters cause problems with some escaping?
Comment #41
alexpottHere are a couple of values for the anonymous name that will always fail:
*NlLi"97'
and''M=%[d-k
Attached are three patches which prove that we need to use
json_encode(check_plain($anonymous_name), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
The patches called *.testonly.pass_.patch and *.testonly.fail_.patch are to prove that we've fixed the random fail.
Comment #42
alexpottGo bot go
Comment #43
alexpottAdded a comment to explain... thanks @dawehner
Comment #44
dawehnerRTBC if it's green and tim had a look at it.
Comment #45
tim.plunkettWhy are we adding the check_plain() back in here? This is still wrong.
Comment #46
dawehnerOh damnit.
Comment #47
tim.plunkettThanks! Good to go if it comes back green.
Comment #48
alexpottRemoving unnecessary check_plain() from test as well then :)
Also opened followed to remove the check_plain() from user account names as well - #1893514: Remove unnecessary check_plain() in user_autocomplete()
Comment #49
webchickCan I get one more +1 on amateescu's changes? Super nervous to commit another randomly failing test. :\
Comment #50
dawehner+1
Comment #51
webchickAnd by amateescu, I of course meant alexpott. :P~
Awesome, thanks!!
Committed and pushed to 8.x. Crossing fingers this time. :)
Comment #52
olli CreditAttribution: olli commentedIs that json_encode + assertRaw necessary or could one do drupalGetAJAX + assert as usual?
Back to active per #29.
Comment #53
alexpott@olli how right you are... the code looks much cleaner... nice one! And we're less coupled to the json_encode() options which has to be a good thing.
The patch attached changes the test to use this - i've tested it with the previously failing strings and repeated the test 30+ times - all pass.
Also it's apparent from #1892836: Use user/autocomplete instead of views own autocomplete function that the whole approach of adding to the query string is incompatible with FAPI's #autocomplete so I've created a new menu entry for user/autocomplete/anonymous
Removed the change notice till we've resolved this.
Comment #54
olli CreditAttribution: olli commentedNot critical but maybe worth changing if that works too.
Comment #55
dawehnerThis change looks pretty good, thanks for pointing that out olli.
Comment #56
alexpottAnd here's the patch does:
Bumping back to critical since views can't use the currently committed solution.
Comment #57
alexpottRemoving stray @
Comment #58
dawehnerIt has never been critical in the first place, so I think major might be better.
This clearly lacked a real world implementation, I'm sorry for that.
This is looking really good!
I think it should be look more like "@param bool $include_anonymous \n
TRUE if the anonymous user should be autocompleted. Defaults to FALSE."
Comment #59
alexpottUpdated comment
Comment #60
catchHmm I wondered about an extra router item but assumed there'd been an attempt to avoid creating one for whatever reason. Adding another one is fine with me.
Comment #61
tstoeckler< major nitpicking of one sentence, please don't kill me >
I agree with @dawehner's suggestion. We usually even do the super-verbose: "(optional) TRUE, if the anonymous user should be included in the list of suggestions, FALSE otherwise. Default to FALSE."
At least the "(optional)" should be at the beginning, though, that is a pretty well-enforced standard around core.
Also, I had "the name used to indicate anonymous users (e.g. "Anonymous")" before, where now you simply have "the anonymous user name". I know the audience here is developers but I personally find it weird to have a user name that is anonymous, i.e. if I know the name he/she is not anonymous anymore...
< / see above >
I would like to question the decision here to remove the check_plain(), I think that was wrong, or at least it should be optional. I realize that as a generic JsonResponse user_autocomplete() should have no business in deciding whether I want the names sanitized or not, but in the specific case where the autocomplete response is used directly in a form I was able to perform an XSS injection by simply applying this patch and then doing
in NodeFormController::form(). If you enter "Anonymous
alert('XSS!')" as the anonymous user name, the script runs in your browser when typing "A" in the user autocomplete field on the node add/edit form.
I think ideally, we would do that processing (should be just a
array_walk($names, 'check_plain')
right?) on the form side, and leave the user_autocomplete() as it (currently) is. Again, I'm the last person who wants to steal the purity of JsonResponses, but IMO it would be foolish to inadvertently open the door to XSS injections both in core and in contrib.Also as has been noted above, the user names themselves are being check_plain()ed also, so the current state could even be considered a regression. At the very least it's inconsistent and arguably a bug in its current form.
For these reasons, I think we should have that discussion here and not in a follow-up. Also because the form-side processing should be trivial, as noted.
I don't know what to set the status to, because the currently proposed path is an improvement over the status quo, and allows the (currently dangerous, see above) form API integration. I think we should commit the path (after the comment fix, see above) and then discuss the security/sanitization issue here as a follow-up.
Comment #62
tstoecklerI had already forgotten about #1893514: Remove unnecessary check_plain() in user_autocomplete(), but I personally still think we should handle this here (whether that now goes in or not).
Comment #63
Heine CreditAttribution: Heine commentedYou need to deliver HTML to autocomplete.js . This means that you must check_plain usernames and the anonymous name (if it isn't check_plained elsewhere in core, it's the elsewhere that is wrong.).
Comment #64
alexpottOkay
check_plain()
is back and improved comment in response to #61Thanks for all the reviews!
Comment #65
dawehnerGood to know.
I don't think adding possibilities like query arguments to autocomplete paths is worth the effort.
Comment #66
tstoecklerSince we went so much back and forth on this I think it would be good to specifically test for the check_plain()ed value. I.e. I would change this to
Comment #67
alexpottI don't think that's necessary as the json array is keyed by the non check_plain'ed value and we are testing the key.
Comment #68
tstoecklerWell, I just wanted to point out that that test will pass with or without the check_plain() in user_autocomplete(). Don't want to get into any status wars, though :-)
Comment #69
alexpottNow that is a good point!
Here's a patch to address that.
Comment #70
tstoecklerAssuming this comes back green, this is RTBC.
Comment #71
damiankloip CreditAttribution: damiankloip commentedLooks good, seems like paranoid tests, but I like that :)
Comment #72
webchickEeek! Thanks for testing, folks.
Committed and pushed to 8.x. Back to active for change notification?
Comment #73
tstoecklerHere we go: http://drupal.org/node/1896862
EDIT: The [ # ] filter obviously doesn't work here...
Comment #74
dawehnerThis looks great! Thanks for writing a change record.
Comment #76
xjmUntagging. Please remove the "Needs change notification" tag when the change notice task is complete.