This module adds a block of recent titles that update in real time on new content via a WebSocket. This functionality comes from Ratchet PHP and it's implemented as a Drupal service, so it can be invoked on any updates you want shown in the block.
Available customization:
Filter which content types you want to see updates from
Limit the number of recent titles shown at a time in descending order
Enable more realtime events to the block with the supplied service
NB: I haven't added any tests, since this module works with external libraries that already come with their own tests, and the Drupal functionality introduced isn't that complex.
Project link
https://www.drupal.org/project/live_content
Usage
To get all dependencies, install with `composer require drupal/live_content` and use the module code from the branch below.
Configure the WebSocket server and feed output on Configuration » Web services » Live content.
Enable the block on Structure » Block layout » Place block button of your desired region.
Start the server with drush 9+ and enable the Live content block in your desired section page. See the readme for more details.
Git instructions
git clone --branch 8.x-1.x https://git.drupalcode.org/project/live_content.git
PAReview checklist
https://pareview.sh/pareview/https-git.drupal.org-project-live_content.g...
My reviews
https://www.drupal.org/project/projectapplications/issues/3064265#commen...
https://www.drupal.org/project/projectapplications/issues/3063812#commen...
https://www.drupal.org/project/projectapplications/issues/3065331#commen...
Comment | File | Size | Author |
---|---|---|---|
#7 | security-issue.jpg | 4.22 KB | vuil |
Comments
Comment #2
seroton (CreditAttribution: seroton as a volunteer) commented
Comment #3
vuil
Thank you for the contribution!
I have some small notices as recommendations which are not security issues:
Example (to-be): `$this->t('WebSocket server port')`, like on this `$this->entityTypeManager->getStorage('node_type')->loadMultiple()` usage.
I didn't find any security issues.
Please be patient through the whole reviewing process.
Good job!
Comment #4
apaderno
I am changing status as per the first point of the previous comment.
Comment #5
seroton (CreditAttribution: seroton as a volunteer) commented
@ilchovuchkov Thanks a lot for your recommendations!
I have fixed all the items you've suggested now.
Thanks again.
Comment #6
vuil
Thanks for the contribution!
Great work on the Ratchet & WebSocket integration!
Just a little confusion, but it needs to be fixed:
Could you add Roave/SecurityAdvisories and use it as a firewall for vulnerable components? (see the attachment file)
composer require --dev roave/security-advisories:dev-master
Comment #7
vuil
Comment #8
seroton (CreditAttribution: seroton as a volunteer) commented
Hey @ilchovuchkov, thanks for this tip, it was new to me. I've added roave to composer now.
Please, can you or anyone tell me how you get that warning (attachment) to show up on your local dev environment? Is it IDE/editor specific? I'm using PhpStorm.
Thanks!
Comment #9
vuil
@seroton Thank you for the question! I will try to help.
Sometimes I am using external security testing software & programs.
Yes, I'm also using a dozen PhpStorm plugins for Drupal, Symfony, Composer, and other security-related plugins.
And, the most important one is the manual security review, when I can touch and feel the code inside. ;)
Comment #10
vuil
Comment #11
vuil
I have not found security-related issues in the code.
Comment #12
apaderno
Why is the hook loading a node with the same ID as the inserted entity?
If the purpose is verifying the inserted entity is published, it's enough to check the value returned from `$entity->isPublished()`, once verified the entity object implements that method. If the hook must be invoked only for nodes, it should verify the entity is effectively a node, or the module should implement `hook_ENTITY_TYPE_insert()` instead of `hook_entity_insert()`. Otherwise, the code is assuming that two entities with the same ID are also two entities of the same type, which is incorrect. The ID is merely an integer that can be used by entities of different types.
Is it necessary to use `->value` to get the node ID and the title?
The class used to implement a service should implement an interface, to allow other modules to change the service implementation.
Comment #13
seroton (CreditAttribution: seroton as a volunteer) commented
@kiamlaluno Thanks for the very valuable feedback, and apologies for taking so long to look at this with summer breaks etc.
You're right, I've changed it; my check should only validate that the entity is a node and is published, but it shouldn't implement hook_ENTITY_TYPE_insert, as it should be for any node type selected.
Not sure what you mean here? How else would you suggest to get these 2 values out of the node?
Agreed, I've added this now for the send function.
Comment #14
apaderno
If the code implements `hook_node_insert()`, that hook is invoked for every node, independently of its content type. If then the hook should do something only when the content type is a specific one, the code should verify the node content type is that specific one.
The code to get the node ID and the title I would use is similar to the following one.
Comment #15
apaderno
The sanitization functions should be used to sanitize data obtained from users when it's output on the browser, not when it's passed to another server.
I didn't find relevant issues that need to be fixed.
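The hook-level checks apaderno describes in comments #12, #14 and #15 (verify the entity really is a node instead of re-loading by numeric ID, check `isPublished()`, verify the content type, read the ID and title without `->value`, and leave escaping to the output side), written out as an added example. This is not the live_content module's own code: the service name `live_content.broadcaster`, its `send()` method and the `content_types` config key are assumptions made for the illustration.

```php
<?php

/**
 * @file
 * Added example, not the live_content module's own code.
 *
 * Assumptions: a service 'live_content.broadcaster' exposing send(array),
 * and the selected content types stored under
 * 'live_content.settings:content_types' as a list of bundle names.
 */

use Drupal\Core\Entity\EntityInterface;
use Drupal\node\NodeInterface;

/**
 * Decides whether a freshly inserted entity should be broadcast.
 *
 * The check works on any entity, so the same helper would be valid inside a
 * generic hook_entity_insert(): the type is verified with instanceof, never
 * by loading a node with the same integer ID, because IDs are only unique
 * within one entity type.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 *   The entity that was just inserted.
 * @param string[] $allowed_types
 *   Content types (bundles) selected in the module configuration.
 *
 * @return bool
 *   TRUE when the entity is a published node of an allowed content type.
 */
function _live_content_should_broadcast(EntityInterface $entity, array $allowed_types): bool {
  if (!$entity instanceof NodeInterface) {
    return FALSE;
  }
  // NodeInterface extends EntityPublishedInterface, so isPublished() exists.
  if (!$entity->isPublished()) {
    return FALSE;
  }
  return in_array($entity->bundle(), $allowed_types, TRUE);
}

/**
 * Implements hook_node_insert().
 *
 * This hook fires for every node regardless of content type, so the bundle
 * filter lives in the helper above.
 */
function live_content_node_insert(NodeInterface $node): void {
  $allowed = \Drupal::config('live_content.settings')->get('content_types') ?? [];
  if (!_live_content_should_broadcast($node, $allowed)) {
    return;
  }
  // id() and label() return plain scalars; no ->value access is needed.
  // The title is handed over raw: escaping belongs where it is rendered in
  // the browser (Twig autoescape / Html::escape), not here where the value
  // is passed to the WebSocket server.
  \Drupal::service('live_content.broadcaster')->send([
    'nid' => (int) $node->id(),
    'title' => $node->label(),
  ]);
}
```

Because the helper takes an `EntityInterface`, dropping the `instanceof` guard would reintroduce the ID-collision problem from comment #12; keeping the type check in one place means either `hook_node_insert()` or `hook_entity_insert()` can call it safely.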
Comment #16
apaderno
Thank you for your contribution! I am going to update your account.
These are some recommended readings to help with excellent maintainership:
You can find more contributors chatting on the IRC #drupal-contribute channel. So, come hang out and stay involved.
Thank you, also, for your patience with the review process.
Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
I thank all the dedicated reviewers as well.
Comment #17
seroton (CreditAttribution: seroton as a volunteer) commented
@kiamlaluno and @ilchovuchkov, thank you very much for the valuable feedback on this, it was much better than I could hope for!
I've updated the code to be in line with the last comments too.
Comment #19
vuil