N1ED acts as Drupal 8 module. It uses API of CKEditor module to add a new plugin into CKEditor.
N1ED is a composite CKEditor plugin: it includes features of 5 CKEditor plugins well-integrated with each other to let them work in synergy.
Main features are: new widgets, Bootstrap layout editor, including blocks palette and custom blocks, preview content on mobile devices, file uploader, file manager, image editor, and many many more smaller features.
Project link
https://www.drupal.org/project/n1ed
GIT instructions
git clone --branch 8.x-2.x https://git.drupalcode.org/project/n1ed.git
PAReview checklist
https://pareview.sh/pareview/https-git.drupal.org-project-n1ed-8.x-2.x-0
Comments
Comment #2
Ankush_03Thanks for your contribution !
Please fix below warning
Review of the 8.x-2.x branch (commit 7fb92fe):
DrupalPractice has found some issues with your code, but could be false positives.
FILE: ...rupal/pareviewsh/pareview_temp/flmngr/lib/composer/autoload_real.php
--------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
--------------------------------------------------------------------------
9 | WARNING | Class name must be prefixed with the project name
| | "N1ed.info"
--------------------------------------------------------------------------
Time: 4.48 secs; Memory: 8Mb
Comment #3
shaktikPlease also add in info file to support d9
core_version_requirement: ^8 || ^9
https://www.drupal.org/docs/8/creating-custom-modules/let-drupal-8-know-...
Comment #4
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedAnkush,
As I wrote in the ticket, this is false positive alarm.
"N1ed.info" is not correct module name: ".info" is incorrectly parsed by PAReview in some cases, please check this related bug of PAReview.
shaktik,
Drupal 9 support was added yesterday, checked and published. Module did not use any deprecated API, so it was easy. Please check again.
Comment #5
apadernoThe module includes code that is licensed under GPLv3: https://packagist.org/packages/edsdk/flmngr-server-php and https://packagist.org/packages/edsdk/file-uploader-server-php. Those libraries should be added as Composer dependencies. Including them in drupal.org repositories, you are releasing them as GPLv2+.
Comment #6
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedkiamlaluno
I'm the author of this code and it's OK to license it as GPLv2+.
These libraries were adopted for Drupal and included as built-in code due to original libraries did not fit Drupal coding standards. There is no conflict with Composer users use to update Drupal. I actually thought this is required to move them into the code and adopt to Drupal coding standard, am I wrong?
Is it fine if now I keep code as is?
In future I can move it out as Composer dependencies.
Comment #7
apadernoDependencies that are available on external sites should not be committed in the drupal.org repositories.
Comment #8
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedkiamlaluno,
I've made some changes in the code and removed all Composer stuff from N1ED repo.
But I decided to keep file manager server package into Drupal module and here are the reasons:
The main problem is Drupal 8 does not guarantee that Composer is installed on the server. There are many users with shared hosting who will be unable to use Composer (or will have too much difficulties related to this). So I think it will be better to move this code inside of the module. I'm the author of both module and PHP package, so I will contribute all the code as a part of N1ED. Please confirm this is OK.
Comment #9
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedComment #10
apadernoI will review the code in the next 12 hours.
Comment #11
apaderno{@inheritdoc}
is not used for hook implementations, which are documented, for example, as Implements hook_help().Any string shown to the users needs to be translatable. The full output of the
hook_help()
implementation and other functions isn't translatable.edit own content isn't a permission Drupal core nor this module defines. It's also not clear in which way that page is related to content (i.e. nodes).
With a path like /n1ed/setApiKey, the settings page will not be visible from any page. Settings pages normally have path starting with /admin/config.
Settings are changed using Drupal forms. How are administrator users supposed to send a POST request to set the API key?
Drupal code should not directly access
$_POST
.Now that Drupal 8 support PSR4, code isn't included that way anymore. Eventually, if a PHP file needs to be included, there is the module_handler service.
Comment #12
apadernoComment #13
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedHi kiamlaluno,
Thank you for hints. I've added translations calls, created two new permissions and changed URL of internal request, also now N1ED module uses Drupal's PHP autoloader to load all its modules.
Please let me explain call to "setApiKey" URL. We really need it because our CMS-independent configuration widget requires this call (to save API key now waiting before user clicks "Save" and submits the form).
This is reasonable: this widget allows to register an account on N1ED and create API key linked to it. If user will not save the form after creating an account he will lose info about this account and API key. So widget makes Ajax call to internal URL ("setApiKey") and the key is being saved into DB.
Comment #14
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedComment #15
apadernoThe file_system service isn't used.
Since the controller is using the request_stack service, it should use that service to get the value of
$_POST["token"]
and$_POST["apiKey"]
. Modules should never use$_POST
.That class cannot be a plugin, since it uses the wrong namespace. Also, an abstract class cannot be a plugin.
Is there a reason those functions aren't defined in a interface?
Comment #16
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedAbstract class was just a legacy from the times when there were a number of modules instead of one united N1ED module. Now this class was removed and the code was simplified.
All other issues were fixed too.
Code was pushed into GIT, but not published as a new module version due to there were no new features, just refactoring.
So I hope we will publish the next module version already with the green shield badge :)
Comment #17
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedComment #18
klausiThis is currently a security blocker.
Comment #19
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedHi Klausi,
Thank you for security review.
1. Just a mistype. Of course we need to use our own permission, fixed.
2 and 3. CSRF checking is added into D8 routes declaration, also support of CSRF tokens was added to client parts of N1ED too.
Comment #20
klausiThanks!
Comment #21
dmitriy-komarov CreditAttribution: dmitriy-komarov commented1. Prefixed all route names with module name.
2. Removed all GET requests from both client and server code; added only POST request as the only permitted in routes definition.
Could you check again?
Comment #22
klausiThanks!
{"error":"Array","data":null}
. Please check your error handling and make sure you return meaningful messages.I played around a little bit with the file manager service, but could not get an exploit to work with uploading PHP files or trying to read arbitrary files on the server. So that looks safe from my testing.
Now I'm just worried about if an attacker could read arbitrary files somehow, please clarify my questions above.
Comment #23
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedHi Klausi,
We needed a time to test the new changes related to DIRECTORY_SEPARATOR and now I'm back.
sites/default/files/flmngr
by default). But the first slash is just a requirement of our Flmngr client-server protocol.Comment #24
klausiOK thanks, looks good to me.
Thanks for your contribution, Dmitriy!
I updated your account so you can opt into security advisory coverage now.
Here are some recommended readings to help with excellent maintainership:
You can find lots more contributors chatting on Slack or IRC in #drupal-contribute. So, come hang out and stay involved!
Thanks, also, for your patience with the review process. Anyone is welcome to participate in the review process. Please consider reviewing other projects that are pending review. I encourage you to learn more about that process and join the group of reviewers.
Thanks to the dedicated reviewer(s) as well.
Comment #25
dmitriy-komarov CreditAttribution: dmitriy-komarov commentedThanks to all for reviewing the module.
I very appreciate your work, and happy from being a part of Drupal community.