Problem/Motivation
Currently text fields can either be restricted to plain text, or the user may select between all accessible text formats independently of the context. This means that a privileged user who needs access to a permissive text formats (for example, to put tables or embedded remote content in basic pages) will get access to that format on every formatted text field (for example on a comment field).
There are three problems with this approach, and most experience Drupal developers have faced at least one of those in the past:
- Consistency
- At the moment you have to count on competence, good will and diligence of privileged users not to put certain markup in certain places. It would be convenient if a text field could be forced to use a specific text format (other than plain text). For example, you may want to make sure that comments only allow a very limited set of HTML tags ("filtertered HTML" for example) independently of the user's role, even if the same user has access to less restrictive formats in other places.
- Usability
- The ability to select text formats is a common source of confusion. By limiting the available text formats we also remove confusing user interface elements.
- Security
- If a privileged user account is taken over (for example, through social engineering), the attack surface is large due to the fact that every single text field can be used for XSS injections. By limiting where a dangerous text format can be used, we restrict the possibilities to inject malicious content.
Proposed resolution
Add an optional setting to the text field types that lets the site-builder determine if the text formats should be restricted. This setting is then used in the default textfield and textarea widgets to remove any non-allowed text formats. If nothing is set, the current behavior is unchanged.
Note that as it uses the underlying '#allowed_formats'
form API property, the settings can't be used to give access to text formats that the user wouldn't have access to otherwise.
Remaining tasks
1) Review and commit 🤞
User interface changes
Checkboxes on list of available formats on text field configuration. Reduced set of allowed formats on content edit forms, where used. No fields use the new setting by default, so the patch doesn't affect the user interface for those who don't do anything with this functionality.
API changes
None
Data model changes
One setting is added to the field settings. The structure of the field data is unchanged.
Release notes snippet
Site builders can now limit which input formats are available on a per-field basis.
Comment | File | Size | Author |
---|---|---|---|
#305 | 784672-drupal-10.0.x-305.patch | 42.37 KB | a.dmitriiev |
#302 | 784672-302.patch | 39.45 KB | s_leu |
#287 | 784672-287.patch | 39.92 KB | smustgrave |
| |||
#287 | interdiff-280-287.txt | 10.39 KB | smustgrave |
#271 | 784672-271.patch | 44.57 KB | darvanen |
Comments
Comment #1
c960657 CreditAttribution: c960657 commentedComment #2
c960657 CreditAttribution: c960657 commentedSlightly new approach: '#type' => 'text_format' now has a new property, #formats, if only a subset of the format accessible to the user should be available in this field instance.
What do you think of this?
Comment #3
bjaspan CreditAttribution: bjaspan commentedI don't see how this can go into D7 at this point.
Comment #4
webchickAgreed. Sorry.
Comment #5
c960657 CreditAttribution: c960657 commentedComment #6
David_Rothstein CreditAttribution: David_Rothstein commentedSomething similar to the filter.module part of this issue was discussed at length in #414424: Introduce Form API #type 'text_format' but ultimately did not make it into the final patch. See for example:
http://drupal.org/node/414424#comment-1617600
http://drupal.org/node/414424#comment-2177612
(and many subsequent comments)
The argument I tried to make there was that since we were already doing a massive API change in that issue (completely reworking how #text_format works), it would make sense to slip in both something like the #formats option described here, as well as a #default_format option, since it would require almost no extra work to do so. I was overruled though...
So personally, if limited to the filter.module at least (the field module changes do seem like they might be too much for now) I'd be very in favor of still trying to do this in D7 :) It's possible to do this kind of thing in a contrib module - and people will undoubtedly try to do it - but it's tricky to do correctly (involves somewhat complex form API stuff that most people don't know about), and if you do it wrong, you are very likely to introduce a security issue. Plus, the filter.module changes here wouldn't break any existing code, just introduce a new optional property to the form element. I think adding this API functionality to the Filter module in a way that we know will be easy for contrib modules to use securely is definitely still worth doing. Anyone else agree? And would doing that help allow a contrib module to make the changes to the field UI/functionality that are contained in the rest of this patch?
Comment #7
ogi CreditAttribution: ogi commentedIt's sad that such essential ability for user-friendly forms is not in Drupal 7. Please reconsider :-)
Comment #8
ogi CreditAttribution: ogi commentedLooking at the patch in #2, it doesn't provide what I want - ability to hide
format
fieldset altogether andwysiwyg
+tinymce
to do its job.Comment #9
mightyiam CreditAttribution: mightyiam commented+1 for Drupal 7!
Comment #10
Hanno CreditAttribution: Hanno commentedsubscribe, a default text format for textfields might be also relevant to allow adding html tags for accessiblity.
Comment #11
Everett Zufelt CreditAttribution: Everett Zufelt commentedThis may help accessibility in some situations, but definitely isn't an accessibility issue. Removing tag, thanks for bringing it to my attention.
Comment #12
Hanno CreditAttribution: Hanno commentedOK. Tagging this as WCAG/ATAG and 'language of parts' as this feature request would help create accessible content, especially language tagging (WCAG2.0 3.1.2)
Comment #13
mgifford#2: text-field-format-2.patch queued for re-testing.
Comment #14
mgiffordTagging for accessibility.
Comment #16
wjaspers CreditAttribution: wjaspers commentedDrupal 7.x patch on-the-way.
I didn't change how the filter formats permissions are checked against the field, since this will require additional community feedback.
I.E. Should the user's permission to use the format supercede their ability to use a format specifically defined on a text field?
This probably isn't the most efficient patch in the world, but I have tested it locally against 7.x-dev and it works!
EDIT: Opened #1419016: Allow text fields to enforce a specific format so it could be tested against D7.
Comment #17
wjaspers CreditAttribution: wjaspers commentedOops, forgot to set needs review.
Comment #19
David_Rothstein CreditAttribution: David_Rothstein commentedI think the strategy we need to take to implement this is:
1. Create an API in the filter system for any module which provides text format elements to specify which formats they want to allow in that instance.
2. Have the Text module implement that API.
We should really avoid hardcoding any special behavior for text fields inside the filter system itself, because that will limit how this can be used.
See also the related issue at #1423244: #allowed_formats property for #type 'text_format' to filter available formats. It almost would make sense to postpone this issue on that one (because that's basically #1 above), except that there's lots of code here already...
Note that there are also a lot of potential security issues that need to be dealt with in implementing this (see #1295248: Allow per-field-instance configuration of allowed formats for discussion and code), and that's one of the reasons why it would be good to at least have the API for this in core regardless of whether or not the code that implements it lives in core too.
Comment #20
mgiffordWe need clarification on why this is an accessibility issue. Sorry.
Comment #21
Hanno CreditAttribution: Hanno commentedSome while ago I tagged this issue as helping accessibility. For accessibility (or markup) in single line textfields we need sometimes additional HTML inline tags (span (for 'lang'), dfn and abbr). At the other hand, we don't want to allow HTML block level tags (h1, h2, h3, p) in single line fields, only in textareas.
So, in a website there are possibly two separate filter formats needed: one for single line textfields and one for textareas (where HTML block level tags are allowed). The end-user shouldn't be allowed to mix these sets, because we will end up with content that doesn't validate (ATAG2.0 issue (http://www.w3.org/TR/ATAG20/#principle_b2))
As abbr and dfn is needed on level AAA, it is mostly needed for language of parts (level AA), when someone wants to add text in another language (for example
<span lang="fr">Tour de France</span>
).Comment #22
mgiffordWished you'd been able to come over for A11ySprint by-the-way. You'd have had a great time with us I'm sure.
I think we just need a bit more of a use case where it's clear that this additional functionality meets the needs of the 80%.
How would this practically be used? I do think that there are a lot of instances where Languages of Parts really isn't dealt with all that well as you know.
What are the options for implementing this now in D7?
Comment #23
Hanno CreditAttribution: Hanno commented@mgifford yes, it would have been nice to help during the sprint.
This issue is at the moment not relevant for most of the users. It becomes more relevant as soon as the node title becomes a text field (#1188394: Make title behave as a configurable, translatable field (again)). At the moment it is not possible to produce titles with language information nor semantic markup (part of WCAG 1.3.1 Info and Relationships: Information, structure, and relationships conveyed through presentation can be programmatically determined or are available in text. (Level A)).
A technique for this is using semantic markup to mark emphasized or special text. For this certain - inline level - HTML tags are needed. Here are some examples taken from WCAG H49:
Note: Instead of having two filter formats (one for text fields, one for text areas), an alternative could be to automatically disable the block level html tags in filter formats applied to text fields and only allowing them on text areas.
Comment #24
mgiffordSadly this issue has been left behind. @Hanno are you in a place where you can try to update the patch?
Comment #25
sunComment #26
floretan CreditAttribution: floretan commented#1423244: #allowed_formats property for #type 'text_format' to filter available formats has a patch ready to be reviewed which adds some missing functionality in the
text_format
form element provided by the filter module. Once it's ready we can use it to make it possible to set the format for a specific field.Comment #27
BrianLewisDesign CreditAttribution: BrianLewisDesign commentedThis feature is key. Please don't leave it behind. You should be able to select available formats per field. Some fields require a specific one or things break. (I guess if a user didn't have permissions for the available format it should make the field un-editable for them).
Comment #28
mgiffordAgreed. I'm wondering about tagging it for security. It's come up a few times thus far in this thread.
Comment #29
dsoini CreditAttribution: dsoini commentedThis is very desirable to me. I have had to go about it with an ugly hack:
1. Created a custom module that searches the edit/add form for any field that has text_formats applied to it (sometimes there are many).
2. Hide the drop-down list but keep the guidelines for the default format displayed.
3. I set a default format by entering default text into the content-type field definition. The default text is
.
.
4. My modules looks for that default value and unsets it. I don't want the field polluted with this ugly data.
I like this functionality because sometimes I want a field that is just a simple 3 line box for entering a short amount of minimally-styled text. Perhaps I only want people to be able to use HTML to link some words in the text, but nothing else. I don't want them to have to switch between all the available content types, I don't want them to use a wysiwyg editor and be able to insert tables and headings and videos. I only want them to be presented with a simple box with guidelines on the limited allowed html they can use that is appropriate for that particular field.
Comment #32
jenlamptonThere is a working patch for this bug in D7 over at #1278886: Default text formats are not saved properly without accompanying values
Comment #33
mgiffordLooks like #1423244-68: #allowed_formats property for #type 'text_format' to filter available formats was committed 10 months ago. @floretan suggested in #26 above that it "adds some missing functionality in the text_format form element provided by the filter module. Once it's ready we can use it to make it possible to set the format for a specific field."
Thanks for the link @jenlampton and yes, hopefully it gets backported.
Comment #34
floretan CreditAttribution: floretan at Wunder commentedThe last patch didn't apply at all anymore, but the changes to the typed data API from the past two years have made it quite easy to rebuild this functionality.
Here's what this patch does:
#available_formats
attribute from #1423244: #allowed_formats property for #type 'text_format' to filter available formats. Note that this only restricts what formats are available, it doesn't make formats available that the user doesn't have access to.Open questions:
Once this gets in, we can have a follow-up issue where we check all fields in the default installation profile that should have limited text formats. For example, comments should probably be limited to "Restricted Html".
Comment #36
floretan CreditAttribution: floretan at Wunder commentedAdding default configurations to fix most of the exceptions seen in the test results.
Comment #38
floretan CreditAttribution: floretan at Wunder commentedFixing two more failures. The remaining failures are related to FieldUiTestTrait and I'm not sure how to fix them yet. Any help on that would be appreciated.
Comment #40
floretan CreditAttribution: floretan at Wunder commentedOh, the ordering of items in an array matters for comparison.
Comment #41
yannickooJust a minor thing: We should use the new syntax here, just
[]
instead ofarray()
.Another minor thing: We should remove that " " two spaces there.
Comment #43
floretan CreditAttribution: floretan at Wunder commentedFix the confusion between "available" and "allowed".
@yannickoo: I also fixed the double spacing in TextItemBase.php. Regarding the array notation, all of the modified files use the old
array()
notation, so I left it as is to not add unrelated changes with the patch.Comment #44
floretan CreditAttribution: floretan at Wunder commentedComment #45
floretan CreditAttribution: floretan at Wunder commentedThis new patch fixes the schema definition for the individual formats in allowed_formats fields in text.schema.yml, which should fix the remaining failures.
Comment #47
yannickooAh
sequence
property did the trick ;)Patch works fine, code looks good and no more failing tests!
Comment #48
floretan CreditAttribution: floretan at Wunder commentedActually, there are few more things that need to happen.
At the moment, the allowed formats get exported like this (because that's the way checkbox values are submitted):
What we want is something like
Once we have this, we can update the configuration schema in text.schema.yml. The allowed formats are a sequence, but their values are not just any strings. So we should replace
with something like
One final but important addition we would need is some test coverage. The
#allowed_formats
form API property is already covered, but we probably need to extend some more textfield-related tests.One issue pointed out by @maijs is that when applying this patch and there are already existing fields without the
allowed_formats
setting we get "undefined index" notices. We don't do something similar for other settings that have always been there, so I'm not sure if this is needed since it's one case of beta-to-beta upgrade. Saving the field settings form would get rid of those notices.Comment #49
rpayanmComment #51
vpeltot CreditAttribution: vpeltot commentedComment #52
woprrr CreditAttribution: woprrr commentedThis patch work fine in my case !! Thanks @floretan
ps : It would just be more optimized to put as select.
Comment #53
vpeltot CreditAttribution: vpeltot commentedReroll.
Migrate installation confiuration files (core/modules/migrate_drupal/config/install) was moved to core/modules/migrate_drupal/config/optionnal.
Comment #54
mgiffordYou can see this here /admin/structure/types/manage/page/fields/node.page.body
Looks good to me. What else, if anything, is needed before this is marked RTBC?
Comment #55
floretan CreditAttribution: floretan at Wunder commentedThe schema change I mentioned in #48 is not necessarily needed, but a test should be included.
Comment #56
floretan CreditAttribution: floretan at Wunder commentedWhile working on more real Drupal 8 projects, this functionality seems to be needed everywhere.
Here's the patch re-rolled, with some tests added. This should be good now.
Comment #58
lokapujyaThe set() is not working. I tried setSetting() and even calling save() after. The allowed_formats doesn't get saved to field storage.
Comment #59
floretan CreditAttribution: floretan at Wunder commentedThanks @lokapujya. The format ID should be in the key of the settings array, not in the value.
I also realised that the patch I uploaded somehow had an older version of the test. Here is the correct one (no functional change, only the test is different).
Comment #60
rcross CreditAttribution: rcross as a volunteer and at CrossFunctional commentedis there a d7 version of this patch (or one in the works)?
Comment #61
floretan CreditAttribution: floretan at Wunder commented@rcross: it could be done, but #1423244: #allowed_formats property for #type 'text_format' to filter available formats would need to be committed first.
Comment #62
lokapujyaChanged the test so that it first has 2 formats. Verify that the format select shows up. Change the field to only have 1 format. Then, verify that the format selector doesn't show up.
Also, made the following changes:
format (singular.)
This still wasn't working. The format selector was not showing up, but only because no formats were allowed.
'' should be NULL.
Comment #63
jcnventura CreditAttribution: jcnventura at Wunder commentedRe-rolling patch, due to changes made in #2533994: Move module-specific migration support into the block_content module
Skipping the interdiff, as it was a simple file rename from migrate_drupal to block_content
Comment #65
jcnventura CreditAttribution: jcnventura at Wunder commentedPrior to the use of array_filter, check if the value to be filtered is an array.
Comment #66
lauriiiComment #67
jcnventura CreditAttribution: jcnventura at Wunder commentedComment #68
jcnventura CreditAttribution: jcnventura at Wunder commentedComment #69
floretan CreditAttribution: floretan at Wunder commentedUpdating the summary.
Comment #70
lauriiiIt seems more like a task than a complete new feature. Beta evaluation needs update too.
Comment #71
LewisNymanNice, this is a really cool feature. I reviewed the usability of the new UI. Only minor comments:
Can we move these options so they are above the default value display? It is quite big and has shown a tendency to be distracting in usability tests. If we move the options above the default value they have a better chance of being noticed.
Here's a screenshot displaying the changes to the content creation screen. When there are multiple choices it's the same UI. When there is only one choice the UI looks like this:
Can we remove the text formats help link if there are no options? It doesn't seem to provide any value.
Comment #72
floretan CreditAttribution: floretan at Wunder commentedThanks @LewisNyman for the review.
I agree that placing these options above the default value would make sense, but that would be different from what every other field configuration form does (the default value always comes first), so I'm not sure we want to do that.
I also agree that the link "About text formats" doesn't make sense if there is only one text format available. The changes in this issue make that problem apparent, but the problem is independent. I created #2544188: Change the label "About text formats" if only one format is available to address that issue, it probably shouldn't be combined with this one.
Comment #73
jcnventura CreditAttribution: jcnventura at Wunder commentedSimplify tags, and requesting usability review
Comment #74
fgmProbably want to avoid two function calls by refactoring to a temporary variable.
Probably want to avoid two function calls by refactoring to a temporary variable, here too.
EDIT because DrEditor doesn't make it really clear, this is about the repeated calls to
$this->getFieldSetting('allowed_formats'));
in both cases.Comment #75
bruvers CreditAttribution: bruvers at Wunder commentedThe latest patch from #65 did not apply correctly anymore because 2 files were moved by recently commited issues #2415335 and #2534010. The files that have been moved and/or renamed are
core/modules/block_content/migration_templates/d6_block_content_body_field.yml
andcore/modules/migrate_drupal/src/Tests/d6/MigrateFieldInstanceTest.php
.The attached patch fixes that and implements the suggestions from #74.
Comment #76
yannickooWhat do you think about using
$expected = ['max_length' => 255]
instead ofarray()
syntax?Comment #77
lokapujyaDoes #71 & #72 qualify as the usability review?
Comment #78
jcnventura CreditAttribution: jcnventura at Wunder commentedShort array syntax FTW!
Comment #80
lokapujyaWhat happens if the field allows only one format, but the user doesn't have access to that format?
Comment #82
jcnventura CreditAttribution: jcnventura at Wunder commentedStupid array comparison.
Comment #83
jcnventura CreditAttribution: jcnventura at Wunder commented@lokapujya: Not sure how to reproduce that.. The plain text format is always available. If you find a way to disable or delete it, I can then answer your question. My guess is that the correct reply to your question is that, by design, Drupal will always allow you to use the plain text format.
Comment #85
lokapujyaThat's true, but, now with this patch, it can be configured that "plain text" is not allowed for the field.
The content editor will get this message in the input box when adding a new node, "This field has been disabled because you do not have sufficient permissions to edit it." That is the same message the content editor would get if he edited a piece of content and doesn't have access to the format.
Comment #86
Bojhan CreditAttribution: Bojhan commentedLooks good!
Comment #89
floretan CreditAttribution: floretan at Wunder commentedAfter discussing this with various people at the code sprint, it became clear that the best way to approach this issue is to implement it as a contrib module for now and eventually integrate it in Drupal 8.1. At this point the somewhat unclear logic for all fallback cases will be battle-tested.
I created a module here https://www.drupal.org/project/allowed_formats, we are working on converting the latest patch from this issue to a contrib module. Please join that module's issue queue if you want to contribute.
Comment #90
floretan CreditAttribution: floretan at Wunder commentedThe Allowed Formats module (https://www.drupal.org/project/allowed_formats) is now functional.
Comment #92
mlncn CreditAttribution: mlncn at Agaric for MASS Design Group commentedNice that there's a contrib module, but can we go back to getting this into core, now targeting 8.2?
Comment #93
lokapujyanot tested.
Comment #95
lokapujyaComment #97
lokapujyathis is the interdiff.
Comment #99
lokapujyaComment #101
floretan CreditAttribution: floretan commentedUpdated patch that addresses the DefaultConfigTest failures.
Comment #102
floretan CreditAttribution: floretan commentedAlso fix MigrateFieldInstanceTest failure.
Comment #103
colanAnyone have thoughts on whether #1278886: Default text formats are not saved properly without accompanying values should be postponed until we get this one done? This might affect how that one is solved.
Comment #104
lokapujyaThe last retest failed to apply.
Comment #105
Sonal.Sangale CreditAttribution: Sonal.Sangale at Blisstering Solutions commentedRelolling the patch.
Comment #106
Sonal.Sangale CreditAttribution: Sonal.Sangale at Blisstering Solutions commentedComment #107
eiriksmPatch does not apply anymore (because forum config was renamed).
Code looks ok though.
Re-roll patch.
Comment #108
eiriksmHm, maybe we should add a description to the field. For example. it is not immediately obvious what happens if you select no allowed formats.
Here is a patch with only that added.
Comment #109
eiriksmComment #110
hchonovinheritdoc missing.
The is_array check is not needed as it impossible to get anything different than an array there.
Why do we need to filter the array here?
Comment #111
mohit_aghera CreditAttribution: mohit_aghera as a volunteer and at Axelerant commented@hchonov
I have fixed 1 and 2
I tested by removing point 3
$allowed_formats = array_filter($allowed_formats_setting);
and tested manually. It seems worked fine for me.
still we can get some inputs from @eiriksm
Comment #112
eiriksmFeedback totally makes sense. As I said it was more or less a re-roll.
Nice points!
Comment #114
hchonov@mohit_aghera when you are posting an interdiff please make it so that it indicates all the changes that are included, in your case the third change is to see in the interdiff, but not in the posted patch.
Use $this->t() instead of t() whenever possible.
The property should be retrieved with $this->get('format').
An empty line is not needed here.
Comment #115
tstoecklerSome high-level remarks on the current approach:
We need to implement
calculateDependencies()
to declare a dependency on the text formats that we are limiting the text field to. Then we also need to implementonDependencyRemoval()
to remove a text format from the list of allowed formats in case it is removed. This then becomes problematic if we are removing the single text format that was allowed for a field. In that case theallowed_formats
array is empty which means that all formats are allowed which would be a security problem.I think that problem hints to the fact that the "no values means all values" pattern employed here - while being used elsewhere in Drupal as well - really is problematic and I think we would be wise to avoid it in this case. I would suggest to add a separate
restrict_formats
boolean setting that activates this behavior. Then theallowed_formats
setting really is just that: the list of allowed formats. And if it is empty (andrestrict_formats
isTRUE
) then it simply means that no text formats are allowed and thus text cannot be submitted until this issue is resolved either by allowing one or more formats or by deactivatingrestrict_formats
altogether.I by no means think that we always need to have a 1-1 relationship between our UI elements and our storage but in this particular case I think the separate setting would make the UI less confusing as well. We could have a simple Restrict text formats checkbox and only when it is checked does the list of text formats to allow appear.
Would love to hear your thoughts on this, but marking needs work because - as explained in the first paragraph - the current patch is not sufficient, even if we pursue a different approach than outlined here.
Comment #116
hchonov@tstoeckler what about if we just name it restricted_formats or enforced_formats and in this case only use what is set there without the boolean flag.
Comment #117
tstoeckleri.e. always restrict the list of text formats, and just have it default to all formats by default? I am not sure about that. Given the properly implemented dependencies, it would mean that every textfield has a dependency on every text format or a subset of them but at the very least on one. That could be seen as a benefit if you see it as already existing dependencies becoming more explicit or you could see it as a a problem if you argue that it increases coupling of different systems (text storage vs. text processing). Not sure where I stand on that myself.
Comment #120
nerdsteinI am curious if this should be closed since the Allowed Formats module is offering this functionality (per: https://www.drupal.org/node/784672#comment-10373375)
Comment #121
BerdirI think the point of that issue is to bring that functionality into core which would IMHO make sense as it is a very useful feature. We only started that contrib module because we didn't manage to get it into core for 8.0.
Comment #122
lokapujyaDoesn't apply to 8.4
Comment #123
jofitz CreditAttribution: jofitz at ComputerMinds commentedRe-rolled.
Comment #125
tstoecklerHaving thought about this for a while and having watched a bunch of other bugs being fixed with config dependencies in the meantime, I am convinced that we need to restructure the configuration that is currently being pursued by this patch. Feel free to disagree, of course, but this is what I think what we should do:
* Have a separate "restrict_formats" boolean flag, that defaults to FALSE.
* Have a "allowed_formats" array (just like now), that defaults to an empty array.
Then if "restrict_formats" is FALSE, then we do nothing. As soon as it is used then we use the "allowed_formats" array.
This is for the following reason:
We will have to add a config dependency on any text format that is being used. Then if a format is being deleted we will need to remove that format from the list of allowed formats. If that format happened to be the *last* format, then it must not be possible to use any format at all until the field is re-configured explicitly. Anything else would be a security problem. Currently if we remove the last format, the field is interpreted as not restricting formats as all.
I hope that was clear, this is kind of hard to explain... What do you think?
Comment #126
BerdirUnexpected behavior, yes, security issue, no, IMHO. This is not a security feature, it's a user experience improvement. Security is handled through permissions and you'd still only have access to formats that you are allowed to use.
I think showing all would be OK, we don't really have an API/UI to handle having no allowed format, it would likely just fall back to the fallback format, which is most likely not what you want.
We could also force you to fix your configuration first by letting the field be deleted, but we all know that users don't really read those warnings (e.g. the related views deletion issue), at least not with the current UI.
Comment #127
mofdi CreditAttribution: mofdi commentedto resolve this problem, i used allowed_formats module
Comment #130
Joao Sausen CreditAttribution: Joao Sausen at Dexa commentedA must have for sure. +1 to this feature
Comment #131
gordon CreditAttribution: gordon at Heydon Consulting commentedreroll for 8.5.x
Comment #132
gordon CreditAttribution: gordon at Heydon Consulting commentedShould not use t() inside an object. Use $this->t() instead.
Comment #133
joelpittetRerunning a test against 8.6.x
Comment #134
joelpittetAddressing a couple of the errors
Comment #135
joelpittet@tstoeckler re #125 Can we address the config dependency in a follow-up and does @Berdir's comments help alleviate your security concern?
Comment #138
joelpittetMissing use statement in test and umami default config for copyright field.
Comment #141
tstoecklerRe #135: Yes #126 is correct that it would be not be a security issue, unlike I claimed. However, not cleaning up the configuration would be a bug that we would be introducing here, so I don't think we can punt that to a follow-up. Also, since my proposal would change the configuration structure relative to what the patch contains now, I think - if people agree with my proposal - we should just do it "correctly" now instead of changing it again in a follow-up.
Comment #142
joelpittet@tstoeckler thanks for the quick reply, regarding your proposal of the extra field. What do we gain from the extra field? Can't we let none or explicit all checked for showing all? I believe that's how other things have worked in the past.
Comment #143
tstoecklerIt's true that this has been used before, but it has also lead to problems.
In this particular case the problem would be the following:
basic_html
basic_html
text formatIf we agree that this is not a big issue, I don't feel super strongly about this, but on the other hand I don't see much reason not to do it this way.
Comment #144
BerdirWe actually have this pattern already with allowed bundles in entity reference fields. We handle it there by treating NULL and [] differently. NULL means all filter formats are allowed that the user has access to, [] means none are allowed.
We could specifically test for that and disable the text field completely, similar to how we now handle existing data in a format that the user is not allowed to use, disabling the form element, possibly failing validation, forcing the admin to fix it.
Then again, this is actually rather theoretical, because officially, there is no way to delete a text format, you can only disable it (in which case you can't restore it, but that's another story).
So the only way to delete one would be through the API/deleting config files.
Comment #145
jan.stoecklerReroll attempt against 8.6.
Comment #146
AdamPS CreditAttribution: AdamPS at AlbanyWeb commentedGood points from @Berdir in #144.
Also sticking to a single field has the advantage of simplicity. Do we have a consensus for @Berdir suggestion? OK with you @tstoeckler?
In terms of "[] means none are allowed", if someone is keen they could add it to this patch. Or we could defer it to a follow-up issue on the basis that there is currently no UI to delete text formats.
Comment #147
GDrupal CreditAttribution: GDrupal as a volunteer and at Appnovation commentedThe patch seems to be working from the functional point of view but it seems that we need to accommodate some of the core tests.
I tested on 8.7 and then re-rolled back to 8.5.8 that is the stable for our platform. All is working fine so far, documented the re-roll here:
https://www.drupal.org/project/drupal/issues/3008020
I will try to fix the failing tests if none-one is working on that already.
Thanks for this!
Comment #149
iyyappan.govindHi All,
Having this feature in field settings will be applicable for all the form modes. So we can't restrict it to particular form mode. So Can we implement this feature based on form display?
Hope makes sense.Thanks
Comment #150
tstoecklerRe #149 I think that is a separate feature request, to make this available as a widget setting for the formatted textarea widget.
Comment #151
mpp CreditAttribution: mpp at AmeXio for District09 commentedThanks for the patch, very useful!
Some really small remarks:
I'm fine with using string here but it implies that the same format is valid for all languages (which makes sense imo).
use $this->t()
use $this->t()
Comment #152
aleevasThe last patch from #145 was rerolled
Comment #154
Deno CreditAttribution: Deno commentedThis is an excellent idea IMO. On a related note: once this is done, could we "kill" the formatted/unformatted text fields differentiation?
Instead of two field types, we could just have "text" with a list of allowed formatting types. And one of them being the "unformatted".
In that case, it would be possible to change the type of a field from "formatted" to "unformatted" and back easily. Moreover, it would be possible to apply *some* filters even to unformatted text if necessary. "Onomasticon" filter comes to mind. Or the one that recognises URLs in the text and adds links automatically.
Comment #155
hexabinaer+1 for Deno's idea. In new projects we are using formatted text fields in most instance where you'd expect a plain text field - mainly (but strongly) for the reason that editors should be able to add language attributes (German has a lot of loan words). The text format selectors cause a lot of clutter.
After all if would be awesome if we could enhance the accessibility on existing sites by allowing language attributes in plain text fields that would never be replaced.
Comment #157
PhilippVerpoort+1 for #154.
And thanks to all for working on this, I'm finding this a really annoying issue.
Comment #158
renguer0 CreditAttribution: renguer0 as a volunteer commented+1 to #154. I hope that could be merged soon because it's really annoying (I'm using Allowed formats module in order to hide that selector).
Comment #159
AndyF CreditAttribution: AndyF at Fabb commentedThanks all, would be great to get this in! The old patch is directly storing the checkboxes value for allowed formats in the config, eg:
This causes problems with the textfield widget: the allowed format doesn't exist so you get the This field has been disabled because you do not have sufficient permissions to edit it message as a non-admin user. (The textarea widget has an explicit
array_filter()
which makes it work as expected.)I've updated the patch to save the allowed formats as an indexed array of selected formats, eg.
When I originally saw the symptoms of the problem (but didn't know what was happening under the covers) I tried to update
\Drupal\Tests\text\Functional\TextFieldTest::testTextfieldWidgetsAllowedFormats()
to get a fail before fixing it. The change didn't detect the problem however because we don't use the UI to create the text field, but I've left it in nonetheless as I think it's still probably useful. Do folk think it's worth updating the test to actually use the UI to create the fields themselves? Thanks!Comment #161
AndyF CreditAttribution: AndyF at Fabb commentedStill todo: fix remaining tests, implement
calculateDependencies()
, thanks!Comment #163
AndyF CreditAttribution: AndyF at Fabb commentedGuess there's no remaining tests to fix (: I've added the text formats as config dependencies, tho that's not tested. Thanks!
Comment #164
jungleRemoved
Unused use statement
, see https://www.drupal.org/pift-ci-job/1613160Comment #165
jungleAdd needs follow-up to the remain tasks section of IS addressing the concern of #154
Comment #166
jungleMake the screenshot of text field types smaller in IS
Comment #168
Rajab Natshah CreditAttribution: Rajab Natshah at Vardot commentedThis is a very important feature!!
Thanks all for working on patches and contributed modules
I hope it will get into Drupal 9
To me it feels that a module like Allowed Formats could be added to Drupal 9 core under the same name or under text formats.
Comment #169
dasginganinjaIs it recommended to use the core patch or the contributed module at this point?
Thanks!
Comment #170
John Pitcairn CreditAttribution: John Pitcairn commentedFor production sites I would advise using the contrib module rather than patching.
Comment #171
jungleRe #169, this feature will be in core sooner or later I think, and eventually, it's preferred than the contributed module.
I would suggest using the patch.
Thanks!
Comment #172
Brendan.Smith CreditAttribution: Brendan.Smith commentedTested latest patch from comment #163 on v8.9.x of Drupal Core and it works as expected.
Comment #173
apadernoComment #175
viappidu CreditAttribution: viappidu as a volunteer commentedRework for 9.1.x
Note: [#https://www.drupal.org/node/3129738]
So,
(Sorry for missing interdiff)
Comment #176
viappidu CreditAttribution: viappidu as a volunteer commentedSorry, my bad
Comment #178
raman.b CreditAttribution: raman.b at OpenSense Labs commentedAddressing a few more deprecations
Comment #179
mr.baileysQuick review:
1. After applying the patch and clearing the cache, when going to the Edit page for an existing field (under Manage Fields), a notice is thrown:
This means we might need an update path for existing config, or at least improve handling of field config if
allowed_formats
is missing.2. When you limit the allowed values on a field, you are still able to provide default content using any of the other (disallowed) text formats. For example, I restricted a text field to only allow "Plain text", but provided a default value (
<script>alert('Llama');</script>
) using "Full HTML". When creating content using this field, the default value shows up converted to the allowed format (<p><script>alert('Llama');</script></p>
). It might make sense to provide some validation to ensure the default value can only be saved using one of the allowed formats?Setting to needs work for the undefined index notice.
Comment #180
minorOffense CreditAttribution: minorOffense at Coldfront Labs Inc. commentedReroll updating the patch to swap out "assertIdentical" for "assertSame" in one of the tests.
Comment #181
joegraduateFixed test failures in #180 by adding 'allowed_formats' to field config schema for the editor_test_text_long field plugin used in the failing EditorFileUsageTest.
Comment #182
joegraduateFailed to include updated patch.
Comment #183
joegraduateSetting back to "Needs work" because #182 did not address #179.
Comment #184
vakulrai CreditAttribution: vakulrai as a volunteer and at QED42 for QED42 commentedAdded a patch which will take care of point 1 and 2 mentioned in #179.
For point 2 under #179 I have used
massageFormValues()
method to format the values as per the selected allowed formats.This code
$text = check_markup($values[0]['value'], $format_type)
is responsible for restricting any unsupported inline tags to be save while saving the markup.Please Review!.
Thanks
Comment #185
AndyF CreditAttribution: AndyF at Fabb commentedThanks! A small review of #184:
Update path: As we're updating the schema, I think the ideal solution is to add a
hook_update_N()
that updates the config of text fields where necessary, see eg.field_update_8003()
(although that updates field storage config for ER fields, whereas we're interested in the field config for text fields). There's some more details on this page https://www.drupal.org/node/2535454. We'll also want to test it, which should be quite simple for this change: see https://www.drupal.org/docs/8/api/update-api/writing-automated-update-te....Limiting default value allowed format: Rather than adding code to text area widgets to handle the case of default values, I think it's more appropriate to add validation to the field settings page that prevents the default value having a prohibited text format.
Comment #186
joegraduateThe attached patch is an iteration of #182 that incorporates @AndyF's suggestions from #185:
- Added hook_update_N() function that updates config of existing text fields
- Added a new list class for the text field type plugins (
TextFieldItemList
) that overrides theDrupal\Core\Field\FieldItemList::defaultValuesFormValidate()
method with additional validation logic for the text format input in the default values form within the field settings form.Comment #187
joegraduateUpdated version of patch from #186:
- Fixed typo / Cspell error in TextFieldItemList.php
- Added @vakulrai's empty array default fallback (from #184) to
TextItemBase::fieldSettingsForm()
Comment #189
joegraduateAdded back fix for broken tests from #182 that was mistakenly removed.
Comment #191
Joao Sausen CreditAttribution: Joao Sausen at Dexa commentedI tried the patch from #189 on Drupal 9.2.0-beta and got a
I think this line:
$field_name = $this->fieldDefinition->getName();
is supposed to be
$field_name = $this->definition->getName();
?
That made it work.
Comment #192
BramDriesenNeeds work in that case.
Comment #193
Meenakshi_j CreditAttribution: Meenakshi_j at Srijan | A Material+ Company for Drupal India Association commentedFixed the issue.
Comment #194
Meenakshi_j CreditAttribution: Meenakshi_j at Srijan | A Material+ Company for Drupal India Association commentedComment #195
owenbush CreditAttribution: owenbush at Lullabot commentedI have tested patch #193 on 9.3.x and it applied cleanly and worked without issue.
Comment #196
PCate CreditAttribution: PCate commentedPatch applied cleanly to 9.x and the functionality worked great for restricting formats.
Comment #197
Rinku Jacob 13 CreditAttribution: Rinku Jacob 13 at Zyxware Technologies commentedI have tested patch #193 for 9.3.x dev.it applied cleanly thanks @Meenakshi_j
Comment #198
BramDriesen@Rinku Jacob 13 please refrain from uploading screenshots of how a patch applies. It adds zero value to the issue. Did you actually test the functionality?
Comment #199
quietone CreditAttribution: quietone as a volunteer commentedJust wondering what this patch is doing so started to read the patch. Then I noticed that it has an update hook but no test. Tagging Needs Tests and setting to NW for the test. Then I read the patch and noticed a few more things.
It is much easier to manage if this is added alphabetically.
Not sure why this is two paragraphs and I am not sure if the ::fieldSettingsForm will be displayed as a link on api.drupal.org. I think this will be better.
This needs an test. See Writing Automated Update Tests for Drupal 8.
This looks like it is a list not a 'text field'. How about 'Defines an item list class for text fields.', which I got from looking at CommentFieldItemList.php.
Expand the array on multiple lines.
I reckon t should be $this->t.
Comment #200
quietone CreditAttribution: quietone as a volunteer commentedI should add that I have not done a thorough review, this is outside my area and I was mostly reading the comments.
Comment #201
vsujeetkumar CreditAttribution: vsujeetkumar at Srijan | A Material+ Company for Drupal India Association commentedHi, I have worked on #199 and fixed the 1, 2, 4, 5, 6 issues. Test case needs to be written for 199.3. Looking for it.
Comment #202
BramDriesenPutting it back to needs work for the test cases. Good to see that the test run passed successfully :-)
Comment #203
Eduardo Morales AlbertiI am interested in it, but why do not you create a merge request? It is easiest to review, merge and contribute for the maintainer.
I would do it, but I do not want authoring.
Comment #204
smustgrave CreditAttribution: smustgrave at Mobomo commented+1 for this feature to be included
Patch in #201 seems to work great.
Comment #205
mkimmet CreditAttribution: mkimmet commentedApplied patch in #201 and it seems to work. However, I noticed a file, TextFieldItemList.php, in 2 extra places in my drupal install at:
- /web/core/b/core/modules/text/src/Plugin/Field/FieldType
- /web/core/core/modules/text/src/Plugin/Field/FieldType
Is that to be expected?
Comment #206
larowlanthis should just defer to the parent, e.g.
type: field.field_settings.text
to avoid the duplicationsame here, this should defer to the parent
there's no test coverage for this yet
we should use the third argument to in_array when comparing strings
nit, > 80 chars here
there's no test coverage for this, as we're setting the allowed formats using the API in the test, not via the UI
we need a corresponding `onDependencyRemoval` to go with this so that removing the filter format doesn't result in the field being deleted.
And test coverage for that
there's no test coverage for the dependencies being added yet, can we get that added (kernel test would be best)
we have a config entity updater class now that we can use here
Comment #207
larowlanThis is a feature request in my opinion.
Comment #208
xeM8VfDh CreditAttribution: xeM8VfDh commentedI found this issue via: https://drupal.stackexchange.com/questions/228811/how-to-enable-plain-te...
I see it's still in progress, after 11 years. Though, it does seem to be mostly done, minus test case coverage. Any hope on the test coverage mentioned in #201? Is that the only think holding this back at the moment?
Also, with the aforementioned patch, would changing a Basic HTML field that has lots of records, some with HTML tags, convert said data to raw text (including html tags), or would the tags be stripped out after switching the format type?
Thanks for the long journey of work to all those involved!
Comment #209
darvanenThere is always hope if the issue is not "closed (won't fix)" :)
In addition to the test coverage there is a review from a core committer at #206 that will need to be addressed before this goes RTBC let alone back to Needs Review.
I encourage you to give it a go!
Comment #210
xeM8VfDh CreditAttribution: xeM8VfDh commentedthanks @darvanen!
Comment #211
error84 CreditAttribution: error84 commentedIn need for a fix for this 12 year old issue now?
The answer with the hook_field_widget_form_alter() fix on this page https://drupal.stackexchange.com/questions/239068/how-do-i-force-a-text-... worked excellent for me. It's relatively simple and does not require an additional module. And it works for BaseFieldDefinitions too (where the Allowed Formats module does not).
It's a workaround still, so I wish this issue here got fixed so I could fix it decently :) ...
Comment #212
xeM8VfDh CreditAttribution: xeM8VfDh commentedthanks @error84
Comment #213
vikashsoni CreditAttribution: vikashsoni as a volunteer and at Zyxware Technologies commentedUnable to apply patch in drupal-9.3.x-dev Giving error while going to apply patch
Needs to Re-roll
Comment #214
xeM8VfDh CreditAttribution: xeM8VfDh commentedthis may have been discussed, but for people wanting a quick fix, I've realized I can just use the "strip HTML tags" option when pulling the field in the view to force this type of behavior.
Comment #215
quietone CreditAttribution: quietone as a volunteer commented@vikashsoni, Adding screenshots of your terminal do not advance this issue. Reading the issue you will see that a few comments above there are changes asked for in the patch. Therefore removing credit per How is credit granted for Drupal core issues.
Comment #217
MaxMendez CreditAttribution: MaxMendez commentedThis is not and advance about the changes requested on #206, but fixed 9.3.x. compatibility.
Comment #218
vdsh CreditAttribution: vdsh commentedHere is the patch 201 rerolled for the 9.3.0 version. It's just a reroll, I haven't reviewed feedbacks from #206
Edit: Sorry MaxMendez, I believe we have the same patch, I didn't refresh the page before working on the patch to reroll for 9.3
Comment #219
DanielVezaTook the patch from #217 & addressed most points from #206.
Still a WIP patch, points 3 & 7 need adressing.
Comment #220
larowlanComment #221
larowlanBack to needs work for this and the #206.3 and #206.7
nit: this should probably match existing naming patterns, e.g. $format1_id (snake case, not camel case)
is this intentionally commented? can be removed?
Comment #222
larowlanAdding another task here - we need a validation constraint to ensure that you can't set an invalid format over JSON:API/Rest
Comment #223
andypostAdded #2824979: The DataDefinitionInterface is missing setConstraints method as related because it could help to simplify validation
Comment #224
uberhacker CreditAttribution: uberhacker as a volunteer and commentedI can confirm the patch in https://www.drupal.org/project/drupal/issues/784672#comment-14339340 works. Great effort @MaxMendez!
Comment #225
smustgrave CreditAttribution: smustgrave at Mobomo commentedTook the patch from #219 and addressed the 2 bullets from #221
Comment #226
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedAdded interdiff of patch #219 and #225.
Comment #227
ravi.shankar CreditAttribution: ravi.shankar at OpenSense Labs commentedFixed Drupal CS issues of patch #225.
Comment #228
apadernoComment #229
dimr CreditAttribution: dimr at FIZ Karlsruhe commentedIt is working as expected, thanks!
Comment #230
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis patch causes an issue when uninstalling linkchecker module https://www.drupal.org/project/linkchecker/issues/3280409
Not sure if it will break other modules.
Comment #231
smustgrave CreditAttribution: smustgrave at Mobomo commentedAdding a check
Comment #234
larowlanReroll for 9.4.x, doesn't include #231
Comment #236
smustgrave CreditAttribution: smustgrave at Mobomo commentedRerolled with #231. Not sure about the failing test. When I run locally no issues.
Comment #237
smustgrave CreditAttribution: smustgrave at Mobomo commentedComment #238
smustgrave CreditAttribution: smustgrave at Mobomo commentedLooking at the console for dispatcher I expect #237 to fail. Seeing almost 100 failures across random modules now.
test runner returned a non-zero error code (2).
Comment #239
smustgrave CreditAttribution: smustgrave at Mobomo commentedI stand corrected!
Comment #240
Berdir> Exception: Error: Class "\Drupal\text\Plugin\Field\FieldType\TextFieldItemList" not found
is the error.
This class is not in the patch, maybe you forgot to add it?
Build successful actually means that it fails so badly that it can't display the errors.
Comment #241
smustgrave CreditAttribution: smustgrave at Mobomo commentedI’ll take a look!
Comment #242
smustgrave CreditAttribution: smustgrave at Mobomo commentedNot sure how I screwed that up but should be fixed.
Comment #244
smustgrave CreditAttribution: smustgrave at Mobomo commentedThink I found it. I'm still on php8 which is why the error wasn't appearing for me.
Comment #245
smustgrave CreditAttribution: smustgrave at Mobomo commentedSweet! Ready for review
Comment #246
Luke.LeberOverall, looks great! Nice touch on calling
array_values
in the validate callback. Failing to do so has bitten me quite a few times.Just a couple of minor things.
1. Should we add a blurb of text to the widget settings summary?
2. We can probably save the test bot a bit of time here by creating the text formats via API here.
Comment #247
Luke.LeberIt looks like Lee's point in #222 still needs to be addressed, setting back to NW.
Comment #248
smustgrave CreditAttribution: smustgrave at Mobomo commented#222
Anyone know how to accomplish this?
Comment #249
larowlanWe might be able to add an additional constraint plugin to \Drupal\text\Plugin\Field\FieldType\TextItem::getConstraints
You can see there its already using the 'ComplexData' plugin to add a 'Length' validation plugin on the 'value' property.
We might be able to extend that to the 'format' property and add the 'AllowedValues' validation plugin
Something like
But I suspect adding two 'ComplexData' constraints is not efficient, and we should be able to add just one with both the 'value' and 'format' keys. That would probably entail building up an $options array for the second argument that was conditional on both the max length and allowed format settings.
This is further complicated by the fact that allowed_formats is on TextItemBase, while max_length is on TextItem, so you may need to do some parent child wrangling - ie add the allowed format constraint in TextItemBase and then add the max_length one on top of it in TextItem if it exists, if not, add a new one.
Comment #250
smustgrave CreditAttribution: smustgrave at Mobomo commentedTook a shot at #249
Comment #251
smustgrave CreditAttribution: smustgrave at Mobomo commentedComment #253
smustgrave CreditAttribution: smustgrave at Mobomo commentedComment #254
larowlanComment #255
larowlanGreat work @smustgrave - here's a few observations
is this an existing bug that this is missing?
should we split that to its own issue?
this looks to be an out of scope change
should this use $form_state->getValue($element['#parents']) instead of $element['#value']?
I'm not sure which is more correct
I think we also need an onDependencyRemoval implementation here, as removing a filter format shouldn't delete a field, which in turn could delete a view... 😬
We don't need to do this over HTTP, let's just do
$format1 = FilterFormat::create()
- we're not testing the filter format edit form here, so we may as well use the more efficient approachI can't see a test for the validation constraint.
We could add it here while we have all the scaffolding done, or we could add a separate kernel test.
We should just set the format to an invalid value via $entity->set() and then call $entity->validate() and make sure the violation is returned
We should add a test for onDependencyRemoval here too, given we've already got all the parts in place
Comment #256
smustgrave CreditAttribution: smustgrave at Mobomo commented#255
1.
Not sure I follow this one?
2. Actually was already there just looks like it got formatted differently. Probably from an IDE.
3. Addressed
4. Not 100% how to best address this. I tested manually by adding a format to a field, deleted the format, and the field was untouched. But now appeared empty because it was hanging on to a format that didn't exist.
5. Addressed
6. Address in a kernel test
7. Same as #4
Comment #257
BerdirDo we really need a new constraint for this?
formats are already validated by \Drupal\filter\Plugin\DataType\FilterFormat::getSettableOptions(), can't we just filter down that list, we can access the field item through $this->getParent(). That is from \Drupal\Core\TypedData\OptionsProviderInterface and a constraint is automatically added for it in \Drupal\Core\TypedData\TypedDataManager::getDefaultConstraints().
the update function number will need to change, this is 10.1 at this point. also not sure if it should be a post update?
Comment #258
larowlanIsn't embedding knowledge of the settings of a specific field-type in a data-type a bit of a code smell? Not all field-types that use filter format data-types will necessarily have an allowed format setting.
Comment #259
BerdirFair point.
Most computed data types depend on their parent and settings explicitly while non-computed usually don't.
But we could make it an explicit setting and set it in \Drupal\text\Plugin\Field\FieldType\TextItemBase::propertyDefinitions(), see \Drupal\Core\Field\Plugin\Field\FieldType\StringItemBase::propertyDefinitions for an example.
Comment #260
smustgrave CreditAttribution: smustgrave at Mobomo commentedSo what's the verdict regarding #258 and #259
Comment #261
smustgrave CreditAttribution: smustgrave at Mobomo commentedFollowing up on the verdict between #258 and #259?
Comment #262
apadernoComment #258 says that a data type class should not have settings for a field type; comment #259 agrees on that and suggests using a field type property that is set in
\Drupal\text\Plugin\Field\FieldType\TextItemBase::propertyDefinitions()
.Comment #263
smustgrave CreditAttribution: smustgrave at Mobomo commentedTook a shot at addressing #259.
Now question https://www.drupal.org/project/drupal/issues/1278886 is about saving default formatters. Would it be out of the scope of this ticket to make the allowed formatters be a dragable ordered field? That would cover the use case of 1278886
But don't want to delay this ticket.
Comment #264
smustgrave CreditAttribution: smustgrave at Mobomo commentedThe only different between the D9 and D10 patch is the D9 is patching some ckeditor tests that are removing in D10
Comment #265
andypostit should be hook_post_update_NAME() as there's only configuration changes
It may help to keep 9.5.x and 10.1.x similar
Comment #266
smustgrave CreditAttribution: smustgrave at Mobomo commentedFixed the test failure. Was left over from the constraint I removed.
Addressed #265
Comment #267
andypostIt looks mostly ready, just as feature for 10.1.x
Comment #268
smustgrave CreditAttribution: smustgrave at Mobomo commentedWould agree. Seems too late for D9.
Comment #269
smustgrave CreditAttribution: smustgrave at Mobomo commentedbumping again. Hoping to get this in for 10.1
Comment #270
DanielVezaCouple of Qs from a code review.
This looks like it has unopened and unclosed [ and ]. Is that correct?
Can we remove this else and set $format_dependencies = []; above the if statement?
Comment #271
darvanen#270.1 - Yes that's correct, it's a lovely Drupalism isn't it? It's documented under "Parameters" here.
#270.2 - Agree, new patches attached.
Comment #273
smustgrave CreditAttribution: smustgrave at Mobomo commentedMust of been a random failure I’m seeing all green so moving back to NR
Comment #274
DanielVezaChanges look good and tests are green :)
@darvanen and I went through this at DrupalSouth. I think this can be RTBC'd now
Comment #275
xeM8VfDh CreditAttribution: xeM8VfDh commentedVery cool! A long journey may be reaching the finish line! Well done everyone who stuck with it!
Comment #276
alexpottShould be called
text_
... which would also indicate this update function is not tested.Only needs to return TRUE if we set the field to a value.
Comment #277
BramDriesenVery early draft added here: https://www.drupal.org/node/3318572 Feel free to edit. I'll enrich it when I find time :) leaving the tag for now
Comment #278
smustgrave CreditAttribution: smustgrave at Mobomo commentedAddressed points in 276
Comment #279
apadernoComment #280
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis should be better.
Comment #281
alexpottWhat happens to existing content if you limit formats after the fact and it uses and format that's not allowed? In that case the node would use the format until it is edited... but then then when it is the format will change. That might be very problematic. We need to think about this situation. And we should have test coverage of this.
Comment #282
BerdirWe've seen that case in production with contrib, you are then forced to pick a new format, I don't think that's very problematic. But yes, test coverage makes sense.
There's one thing I'm wondering about. Beside this feature, the allowed_formats contrib module also has settings to hide the lengthy text format explanations, a feature that we use often. I'm a bit unsure how to handle that, for now you'd still need to use the contrib module for that, so it would require a new major version with a (post) update function and just those two settings? definitely don't want to delay this issue even further, maybe a follow-up that would allow us to move those into the same minor version?
Comment #283
Luke.LeberWe just recently ran into this very same thing, only in our case it was with over 5,800 custom block instances across some 300 layout-overridable enabled node-like entities!
We ended up writing a post-update hook to batch-switch the formats over. Otherwise, it could have very well ended up a weird quirk that would have lived for the next decade.
At the very least, I think we should put a warning message up on the UI that describes this behavior if an allowed format is to be removed. It really caught us off-guard at the last minute.
Comment #284
Luke.LeberThis might be overkill, but I'll just throw out that I absolutely love the UX for text-list field storage settings which won't let an allowed value be removed if there are any references to it that still exist (current or in revision history). 👨🔬
Comment #285
smustgrave CreditAttribution: smustgrave at Mobomo commentedWith regards to the concern of this patch just my 2 cents.
If you want to use it for existing fields that would mean you want to limit content that currently is being let through. And if it removes content that was there, I would assume the site admin made the decision they don't want that kind of content allowed anymore for that specific field. So asking the editors to choose an approved editor makes sense to me.
If you don't want to limit your text fields and leave your fields as is, you can do that too.
I see this as a huge improvement to help limit the kind of content users can put in. Example a card body field I may not want to allow tables or embeds. So really hope this feature can make it in.
Comment #286
larowlanSo there are two remaining issues here
1) Create a follow up for #282 to look to add the 'hide filter tips' option like the contrib module
2) Add test coverage for an existing item that has a non allowed format, we want to test the content still outputs with the old format, but that on edit the new format is applied
3) Add a follow-up to discuss #154
Updated the issue summary
Code review:
there's a patch reject file here
🧐 ubernit: we can use {@inheritdoc} here
should we add a third format in the setup and assert it doesn't exist here?
are these changes needed? these are for security sake to ensure if there's no format it falls back to plain text.
E.g. a migration might set a value but not a format
We'd need to keep this test or some form of it for security sake
nit: we can simplify this to
if (is_a($class, TextItemBase::class, TRUE))
devil's advocate, should we look for allowed formats third party settings here and base the default value off that?
it would be a break from tradition to special case a contrib module but it might smooth the update path?
We're using a flavour of this patch in projects instead of the contrib module, so very keen to see it land in 10.1 🤞
Comment #287
smustgrave CreditAttribution: smustgrave at Mobomo commentedOpened up follow up tickets per #286.
Added additional test covered to address #2
For the code review addressed 1-5
For 6 not sure what to do for that.
Also see there is a CR started.
Comment #288
larowlanAdded a release note, updated the follow up
Re-reviewed the changes in #287, thanks for the new test coverage @smustgrave, I think that addresses the question from @alexpott #281
I think this is ready. Thanks everyone who's hung in here this long.
I've updated the issue summary to remove the remaining tasks
Comment #289
alexpottSorted out issue credit. I've tried to credit everyone who contributed a comment or a patch that moved the issue on.
Comment #290
alexpottCommitted 82576b6002 and pushed to 10.1.x. Thanks!
Comment #292
andypostIt needs to update CR with example - great feature but too short
Comment #293
BramDriesenYes correct, I drafted the CR but didn't have the time yet to add an example.
Comment #294
alexpottThis introduced a random fail - see #3324376: Fix random fail introduced by new text format tests
Comment #295
Luke.LeberCan we add a blurb about what the upgrade path from contrib allowed_formats might look like? Any outstanding blockers or lack of feature parity for site builders to consider?
Comment #296
BramDriesenRE #292 I Updated the CR with a field API example and a screenshot of the settings screen.
Comment #297
andypost@BramDriesen thank you! it much clear now
Comment #298
smustgrave CreditAttribution: smustgrave at Mobomo commentedCongrats everyone for this one landing! Already got ideas for this feature on projects.
Comment #299
Berdir> Can we add a blurb about what the upgrade path from contrib allowed_formats might look like?
There is none yet. That's something the contrib module needs to handle, typically be creating a 2.x release that requires 10.1 and includes an update function that moves the config over to the core settings structure. Created #3324446: Allowed formats are in Drupal 10.1 now, add an upgrade path for taht.
Would love to se #3323007: Add an option to 'hide filter tips' on text fields get into 10.1 as well, thanks for creating the issue, with that, the contrib module could then be removed, otherwise you'd still need it if you rely on that setting. Thanks for creating the follow-up, I'll try to help review if someone wants to work on that?
Comment #300
ressa CreditAttribution: ressa at Ardea commentedThis is great, thanks everyone for working on it since April 2010! Here's the Change record -- I scanned the last few issues, but only found it after searching on the page for change record: Text fields can enforce a specific text format.
Comment #302
s_leu CreditAttribution: s_leu at Tag1 Consulting commentedHere yet a re-roll against latest 9.5.x as none of the existing patches is applying anymore there.
Comment #303
jksloan2974 CreditAttribution: jksloan2974 commentedWorks on 9.5.1
Comment #304
vistree CreditAttribution: vistree commentedPatch from #302 works on 9.5.3
Comment #305
a.dmitriiev CreditAttribution: a.dmitriiev as a volunteer and at 1xINTERNET commentedRe-roll for Drupal 10.0.7, just so that it still can be applied
Comment #306
W01F CreditAttribution: W01F commentedNoting that this change doesn't seem to apply for default taxonomy description fields. It doesn't appear you can limit the allowed formats. I think this issue may also be related - https://www.drupal.org/project/drupal/issues/3106303.
Comment #307
steveoriolPatch from #302 works on 9.5.9 but break the site with D9.5.10...
This is the Apache2 error log :
Comment #308
djac CreditAttribution: djac commentedPatch from #302 is working as expected in our D9 (9.5.10) environment.
@steveoriol perhaps you can include some information about your field setup and steps to reproduce the error you're encountering?
Comment #309
Ncchenm CreditAttribution: Ncchenm as a volunteer commentedHas anybody encountered this error ?
I ran into this error everytime while I trying to access the front page on my Drupal 10.1.6 site. It's seen to be the same error with #307... Any suggestions? many thanks!!!
Error: Class "\Drupal\text\Plugin\Field\FieldType\TextFieldItemList" not found in Drupal\Core\TypedData\TypedDataManager->createInstance() (line 91 of /userap/httpd/htdocs/drupal/web/core/lib/Drupal/Core/TypedData/TypedDataManager.php) #0 /userap/httpd/htdocs/drupal/web/core/lib/Drupal/Core/TypedData/TypedDataManager.php(103): Drupal\Core\TypedData\TypedDataManager->createInstance('list', Array)