Problem/Motivation

#956186: Allow AJAX to use GET requests caused a regression that leaks the ajax_page_state query paramater into the redirect destination URLs generated by Views.

Steps to reproduce

  1. Install Drupal 11.x with standard profile
  2. Enable ajax on the /admin/content view
  3. Create one article node
  4. Visit /admin/content and apply a filter (e.g. Type = Article)
  5. Delete the article

This redirects to which breaks rendering because of the ajax_page_state:

/admin/content?title=&type=article&status=All&langcode=All&ajax_page_state[theme]=claro&ajax_page_state[theme_token]=OUqFxWhAOwXtkRPcSAdL4jbOuw8Cz4O-QlNSqWuM82c&ajax_page_state[libraries]=big_pipe/big_pipe%2Cclaro/drupal.nav-tabs%2Cclaro/global-styling%2Ccontextual/drupal.contextual-links%2Ccontextual/drupal.contextual-toolbar%2Ccore/drupal.active-link%2Ccore/drupal.dropbutton%2Ccore/drupal.tableheader%2Ccore/drupal.tableresponsive%2Ccore/drupal.tableselect%2Ccore/normalize%2Cshortcut/drupal.shortcut%2Csystem/admin%2Csystem/base%2Ctoolbar/toolbar%2Ctoolbar/toolbar.escapeAdmin%2Ctour/tour%2Cuser/drupal.user.icons%2Cviews/views.ajax%2Cviews/views.module

Proposed resolution

Fix it.

CommentFileSizeAuthor
#26 3364088-ajax-get-state-leaking-9_5_x-26.patch8.24 KBAltcom_Neil
#12 interdiff.txt1.95 KBlauriii
#12 3364088-11.patch7.49 KBlauriii
#9 interdiff.txt1.6 KBlauriii
#9 3364088-9.patch7.48 KBlauriii
#8 interdiff.txt3.2 KBlauriii
#8 3364088-8.patch7.45 KBlauriii
#6 interdiff.txt1.4 KBlauriii
#6 3359494-6-fast.patch5.86 KBlauriii
#3 3364088-3.patch5.29 KBlauriii
#3 3364088-3-test-only.patch3.81 KBlauriii
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

lauriii created an issue. See original summary.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Assigned: Unassigned » lauriii
lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Assigned: lauriii » Unassigned
Status: Active » Needs review
FileSize
3364088-3-test-only.patch3.81 KB
3364088-3.patch5.29 KB

The last submitted patch, 3: 3364088-3-test-only.patch, failed testing. View results

Status: Needs review » Needs work

The last submitted patch, 3: 3364088-3.patch, failed testing. View results

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Status: Needs work » Needs review
FileSize
3359494-6-fast.patch5.86 KB
interdiff.txt1.4 KB

Status: Needs review » Needs work

The last submitted patch, 6: 3359494-6-fast.patch, failed testing. View results

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Status: Needs work » Needs review
FileSize
3364088-8.patch7.45 KB
interdiff.txt3.2 KB

Posting my progress here but this is going to have the same test failing as #6. The test failure looks unrelated to this - I'm researching that because it seems like another major/critical issue.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
FileSize
3364088-9.patch7.48 KB
interdiff.txt1.6 KB

The other bug I discovered is that Views generates incorrect destination paths when Drupal is in a subdirectory. The fix is on the same method and is covered by the test coverage being added here so probably better to fix it here. I also can't integration test the originally reported bug without fixing this.

The last submitted patch, 8: 3364088-8.patch, failed testing. View results

Status: Needs review » Needs work

The last submitted patch, 9: 3364088-9.patch, failed testing. View results

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
FileSize
3364088-11.patch7.49 KB
interdiff.txt1.95 KB

This should address the failing tests. I tried to add a unit test to \Drupal\Tests\views\Unit\Controller\ViewAjaxControllerTest to test with base path but turns out setting up \Symfony\Component\HttpFoundation\Request with a base path is not super straight forward and mocking it doesn't seem super handy either. 😬

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented
Status: Needs work » Needs review
smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

Confirmed the issue described in the issue summary.

Patch #12 solved the issue.

mstrelan’s picture

mstrelan CreditAttribution: mstrelan at PreviousNext commented

@lauriii++

Patch looks good and fixes the issue I reported in #2253257-164: Use a modal for entity delete operation links. RTBC++

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett at Acquia commented

Reviewed this as a subsystem maintainer of both AJAX and Views.

  1. +++ b/core/lib/Drupal/Core/Pager/PagerParameters.php
@@ -36,7 +36,7 @@ public function getQueryParameters() {
-        $request->query->all(), ['page']
+        $request->query->all(), ['page', 'ajax_page_state']

+++ b/core/modules/views/src/Controller/ViewAjaxController.php
@@ -162,17 +162,21 @@ public function ajaxView(Request $request) {
+        unset($param_union['ajax_page_state']);

+++ b/core/modules/views/src/ViewExecutable.php
@@ -705,7 +705,7 @@ public function getExposedInput() {
-      foreach (['page', 'q'] as $key) {
+      foreach (['page', 'q', 'ajax_page_state'] as $key) {

    These are 3 sensible places to do this. Especially glad to see the change to PagerParameters 

  2. +++ b/core/modules/views/src/Controller/ViewAjaxController.php
@@ -162,17 +162,21 @@ public function ajaxView(Request $request) {
-        $origin_destination = $path;
+        $origin_destination = $request_clone->getBasePath() . '/' . ltrim($path ?? '/', '/');

    Nice :) 

  3. +++ b/core/modules/views/tests/src/FunctionalJavascript/PaginationAJAXTest.php
@@ -100,6 +100,9 @@ public function testBasicPagination() {
+    // Test that no unwanted parameters are added to the URL.
+    $this->assertEquals('?status=All&type=All&langcode=All&items_per_page=5&order=changed&sort=asc&page=2', $link->getAttribute('href'));

    This assertion was incorrectly removed in #956186-152: Allow AJAX to use GET requests, glad to see it restored here 

  4. +++ b/core/modules/views/tests/src/Unit/Controller/ViewAjaxControllerTest.php
@@ -224,7 +224,7 @@ public function testAjaxViewViewPathNoSlash() {
-      ->with('test-page?ajax_page_state=drupal.settings%5B%5D&type=article');
+      ->with('/test-page?type=article');

    Confirmed that adding this slash here does NOT change the intention or coverage of the test. This is a side-effect of normalizing the path with that ltrim above.

RTBC++

olli’s picture

olli CreditAttribution: olli commented

The other bug I discovered is that Views generates incorrect destination paths when Drupal is in a subdirectory. The fix is on the same method and is covered by the test coverage being added here so probably better to fix it here.

Nice! This has been reported also in #3130504: In subsite setup view_path is not correct for links on AJAX page refresh.

lauriii credited anup.singh.

lauriii’s picture

lauriii
he/him
Primary language Finnish
Location Finland
CreditAttribution: lauriii at Acquia commented

Thanks @olli! I tried to look for an issue for that but looks like I didn't try hard enough. 😅 Moving credits from #3130504: In subsite setup view_path is not correct for links on AJAX page refresh to here.

  • catch committed 7b0afe89 on 10.1.x 
    Issue #3364088 by lauriii, tim.plunkett, anup.singh, olli: Ajax state...

  • catch committed 710278cc on 11.x 
    Issue #3364088 by lauriii, tim.plunkett, anup.singh, olli: Ajax state...
catch’s picture

catch
he/him
Primary language English
CreditAttribution: catch at Third and Grove commented
Version: 11.x-dev » 10.1.x-dev
Status: Reviewed & tested by the community » Fixed

Thanks for finding and fixing the bug I introduced...

I think it would be nice if we could eventually centralise taking out ajax_page_state from incoming request URLs (rather than on generation), but that might be something that could be looked at in #3348789: Compress ajax_page_state, definitely not here.

Committed/pushed to 11.x and 10.1.x, thanks!

dmurphy1’s picture

dmurphy1 CreditAttribution: dmurphy1 at Savas Labs commented

Hey all, thanks for your work on this! I just wanted to flag that I create a new issue that I think may be related but doesn't appear to be resolved when testing on 10.1.x-dev: https://www.drupal.org/project/drupal/issues/3366287.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Berdir’s picture

Berdir
Primary language German
Location Switzerland
CreditAttribution: Berdir at MD Systems GmbH commented

Aaand there's another one: #3372678: Ajax state leaking to Views bulk operations

Altcom_Neil’s picture

Altcom_Neil CreditAttribution: Altcom_Neil commented
FileSize
3364088-ajax-get-state-leaking-9_5_x-26.patch8.24 KB

Thanks for working on this, here is a D9.5.x backport of patch #11

Yury N’s picture

Yury N CreditAttribution: Yury N as a volunteer commented

Another issue with destination path for subdirectory installation. If you also have language prefix in path it is lost: /subdirectory/de/admin/content/media becomes /subdirectory/admin/content/media