[1.0.x] Zefix

Thank you for applying!

Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.

The important notes are the following.

• New releases are not necessary for these applications, which could require changes that are not backward-compatible. Not creating new releases avoids any possible issue.
• Please do not change the branch to review once reviews started, except in the case the used branch needs to be deleted.
• If you have not done it yet, enable GitLab CI for the project, and fix what reported from the phpcs job. This help to fix most of what reviewers would report.
• For the time this application is open, only your commits are allowed. No other people, including other maintainers/co-maintainers can make commits.
• The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status won't be changed by this application; when the application status is changed to Fixed, you will be able to change it and opt it into security advisory coverage.
• Nobody else will get the permission to opt projects into security advisory policy. If there are other maintainers/co-maintainers who need to get that permission, they need to apply with a different module.
• We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.

The important notes are the following.

• It is preferable to wait for a project moderator before commenting on newly created applications. Project moderators will do some preliminary checks that are necessary before any change on the project files is suggested.
• Reviewers should show the output of a CLI tool only once per application. The configuration used for these tools needs to be the same configuration used by GitLab CI, stored in the GitLab Templates repository.
• It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.

All the commits have been so far done by freezernick. As per my previous comment, until this application is not closed as fixed, only benferch is allowed to make commits.

These applications are for checking what the person who applies understands about writing secure code that follows the Drupal coding standards and correctly uses the Drupal API. They are not for understanding what the project maintainers as group understand about those topics.

The latest changes have been made by benferch, only the corresponding MR was merged by me. Is it still an issue? Would it make more sense to retract the submission and re-open with my user account?

@freezernick There is no need to create a new application. As long as you will make all the commits from now on and you will reply to any comment posted here, using this application is fine.

I reviewed the latest on 1.0.x (at this commit 29fcf830de35935517f30e6f453e93f45e74ec1b) and here are my comments:

1. zefix.services.yml
Key names in yaml files by convention use snake case (api_client) not camel case.

services:
  zefix.apiClient:

2. src/ZefixApiClient.php
- Quite bit of code duplication (wrt curl_init setup) in the get/post methods.
- Consider the case when the config settings for zefix is not available; handle the error cases as appropriately.

3. src/Services
- It is an interesting choice to create a separate service for each API call.

4. Form/SettingsForm.php
- Consider hardening the safety of api credentials (uname/pwd) by saving them through Key module.

FILE: composer.json

    "require": {
        "ext-curl": "*",
        "drupal/core": "^8.8 || ^9 || ^10 || ^11"
    },

As a side note, it is not necessary to add the Drupal core requirements in the /composer.json/ file: The Drupal.org Composer Façade will add them.

I am changing priority as per Issue priorities.