- Issue created by @aadeshvermaster@gmail.com
- 🇬🇧United Kingdom philipnorton42 Cheshire
I see this problem too.
The above patch does solve the issue, but the code contains other issues that cause more crashes. For example, the `$this->userStorage` property is called, but that property is never set so the page crashes if the user reaches that code.
I wonder if a better approach might be to decorate or extend the original UserController here? Most of the code in the ShyController is using code from that controller and that would mean that the ShyController only needs to reject the request or call the parent UserController resetPass action.
I'll give this a go.
- Open on Drupal.org →Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7last update
over 1 year ago Waiting for branch to pass - @philipnorton42 opened merge request.
- Status changed to Needs review
over 1 year ago 2:45pm 17 May 2023 - Open on Drupal.org →Core: 9.5.x + Environment: PHP 7.4 & MySQL 5.7last update
over 1 year ago Waiting for branch to pass - 🇬🇧United Kingdom philipnorton42 Cheshire
Created an MR with the proposed change.
Marking as ready for review.
- 🇩🇪Germany zcht
@philipnorton42 Thank you for the patch, however, this one leverages the primary mechanic. Initially, when the module was still an alpha version, the UserController class was also extended. However, this is not allowed to happen, as a team member from the security team informed me at the time. Attached is his explanation from back then.
As Drupal 8 and 9 backwards compatibility and internal API policy (backend) → says, database schema for core modules, HTTP headers, automated test classes, controller and form classes, plugins, entity handlers, parameter converters, access checkers, event subscribers, and hook implementations should always be treated as internal.
For classes, this means they cannot be extended from a class implemented by contributed code, except in the case of base classes like the ConfigBase class. For hooks, it means contributed code cannot call a hook implemented by a Drupal core module directly. - 🇬🇧United Kingdom philipnorton42 Cheshire
That's interesting, thanks for the update @zcht.
In that case there are two options:
- We copy and paste the entire codebase from the UserController module into the ShyController controller.
- We select another mechanism to perform this check. I'm thinking that instead of using the controller to return an access denied we do this through an event listener.I was looking at event listeners the other day and one to perform this action should be pretty simple to write (I think!).
I'll revert that code and have another go at it.
15:26 35:13 Running- 🇬🇧United Kingdom philipnorton42 Cheshire
Hi @zcht,
I have updated the MR with an event subscriber approach to this issue. As this removes the need for the ShyController I have removed that from the codebase.
I have never used the passwordless login module before, but I'm assuming that these changes would also negate the need for that controller. I've left it alone for now, but I'd be interested to hear what you think.
-
zcht →
committed f4bbb55d on 1.0.x authored by
philipnorton42 →
Issue #3349335: Extended the original UserController controller
-
zcht →
committed f4bbb55d on 1.0.x authored by
philipnorton42 →
- Status changed to Fixed
over 1 year ago 7:36pm 17 May 2023 - 🇩🇪Germany zcht
Thanks @philipnorton42, yes find the approach also good and more generic it is too. I'm so happy to take over the patch and make a new release right away. Thanks for the work.
- Status changed to Fixed
over 1 year ago 7:49pm 17 May 2023 - 🇬🇧United Kingdom philipnorton42 Cheshire
I know this is closed, but I just wanted to thank you very much for releasing a new version of the module so quickly. I really appreciate it.
- 🇩🇪Germany zcht
no problem and gladly, thank you for the work and support of the project. :)