Initiative for Group 1.x compatibility under Drupal 10

Created on 18 June 2023, over 1 year ago
Updated 29 August 2023, over 1 year ago

Problem/Motivation

I would like to start an initiative to make Group 1.x compatible with Drupal 10. I know there are some advocates for this, but also other opinions.

Primarily, the recommendation is to simply upgrade the module from Group 1.x to 2.x, the 2.x version is compatible with Drupal 10.

However, in many cases this is not easy and especially not fast. We still have about 5 months before an upgrade to Drupal 10 has to happen, otherwise you run the risk of being "forced" to stay with Drupal 9.5.x because of using Group 1.x. This would leave us with the problem that potentially many thousands of websites are no longer secure and cannot be provided with security updates. I personally see this very critically.

What is the argument for a working patch for Drupal 10?

- Over 12,000 installations of Group 1.x, probably more
- Many patches developed for Group 1.x, but not ported or existing for other Group versions
- Many additional modules that extend the Group Ecosystem are not available for version 2.x.
- Large sites with a lot of data, especially multisites, cannot be updated quickly.
- Projects running Group 1.x have complex processes and custom developments. All this needs to be updated in a very short time, which in many cases is not possible at speed.
- We need more time to update all >12,000 installations, in the best case immediately to Group 3.x (requires migration unfortunately).
- We need Drupal 10 to continue to provide security updates to the websites.

I don't know why many of the Group 1.x users are so quiet, it is after all over 12,000 installations, but in my eyes it is getting critical. Of course, it could also be that many have not even noticed the problem?

I would be happy if some people join the initiative and make Group 1.x compatible to Drupal 10. Please note that this is only about compatibility, NO feature requests will be considered. If you have feature requests, please develop them yourself or upgrade to higher Group versions. This issue is only about making Group 1.x work with Drupal 10 and not having a gaping security hole with Drupal 9.5.x from December on.

Steps to reproduce

Proposed resolution

Creation of a patch and after successful testing, release of a new version for Group 1.x.

Remaining tasks

User interface changes

API changes

Data model changes

πŸ“Œ Task
Status

Fixed

Version

1.0

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany zcht

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @zcht
  • Status changed to Needs review over 1 year ago
  • πŸ‡©πŸ‡ͺGermany zcht

    I have created a first version of a possible patch. I'm not the right person for UNIT tests, maybe someone else could do that, but the first tests are very promising: tested in a custom project of my own with over 4,000 groups & subgroups, Drupal 10.0.9, PHP 8.1.17, only minor adjustments to custom modules of my own were necessary, but related to Drupal 10. So far everything works well and error free, testing will continue and testing is welcome.

  • πŸ‡©πŸ‡ͺGermany zcht
  • πŸ‡ΊπŸ‡ΈUnited States dww

    Yup, I want to get this done. I've just been too slammed with other things for the last few months, and most of my paying clients don't need Group module. 😒 I'm about to be AFK for a couple weeks, but hopefully in mid July when I'm back online I can move this forward.

    Thanks/sorry,
    -Derek

  • Status changed to Needs work over 1 year ago
  • heddn Nicaragua
    +++ b/src/Access/GroupContentCreateAnyAccessCheck.php
    @@ -57,7 +57,7 @@ class GroupContentCreateAnyAccessCheck implements AccessInterface {
    +    $group_content_type_ids = $entity_query->accessCheck(FALSE)->execute();
    
    +++ b/src/Access/SynchronizedGroupPermissionCalculator.php
    @@ -53,7 +53,7 @@ class SynchronizedGroupPermissionCalculator extends GroupPermissionCalculatorBas
    +    foreach ($group_type_storage->getQuery()->accessCheck(FALSE)->execute() as $group_type_id) {
    
    +++ b/src/Entity/Controller/GroupContentListBuilder.php
    @@ -85,7 +85,7 @@ class GroupContentListBuilder extends EntityListBuilder {
    +    return $query->accessCheck(FALSE)->execute();
    
    +++ b/src/Entity/Controller/GroupListBuilder.php
    @@ -157,7 +157,7 @@ class GroupListBuilder extends EntityListBuilder {
    +    return $query->accessCheck(FALSE)->execute();
    
    +++ b/src/Entity/Controller/GroupRoleListBuilder.php
    @@ -69,7 +69,7 @@ class GroupRoleListBuilder extends DraggableListBuilder {
    +    return array_values($query->accessCheck(FALSE)->execute());
    
    +++ b/src/Entity/Form/GroupRevisionDeleteForm.php
    @@ -138,6 +138,7 @@ class GroupRevisionDeleteForm extends ConfirmFormBase {
    +      ->accessCheck(FALSE)
    
    +++ b/src/Entity/GroupType.php
    @@ -160,7 +160,7 @@ class GroupType extends ConfigEntityBundleBase implements GroupTypeInterface {
    +    return $query->accessCheck(FALSE)->execute();
    
    +++ b/src/Entity/Storage/GroupRoleStorage.php
    @@ -211,7 +211,7 @@ class GroupRoleStorage extends ConfigEntityStorage implements GroupRoleStorageIn
    +      $group_type_ids = $this->entityTypeManager->getStorage('group_type')->getQuery()->accessCheck(FALSE)->execute();
    
    +++ b/src/GroupRoleSynchronizer.php
    @@ -86,7 +86,7 @@ class GroupRoleSynchronizer implements GroupRoleSynchronizerInterface {
    +    $group_type_ids = $this->entityTypeManager->getStorage('group_type')->getQuery()->accessCheck(FALSE)->execute();
    
    +++ b/tests/src/Kernel/EntityQueryAlterCacheabilityTest.php
    @@ -81,7 +81,7 @@ class EntityQueryAlterCacheabilityTest extends GroupKernelTestBase {
    +      $storage->getQuery()->accessCheck(FALSE)->execute();
    
    +++ b/tests/src/Kernel/EntityQueryAlterComplexTest.php
    @@ -519,7 +519,7 @@ class EntityQueryAlterComplexTest extends GroupKernelTestBase {
    +    $ids = $this->storage->getQuery()->accessCheck(FALSE)->execute();
    
    +++ b/tests/src/Kernel/EntityQueryAlterTest.php
    @@ -303,7 +303,7 @@ class EntityQueryAlterTest extends GroupKernelTestBase {
    +    $ids = $this->storage->getQuery()->accessCheck(FALSE)->execute();
    

    The default for an access check is TRUE. This would technically be a regression.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 8
    last update over 1 year ago
    run-tests.sh fatal error
  • Status changed to Needs review over 1 year ago
  • πŸ‡©πŸ‡ͺGermany zcht

    Thanks for the review, here is the update of the patch.

  • Status changed to Needs work over 1 year ago
  • πŸ‡§πŸ‡ͺBelgium kristiaanvandeneynde Antwerp, Belgium

    Primarily, the recommendation is to simply upgrade the module from Group 1.x to 2.x, there is no upgrade path for this, but the 2.x version is compatible with Drupal 10.

    The bold part is simply not true. I've gone ahead and updated the IS.

    Having said that, I see changes like these:

    +++ b/group.install
    @@ -23,7 +23,7 @@ function group_update_8001(&$sandbox) {
    -    $sandbox['ids'] = $storage_handler->getQuery()->accessCheck(FALSE)->execute();
    +    $sandbox['ids'] = $storage_handler->getQuery()->accessCheck(TRUE)->execute();
    

    You can't go around and change access checks like that. The D10 requirement is that all entity queries specifically call accessCheck, but ones that were already deliberately set to either TRUE or FALSE cannot be changed. You can check the original issue here: πŸ› D10 compatibility Fixed

    That should give you some guidance on what changes we expect to see (e.g. the ProphecyTrait is a false one, don't do that one) and how to split these changes into smaller patches that are easier to review. Ideally, you have one child issue per type of change to make the review process easier.

  • πŸ‡¨πŸ‡¦Canada sylus

    I just did a quick re-roll add some of the missing voids for some of the test functions so my phpunit would pass.

    This doesn't address any of @kristiaanvandeneynde feedback.

  • πŸ‡ΊπŸ‡¦Ukraine trishen Kharkiv

    Unfortunately in my case, upgrading from version 1.5 to 2.1, removes all previously added groups.

  • Status changed to Needs review over 1 year ago
  • πŸ‡©πŸ‡ͺGermany zcht

    @kristiaanvandeneynde yes, you are absolutely right. existing accessCheck must not be changed of course, I did not pay attention to it. patch is reworked:

    • - existing accessChecks are the same
    • - in case of not existing accessCheck they are inserted with TRUE
    • - ProphecyTrait removed, was an "optimization" of phpStorm

    patch reroll with the adjustments from the patch from comment #8

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,072 pass, 14 fail
  • πŸ‡΅πŸ‡ΉPortugal hernani

    Rerolling patch for failed tests.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.0.7 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 9.5.5 + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • πŸ‡΅πŸ‡ΉPortugal hernani

    The patch is working for us in all automated tests and scenarios in our internal Drupal distro.

    The patch is also passing all the module's automated tests for D9 and d10.

    It would be great to have another 1.x release with it !

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • The patch looks good. RTBC.

  • Status changed to RTBC over 1 year ago
  • πŸ‡§πŸ‡ͺBelgium kristiaanvandeneynde Antwerp, Belgium
    +++ b/tests/src/Unit/GroupContentEnablerManagerTest.php
    @@ -69,13 +69,12 @@ class GroupContentEnablerManagerTest extends UnitTestCase {
    -    $this->moduleHandler->getImplementations('entity_type_build')->willReturn([]);
    

    Looking at the patch, why was this line removed?

  • πŸ‡΅πŸ‡ΉPortugal hernani

    Line doesn't seem to be needed anymore and tests were green without it.

    There were similar changes and comments I could find related to similar fixes:
    https://www.drupal.org/project/rules/issues/3346842 πŸ“Œ [10.0] ModuleHandlerInterface::getImplementations() removed from core Fixed
    https://www.drupal.org/project/group/issues/3278740#comment-14838701 πŸ› D10 compatibility Fixed

  • Status changed to Needs review over 1 year ago
  • πŸ‡§πŸ‡ͺBelgium kristiaanvandeneynde Antwerp, Belgium

    Did a first round of review, found a bunch of config entity queries that had no accessCheck added. This is possible because config entity queries don't run any SQL query. I've made all config entities' access check FALSE except for listing pages so that if core ever starts supporting access checks on config entity queries, the listing pages immediately work as expected.

    Further review incoming.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.1.x + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    Composer error. Unable to continue.
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 9.5.x + Environment: PHP 8.1 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 9.5.x + Environment: PHP 7.3 & MySQL 5.7
    last update over 1 year ago
    5,149 pass
  • Status changed to Fixed over 1 year ago
  • πŸ‡§πŸ‡ͺBelgium kristiaanvandeneynde Antwerp, Belgium

    Cross referenced with the v2 and v3 work and looks good. In fact, we might want to check the config entity queries there too. Also replaced accessCheck(TRUE) with accessCheck().

    Will tag a new release tomorrow.

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024