- Issue created by @mondrake
- Status changed to Needs review
11 months ago 1:45pm 7 February 2024 - ๐ฎ๐นItaly mondrake ๐ฎ๐น
Maybe this one is as simple as this,:we trigger_error E_USER_WARNING instead of E_USER_ERROR. As far as logging is concerned, errors and warnings are either reported both, or none. So we are not changing visibility of the issue in the db log of non-prod sites, just changing the severity level of the message.
- ๐ฎ๐นItaly mondrake ๐ฎ๐น
If the objective of the trigger_error is to add a log entry for site admins to review, however, then this is not fully right as the errors/warnings are only added if the appropriate setting allows - which is discouraged in prod sites. Better logging directly to a logger service.
- ๐บ๐ธUnited States smustgrave
The proposed changes make sense, could the issue summary be updated to include that? And think there's anyone to ping for 2nd eyes?
- Status changed to Needs work
10 months ago 4:11pm 14 February 2024 - Status changed to Needs review
10 months ago 9:32pm 14 February 2024 - ๐บ๐ธUnited States bradjones1 Digital Nomad Life
Was there a decision to not pursue #4 further and have this logged "properly" to a logger channel?
- ๐ฎ๐นItaly mondrake ๐ฎ๐น
The other, alternative approach here would be to avoid
trigger_error()
completely and log a message through the logger, instead. An example in that sense is in ๐ Find an alternative to trigger_error in Drupal\Core\EventSubscriber\RedirectResponseSubscriber::checkRedirectUrl Active . We need to take a direction, here. - ๐ฌ๐งUnited Kingdom longwave UK
This is just swapping one deprecation for another?
- #^Call to deprecated method expectError\\(\\) of class PHPUnit\\\\Framework\\\\TestCase\\: + #^Call to deprecated method expectWarning\\(\\) of class PHPUnit\\\\Framework\\\\TestCase\\:
Can we validate the operator earlier, in a more suitable place to inject a logger and/or throw an exception?
- ๐ฎ๐นItaly mondrake ๐ฎ๐น
c/p from Slack
my intention would be to backfill expectWarning in the issue where we drop the bridge. Itโs there already. We could easily backfill expectError, too. But I thought that where for error we should comply to PHPUnit direction, for warning instead we could keep it to reduce the refactoring needed, that alas in this case covers runtime code too, not just test one.
- ๐ฌ๐งUnited Kingdom longwave UK
๐ Log when invalid input is swallowed by database layer Closed: outdated makes the same point ten years ago.
This is an exceptional case. Maybe we just throw an exception, and be done with it?
- ๐ฎ๐นItaly mondrake ๐ฎ๐น
#12 mmmโฆ there are comments in the code above the change explaining why exception should be avoided here
- ๐ฌ๐งUnited Kingdom longwave UK
Is the comment correct though? The error is thrown in
compile()
and__toString()
explicitly requires you to callcompile()
first:public function __toString() { // If the caller forgot to call compile() first, refuse to run. if ($this->changed) { return ''; } return $this->stringVersion; }
It also looks like this check could be moved into
condition()
;$conditions
is protected and this is the only place it is added to with user input. - Status changed to Needs work
10 months ago 9:04am 15 February 2024 - ๐ฎ๐ณIndia samit.310@gmail.com
samit.310@gmail.com โ made their first commit to this issueโs fork.
- Merge request !7378Resolve #3419690 "Find an alternative to trigger error" โ (Open) created by samit.310@gmail.com
- Merge request !7396Refactor Condition to throw exception instead of error. โ (Open) created by longwave
- Status changed to Needs review
9 months ago 8:27pm 9 April 2024 - ๐ฌ๐งUnited Kingdom longwave UK
This was the fix for #2492967: SQL layer: $match_operator is vulnerable to injection attack โ and the test coverage should be good enough, but reviewers should have a quick look to make sure we haven't missed anything here. It's not clear to me why this was added in
compile()
instead ofcondition()
. - Status changed to Needs work
9 months ago 9:21pm 9 April 2024 - Status changed to Needs review
9 months ago 9:44pm 9 April 2024 - ๐ฌ๐งUnited Kingdom longwave UK
Turns out we have some near-duplicate test coverage, which I think we should keep, but we can clean it up somewhat here.
- ๐ฌ๐งUnited Kingdom longwave UK
longwave โ changed the visibility of the branch 3419690-find-an-alternative-to-trigger-error to hidden.
- Status changed to RTBC
9 months ago 11:55pm 9 April 2024 - ๐บ๐ธUnited States smustgrave
Based on issue summary update MR appears to match proposed solution and am seeing all green.
Believe this is good.
- Status changed to Needs work
9 months ago 2:37pm 10 April 2024 - ๐ฌ๐งUnited Kingdom alexpott ๐ช๐บ๐
I've added a comment to the MR - I don't think we should be moving the location of the check.
- First commit to issue fork.
- Status changed to Needs review
9 months ago 11:59am 11 April 2024 - ๐ฎ๐ณIndia immaculatexavier
The compile method now includes the detection of potentially dangerous operators. If any such operators are found during compilation, it will throw an InvalidQueryException with a message indicating the issue. This way, the error handling is centralized in the compile method, addressing your concerns about moving the condition out of compile. Please review
- Status changed to Needs work
9 months ago 12:01pm 11 April 2024 - Status changed to Needs review
9 months ago 9:18pm 11 April 2024 - Status changed to RTBC
9 months ago 5:37pm 12 April 2024 - ๐บ๐ธUnited States smustgrave
Replacement of trigger_error for InvalidQueryException() seems good.
Nothing has broken.
- ๐ฌ๐งUnited Kingdom catch
Read through the MR first and had various questions about the claims in the comment we're removing, then read the discussion on here and it answered all those questions.
Committed/pushed to 11.x, thanks!
- Status changed to Fixed
9 months ago 8:14pm 12 April 2024 Automatically closed - issue fixed for 2 weeks with no activity.