Contrib.social

Remove caching in HoneypotService::getProtectedForms preventing proper invalidation

Open on Drupal.org β†’
Created on 17 October 2024, 6 months ago

Problem/Motivation

HoneypotService::getProtectedForms uses drupal_static + cache backend.
This is problematic when honeypot.settings form_settings config changes, as the changes are not reflected in the returned array from that method.

Steps to reproduce

This is easier to reproduce programmatically:

// Initial state, we have a protected form.
\Drupal::configFactory()->getEditable('honeypot.settings')->set('form_settings', ['user_register_form'  => TRUE])->save();
$forms = \Drupal::service('honeypot')->getProtectedForms();
var_dump($forms);
\assert($forms === ['user_register_form']);

// Empty form_settings, we should have no protected forms.
\Drupal::configFactory()->getEditable('honeypot.settings')->set('form_settings', [])->save();
// uncomment this to make it pass:
// drupal_flush_all_caches();
$forms = \Drupal::service('honeypot')->getProtectedForms();
var_dump($forms);
\assert($forms === []);

Proposed resolution

- Drop the drupal_static: looks like legacy prior to #2949447: Expose honeypot protection via service β†’
- Drop the cache backend, there is very little advantage of caching this in terms of performance IMHO. If we really want to keep it it should pass cache tags when being set in order to be invalidated correctly.
$this->cacheBackend->set($cache_key, $forms, Cache::PERMANENT, $this->config->getCacheTags());

So the whole method could be simplified to this, in order to leverage config invalidation properly.

public function getProtectedForms(): array {
  return array_keys(array_filter($this->config->get('form_settings') ?? []));
}

Remaining tasks

?

User interface changes

None

API changes

None

Data model changes

None

πŸ› Bug report
Status

Active

Version

2.2

Component

Code

Created by

πŸ‡§πŸ‡ͺBelgium herved

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @herved
  • Merge request !49Remove caching in HoneypotService::getProtectedForms preventing proper invalidation. β†’ (Merged) created by herved
  • Pipeline finished with Success
    6 months ago
    Total: 206s
    #312351
  • Pipeline finished with Success
    6 months ago
    Total: 208s
    #312378
  • Comment 6 months ago β†’
    πŸ‡§πŸ‡ͺBelgium herved
  • Comment 6 months ago β†’
    πŸ‡§πŸ‡ͺBelgium herved

    Here is a patch that applies cleanly to 2.2.0

  • Pipeline finished with Success
    6 months ago
    Total: 216s
    #312603
  • Comment 6 months ago β†’
    πŸ‡§πŸ‡ͺBelgium herved

    Leftover in HoneypotSettingsForm::submitForm...
    MR updated, and here's the updated 2.2.0 patch

  • Pipeline finished with Success
    6 months ago
    Total: 286s
    #313354
  • Comment 6 months ago β†’
    πŸ‡§πŸ‡ͺBelgium herved

    Leftover again...
    MR updated, and updated 2.2.0 patch

  • Comment 6 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States tr Cascadia

    Yes, looking at the logs, it's legacy code that was added in the D7 version of Honeypot in 2011 by #1264822: More forms to select for protections β†’ . The port to D8 was made in 2014 by replacing variable_get() and cache_set() with their D8 equivalents.

    There have been no substantive changes to this piece of code since then. It was moved unchanged into a service and then a long-standing typing error (returning null instead of an array) was discovered and fixed because testing was failing with the service in the issue you mentioned.

    I never understood why this double-caching method was implemented - there are no comments in the code. But I have left that section of code alone because up until now there have been no issues reported with it and I assumed there must have been a reason for adding the caching - I didn't want to trigger an old problem by removing the caching. Now that I've looked at the logs and read the original issue to figure out why this was done, I still don't see a reason why it was put there in the first place.

    I have no problem with removing this legacy code.

    Is the ??[] needed here $this->config->get('form_settings') ?? []? I believe form_settings is always an array.

  • Comment 6 months ago β†’
    πŸ‡§πŸ‡ͺBelgium herved

    Is the ??[] needed here $this->config->get('form_settings') ?? []? I believe form_settings is always an array.

    Oh good point, indeed, otherwise it would have nullable: true in the config schema if I'm not mistaken.
    MR updated.

  • Pipeline finished with Success
    6 months ago
    Total: 278s
    #316084
  • Pipeline finished with Skipped
    4 months ago
    #375519
  • Comment 4 months ago β†’
    System Message
  • Status changed to Fixed 4 months ago
  • Comment 4 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States tr Cascadia
  • Comment 3 months ago β†’
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024