[1.0.x] Confirm Unpublish

Thank you for applying!

Please read Review process for security advisory coverage: What to expect → for more details and Security advisory coverage application checklist → to understand what reviewers look for. Tips for ensuring a smooth review → gives some hints for a smoother review.

The important notes are the following.

• If you have not done it yet, you should run phpcs --standard=Drupal,DrupalPractice on the project, which alone fixes most of what reviewers would report.
• For the time this application is open, only your commits are allowed.
• The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status won't be changed by this application and no other user will be able to opt projects into security advisory policy.
• We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

To the reviewers

Please read How to review security advisory coverage applications → , Application workflow → , What to cover in an application review → , and Tools to use for reviews → .

The important notes are the following.

• It is preferable to wait for a Code Review Administrator before commenting on newly created applications. Code Review Administrators will do some preliminary checks that are necessary before any change on the project files is suggested.
• Reviewers should show the output of a CLI tool → only once per application.
• It may be best to have the applicant fix things before further review.

For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues → .

As a side note, since this project is new, it is not possible to opt into security advisory policy for this project before 10 days are passed.

1. FILE: composer.json

    "require": {
      "drupal/core": "^9 || ^10 || ^11"
    },

FILE: confirm_unpublish.info.yml

core_version_requirement: ^9 || ^10 || ^11

A new project should not declare itself compatible with a Drupal release that is no longer supported. No site should be using Drupal 8 nor Drupal 9, and people should not be encouraged to use those Drupal releases.

2. FILE: confirm_unpublish.module

/**
 * Implements hook_form_FORM_ID_alter().
 */
function confirm_unpublish_form_node_form_alter(&$form, FormStateInterface $form_state, $form_id) {

The description for that hook should also say for which form that hook is implemented, either by indicating that with the name of the class that implements the form (namespace included) or the form ID (which is usually indicated by getFormId()).

Thanks everyone for the quick response and I apologize for my delayed response.

@avpaderno I wasn't aware there was a 10 day waiting period. I appreciate the info and I'm definitely ok with that.

@ vishal.kadam thank you for pointing out those issue. I have corrected the core version requirements in the .info and just removed it from composer since it didn't need to be there. I also updated the comment to be more specific in the .module file. All changes are current in the 1.x branch.

I did work this evening to get all the CI passing as well. Ran into some issues with that but got them all straightened out. Please let me know if there is anything else I need to do.

Setting back to needs review.

Updating priority according to issue priorities → .

• The following points are just a start and don't necessarily encompass all of the changes that may be necessary
• A specific point may just be an example and may apply in other places
• A review is about code that does not follow the coding standards, contains possible security issue, or does not correctly use the Drupal API
• The single review points are not ordered, not even by importance

src/Controller/ConfirmUnpublishController.php

Since that class does not use methods from the parent class, it does not need to use ControllerBase as parent class. Controllers do not need to have a parent class; as long as they implement \Drupal\Core\DependencyInjection\ContainerInjectionInterface, they are fine.

src/Form/ConfirmUnpublishSettingsForm.php

  /**
   * Constructs the settings form.
   */
  public function __construct(ConfigFactoryInterface $config_factory, EntityStorageInterface $node_type_storage) {
    $this->setConfigFactory($config_factory);
    $this->nodeTypeStorage = $node_type_storage;
  }

The parent class requires the $typedConfigManager parameter; this is a change introduced in Drupal 10.2. The project cannot be compatible with Drupal 10 and Drupal 11; it needs at least Drupal 10.2.

    $form['logging'] = [
      '#type' => 'checkbox',
      '#title' => $this->t('Log unpublishing actions to <a href="/admin/reports/dblog" target="_blank">Recent Log Messages</a>.'),
      '#description' => $this->t('This will log the user who confirmed the unpublish action. E.g. "User %user confirmed unpublish of %alias."'),
      '#default_value' => $config->get('logging'),
    ];

With Drupal 10 and Drupal 11, there is no longer need to use #default_value for each form element, when the parent class is ConfigFormBase: It is sufficient to use #config_target, as in the following code.

    $form['image_toolkit'] = [
      '#type' => 'radios',
      '#title' => $this->t('Select an image processing toolkit'),
      '#config_target' => 'system.image:toolkit',
      '#options' => [],
    ];

Using that code, it is no longer needed to save the config values in the form submission handler: The parent class will take care of that.

confirm_unpublish.module

    $form['#attached']['drupalSettings']['confirm_unpublish'] = [
      'message' => $config->get('alert_text'),
      'logging' => $config->get('logging'),
      'user_id' => \Drupal::currentUser()->id(),
      'node_id' => $form_state->getFormObject()->getEntity()->id(),
    ];

The message passed to JavaScript should be the translated configuration value.

js/confirm_unpublish.js

          const message =
            drupalSettings.confirm_unpublish.message ||
            'Are you sure you want to unpublish this node?';

To translate a string, JavaScript code can use Drupal.t().

Thank you @ avpaderno for those suggestions.... I have made the requested changes and tagged a new release.

Setting back to "Needs Review".

Hi! Quick note: you don't need to tag a new release after every feedback. We're reviewing directly the branch specified in the title of the ticket, in this case 1.x.

Below you have my feedback:

There are pending PHP Code Sniffer warnings and errors:

FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.routing.yml
---------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
---------------------------------------------------------------------------------------
 14 | ERROR | [x] Expected 1 newline at end of file; 2 found
---------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
---------------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.module
----------------------------------------------------------------------------------
FOUND 1 ERROR AND 3 WARNINGS AFFECTING 4 LINES
----------------------------------------------------------------------------------
  1 | ERROR   | [x] Missing file doc comment
  3 | WARNING | [x] Unused use statement
  4 | WARNING | [x] Unused use statement
 28 | WARNING | [ ] Only string literals should be passed to t() where possible
----------------------------------------------------------------------------------
PHPCBF CAN FIX THE 3 MARKED SNIFF VIOLATIONS AUTOMATICALLY
----------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.info.yml
------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
------------------------------------------------------------------------------------
 7 | ERROR | [x] Expected 1 newline at end of file; 2 found
------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
------------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.permissions.yml
-------------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
-------------------------------------------------------------------------------------------
 3 | ERROR | [x] Expected 1 newline at end of file; 2 found
-------------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
-------------------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.libraries.yml
-----------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
-----------------------------------------------------------------------------------------
 9 | ERROR | [x] Expected 1 newline at end of file; 2 found
-----------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
-----------------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/config/install/confirm_unpublish.settings.yml
-------------------------------------------------------------------------------------------------------
FOUND 1 ERROR AFFECTING 1 LINE
-------------------------------------------------------------------------------------------------------
 4 | ERROR | [x] Expected 1 newline at end of file; 0 found
-------------------------------------------------------------------------------------------------------
PHPCBF CAN FIX THE 1 MARKED SNIFF VIOLATIONS AUTOMATICALLY
-------------------------------------------------------------------------------------------------------


FILE: /var/www/html/web/modules/contrib/confirm_unpublish/confirm_unpublish.routing.yml
------------------------------------------------------------------------------------------------------------------
FOUND 0 ERRORS AND 1 WARNING AFFECTING 1 LINE
------------------------------------------------------------------------------------------------------------------
 14 | WARNING | Open page callback found, please add a comment before the line why there is no access restriction
------------------------------------------------------------------------------------------------------------------

- There is no schema definition for the confirm_unpublish.settings config
- There is no guarantee that the basic_html text format exists in the target site. For example, installing a Drupal site using the Minimal profile does not create the Basic HTML text format. Maybe you could add it as an optional config dependency or consider splitting the text. Also, having a class in the p tag might get stripped on some sites
- The controller is still extending the ControllerBase class and overriding two properties
- The __construct methods do not require a description anymore. It's optional if you want to keep it or remove it
- src/Controller/ConfirmUnpublishController.php line 107 when the node object is available, the canonical path could be retrieved from the object: $node->toUrl()->toString()
- src/Form/ConfirmUnpublishSettingsForm.php the __construct method is missing the parent call
- The "require" section in composer.json is empty it should probably be removed if not used
- For a new module that aims to be compatible with Drupal 10 and Drupal 11, I would rather implement hooks as class methods as described in Support for object oriented hook implementations using autowired services →
- The open access in routing which is also pointed out by PHPCS needs to be resolved

This is totally true: Releases should not be created after each review done here.
It is better not to create new release during these applications, since a review could ask for a change that is not backward compatible with the existing releases. Just using a development version avoids those BC issues.