drupal/rat

Maintainers

Details

git.drupalcode.org/project/rat.git

Installs: 585 719

Dependents: 2

Suggesters: 0

Security: 0

1.0.0 2023-07-19 20:22 UTC

Requires

  • php: ^7.4 || ^8.0

Requires (Dev)

gpl-2.0-or-later 28202b02262a39ac8dbbfd43696b67c0c8c46b71

  • Merlin <merlin.woop@geeks4change.net>

This package is auto-updated.

Last update: 2024-04-19 22:06:07 UTC

README

See Examples.

Don't mess with #access!

One of the reasons for this library is the restrictAccess method. Altering the #access property of a render array is quite dangerous, and the restrictAccess method does the heavy lifting to do it safely.

So what can happen. Take this example:

$fieldRenderable['#access'] = $fieldIsTranslatable;

What can happen? If this code is not the only one messing with the render array, and there are other components doing their work before this one, then a lot can happen. And in Drupal, due to the complex nature of the build and render process, this is usually the case.

Another component may have set access to false, and this code overwrites it to true, and boom.

Even more tricky: Another component may have sett access to a AccessResult object which contains cacheability. Which is overwritten, and boom.

Both cases open the door for information disclosure. Not good.

It turns out that restricting access and adding cacheability, while preserving cacheability from other components is not trivial. RenderArrayTool to the rescue!

// Add access restriction and cacheability, while preserving any existing access
// restrictions, including cacheability.
\Drupal\rat\v1\RenderArray::alter($fieldRenderable)
  ->restrictAccess($fieldIsTranslatable, $fieldConfig);