Commit 3fc5c8af authored by catch's avatar catch

Issue #3293077 by longwave: Enforce TrustedCallbackInterface in #date_date_callbacks

(cherry picked from commit 29ae0b68)
parent 3527513c
+2 −3
@@ -9,7 +9,6 @@
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Security\DoTrustedCallbackTrait;
use Drupal\Core\Security\StaticTrustedCallbackHelper;
use Drupal\Core\Security\TrustedCallbackInterface;

/**
 * Provides a datelist element.
@@ -267,8 +266,8 @@ public static function processDatelist(&$element, FormStateInterface $form_state
    // Allows custom callbacks to alter the element.
    if (!empty($element['#date_date_callbacks'])) {
      foreach ($element['#date_date_callbacks'] as $callback) {
        $message = sprintf('Datelist element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
        StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message, TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION);
        $message = sprintf('Datelist element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
        StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message);
      }
    }
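Review bot: The comment above the `#date_date_callbacks` loop in processDatelist() still says only "Allows custom callbacks to alter the element", although an untrusted callback now appears to abort form processing instead of raising a silenced deprecation. This assumes StaticTrustedCallbackHelper::callback() throws when the error-type argument is omitted, which the updated tests (expecting UntrustedCallbackException) suggest. I would state the contract at the loop: `// Callbacks must be closures or methods of a class implementing TrustedCallbackInterface; anything else throws UntrustedCallbackException.` The same applies to the `#date_date_callbacks` and `#date_time_callbacks` loops in processDatetime() in the next file. Both functions start and end outside the hunks shown.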

+4 −5
@@ -9,7 +9,6 @@
use Drupal\Core\Datetime\Entity\DateFormat;
use Drupal\Core\Security\DoTrustedCallbackTrait;
use Drupal\Core\Security\StaticTrustedCallbackHelper;
use Drupal\Core\Security\TrustedCallbackInterface;

/**
 * Provides a datetime element.
@@ -273,8 +272,8 @@ public static function processDatetime(&$element, FormStateInterface $form_state
      // Allows custom callbacks to alter the element.
      if (!empty($element['#date_date_callbacks'])) {
        foreach ($element['#date_date_callbacks'] as $callback) {
          $message = sprintf('DateTime element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
          StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message, TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION);
          $message = sprintf('DateTime element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
          StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message);
        }
      }
    }
@@ -304,8 +303,8 @@ public static function processDatetime(&$element, FormStateInterface $form_state
      // Allows custom callbacks to alter the element.
      if (!empty($element['#date_time_callbacks'])) {
        foreach ($element['#date_time_callbacks'] as $callback) {
          $message = sprintf('DateTime element #date_time_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
          StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message, TrustedCallbackInterface::TRIGGER_SILENCED_DEPRECATION);
          $message = sprintf('DateTime element #date_time_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString($callback));
          StaticTrustedCallbackHelper::callback($callback, [&$element, $form_state, $date], $message);
        }
      }
    }
+4 −5
@@ -8,6 +8,7 @@
use Drupal\Core\Form\FormState;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Security\TrustedCallbackInterface;
use Drupal\Core\Security\UntrustedCallbackException;
use Drupal\KernelTests\KernelTestBase;

/**
@@ -116,16 +117,14 @@ public function testDatelistElement() {
  }

  /**
   * Tests that deprecations are raised if untrusted callbacks are used.
   * Tests that exceptions are raised if untrusted callbacks are used.
   *
   * @group legacy
   */
  public function testDatelistElementUntrustedCallbacks() : void {
    $this->expectException(UntrustedCallbackException::class);
    $this->expectExceptionMessage(sprintf('Datelist element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datelistDateCallback'])));
    $form = \Drupal::formBuilder()->getForm($this, 'datelistDateCallback');
    $this->expectDeprecation(sprintf('Datelist element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datelistDateCallback'])));
    $this->render($form);

    $this->assertTrue($form['datelist_element']['datelistDateCallbackExecuted']['#value']);
  }

  /**
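Review bot: `@group legacy` appears to stay on testDatelistElementUntrustedCallbacks() even though the test no longer expects a deprecation; the page has lost its +/- markers, so this is read from the hunk's line counts. That group normally relaxes deprecation handling for the test, so an unrelated deprecation raised while building the form could go unnoticed in a test that guards a security check. I would drop the `* @group legacy` line from the docblock. The same annotation remains on testDatetimeElementUntrustedCallbacks() in the next file.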
+10 −8
@@ -8,6 +8,7 @@
use Drupal\Core\Form\FormState;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Security\TrustedCallbackInterface;
use Drupal\Core\Security\UntrustedCallbackException;
use Drupal\KernelTests\KernelTestBase;

/**
@@ -149,18 +150,19 @@ public function testDatetimeElement() {
   *   Name of the callback to use for the date-time date callback.
   * @param string $time_callback
   *   Name of the callback to use for the date-time time callback.
   * @param string|null $expected_deprecation
   *   The expected deprecation message if a deprecation should be raised, or
   * @param string|null $expected_exception
   *   The expected exception message if an exception should be thrown, or
   *   NULL if otherwise.
   *
   * @dataProvider providerUntrusted
   * @group legacy
   */
  public function testDatetimeElementUntrustedCallbacks(string $date_callback = 'datetimeDateCallbackTrusted', string $time_callback = 'datetimeTimeCallbackTrusted', string $expected_deprecation = NULL) : void {
    $form = \Drupal::formBuilder()->getForm($this, $date_callback, $time_callback);
    if ($expected_deprecation) {
      $this->expectDeprecation($expected_deprecation);
  public function testDatetimeElementUntrustedCallbacks(string $date_callback = 'datetimeDateCallbackTrusted', string $time_callback = 'datetimeTimeCallbackTrusted', string $expected_exception = NULL) : void {
    if ($expected_exception) {
      $this->expectException(UntrustedCallbackException::class);
      $this->expectExceptionMessage($expected_exception);
    }
    $form = \Drupal::formBuilder()->getForm($this, $date_callback, $time_callback);
    $this->render($form);

    $this->assertTrue($form['datetime_element']['datetimeDateCallbackExecuted']['#value']);
@@ -178,12 +180,12 @@ public function providerUntrusted() : array {
      'untrusted date' => [
        'datetimeDateCallback',
        'datetimeTimeCallbackTrusted',
        sprintf('DateTime element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datetimeDateCallback'])),
        sprintf('DateTime element #date_date_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datetimeDateCallback'])),
      ],
      'untrusted time' => [
        'datetimeDateCallbackTrusted',
        'datetimeTimeCallback',
        sprintf('DateTime element #date_time_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. Support for this callback implementation is deprecated in drupal:9.3.0 and will be removed in drupal:10.0.0. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datetimeTimeCallback'])),
        sprintf('DateTime element #date_time_callbacks callbacks must be methods of a class that implements \Drupal\Core\Security\TrustedCallbackInterface or be an anonymous function. The callback was %s. See https://www.drupal.org/node/3217966', Variable::callableToString([$this, 'datetimeTimeCallback'])),
      ],
    ];
  }
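Review bot: The new signature of testDatetimeElementUntrustedCallbacks() declares `string $expected_exception = NULL`, which is nullable only implicitly through its default, while the docblock documents `string|null`. Implicit nullability is deprecated as of PHP 8.4; `?string $expected_exception = NULL` matches the documented type. Separately, `if ($expected_exception)` tests truthiness, and `if ($expected_exception !== NULL)` would state the intent exactly.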