Skip to content
- Please use dependency injection in place of static calls to different services like database.
 - You should use a constant or configuration for the BASE_URL of the external URL (https://my.sendinblue.com). This should not be hardcoded at multiple places in code. 
- sendinblue_page_attachments(): why do you add you admin library to every page? You should only add it on the render array of admin pages?
 - SendinblueManager: do not call mail() directly, use Drupal's configured mail system instead. This is currently a blocker because developers expect that on a dev site no emails go out if they have configured a dev mail system. If you are using mail() directly then you are bypassing that assumption and a developer might send unintended mails from their dev site.
 - SignupAccessControlHandler: a default of allowing access at the end of the checkAccess() method is not a good idea. A default to deny access to avoid any access bypass problems is more secure.
 - class Signup: the doc blocks seems copied from an example module? Please replace all wrong example docs with real docs about your entity.
 - ConfigurationSendinblueForm::validateForm(): Du not change configuration in a validation method, that should be done in the submit method.
 - ConfigurationSendinblueForm::validateForm(): do not flush caches in a validation method, should also be done on submit only. drupal_flush_all_caches() s expensive, can you only flush the menu related caches?
 - class RegisteringUserForm: doc block talks about SMTP, but it looks like the class is dealing with user registrations? Please update all your class doc comments.
 - I double checked that the D7 permission related vulnerability is fixed on the 7.x-1.x branch, so we should be good there.
 - I fix all Drupal and DrupalPractice PHPCS