In this article we look at how your Drupal team can do code reviews, and at the tools and libraries that help team members review code seamlessly.
It is also important to follow a few guidelines so that every developer on the team is on the same page.
First, for code reviews to be at their best, the code committed and pushed to a branch should be well organised by the developers who commit it.
Whatever code is pushed to the branch should come with an explanation of:
- Why was this particular change made?
- What lines of code were changed, and how does the new code work?
- How to verify that the change actually worked?
If a commit or pull request is holding the above details, then code reviews can go pretty smoothly.
Second, everyone on the team should be aware of the workflow for code changes, from their local machine to the dev or higher environment.
Here's a standard flow:
- Create a Story branch or Feature branch from a Base branch (develop or master).
- Devs always write proper commit messages. Example: Story #1203: Validate form fields.
- Devs always pull the latest code from the Base branch before pushing the Story branch to the repository.
- Create a PR from the Story branch to the Base branch, and add the details mentioned in the first section above.
There are tools like PHP_CodeSniffer and Drupal Coder which help with automated checks. Use them on your local machine and also in GitHub workflows (here's an article on how to configure and use PHP_CodeSniffer in GitHub workflows).
The points discussed so far apply to all team members. Now we'll discuss what code reviewers should make sure to review before the code is pushed to a higher environment.
Is the code written in an appropriate, systematic way? Check for the following:
- Alters or validations are done in the module file, not in JS or jQuery.
- If any preprocessing of data is done, make sure no data is loaded twice or multiple times.
- Once the data is in the Twig file, don't load any further data from the DB at that point.
How secure is the written code?
- Make sure to use check_plain() and filter_xss() wherever needed, which will avoid cross-site scripting (XSS) exploits.
- Make sure it has a CSRF token if it's an API, to avoid cross-site request forgery (CSRF) exploits.
- Content access controls should be strictly followed; check the roles and permissions of everything that was modified.
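As an added example of the three security items above (not code from the article or from any Drupal project), a Drupal 7 module showing the unescaped page callback a reviewer should reject beside its hardened form, a CSRF-checked API callback, and permission checks kept in the router; the module name, paths and the custom permission are assumed. Note these are Drupal 7 functions: Drupal 8+ removed check_plain(), and Html::escape(), Xss::filter() and the route's _csrf_token requirement take their place.

```php
<?php
// Added review example (not from the original article), Drupal 7 APIs.
// Assumed custom module "review_demo": a page that echoes a name, a JSON save endpoint.

// hook_menu(): access is enforced by the router, not inside the callbacks.
function review_demo_menu() {
  $items['review-demo/greet'] = array(
    'page callback' => 'review_demo_greet',
    'access arguments' => array('access content'),
  );
  $items['review-demo/api/save'] = array(
    'page callback' => 'review_demo_api_save',
    'access arguments' => array('edit review demo data'), // assumed custom permission
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// BEFORE (what a reviewer should reject): raw input concatenated into markup,
// so a crafted ?name= value runs as script in every visitor's browser.
function review_demo_greet_unsafe() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'guest';
  return '<h2>Hello ' . $name . '</h2>';
}

// AFTER: plain text goes through check_plain(); markup that must keep a few
// tags goes through filter_xss() with an explicit allow-list.
function review_demo_greet() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'guest';
  $bio = isset($_GET['bio']) ? $_GET['bio'] : '';
  return '<h2>Hello ' . check_plain($name) . '</h2>'
    . '<div>' . filter_xss($bio, array('em', 'strong', 'p')) . '</div>';
}

// State-changing API endpoint: the client sends the token it obtained from
// drupal_get_token('review_demo_api_save'); a cross-site form post cannot
// supply a valid one, so the save is refused.
function review_demo_api_save() {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !drupal_valid_token($token, 'review_demo_api_save')) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_json_output(array('error' => 'Missing or invalid CSRF token.'));
    drupal_exit();
  }
  // ... apply the change here, then acknowledge.
  drupal_json_output(array('status' => 'ok'));
  drupal_exit();
}
```

In review, the diff against review_demo_greet_unsafe() is the pattern to look for: any user-controlled value reaching markup without check_plain() or filter_xss(), and any state-changing callback without a token check.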
Last, documentation should be maintained within the code, so that the code is as readable as possible.
To conclude, if the code reviewer and the rest of the team follow the minimum steps above, your code reviews should be in good shape.