While working on some top secret awesomesauce, I realized that we do not properly use Form API to validate usernames in autocompletes.

CommentFileSizeAuthor
#7 drupal.user-element-validate-name.7.patch4.5 KBsun
#4 drupal.user-element-validate-name.4.patch4.36 KBsun
drupal.user-element-validate-name.patch4.32 KBsun

Comments

sun’s picture

sun
Primary language German
Location Karlsruhe
commented

Should we additionally replace the element's value with the uid on successful validation, so the form submit handler gets a fully validated and resolved user id as value and doesn't have to deal with a name?

dries’s picture

dries commented

Both approaches seem valid, however this approach allows for a bit more re-use which is nice.

I'd let the validate handler focus on validating the username -- at least for now -- so no need to return anything extra IMO. It wouldn't be an elegant API, IMO.

sun’s picture

sun
Primary language German
Location Karlsruhe
commented

yup - we may rethink that for D8.

But until then, this element validation handler works well for core, and there are many modules in contrib that would be happy to re-use it.

I'll jump in circles when http://api.drupal.org/api/function/node_validate/7 will be almost empty someday ;)

sun’s picture

sun
Primary language German
Location Karlsruhe
commented
StatusFileSize
new drupal.user-element-validate-name.4.patch4.36 KB

Slightly improved the comments.

sun requested that failed test be re-tested.

damien tournoud’s picture

damien tournoud commented

#564702: The user module should use #element_validate is passing now, and also implements a (slightly smarter) user_name_element_validate() why not merge the two?

sun’s picture

sun
Primary language German
Location Karlsruhe
commented
StatusFileSize
new drupal.user-element-validate-name.7.patch4.5 KB

To remove potential conflicts with #564702: The user module should use #element_validate, I renamed the #element_validate function name and added a '_autocomplete' suffix.

Makes sense.

mr.baileys’s picture

mr.baileys
Primary language Dutch
Location 🇧🇪 (Ghent)
commented

Applied the patch and tested it locally and the patch works as advertised.

Some comments/questions after reviewing:

  1. + * Form elements should additionally set #required => TRUE when a valid user is
+ * required. Otherwise, it is assumed that an empty string will be used to
+ * denote the anonymous user.

    IMO, if this function is to be reused elsewhere, the comment should not make assumptions about how an empty, non-required, value is handled (ie empty string does not necessarily denote the anonymous user, it might just mean no user at all). Same comment for the comment within the function body. 

  2. +function user_element_validate_name_autocomplete($element) {

    The _autocomplete suffix feels a bit strange to me. Validation is not really related to the autocomplete portion of this element. What about user_validate_author($element)?

  3. PageEditTestCase in node.test currently does not test author/username validation. Should this patch add it or is that outside of the scope of this patch?
sun’s picture

sun
Primary language German
Location Karlsruhe
commented

1 + 2) As the function name implies, this function is to validate existing user names, potentially in an autocomplete. It's possible that replacing _autocomplete with _existing might make more sense, not sure.

In general, however, this function needs a distinct suffix, so it doesn't clash with the proposed #element_validate functions proposed in #564702: The user module should use #element_validate.

3) Are you sure that the node author functionality is not tested anywhere (else)? Note that this user name form element is usually only visible to admins, so you might have looked at the wrong test. If it is really not, that would be disastrous.

sun’s picture

sun
Primary language German
Location Karlsruhe
commented
Version: 7.x-dev » 8.x-dev
klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Status: Needs review » Needs work

does not apply anymore

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Issue summary: View changes
Status: Needs work » Closed (outdated)

This code has changed so much in the meantime that we don't even validate the comment user name like that anymore. Feel free to reopen if this issue still exists.