When you send a form (edit/create) to be validated, if you pass the form POST array serialized, it WILL pass through ALL the rules you have made for "while form is being validated" or "post has been submitted" ... This can cause a major security flaw for someone who wants to block some info from being recorded in the database under certain circumstances... The form will "pass by" without stopping ...

Example:

Include a JS script in the form.tpl where you invoke the form:

function xx() {
  // Whatever your node form ID is; this is an example.
  $('#node-form').submit(function() {
    // Post the serialized form fields to the form's action URL via AJAX.
    $.post($(this).attr('action'), $(this).serialize(), function(response) {
      // Look for an error message block followed by the re-rendered node form.
      var tmp = response.match(/<div class="messages error">[\s\S]+id="node-form"[\s\S]+<\/form>/g);
      if (tmp) {
        // whatever
      }
      else {
        // anything
      }
    });
    return false;   // for some reason it is important not to be redirected, to pass through ....
  });
}

If we send "$(this).serialize()" as the object "this" without serializing it for AJAX, no problem, the rules will listen for that form ... Otherwise (like above) it will pass and the user can send anything ... Well, even without JS included, knowing the flaw, anyone with minimal knowledge could possibly pass through the Rules form process without major problems ...

PS: thank you for your work ... Alex.

Comments

dutch45612:

Assigned: dutch45612 » Unassigned
dutch45612:

Title: serialized POST pass completely through Rules conditional . » RULES and AJAX form support.
Status: Active » Closed (fixed)

OK, got it, case closed ...

For some reason Rules simply was not detecting that the form state was submitted, since it was submitted by AJAX ... Well, in the file rules_forms.module, in the function rules_forms_after_build, changing:

  if (!$form_state['submitted']) {
    return $form;
  }

to:

  if (!isset($form_state['submitted'])) {
    return $form;
  }

makes it detect that the form is submitted, not returning the form before applying your rules on the spot.

tuccio:

Status: Closed (fixed) » Needs review

I am using Rules version 6.x-1.4 and had the same problem when trying to trigger an event on a chat AJAX form submission, until I found this post and modified the code accordingly. Shouldn't this have been fixed back then? But thanks a lot in any case.

YK85:

+1 subscribing

fago:

Category: bug » support
klausi:

Priority: Critical » Normal
Status: Needs review » Postponed (maintainer needs more info)

No patch to review here, and the approach seems wrong to me. The submit and validation handlers are only added to the form when it has been submitted; that's what they are meant for. I'm not sure what comes in on AJAX requests and how we could handle them.
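An added example, not code from this thread or from the Rules module, covering both the original report (rules not applied to a jQuery-serialized POST) and the after_build change in the first comment: a Drupal 6 hook_form_alter() that puts the enforcement in a #validate handler on the node form instead of attaching handlers from an after_build callback that returns early unless $form_state['submitted'] is set. jQuery's .serialize() leaves the submit button out of the payload, so a POST built that way does not tell Drupal which button was pressed and the 'submitted' flag is not set; a #validate handler added in hook_form_alter does not depend on that flag, so the same server-side check applies to AJAX and normal submissions alike. The module name 'mymodule' is an assumption; 'administer nodes' is a core permission and 'status' is the standard node form element.

```php
<?php
// Added example (not from the Rules module or this thread).
// Assumptions: module name 'mymodule'; Drupal 6 Form API.

/**
 * Implementation of hook_form_alter().
 *
 * Attach the check to every node edit/create form ('<type>_node_form') as a
 * #validate handler, so it runs for any POST of this form regardless of how
 * the client built the request.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if (isset($form['#node']) && $form_id == $form['#node']->type . '_node_form') {
    $form['#validate'][] = 'mymodule_node_form_validate';
  }
}

/**
 * Validation handler: refuse to record a published node from users who lack
 * 'administer nodes'. form_set_error() flags the field and prevents the
 * submit handlers (and thus the database write) from running.
 */
function mymodule_node_form_validate($form, &$form_state) {
  // 'status' is the node form's publishing option; its value is flattened
  // into $form_state['values'] because the options fieldset is not #tree.
  if (!empty($form_state['values']['status']) && !user_access('administer nodes')) {
    form_set_error('status', t('You are not allowed to publish this content.'));
  }
}
```

The point of the placement is that the condition is evaluated by Drupal's own validation pass for the form, not by a callback that first has to decide whether the form "looks submitted"; whatever the client omits from the POST, the rule still runs and a failed check still blocks the save.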

klausi:

Version: 6.x-1.x-dev » 7.x-2.x-dev
Component: Forms Support » Rules Engine
Category: support » bug
Priority: Normal » Critical
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closed since no further information has been provided. Reopen if still an issue.