Suppose you have two roles:
- advertiser
- site admin
The advertiser cannot set the expiration date. The site admin can. The site admin has configured an expiration date. The advertiser then edits the advertisement, but upon saving, even without changing a single thing, he gets this error: "Please select a valid time to automatically expire this ad."
But he cannot even *access* this setting!
The problem lies in the fact that the input data for 'autoexpire' (and 'autoactivate' is in an identical situation) is a string that is converted to an integer (timestamp) using strtotime. When the node is loaded, it is loaded as the integer (well, an integer in a string). So when the user has no access to the corresponding form items, these integers will be passed through strtotime() as well. Which will return false. Which causes the form validation error.
Patch attached.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | ad_nodeapi_validate_bug-2.patch | 4.41 KB | wim leers |
| ad_nodeapi_validate_bug.patch.patch | 1.22 KB | wim leers |
Comments
Comment #1
wim leersApparently it's worse.
In the above story, when the advertiser edits and saves the node (which works thanks to the patch above), then both timestamps actually get reset to 0!
Comment #2
wim leersThis fixes it.
My god, this reminds me how stupid, ugly and counter-intuitive node API is … Changes made to $node in 'validate' aren't passed through — while $node is passed in by reference!
Comment #3
jeremy commentedThanks! Fix committed:
http://drupal.org/cvs?commit=295712
Please don't reformat queries into ways that don't match core's coding style, or the ad module's coding style. I reverted the formatting changes.
Comment #4
wim leersOk, will remember.
I just got sick of scrolling to the right every time: I like to see all code of a query at once.