Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Form _submit and _validate callbacks should not call user_access() checks. Doing so interferes with form processing and can break hook_form_alter().
Looks like the form itself needs to be rewritten to pass appropriate values to trigger certain conditions.
Comment | File | Size | Author |
---|---|---|---|
#24 | topic-687584-24.patch | 2.36 KB | BBommarito |
#14 | 687584-comment-form-submit-access.patch | 2.34 KB | dixon_ |
#13 | remove-access-checks-687584-13.patch | 2.33 KB | oriol_e9g |
#10 | 687584.patch | 2.34 KB | jarodms |
#5 | 687584.patch | 2.33 KB | pgrond |
Comments
Comment #1
Dave Cohen CreditAttribution: Dave Cohen commented+1. Also breaks drupal_form_submit(), when called from say a cron job as anonymous user.
Comment #2
agentrickardMoving
Comment #3
oriol_e9gFirst solve and discuss in this issue http://drupal.org/node/687586 and then come back here to apply the same solution.
Comment #4
oriol_e9gComment #5
pgrond CreditAttribution: pgrond commentedCreated patch with solution from issue http://drupal.org/node/687586
Comment #6
pgrond CreditAttribution: pgrond commentedComment #7
rickmanelius CreditAttribution: rickmanelius commentedWhat exactly would we be testing for here? If it's removing the access controls checks, how would the result to the user appear differently based on the patch? Or would we check via some log file?
Comment #8
agentrickardThe test would be if the message is/is not present based on which user is passed to the function, yes?
Comment #9
xjmThanks for the patch! Here's a patch review with some code style pointers:
Is it better to use
$form_state
or$form
here?Trailing whitespace.
Misspelling and a missing period.
Trailing whitespace.
Indentation is off; trailing whitespace; needs capitalization and a period. I'd suggest: "Check whether the user can administer comments."
7 days to next Drupal core point release.
Comment #10
jarodms CreditAttribution: jarodms commentedMinor changes based on feedback from #9. All tests passed.
Comment #11
rickmanelius CreditAttribution: rickmanelius commentedComment #12
oriol_e9gMinor: Whitespaces.
Comment #13
oriol_e9gReroll without whitespaces.
Comment #14
dixon_The patch looks fine to me, it solves the problem. Some minor things though:
Too much indentation.
I'd like to have a little bit more descriptive variable names here.
$is_admin
is used in other places in core. So$can_post
should be fine too, yes?0 days to next Drupal core point release.
Comment #15
agentrickardLooking good!
Comment #16
oriol_e9gWe can continue the work here:
Review this patch with the same approach: #687586: Remove access check from user_register_submit()
Roll a similar patch: #687588: Remove access check from submit() in UserCancelForm
Comment #17
catchIf this breaks hook_form_alter() or drupal_form_submit(), it should be possible to write a test for that.
Also if this is something we need to apply lots of places (and presumably contrib is doing the same thing wrong), is there somewhere central that could be documented?
Comment #18
agentrickardIt's in Drupal 7 Module Development :-p
Comment #19
dixon_I guess the way that this "breaks"
hook_form_alter()
is if a contrib module alters in another submit handler and doesn't do the equivalent checks (which might be a valid use case)?This patch will only make it easier to do those checks by adding the result of the permission checks to values in
$form_state
. It doesn't fix anything else, does it?So, does it really make sense to add tests for that -- the fact that it'll be easier to do a form alter the right way?
Comment #20
agentrickard@dixon_ is correct. This change doesn't break anything. It makes proper hook_form_alter() possible, since the form submit behavior is no longer hardcoded.
The only way (IMO) to have tests for it is to provide a proper test framework for form introspection -- e.g. the ability to compare $form array values before and after a hook_form_alter() -- which I don't think exists yet.
@catch
Here's the original list of the behavior:
These issues should all be tagged 'D7DX'. We had a meta-tracking issue, but it was deprecated.
Here are active issues I'm aware of:
#687588: Remove access check from submit() in UserCancelForm
#687586: Remove access check from user_register_submit()
#683778: Remove permission checks from _validate() and _submit() handlers -- the original issue report
Comment #21
dixon_So, my conclusion is that we don't need tests for this, no? It doesn't need tests because it's generally just a cleanup.
Comment #22
xjmHm. Maybe if we had Object FAPI we could test it properly. So no tests then?
Tagging as novice for the task of rerolling the Drupal 8.x patch on account of #22336: Move all core Drupal files under a /core folder to improve usability and upgrades.
If you need help rerolling this patch, you can come to core office hours or ask in #drupal-gitsupport on IRC.
Comment #23
BBommarito CreditAttribution: BBommarito commentedComment #24
BBommarito CreditAttribution: BBommarito commentedReroll
Comment #25
BBommarito CreditAttribution: BBommarito commentedComment #26
xjmThanks!
Comment #27
kscheirer#24: topic-687584-24.patch queued for re-testing.
Comment #29
andypostShould be fixed in #2227503: Apply formatters and widgets to Comment base fields