Download & Extend
Issues

Remove access check from user_cancel_confirm_form_submit()

Posted by agentrickard on January 17, 2010 at 9:10pm
Project:Drupal core
Version:8.x-dev
Component:user.module
Category:bug report
Priority:normal
Assigned:tsphethean
Status:needs work
Issue tags:forms api, needs backport to D7, Novice

Issue Summary

Form _submit and _validate callbacks should not call user_access() checks. Doing so interferes with form processing and can break hook_form_alter().

Looks like the form itself needs to be rewritten to pass appropriate values to trigger certain conditions.

Login or register to post comments

Comments

#1

Posted by agentrickard on April 11, 2011 at 2:04pm
Version:7.x-dev» 8.x-dev
Issue tags:-D7DX+needs backport to D7, +Novice

Moving

#2

Posted by oriol_e9g on June 21, 2011 at 12:36pm
Assigned to:Anonymous» oriol_e9g

First solve and discuss in this issue http://drupal.org/node/687586 and then come back here to apply the same solution.

#3

Posted by oriol_e9g on September 14, 2011 at 10:51am
Assigned to:oriol_e9g» Anonymous

#4

Posted by dixon_ on September 29, 2011 at 6:46am

subscribing

#5

Posted by emclaughlin on January 7, 2012 at 3:01am
Assigned to:Anonymous» emclaughlin

The only place I can find that calls user_cancel_confirm_form_submit() in 8.x is user_multiple_cancel_confirm_submit(). I can't find anything that calls user_multiple_cancel_confirm_submit(). Is this some feature of drupal/php that I'm unaware of where some behind the behind the scenes mojo in user_cancel_confirm_form() calls user_cancel_confirm_form_submit() (or the equivalent for the multiple cancel)? Or are these both just functions that have been deprecated but are still used somewhere I can't find?

#6

Posted by pjcdawkins on January 8, 2012 at 12:28pm

@emclaughlin module_formID_submit() is called dynamically when the form generated by module_formID() is submitted successfully.

That's the default submit callback (others can be defined explicitly in $form['#submit']).

#7

Posted by tsphethean on March 20, 2012 at 8:30pm
Assigned to:emclaughlin» tsphethean

I have reviewed the approach in 687586 and applied the same approach here. Let me know if anything additional is required as I see that despite a successful patch the 687586 issue was re-opened.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-7.patch1.74 KBIdleFAILED: [[SimpleTest]]: [MySQL] 35,649 pass(es), 0 fail(s), and 1 exception(s).View details | Re-test

#8

Posted by tsphethean on March 20, 2012 at 8:30pm
Status:active» needs review

#9

Posted by System Message on March 20, 2012 at 8:52pm
Status:needs review» needs work

The last submitted patch, user-cancel_submit_remove-687588-7.patch, failed testing.

#10

Posted by tsphethean on March 20, 2012 at 10:03pm
Status:needs work» needs review

Revised patch attached - now checking for null response from user_access call

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-10.patch1.75 KBIdleFAILED: [[SimpleTest]]: [MySQL] 35,638 pass(es), 0 fail(s), and 1 exception(s).View details | Re-test

#11

Posted by System Message on March 20, 2012 at 10:26pm
Status:needs review» needs work

The last submitted patch, user-cancel_submit_remove-687588-10.patch, failed testing.

#12

Posted by tsphethean on March 20, 2012 at 10:54pm
Status:needs work» needs review

A little confused by why this is failing - I'm not getting the same notice when I test locally and stepping through adding debug output at each step has been successful.

I've added an extra isset check in this patch - hopefully that is ok but let me know if I'm missing something!

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-12.patch1.85 KBIdlePASSED: [[SimpleTest]]: [MySQL] 35,660 pass(es).View details | Re-test

#13

Posted by agentrickard on March 21, 2012 at 3:54pm

Looks good.

#14

Posted by oriol_e9g on March 21, 2012 at 4:24pm
Status:needs review» reviewed & tested by the community

Looks good, doesn't add new features and don't break anything, so...

#15

Posted by oriol_e9g on March 21, 2012 at 4:30pm
Status:reviewed & tested by the community» needs work

Wait!

1) Why use numbers here:

+     '#value' => ($admin_access ? 1 : 0),

And then we use a boolean for the same:

+  $admin_access = FALSE;

Should be more consistent use TRUE/FALSE in both places.

2) Instead of use this:

+  $admin_access = FALSE;

+  if (isset($form_state['values']['administer_users'])) {
+    $admin_access = $form_state['values']['administer_users'];
+  }

I think it's better the compact form:

$admin_access = isset($form_state['values']['administer_users']) ? $form_state['values']['administer_users'] : FALSE;

#16

Posted by agentrickard on March 21, 2012 at 5:11pm

I agree with TRUE/FALSE but Drupal coding standards dissuade the use of ternary expressions.

Please don't recommend changes that violate standards.

#17

Posted by agentrickard on March 21, 2012 at 5:15pm

For TRUE/FALSE and brevity, we can just use:

<?php
  '#value' =>  user_access('administer users'),
?>

In the IF, probably simpler to do this:

<?php
  $admin_access = !empty($form_state['values']['administer users'];
?>

Clear, concise and avoids the ternary operator.

#18

Posted by tsphethean on March 21, 2012 at 6:51pm
Status:needs work» needs review

Thanks for the feedback and suggestions. Revised patch attached.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-17.patch1.87 KBIdleFAILED: [[SimpleTest]]: [MySQL] 35,660 pass(es), 3 fail(s), and 0 exception(s).View details | Re-test

#19

Posted by agentrickard on March 21, 2012 at 6:59pm
Status:needs review» needs work

Now there are redundant lines:

<?php
-

$admin_access = !empty($form_state['values']['administer users']);

+  if ($admin_access) {
+    $admin_access = $form_state['values']['administer_users'];
+  }
?>

The first !empty() assumes that the 'administer users' form element is set. If not set and TRUE, admin riggers will not fire.

#20

Posted by tsphethean on March 21, 2012 at 9:07pm
Status:needs work» needs review

Good point - revised patch attached.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-20.patch1.77 KBIdleFAILED: [[SimpleTest]]: [MySQL] 35,656 pass(es), 3 fail(s), and 0 exception(s).View details | Re-test

#21

Posted by System Message on March 21, 2012 at 9:35pm
Status:needs review» needs work

The last submitted patch, user-cancel_submit_remove-687588-20.patch, failed testing.

#22

Posted by tsphethean on March 21, 2012 at 10:19pm
Status:needs work» needs review

Gah, sorry - typo on the form state values. Fixed working patch attached.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-22.patch1.77 KBIdlePASSED: [[SimpleTest]]: [MySQL] 35,677 pass(es).View details | Re-test

#23

Posted by tsphethean on March 21, 2012 at 10:19pm

Gah, sorry - typo on the form state values. Fixed working patch attached.

#24

Posted by tsphethean on November 27, 2012 at 9:35pm

A while since this has moved so re-rolled against latest D8 build, apply cleanly so seeing what testbot makes of it now.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-24.patch1.76 KBIdleFAILED: [[SimpleTest]]: [MySQL] Unable to apply patch user-cancel_submit_remove-687588-24.patch. Unable to apply patch. See the log in the details link for more information.View details | Re-test

#25

Posted by tsphethean on November 27, 2012 at 9:45pm

Sorry, not sure how I thought that last patch would apply... re-rolled now and re-queueing for testing.

AttachmentSizeStatusTest resultOperations
user-cancel_submit_remove-687588-25.patch1.6 KBIdleFAILED: [[SimpleTest]]: [MySQL] Unable to apply patch user-cancel_submit_remove-687588-25.patch. Unable to apply patch. See the log in the details link for more information.View details | Re-test

#26

Posted by tsphethean on May 10, 2013 at 4:49pm

#25: user-cancel_submit_remove-687588-25.patch queued for re-testing.

Seeing whether testbot still likes this one

#27

Posted by System Message on May 10, 2013 at 4:49pm
Status:needs review» needs work

The last submitted patch, user-cancel_submit_remove-687588-25.patch, failed testing.