Passing Data through Form Preview

Mike Boone - August 5, 2006 - 01:15
Project: Drupal
Version: 4.7.2
Component: forms system
Category: support request
Priority: normal
Assigned: Unassigned
Status: closed
Description

There does not appear to be a way to pass protected data through a form preview. I am converting the Image module to use the Filemanager module. When an image is uploaded for preview, I generate thumbnails in Filemanager. Since I don't want to create the thumbnails twice, I need to pass the file ID through the form preview. I can do this in a hidden field; however, this is open to abuse by malicious users.

See this Acidfree bug discussion and this Filemanager bug discussion for background.

From the Acidfree discussion, vhmauery notes:

I am going to say that the exploit is the form api's problem. Between the lack of parameters for hook_prepare and hook_form, it makes it impossible to use the '#type' => 'value' form element, which never actually gets passed to the browser. The form api should have some '#readonly' => true property or something. Or it should compare the hidden values that come back from the browser to see if they are the same as the ones sent.

Does Drupal offer a way to pass read-only data through a form preview? A couple methods I can think of would be to either store that data in $_SESSION or to create some sort of verification hash to let us check that the hidden field data was not changed. I would like to do it the "Drupal way" if possible.
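
The verification-hash approach mentioned in the post above, sketched as an added example (not part of the original thread and not Drupal, Image or Filemanager code). It uses modern PHP built-ins (`hash_hmac`, `hash_equals`, `random_bytes`); the function names, the token layout and the sample form and session ids are assumptions for illustration.

```php
<?php
// Added example: all function names and the key source are hypothetical.

// Server-side secret. In practice, load a long random value from site
// configuration that never reaches the browser. Generated here for the demo.
$secret = random_bytes(32);

// Build the hidden-field value: "<fid>:<hex mac>".
// The MAC covers the form id and session id as well as the file id, so a
// token cannot be reused on another form or by another user's session.
function preview_token_create(int $fid, string $form_id, string $session_id, string $secret): string {
  $mac = hash_hmac('sha256', "$form_id|$session_id|$fid", $secret);
  return $fid . ':' . $mac;
}

// Return the file id if the hidden field came back intact, or NULL if it
// was altered, malformed, or issued for a different form or session.
function preview_token_verify(string $token, string $form_id, string $session_id, string $secret): ?int {
  $parts = explode(':', $token, 2);
  if (count($parts) !== 2 || !preg_match('/^[0-9]+$/D', $parts[0])) {
    return NULL;
  }
  [$fid, $mac] = $parts;
  $expected = hash_hmac('sha256', "$form_id|$session_id|$fid", $secret);
  // hash_equals() compares in constant time.
  return hash_equals($expected, $mac) ? (int) $fid : NULL;
}

// Constructed sample values.
$token = preview_token_create(42, 'image_node_form', 'sess-alice', $secret);

// Field returned unchanged by the browser.
var_dump(preview_token_verify($token, 'image_node_form', 'sess-alice', $secret));

// File id edited in the hidden field while the MAC is kept.
$edited = '43' . substr($token, 2);
var_dump(preview_token_verify($edited, 'image_node_form', 'sess-alice', $secret));

// Same token submitted under a different session.
var_dump(preview_token_verify($token, 'image_node_form', 'sess-bob', $secret));
```

The MAC only shows that the server issued this value for this form and session; the submit handler should still confirm that the file record exists and belongs to the node being saved.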

#1

magico - October 13, 2006 - 19:43
Version: 4.7.2 » x.y.z
Category: bug report » support request

Before being a bug, it's a support request on how to do something.
Can anyone inside FAPI 2.0 help?

#2

magico - October 13, 2006 - 19:43
Version: x.y.z » 4.7.2

#3

magico - January 10, 2007 - 15:13
Status: active » closed

Closing support requests older than 1 month.

#4

Mike Boone - January 10, 2007 - 15:47

I still think this is a bug, despite the lack of discussion in the bug or support lists.

#5

sime - January 10, 2007 - 16:00

Magico is just cleaning up the queue and attempting to bump issues that are obvious.

You have every right to re-open the issue.

 
 
