Posted by catch on June 9, 2010 at 6:50am
28 followers
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | field system |
| Category: | bug report |
| Priority: | major |
| Assigned: | dags |
| Status: | closed (fixed) |
| Issue tags: | 7.15 release blocker, 7.15 release notes, needs backport to D7, Needs issue summary update, Novice |
Issue Summary
In field_default_form(), it only populates the form if field_access() returns true, this means you get a completely different form structure depending on whether access is true or false, and any code which might depend on that form structure can get horribly broken.
Instead we should have the same form structure, but set #access => FALSE.
Attaching a test (which should fail with one fail and two exceptions) first, then test and patch forthcoming.
Change records for this issue
| Attachment | Size | Status | Test result | Operations |
|---|---|---|---|---|
| field_access.patch | 1.19 KB | Idle | FAILED: [[SimpleTest]]: [MySQL] 20,678 pass(es), 1 fail(s), and 2 exception(es). | View details |
Comments
#1
And the full patch.
#2
Hm, I think we went back and forth on this in, IIRC, #629252: field_attach_form() should make available all field translations on submit.
Trying to get my brain in 'remember' mode.
#3
Actually, this very change (or something very similar) went in with #636834: Field revision data messed up when user has no 'edit' access on the field.
And #629252-22: field_attach_form() should make available all field translations on submit was the reason this got changed back - quoting / adapting from there:
Imagine an integer field, with a 'min value' setting of '0'.
Create a node with value '1' for the field.
Then edit the field and set the min value to '2'.
If a user doesn't have 'edit' access for the field, and we include the widget in the form with #access = FALSE, any attempt at editing the node will fail validation, because there are some submitted values that are invalid.
And the user cannot do anything about it, because the invalid value is not accessible to him.
#4
That sounds like correct behaviour to me to be honest, a bit annoying if you're that user, but it's the fault of the administrator, not Drupal, that you get into that situation. Certainly it's more of an edge case than having code which works without field access then fails once you add it.
#5
"it's the fault of the administrator, not Drupal, that you get into that situation"
I don't really see how. The admin used the UI to do perfectly valid changes.
from #629252-23: field_attach_form() should make available all field translations on submit :
"Hm. Unless we explicitly make field_default_form_errors() *not* report errors on elements where #access == FALSE".
#6
Hmmm. I think I could go either way on this one. Seems like a reasonable compromise to add "field_default_form_errors() *not* report errors on elements where #access == FALSE"
#7
That seems like a decent compromise to me too. My main concern is that hook_field_attach_submit() gets the same $form and $form_state each time it's called - the way this was found was a hook implementation added four months ago, which worked fine for four months, then suddenly stopped working when hook_field_access() was implemented and the usual array structure disappeared from under it. I'll look at field_default_form_errors() a bit later today and see if I can add that to the patch.
#8
bump. still buggy.
#9
subscribe
#10
subscribe
#11
subscribe, came from #1062072: Notice : Undefined property: stdClass::$field_name_of_the_field in locale_field_node_form_submit()
#12
subscribe
#13
subscribing from #1062072: Notice : Undefined property: stdClass::$field_name_of_the_field in locale_field_node_form_submit()
#14
subscribe
#15
#16
#1: 822418_field_access_form.patch queued for re-testing.
#17
The last submitted patch, 822418_field_access_form.patch, failed testing.
#18
subscribe
#19
Reroll of patch to head
#20
#21
The last submitted patch, form-field-acess-822418-19.patch, failed testing.
#22
Bad reroll missed a property lets try again.
#23
The last submitted patch, form-field-acess-822418-22.patch, failed testing.
#24
#22: form-field-acess-822418-22.patch queued for re-testing.
#25
Tagging issues not yet using summary template.
#26
To quickly fix this problem on my D7 site, can I apply form-field-acess-822418-22.patch?
#27
A year and two months latter I looked at field_default_form_errors()...
Untested patch.
#28
The last submitted patch, form-field-acess-822418-27.patch, failed testing.
#29
#30
The last submitted patch, form-field-acess-822418-29.patch, failed testing.
#31
+ if (!empty($element['#access'])) { <= that should be if (!isset($element['#access']) || $element['#access'])
#37
#38
Just comparing side by side for now :
- reroll effect, patch reintroduces a t($instance['label']). t()s around labels have been removed meanwhile.
- "// Locate the correct element in the the form" : the typo is present in the current code, but let's fix it while we move the line around.
- We might want to add a line of comment above the #access check in field_default_form_errors()
Other than that, looks reasonable. We might want a test, though...
#39
subscribe
#40
Adding "Needs tests" according to #38.
+++ b/modules/field/field.form.incundefined@@ -37,76 +37,73 @@ function field_default_form($entity_type, $entity, $field, $instance, $langcode,
+ // If field module handles multiple values for this form element, and we
+ // are displaying an individual element, process the multiple value form.
"are" will fit on the previous line.
+++ b/modules/field/field.form.incundefined@@ -37,76 +37,73 @@ function field_default_form($entity_type, $entity, $field, $instance, $langcode,
+ '#field_parents' => $parents,
Tabs here.
+++ b/modules/field/field.form.incundefined@@ -37,76 +37,73 @@ function field_default_form($entity_type, $entity, $field, $instance, $langcode,
+ // Also aid in theming of field widgets by rendering a classified
+ // container.
"container" will fit on the previous line.
#41
The patch includes a test and its failures are exposed in the original post. Is there additional test coverage that is needed?
#42
Tagging novice for the cleanups mentioned in #38 and #40.
#43
#44
Reroll patch after /core move, address #38 and #40.
#45
The last submitted patch, drupal-822418-44.patch, failed testing.
#46
LANGUAGE_NONE has been renamed to LANGUAGE_NOT_SPECIFIED
#47
Thank you, davidjdagino.
Here's a quick review:
+++ b/core/modules/field/tests/field.testundefined@@ -1650,6 +1650,19 @@ class FieldFormTestCase extends FieldTestCase {
$langcode = LANGUAGE_NOT_SPECIFIED;
+++ b/core/modules/field/tests/field.testundefined@@ -1650,6 +1650,19 @@ class FieldFormTestCase extends FieldTestCase {
+ // Test that the form structure includes full information for each delta apart
+++ b/core/modules/field/tests/field.testundefined@@ -1650,6 +1650,19 @@ class FieldFormTestCase extends FieldTestCase {
+ $langcode = LANGUAGE_NONE;
LANGUAGE_NONE has been removed from Drupal 8 as of LANGUAGE_NONE changed to LANGUAGE_NOT_SPECIFIED, LANGUAGE_NOT_APPLICABLE and LANGUAGE_MULTIPLE added.
Note that
$langcodeis already set toLANGUAGE_NOT_SPECIFIEDin the context.#48
Changes from #47.
#49
#50
Attached is identical to #48; I just wanted to make sure the tests still show the expected fails since it's been awhile since June 2010.
#51
Alright, those test failures look correct. All the feedback from #38 on has also been addressed. I reviewed the patch myself and found only tiny stylistic issues; the solution looks complete to me.
+++ b/core/modules/field/field.form.incundefined@@ -358,31 +355,34 @@ function field_default_form_errors($entity_type, $entity, $field, $instance, $la
+ $function_exists = function_exists($function);
+
+
+ $multiple_widget = field_behaviors_widget('multiple values', $instance) != FIELD_BEHAVIOR_DEFAULT;
Extra blank line here.
+++ b/core/modules/field/field.form.incundefined@@ -358,31 +355,34 @@ function field_default_form_errors($entity_type, $entity, $field, $instance, $la
+ // For a multiple-value widget, all errors are passed to the main widget.
This line is 81 characters.
+++ b/core/modules/field/tests/field.testundefined@@ -1650,6 +1650,18 @@ class FieldFormTestCase extends FieldTestCase {
+ $this->assertEqual($form[$field_name_no_access][$langcode][0]['value']['#entity_type'], $entity_type);
+ $this->assertFalse($form[$field_name_no_access]['#access']);
It would be good to have assertion messages for these because otherwise we get things like "Value FALSE is FALSE" in the results which isn't so helpful. (Note: the messages should not be translated; see http://drupal.org/simpletest-tutorial-drupal7#t).
#52
Oops, didn't mean to untag!
#53
I'm on it.
#54
Fixed those style issues, added an assert message. No attempted comprehension of the rest of the patch! Thanks for the help, xjm.
#55
Thanks @ezheidtmann! That looks good.
#57
Two more minor tweaks: Assertion message for the other assertion, plus putting FALSE in caps per our text standards.
#58
Re-TBC. Thanks everyone!
#59
Thanks folks, committed pushed to 8.x, moving back to 7.x for backport.
#60
#61
Rerolled.
Once again, I forgot that D8 uses 'complete_form' and not 'complete form' like D7.
#62
The last submitted patch, drupal-822418-61-tests.patch, failed testing.
#63
Excellent.
#64
Thanks @tim.plunkett!
#65
This looks like a legit bug fix, and I've no real problems backporting it, but I'd like to hold this until after Wednesday's release "just in case" it breaks something. It's possible (though unlikely) a contributed module is counting on this current situation.
#66
This needs a reroll, I'll do it right afte 7.13 comes out.
#67
tim.plunkett, was it rerolled finally?
#68
Reroll needed because of #1541792: Enable dynamic allowed list values function with additional context.
#69
Re-roll looks good.
#70
Committed to 7.x and added to CHANGELOG.txt - thanks! http://drupalcode.org/project/drupal.git/commit/84e34e4
Have to say I'm a little scared of this one, but code in general should be checking #access before assuming that a form element will actually be displayed... so hopefully any custom/contrib code that this breaks is code that was already somewhat broken anyway. And we have time to roll this back before the next Drupal 7 release if anyone finds something wrong with it in the meantime.
In addition to the release notes, I think this will need a D7 change notification (since it does change the array structure and the behavior of the field validation code). Moving to a critical task for that.
#71
We probably need this change notification in place for Drupal 7.15, since I think we want to link to it from the release notes.
#72
#73
Added change notice.
#74
Looks good to me.
#75
Automatically closed -- issue fixed for 2 weeks with no activity.
#76
Thanks for the change notification (for reference, it's at http://drupal.org/node/1663020)! I've added a link to this in CHANGELOG.txt:
http://drupalcode.org/project/drupal.git/commit/4c0d034
However, this paragraph looked wrong to me:
Based on the above discussion, that was not supposed to happen in the final patch that was committed here (and I sure hope it doesn't)... I also did a quick test with the Field Permissions module (modifying the minimum allowed value of a private integer field and then trying to edit the node as a user without access to that field, per the scenario in @yched's comment above), and everything worked fine.
So, I have removed that paragraph from the change notification, and consequently also removed "Site builders, administrators, editors" from the list of affected audiences.
Obviously, if I made a mistake there somehow, it's not too late for someone to re-edit and fix it.
#77
Skipped the last posts there somehow. #76 is correct, and thus so is the current change notification.