Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
erm, first attempt - sounded easy, but apparently, form rebuilding, caching, re-using, restoring, and alteration after #process on $complete_form doesn't work out (and I had to code to find this out :P )
Don't try this at home.
Comment | File | Size | Author |
---|---|---|---|
#18 | current-password.png | 57.21 KB | quicksketch |
#16 | drupal.paranoia.16.patch | 4.33 KB | sun |
#3 | drupal.paranoia.3.patch | 7.45 KB | sun |
#2 | current-password-2a.png | 25.19 KB | sun |
#2 | current-password-2b.png | 12.35 KB | sun |
Comments
Comment #1
sunTo provide some clues:
The idea was to rebuild the user account (and user cancellation form) in case the user tries to change the e-mail or password, or wants to kill his account.
The screenshot shows the form after submission. Actually, only the current password field should have been there, but apparently, #process can't alter the complete form during processing of child elements.
Comment #2
sunThis should give you some more clues:
Almost done.
Comment #3
sunwell, "almost". ;)
I hope chx, eaton, and/or frando are able to kick in.
Comment #4
sunSolving this === killing confirm_form(), btw.
Comment #6
RobLoachDie confirm_form(), DIE! +1 Subscribe!... Love that paranoia patch.
Comment #7
sunConcept.
Problem
Details
This, however, doesn't really work out. On the user account form, we have two form elements (e-mail and password) that should require the current password to confirm. So we'd need either a separate "Current password" field for each of those, or we'd move both fields into a new fieldset, which also contains a new "Current password" field to confirm one of both or both changes. To do that, we'd probably use a custom #confirm_elements property on that "Current password" form element, which references to the other elements in the form that need the advanced validation/confirmation in case their value has been changed.
However, that sounds a bit awkward.
This would be the very first multi-step form implementation in core, AFAICS. So, ++DX.
Problems (current patch)
That would work, if there were not elements like #type = 'password_confirm', which apparently seem to be processed somewhere from their original array-based values in POST into $form_state['input']. "somewhere" means I have no clue where that happens.
Amendments
Comment #8
sunThis is an advanced use-case: A #process and/or #element_validate form handler (not sure yet) tries to turn a form into a multi-step form.
Comment #9
alexanderpas CreditAttribution: alexanderpas commentedhow about we create seperate pages for changing password (user/edit/password) and email-address (user/edit/email)?
on the password page, we request the current password, along with the new password. (
MENU_LOCAL_ACTION
?)on the email page we request the new email along with the current password. (again
MENU_LOCAL_ACTION
?)on user/edit we show the current values of those fields (or ******** in case of the password.)
Comment #10
sunThanks, Alex! But if you want that, you can subscribe to a flood of other issues - just search for "user password" (and similar) in Drupal core. ;)
This issue is, indeed, about bringing Form API from Drupal 4 to Drupal 7 regarding confirmation forms. The [theme_]confirm_form() construct using a separate page callback actually dates back to pre-form-API, i.e. before Drupal 4.7.
Comment #11
mattyoung CreditAttribution: mattyoung commented.
Comment #12
pwolanin CreditAttribution: pwolanin commentedcan we handle the simple case for D7? #86299: Add "current password" field to "change password form"
Comment #13
sunSure, you can try to handle all of these...
#86299: Add "current password" field to "change password form"
#75924: Include fields for resetting password on the one-time password reset page
#486544: system_settings_form does not support password / password_confirm fields well
#430780: User account hijack prevention
#85494: Use email verification when changing user email addresses
#64483: permissions & variable for disallowing editing of user variables
They all share the same common denominator if you start to think about it, and especially if you start to think about usability.
This one is in my top 10 of API clean-up issues. Because, as mentioned before, we're carrying forward this crappy construct of confirm_form() since years, instead of implementing our existing APIs properly.
Comment #14
simeI'd suggest updating the title cos this is hard to follow. Is the issue "remove the confirm form foo"? (Which in turn is a pre-requisite for fixing password confirm?)
Comment #15
sunComment #16
sunRe-rolled against HEAD. Due to other Form API fixes, this should be easier now, but I couldn't make it work yet though.
Comment #17
catchDowngrading all D8 criticals to major per http://drupal.org/node/45111
Comment #18
quicksketchThis sure seems like it was fixed already as part of #86299: Add "current password" field to "change password form" (see screenshot of D7's account form).
The major part of this issue was certainly corrected (a password confirmation). In any case, this issue is very hard to follow (considering the summary was finally added in #7). If we want to make a new task for removing confirmation forms, it should be in a dedicated issue.
Comment #19
sunComment #20
quicksketch@sun: So what's the goal of this issue now? Remove confirmation forms? We've already added the field for password confirmation, which I assume is why this issue is titled "Drupal paranoia"?
Comment #21
David_Rothstein CreditAttribution: David_Rothstein commentedI think the goal here is to improve the user experience (by not showing a confusing "Current password" field on the user edit form every time, but rather only showing it on a followup confirmation screen when it's actually needed).
And potentially to do it via the same form (in a built-in multi-step fashion), rather than resorting to confirm_form().
Attempting to give it a more descriptive title :)
Comment #22
quicksketchA potential concern with this approach is that any form that uses $form_state['storage'] or is multiple steps will make an entry in the cache_form table, potentially *with* the users plain-text password stored in the database. Actually now that I think about it, if you add a FileField to the user form, this could already be the case. These "cache" entries are both insecure and long-lived (for at least 6 hours).
Comment #35
smustgrave CreditAttribution: smustgrave at Mobomo commentedWonder after 12 years if this is still a needed task?