? fix_form.patch
Index: index.php
===================================================================
RCS file: /cvs/drupal/drupal/index.php,v
retrieving revision 1.82
diff -u -r1.82 index.php
--- index.php	21 Aug 2004 06:42:34 -0000	1.82
+++ index.php	7 Sep 2005 20:59:59 -0000
@@ -14,6 +14,7 @@
 include_once 'includes/common.inc';
 
 fix_gpc_magic();
+fix_checkboxes();
 
 $status = menu_execute_active_handler();
 switch ($status) {
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.434.2.10
diff -u -r1.434.2.10 common.inc
--- includes/common.inc	29 Jul 2005 19:05:31 -0000	1.434.2.10
+++ includes/common.inc	7 Sep 2005 20:59:59 -0000
@@ -413,6 +413,38 @@
 }
 
 /**
+ * An unchecked checkbox is not present in $_POST, so give a default
+ * value of 0 here.
+ * With form_checkboxes, we always expect an array, but HTML does not send
+ * the empty array. This is also fixed here.
+ */
+function fix_checkboxes() {
+  if (isset($_POST['form_array'])) {
+    $_POST['edit'] = _fix_checkboxes($_POST['edit'], $_POST['form_array'], array());
+  }
+  if (isset($_POST['form_zero'])) {
+    $_POST['edit'] = _fix_checkboxes($_POST['edit'], $_POST['form_zero'], 0);
+  }
+}
+
+function _fix_checkboxes($array1, $array2, $value) {
+  if (is_array($array2) && count($array2)) {
+    foreach ($array2 as $k => $v) {
+      if (is_array($v) && count($v)) {
+        $array1[$k] = _fix_checkboxes($array1[$k], $v, $value);
+      }
+      else if (!isset($array1[$k])) {
+        $array1[$k] = $value;
+      }
+    }
+  }
+  else {
+    $array1 = $value;
+  }
+  return $array1;
+}
+
+/**
  * @name Conversion
  * @{
  * Converts data structures to different types.
@@ -1141,9 +1173,7 @@
   if (!is_null($title)) {
     $element = '<label class="option">'. $element .' '. $title .'</label>';
   }
-  // Note: because unchecked boxes are not included in the POST data, we include
-  // a form_hidden() which will be overwritten for a checked box.
-  return form_hidden($name, 0) . theme('form_element', NULL, $element, $description, $name, $required, _form_get_error($name));
+  return form_hidden($name, 1, 'form_zero') . theme('form_element', NULL, $element, $description, $name, $required, _form_get_error($name));
 }
 
 /**
@@ -1176,10 +1206,7 @@
     foreach ($options as $key => $choice) {
       $choices .= '<label class="option"><input type="checkbox" class="form-checkbox" name="edit['. $name .'][]" value="'. $key .'"'. (in_array($key, $values) ? ' checked="checked"' : ''). drupal_attributes($attributes) .' /> '. $choice .'</label><br />';
     }
-    // Note: because unchecked boxes are not included in the POST data, we
-    // include a form_hidden() which will be overwritten as soon as there is at
-    // least one checked box.
-    return form_hidden($name, 0) . theme('form_element', $title, $choices, $description, NULL, $required, _form_get_error($name));
+    return form_hidden($name, 1, 'form_array') . theme('form_element', $title, $choices, $description, NULL, $required, _form_get_error($name));
   }
 }
 
@@ -1357,8 +1384,8 @@
  * but be sure to validate the data on the receiving page as it is possible for
  * an attacker to change the value before it is submitted.
  */
-function form_hidden($name, $value) {
-  return '<input type="hidden" name="edit['. $name .']" value="'. check_plain($value) ."\" />\n";
+function form_hidden($name, $value, $edit = 'edit') {
+  return '<input type="hidden" name="'. $edit .'['. $name .']" value="'. check_plain($value) ."\" />\n";
 }
 
 /**