Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Numeric item fields do not have their minimum value validated if the minimum value is zero. This allows for negative values for decimal items or numeric item fields that are not flagged as unsigned.
This is due to a not-empty check:
if (!empty($settings['min'])) {
$min = $settings['min'];
$constraints[] = $constraint_manager->create('ComplexData', [
'value' => [
'Range' => [
'min' => $min,
'minMessage' => t('%name: the value may be no less than %min.', ['%name' => $label, '%min' => $min]),
],
],
]);
}
Zero is technically empty.
Proposed resolution
Check if the value is not equal to ''
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#9 | 3090629-9.patch | 4.57 KB | mglaman |
#9 | 3090629-9-test-only.patch | 3.58 KB | mglaman |
Comments
Comment #2
mglamanThis means Commerce has been relying on this base field definition and had no validation support.
Comment #3
oriol_e9g!empty it's also checking for isset. If $settings['min'] is not set the new code will produce a warning. Maybe we can add an isset check? $settings['min'] can not be set if you add the field programatically?
Comment #5
mglamanI forgot getSettings doesn't merge defaults. The default is '', so maybe that should be done as well.
Or we have PHP 7 so ??
Comment #6
mglamanThis ensures the default settings are present when checking the definition settings. This way min/max always have a default value of
''
.Marking this for API-First Initiative since it deals with data definition level validation
Comment #7
BR0kENIf we use the
array_merge
then I'd say we have to callstatic::defaultFieldSettings()
instead ofself::defaultFieldSettings()
. Also, the order of arguments should be changed in order$this->getSettings()
could override defaults.Generally, I think it is better to use two
isset($settings[PARAM])
than merging settings.Comment #8
mglamanUpdating to use
isset
and adding tests.Comment #9
mglamanPatch + Test only.
Comment #11
BR0kENCould we deny specifying empty
min
andmax
? I mean if theisset($settings['min'])
returnstrue
then we assume this value needs to be validated.Comment #12
mglamanThe default value is empty because there shouldn't be a constraint. The only reason it's not set is due to Drupal does not guarantee the settings array contains the default settings as well or all values as defined in the config schema.
Which is what my other patch did.
Comment #13
BR0kENMakes sense.
Comment #14
rachel_norfolkretagging
Comment #15
alexpottCommitted and pushed eb99b6b50f to 9.0.x and 9ef14c6195 to 8.9.x. Thanks!
Fixed coding standards on commit.
Comment #18
alexpottDiscussed with @catch who +1'd 8.8.x backport.
Comment #26
quietone CreditAttribution: quietone as a volunteer commentedclosed #2838121: Numeric item min/max settings ignored if set to 0 as a duplicate and moving credit.