Now that $edit is passed to #process you can always add $edit to #options and also the new form caching means if some callback sends options to JS via AHAH calls, it can also cache the options. Removing this flag just means that there is no sanctioned way to do this as there should not be. I was always at unease because of the existence of this attribute.

CommentFileSizeAuthor
down_with_dangerous_skip_check.patch958 byteschx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented
Status: Needs review » Reviewed & tested by the community

The #process workaround handles this without a special case.

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Reviewed & tested by the community » Needs review

Let's start from what was this used for "legally". I know it was used in some contrib modules "illegaly" and caused security problems. So what legal code would we brake by removing this. Where is the "update docs" on what to do if this gets removed? (We really need update docs if this gets committed).

yched’s picture

yched CreditAttribution: yched commented

I was one of the ones who advocated for that flag.
It was for 4.7, and back then I needed it to AHAH-fill choices in a select based on the entry in a textfield, with too many (1000's, taken from db) possible values to make them all valid.

This use case is now supported by D6 FAPI/AHAH features, right ?

chx’s picture

chx CreditAttribution: chx commented
Status: Needs review » Reviewed & tested by the community

yched, I already answered this: if some callback sends options to JS via AHAH calls, it can also cache the options in cache_form.

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented

There were two sides to that use case, right? One is that the options where handled with AHAH, the other is that there were thousands of options. For caching would cache the thousands of options in the regular form structure right? I guess that was one thing people tried to avoid with this flag to save some performance.

Note that I am not advocating keeping this security hole possibility here, but I'd not commit the patch without understanding the consequences.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented

@In that use case, the developer can use #process to inject just the options that were selected into the #options array. He does so by reading in from $edit, which is available to #process functions.

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Reviewed & tested by the community » Needs work

Understood, so committed. Please document this in the update docs. Leaving it code needs work for this reason.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented
Status: Needs work » Fixed

added to update doc.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)
pelicani’s picture

pelicani CreditAttribution: pelicani commented

it would have been nicer if y'all provide a little more information on how to subvert this filter hook.
What is published in this thread, and anywhere else i've looked, isn't enough for the casual form api hacker.
>frustrated<

Harry Slaughter’s picture

Harry Slaughter
Location Omaha NE USA
CreditAttribution: Harry Slaughter commented
Version: 6.x-dev » 6.9
Status: Closed (fixed) » Active

The 'update doc' (http://drupal.org/node/114774#choice_check) points to this issue as a source of instruction on how to work around the removal of #DANGEROUS_SKIP_CHECK, yet this post provides no code examples on how to do it.

I have an awkward use case where I need to set CCK optionwidgets_select options dynamically. And after several hours trying different things, I cannot avoid the dreaded 'An illegal choice has been detected'.

Could someone provide a concrete, working example of code that alters the default form options safely?

ss81’s picture

ss81 CreditAttribution: ss81 commented

I don't know is my code safely or not, but I hope it can help. My example is based on Ubercart address fields, so some functions can be found in Udercart module.

"Country" field:

  $select = array(
    '#type' => 'select',
    '#title' => $title,
    '#description' => $description,
    '#options' => $options,
    '#default_value' => empty($default) ? uc_store_default_country() : $default,
    '#required' => $required,
    '#ahah' => array(
      'path' => 'ss81/zone_select',
      'wrapper' => 'edit-profile-step5-zone-wrapper',
      'method' => 'replace'
    )
  );

Function, assigned to "ss81/zone_select" path:

function ss81_zone_select() {
  $country_id = intval($_POST['profile_step5_country']) > 0 ? intval($_POST['profile_step5_country']) : uc_store_default_country();

  //get form from cache and store modified place selection
  $form_state = array('values' => $_POST);

  $form = form_get_cache($_POST['form_build_id'], $form_state);

  $form['Personal Information']['profile_step5_zone'] = uc_zone_select('State/Province', NULL, NULL, $country_id);
  $form['Personal Information']['profile_step5_zone']['#default_value'] = '';
  form_set_cache($_POST['form_build_id'], $form, $form_state);

  //rebuild the form.
  $form_state = array('submitted' => FALSE);
  $form = form_builder('user_profile_form', $form, $form_state);

  $output = drupal_render($form['Personal Information']['profile_step5_zone']);

  // Don't call drupal_json(). ahah.js uses an iframe and
  // the header output by drupal_json() causes problems in some browsers.
  print drupal_to_js(array('status' => TRUE, 'data' => $output));
  exit();
}

Really appreciate to author of http://drupal.org/project/weather for examples of code.

chx’s picture

chx CreditAttribution: chx commented
Status: Active » Fixed

The oriignal post clearly says what can be done and also http://drupal.org/node/331941 is the proper AHAH way.

ss81’s picture

ss81 CreditAttribution: ss81 commented

I think such posts must be with code examples :)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

raffuk’s picture

raffuk CreditAttribution: raffuk commented

What if I don't wanna use AHAH? I'm using jquery only to add options to the select. Is there any *simple workaround*?

Ivan Zugec’s picture

Ivan Zugec CreditAttribution: Ivan Zugec commented

Check out this post.

http://drupal.org/node/303576

jhchnc’s picture

jhchnc CreditAttribution: jhchnc commented
Version: 6.9 » 6.13

Dear Drupal,

I don't want to learn your crappy AHAH to rewrite the contents of a $%&-ing select box. Especially when I'm allowing for the select box to _become_ a textfield! Um, they can post whatever they %&*^-ing want!

Ok, I'm feeling better now.

SOLUTION: Initiate your select as a textfield. On document load, javascript it into a select. Boom. This is fine because you need to call it via script anyway... no harm, no foul. Plus, if script is turned off, a textfield is much more flexible for the user.

I win!