Problem/Motivation
Creating nodes from REST I have detected that I can create new nodes with empty title.
TypedData\Map's implementation of ::isEmpty() does strict type checking, so "" is not considered an empty value and hence passes the NotNull validation.
However, user module implicitly relies on this behaviour as during user_install it creates a user with no name (UID 0). So this means fixing it to treat "" as empty breaks in spectacular fashion.
Because our validation API does not in fact validate required fields, this could lead to data integrity issues and could result in some fairly hairy update hooks to repair broken stuff.
There are other issues in the queue around 'unable to remove empty text fields', probably the same issue as this. E.g. #2349819: String field type doesn't consider empty string as empty value
Proposed resolutions
Two possible fixes:
- Sub-class StringItem for username (UsernameItem) and don't consider "" empty in that case. Change Map to consider "" as empty (as well as NULL). Change User to use UsernameItem. The existing UserName constraint will validate users (other than the one created in user_install()). -OR-
- Force anonymous user to have a username - e.g. 'anonymous' and make this a reserved username (See #18)
Comment | File | Size | Author |
---|---|---|---|
#18 | notnull-constraint-2444585.16.patch | 4.83 KB | larowlan |
#18 | interdiff.txt | 3.01 KB | larowlan |
#15 | notnull-constraint-2444585.15.patch | 1.82 KB | larowlan |
#15 | interdiff.txt | 1.14 KB | larowlan |
#13 | notnull-constraint-2444585.2.patch | 1.5 KB | larowlan |
Comments
Comment #2
larowlanComment #3
BerdirBetter title :)
This is really bad, I don't know why we didn't figure this out earlier?
NotNullValidator really is a !== NULL check.
I can currently see two ways to fix this:
a) Make it also fail on empty strings (like the UI which depends on form API for this does).
b) Somehow *reliably* filter out empty field items before running the validation.
Comment #6
fagoI think, validation should match the field's isEmpty() logic - so if that fails also this is probably the problem.
Right. I've been already thinking whether it would make sense to provide a custom NotEmpty constraint instead of just relying on symfony ones. Right now, the validator does extra massaging of the values to make empty data structures NULL to make it work, see PropertyContainerMetadata::accept(). So maybe the problem here is just a not good isEmpty() implementations of the field type?
Howsoever, my thought was that NotEmpty constraint could just work with the object and call $typed_data->isEmpty() itself, what should help simplifying the validator logic. Not sure it's related, depending on where the bug really is here.
Comment #7
marthinal CreditAttribution: marthinal commentedFrom Rest I'm updating fields for users. I've detected that the situation is the same. I can update the value of a required field with an empty string and in this way you can remove the data from fields...
I think that this patch fixes the problem, at least for user update and when creating a node. I was testing from the rest client so let's take a look at the results.
Comment #10
larowlanDiscussed with @webchick, given this involves data loss (see last comment) this may in fact need to be critical.
Feel free to drop back.
Comment #11
larowlanRemoving the tag
Comment #12
larowlankicking along as per #6
Comment #13
larowlanI think we have a few issues in the queue around not being able to remove string/text fields in multi-value setups.
This might solve those too.
We might need similar treatments for numeric fields.
Comment #15
larowlanOr maybe this approach
Comment #17
larowlangold, user_install() relies on creating an invalid user, with an empty username, despite the UserName constraint considering this invalid.
Comment #18
larowlanPerhaps we can make anonymous a reserved username
Short of that we can make user-name its own item type, we already did that for password.
Comment #19
dawehnerHow can any of the properties of a StringItem be computed? IMHO I just see value in there, so this maybe need some documentation? Let's also use single quotes :P
Comment #21
larowlanNew issue summary
Comment #22
larowlanPossible duplicate of #2349819: String field type doesn't consider empty string as empty value
Comment #23
amateescu CreditAttribution: amateescu for Pfizer, Inc. commentedYes, it's a duplicate of #2349819: String field type doesn't consider empty string as empty value. Let's make sure we bring the test from #7 to the patch over there.
Comment #24
larowlan@marthinal can you comment over on #2349819: String field type doesn't consider empty string as empty value so you can be added to credits - ta