When making a file upload element conditionally required when another field is filled or another option is chosen, the field doesn't become required.

Steps te reproduce:

1. Create a form
2. Create a radiobutton element
3. Option A and option B
4. Create a file upload element, set it to not required
5. In the conditional settings, make it required when radiobutton element has Option A selected
6. Select option A and submit the form
7. The form is submitted

CommentFileSizeAuthor
#9 conditional_required-2860529-9.jpeg57.97 KBartureiji
#7 conditional_required-2860529-7.patch924 bytesjrockowitz
#5 webform.webform.2860529_cond_required_file (1).yml2.93 KBjrockowitz
#4 webform.webform.2860529_cond_required_file.yml2.72 KBjrockowitz
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

FkoNL created an issue. See original summary.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Issue tags: +#states API

I am willing to bet that core's #states API does not handle requiring file uploads. Still the required attribute is supported by most browsers. https://www.w3schools.com/jsref/prop_fileupload_required.asp

artureiji’s picture

artureiji CreditAttribution: artureiji at CI&T commented

Hi @jrockowitz,

I've run some tests considering what you've commented and indeed if the required="required" attribute is set on the file input, the browser supports it's validation.

But since that attribute can be removed by browser tools (e.g. chrome inspector) isn't that still an (security?) issue since that there's no backend validation for those conditional fields?

I've tested the form mentioned by @FkoNL but with an additional textfield, which worked perfectly with #state API. But removing the required attribute resulted in both the file field and the textfield not being validated.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
FileSize
webform.webform.2860529_cond_required_file.yml2.72 KB

The fact the conditional logic in Webform 8.x-5.x is client-side only means that malicious users can bypass conditionally required fields. Users submitting bad data is not exactly a security issue... but it is still a problem.

Attached is a test form that demonstrates that conditionally required file upload are not validated.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
FileSize
webform.webform.2860529_cond_required_file (1).yml2.93 KB

This example includes text field which is required.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented

This is definitely a core issue. Please create a ticket. I might be able to come up with temporary work-around.

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Title: Conditional required File upload field 't work » Conditional required File upload field don't work
Status: Active » Needs review
FileSize
conditional_required-2860529-7.patch924 bytes

Please test the attached patch.

Status: Needs review » Needs work

The last submitted patch, 7: conditional_required-2860529-7.patch, failed testing.

artureiji’s picture

artureiji CreditAttribution: artureiji at CI&T commented
Status: Needs work » Reviewed & tested by the community
FileSize
conditional_required-2860529-9.jpeg57.97 KB

Worked like a charm.
Nice work @jrockowitz
Attached evidence screenshot.

regards,
Artur Aciole

jrockowitz’s picture

jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented
Status: Reviewed & tested by the community » Fixed

I committed the patch.

  • jrockowitz committed ae7739c on 8.x-5.x 
    Issue #2860529 by jrockowitz, artureiji: Conditional required File...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.