GroupContent entities have an entity reference validator on their "entity_id" base field that checks if the entity being added isn't exceeding the amount of times it can be added to the same group or the amount of groups it can join.

When using the "Join group" form, this cardinality isn't being checked because Form API only runs validation on visible fields, whereas the "entity_id" field referencing the user is purposely hidden.

Task: Validate the entity during form validation, which should trigger the "entity_id" base field validation.

Comments

kristiaanvandeneynde created an issue. See original summary.

jludwig’s picture

Is this an actual issue?

I am able to verify that this is the case by, for example, setting the default value for the Join Form to a user that is already a part of the group when only one person is allowed in the group.

That wouldn't happen in real life because we are programmatically setting the value to what we know is valid and because #access was set to FALSE, it can't be changed.

Can you provide a case where someone would encounter this without changing the values programmatically?

Edit: I thought of an edge-case where someone is already on the form and someone else adds them to the group before they submit. However, I think denying them at that point could make the user confused as to why it said they were already a member of the group and possibly lead to some false bug reports.

Perhaps a better approach for this would be to just have the submission handler swallow it without reporting it back if this edge-case were to occur. No one would need to be confused about why the site thought they already joined.

joachim’s picture

> Task: Validate the entity during form validation, which should trigger the "entity_id" base field validation.

I'm not sure that's the problem.

Each Group Content entity can only have one entity ID it points to -- base fields have cardinality 1 by definition.

What that form element allows is to create more than one Group Content entity that joins the same group and node together. So the validation that's required isn't a Field thing, it's a matter of querying for an existing Group Content entity, and then rejecting the action if one is found.

kristiaanvandeneynde’s picture

Basically, any entity form runs validation handlers for all of the entity's fields but filters out those fields that were unavailable to the user.

So our entity_id element already has a validation handler (the ER one) that will fail if you try to submit a "join form" (which extends the GroupContent entity form). However, because the entity_id field was hidden, this validation error is ignored.

In order to cleanly fix this, we could override the logic that ignores hidden fields to never ignore the ER fields that reference a group or entity id, adding an inline comment explaining these two fields are too crucial to not validate.
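The behaviour discussed in this thread, as an added example that is not from the thread or the Group module: a plain-PHP model of entity validation followed by a form step that drops violations on hidden fields, with and without the "never ignore these two fields" override proposed above. It does not use Drupal's Form API; every function name, the cardinality limit and the sample data are assumptions, and only the field names "entity_id" and "gid" are modelled on the discussion.

```php
<?php
// Simplified model, not Drupal or Group module code. All names are hypothetical.

// Constructed sample data: existing group content rows as [gid, entity_id].
const EXISTING = [[7, 42]];
// Assumed limit: how often one entity may be added to the same group.
const ENTITY_CARDINALITY = 1;

// Entity-level validation: reports violations per field, whether or not
// the field is shown on the form.
function validate_entity(array $entity): array {
  $count = 0;
  foreach (EXISTING as [$gid, $entity_id]) {
    if ($gid === $entity['gid'] && $entity_id === $entity['entity_id']) {
      $count++;
    }
  }
  return $count >= ENTITY_CARDINALITY
    ? ['entity_id' => 'This entity cannot be added to the group again.']
    : [];
}

// Form-level step: keep only violations on visible fields, plus any field
// listed in $always_validate (the override proposed in the comment above).
function reported_violations(array $violations, array $visible, array $always_validate = []): array {
  $keep = array_flip(array_merge($visible, $always_validate));
  return array_intersect_key($violations, $keep);
}

// Join form: "gid" and "entity_id" are preset and hidden; only "label" is
// visible (constructed). User 42 is already in group 7.
$entity = ['gid' => 7, 'entity_id' => 42, 'label' => 'Join'];
$visible = ['label'];
$violations = validate_entity($entity);

// As described in the issue: the violation exists but is dropped.
$ignored = reported_violations($violations, $visible);
// With the override: the two crucial reference fields are never ignored.
$enforced = reported_violations($violations, $visible, ['entity_id', 'gid']);

printf("hidden fields ignored: %d error(s)\n", count($ignored));
printf("entity_id and gid always validated: %d error(s)\n", count($enforced));
foreach ($enforced as $field => $message) {
  printf("  %s: %s\n", $field, $message);
}
```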

kristiaanvandeneynde’s picture

Status: Active » Fixed

This is now fixed by the fact that the join page is no longer accessible by anyone (including user 1) when they're a member. So if the edge case explained in #2 were to happen, you'd face an access denied when submitting that form.

Cheers for the input guys!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.