Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Email registration module usurps the registration page, generates a unique username, and only allows users to enter their email address.
In this case, the username constraint doesn't make any sense.
What would make more sense is to prevent the user from using their email address as their password.
However, password constraints don't have access to any form state values, because the password_policy validator doesn't send the form state along to the constraint checkers.
Feature Request
Give constraint checks access to form_state array or some other means of accessing submitted form values.
Comment | File | Size | Author |
---|---|---|---|
#15 | interdiff.txt | 603 bytes | AaronBauman |
#15 | password_policy-form_state_constraint_check-2878918-15.patch | 14.16 KB | AaronBauman |
| |||
#13 | interdiff-2878918-12-13.txt | 2.84 KB | AohRveTPV |
#13 | password_policy-7.x-2.x-form_state_constraint_check-2878918-13.patch | 14.15 KB | AohRveTPV |
| |||
#12 | interdiff.txt | 1.12 KB | AaronBauman |
Comments
Comment #2
AaronBaumanThis kind of check would require $form_state as an argument to Constraint::check like the attached patch.
Is there any good reason NOT to do this?
Otherwise I have to do some kind of crazy static-cache based form cache to look at any other fields on the form.
Comment #3
AaronBaumanComment #4
AaronBaumanComment #5
AaronBaumanOne more.
This one is working locally, with an example constraint (email.inc.txt attachment).
Comment #6
AohRveTPV CreditAttribution: AohRveTPV commentedWithout looking at the code, I'm wondering if we could get rid of
$account
and just use$form_state
.Comment #7
AaronBaumanseems like it, since $account is available in $form_state
already the username and drupal_strength constraints are looking directly at $_POST, which seems like a hacky workaround.
the tricky bit (of course) seems like the ajax callback.
shall I work on a proper patch?
Comment #8
AohRveTPV CreditAttribution: AohRveTPV commentedSure. Thanks for looking into this problem.
It looks like 7.x-1.x has the same limitation. We probably shouldn't change the Constraints API there, though, since 7.x-1.x has been a full release for years, and people probably have custom constraints written against its Constraints API.
Comment #9
AaronBaumanThere are 4 existing constraints making use of account information:
1. delay
2. past_passwords
-- both these constraints need the account id to fetch user-specific information. This feature is updated thus:
3. username
4. drupal_strength
-- both these constraints rely only on the username string value, and I DRYed this up by putting the helper function into password_policy.module:
All other constraints ignore the $account argument completely.
Finally, the ajax callback builds $form_state with
drupal_build_form()
:Also updated the example email constraint.
Comment #10
AaronBaumanComment #12
AaronBaumanUpdated test and call to failMessages()
Comment #13
AohRveTPV CreditAttribution: AohRveTPV commentedFixed these.
$values
doesn't have the needed values. Added ignore directives for these warnings.Comment #14
AohRveTPV CreditAttribution: AohRveTPV commentedNo problems in my ad hoc testing (just the username constraint, though).
Two concerns with this line:
1. What would happen if someone made a POST request with a fraudulent
form_build_id
? Are there any security implications to this? I'm not sure offhand, will plan to look into.2. Will this hurt performance on a busy website?
drupal_build_form()
would be called with every few keystrokes as a user enters their password.Not so worried about #2, we can find out through usage. #1 more concerning.
Comment #15
AaronBauman2 points on this:
1. this should be passing form_id, with form_build_id in the form_state, to drupal_build_form
2. this is how drupal_get_form (and thence drupal_build_form) work already, so i don't think it opens any security risk that isn't already present. it's a long, unique hash string which is difficult to forge, tied to a short-term cache identifier.
Definitely could have an impact, but I'd say no more than it's already having.
I think bootstrapping Drupal will have the biggest hit, and loading a cached form array will be minimal in comparison.
Comment #16
AohRveTPV CreditAttribution: AohRveTPV commentedThis seems to let a user build any form they want by specifying its form ID as a POST parameter. I'm worried about the implications of that. Instead of
user_register_form
, for instance, they could cause an administration form to be built. I don't see anywhere in Drupal core where the user has the ability to specify the form ID passed todrupal_build_form()
.I'll keep looking at the code to see if I can convince myself it is safe.
Comment #17
AohRveTPV CreditAttribution: AohRveTPV commentedProbably beyond the scope of this issue, but I suspect the module should be using Drupal's AJAX API instead of directly doing POSTs.
Comment #18
AaronBaumanThat would definitely be a problem.
I may have time tomorrow to look at #ajax'ing the form (in a separate issue).
Comment #19
AaronBaumanLet's mark this postponed on the outcome of #2879489: #ajax-ify password callback