It is possible to implement hook_scald_atom_providers_opt_alter() in order to bypass the initial add form in scald. When doing so, the following steps in most of the scald providers will blindly try to access something in $form_state['values']... without even checking if $form_state['values']... is empty or not. This causes several notices to be displayed on the screen.

This happens in all the scald providers that we have found so far. Here is a list ...

  • scald_audio (core)
  • scald_flash (core)
  • scald_image (core)
  • scald_video (core)
  • scald_file (separate repo)
  • scald_text (separate repo)
  • scald_views (separate repo)

We have written patches for the scald version that is on our servers. We are going to port them on the dev version so that anyone can benefit from it.

We will also submit the appropriate patches on scald_file, scald_text and scald_views repositories separately.

CommentFileSizeAuthor
#5 scald-protect-bypassing-steps-2612714-5.patch596 bytesgifad
#4 scald-protect-bypassing-steps-2612714-4.patch1.98 KBgifad
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

asiby created an issue. See original summary.

asiby’s picture

asiby CreditAttribution: asiby commented
Version: 7.x-1.4 » 7.x-1.6
asiby’s picture

asiby CreditAttribution: asiby as a volunteer and commented

Update: We were using sclad 1.4 were the issue was first discovered. But after verification, version 1.6 is also affected by the same issue.

gifad’s picture

gifad CreditAttribution: gifad commented
Version: 7.x-1.6 » 7.x-1.x-dev
Assigned: asiby » Unassigned
Status: Active » Needs review
FileSize
scald-protect-bypassing-steps-2612714-4.patch1.98 KB

This 'starting point' feature was intended to allow new providers to not implement those two hooks (hook_scald_add_atom_count() and hook_scald_add_form_fill()), where there would not be anything useful to do.
Now if you alter existing providers, please do not patch their functions, just remove them !

Or better, instruct scald core not to call them (we are in a ctools modal multiform wizard, and that's not easy)

The attached patch has just two effective lines, the rest is indentation...

gifad’s picture

gifad CreditAttribution: gifad commented
FileSize
scald-protect-bypassing-steps-2612714-5.patch596 bytes

A perhaps more elegant patch...

NB: tested with scald_audio, scald_file, scald_image, scald_video, scald_iframe, and, of course, scald_gallery.

nagy.balint’s picture

nagy.balint CreditAttribution: nagy.balint commented

It would be nice to still keep the functionality that the provider defines how many entities to create with the count hook even if the step is skipped.

nagy.balint’s picture

nagy.balint CreditAttribution: nagy.balint commented
Status: Needs review » Needs work

Needs work since #6.

Did we miss something when we worked on this last time? #2580337: PHP notices while editing atom in CTools modal box

gifad’s picture

gifad CreditAttribution: gifad commented
Status: Needs work » Needs review

about #6 : This issue is about a third party module disabling the add step, so implicitly it disables the multi upload feature...
This patch has nothing to do with that.

What this issue is pointing out is that the 'starting_step' feature was intended to be used by a provider which does not want to supply the first step functions - and scald core was blindly calling them, just because they exist...

nagy.balint’s picture

nagy.balint CreditAttribution: nagy.balint commented
Status: Needs review » Needs work

In the "scald_add_atom_count" the provider can define how many entities it wants created.
This can be because there is plupload, but it can be for any other reason as well.

It can be that a provider has a custom function to define how many entities it wants, when the provider has no upload mechanism, so its related to some other thing.

It can also be that a provider hard wires that it always wants 2 entities lets say to be created.

So that hook has to be called whether the first step was skipped or not.

In your patches that hook would not be called if the first step is skipped, therefore we loose the above functionality.

In my opinion we should not loose that functionality, and therefore I cant approve the above patches.

gifad’s picture

gifad CreditAttribution: gifad commented
Status: Needs work » Active

Again, my patch is in the context of if (empty($form_state['scald']['atoms'])), it has nothing to do with loosing any functionality, it just fixes the bug of referencing unset variables; anyway, next week scald will migrate to Media, so I give up.

nagy.balint’s picture

nagy.balint CreditAttribution: nagy.balint commented

I suppose you mean Media Entity, and Drupal 8, but that does not mean that scald should not be maintained anymore for drupal 7...

As for the other part. If that form state is empty, it means that it is a new atom creation with the first step skipped. Yet that hook should be able to define how many entities to create, and therefore i still keep that my problem is valid.

asiby’s picture

asiby CreditAttribution: asiby as a volunteer and commented
Title: Code not sufficiently protected against missing for values when bypassing the first scald add form » Code not sufficiently protected against missing values when bypassing the first scald add form