View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005534 | Composr | catalogues | public | 2024-01-07 00:55 | 2024-01-11 14:01 |
| Reporter | Patrick Schmalstig | Assigned To | Patrick Schmalstig | ||
| Severity | Major-bug | ||||
| Status | resolved | Resolution | fixed | ||
| Product Version | 10.0.44 | ||||
| Fixed in Version | 10.0.45 | ||||
| Summary | 0005534: No server-side field validation for field hooks (catalogues) | ||||
| Description | There is no server-side validation when adding or editing catalogue entries. The only validation is JavaScript-side. But someone can modify or bypass the JS in their browser to force validation to pass, thereby resulting in the form getting submitted and the catalogue entry having invalid values. This bug also exists in v11. | ||||
| Tags | No tags attached. | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
|
|
Automated response: No server-side field validation for field hooks (catalogues) There is no server-side validation when adding or editing catalogue entries. The only validation is JavaScript-side. But someone can modify or bypass the JS in their browser to force validation to pass, thereby resulting in the form getting submitted and the catalogue entry having invalid values. This fix adds required field validation on a high-level (wherever the hooks are called) and field-specific validation where it was missing in inputted_to_field_value. |
|
|
Fixed in git commit 7a460e1ec8 (https://gitlab.com/composr-foundation/composr/commit/7a460e1ec8 - link will become active once code pushed to GitLab) A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). hotfix-5534, 2024-01-07 3am.tar (429,056 bytes) |
|
|
Do NOT use themes/default/javascript/checking.js in the hotfix; I accidentally committed test code. |
|
|
Another issue I forgot to mark resolved. This was implemented in v11 too a couple days ago. Not a perfect solution but it gets the job done. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-01-07 00:55 | Patrick Schmalstig | New Issue | |
| 2024-01-07 00:55 | Patrick Schmalstig | Status | non-assigned => assigned |
| 2024-01-07 00:55 | Patrick Schmalstig | Assigned To | => Patrick Schmalstig |
| 2024-01-07 03:48 | Patrick Schmalstig | Note Added: 0008161 | |
| 2024-01-11 14:01 | Patrick Schmalstig | Status | assigned => resolved |
| 2024-01-11 14:01 | Patrick Schmalstig | Resolution | open => fixed |
| 2024-01-11 14:01 | Patrick Schmalstig | Note Added: 0008173 |
