Code Coverage for /Users/ericduran/Sites/drupal/drupal/core/lib/Drupal/Core/Form/FormValidator.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	77.78% covered (warning)	77.78%	7 / 9	CRAP	96.08% covered (success)	96.08%	98 / 102
FormValidator	0.00% covered (danger)	0.00%	0 / 1	77.78% covered (warning)	77.78%	7 / 9	72	96.08% covered (success)	96.08%	98 / 102
__construct				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	6 / 6
executeValidateHandlers				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	6 / 6
validateForm				100.00% covered (success)	100.00%	1 / 1	6	100.00% covered (success)	100.00%	13 / 13
setInvalidTokenError				0.00% covered (danger)	0.00%	0 / 1	2	0.00% covered (danger)	0.00%	0 / 3
handleErrorsWithLimitedValidation				100.00% covered (success)	100.00%	1 / 1	10	100.00% covered (success)	100.00%	18 / 18
finalizeValidation				100.00% covered (success)	100.00%	1 / 1	1	100.00% covered (success)	100.00%	3 / 3
doValidateForm				100.00% covered (success)	100.00%	1 / 1	22	100.00% covered (success)	100.00%	28 / 28
performRequiredValidation				100.00% covered (success)	100.00%	1 / 1	19	100.00% covered (success)	100.00%	19 / 19
determineLimitValidationErrors				0.00% covered (danger)	0.00%	0 / 1	8.30	83.33% covered (warning)	83.33%	5 / 6

1	<?php
2
3	/**
4	* @file
5	* Contains \Drupal\Core\Form\FormValidator.
6	*/
7
8	namespace Drupal\Core\Form;
9
10	use Drupal\Component\Utility\NestedArray;
11	use Drupal\Component\Utility\Unicode;
12	use Drupal\Core\Access\CsrfTokenGenerator;
13	use Drupal\Core\Render\Element;
14	use Drupal\Core\StringTranslation\StringTranslationTrait;
15	use Drupal\Core\StringTranslation\TranslationInterface;
16	use Psr\Log\LoggerInterface;
17	use Symfony\Component\HttpFoundation\RequestStack;
18
19	/**
20	* Provides validation of form submissions.
21	*/
22	class FormValidator implements FormValidatorInterface {
23
24	use StringTranslationTrait;
25
26	/**
27	* The CSRF token generator to validate the form token.
28	*
29	* @var \Drupal\Core\Access\CsrfTokenGenerator
30	*/
31	protected $csrfToken;
32
33	/**
34	* The request stack.
35	*
36	* @var \Symfony\Component\HttpFoundation\RequestStack
37	*/
38	protected $requestStack;
39
40	/**
41	* A logger instance.
42	*
43	* @var \Psr\Log\LoggerInterface
44	*/
45	protected $logger;
46
47	/**
48	* The form error handler.
49	*
50	* @var \Drupal\Core\Form\FormErrorHandlerInterface
51	*/
52	protected $formErrorHandler;
53
54	/**
55	* Constructs a new FormValidator.
56	*
57	* @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
58	* The request stack.
59	* @param \Drupal\Core\StringTranslation\TranslationInterface $string_translation
60	* The string translation service.
61	* @param \Drupal\Core\Access\CsrfTokenGenerator $csrf_token
62	* The CSRF token generator.
63	* @param \Psr\Log\LoggerInterface $logger
64	* A logger instance.
65	* @param \Drupal\Core\Form\FormErrorHandlerInterface $form_error_handler
66	* The form error handler.
67	*/
68	public function __construct(RequestStack $request_stack, TranslationInterface $string_translation, CsrfTokenGenerator $csrf_token, LoggerInterface $logger, FormErrorHandlerInterface $form_error_handler) {
69	$this->requestStack = $request_stack;
70	$this->stringTranslation = $string_translation;
71	$this->csrfToken = $csrf_token;
72	$this->logger = $logger;
73	$this->formErrorHandler = $form_error_handler;
74	}
75
76	/**
77	* {@inheritdoc}
78	*/
79	public function executeValidateHandlers(&$form, FormStateInterface &$form_state) {
80	// If there was a button pressed, use its handlers.
81	$handlers = $form_state->getValidateHandlers();
82	// Otherwise, check for a form-level handler.
83	if (!$handlers && isset($form['#validate'])) {
84	$handlers = $form['#validate'];
85	}
86
87	foreach ($handlers as $callback) {
88	call_user_func_array($form_state->prepareCallback($callback), array(&$form, &$form_state));
89	}
90	}
91
92	/**
93	* {@inheritdoc}
94	*/
95	public function validateForm($form_id, &$form, FormStateInterface &$form_state) {
96	// If this form is flagged to always validate, ensure that previous runs of
97	// validation are ignored.
98	if ($form_state->isValidationEnforced()) {
99	$form_state->setValidationComplete(FALSE);
100	}
101
102	// If this form has completed validation, do not validate again.
103	if ($form_state->isValidationComplete()) {
104	return;
105	}
106
107	// If the session token was set by self::prepareForm(), ensure that it
108	// matches the current user's session. This is duplicate to code in
109	// FormBuilder::doBuildForm() but left to protect any custom form handling
110	// code.
111	if (isset($form['#token'])) {
112	if (!$this->csrfToken->validate($form_state->getValue('form_token'), $form['#token']) \|\| $form_state->hasInvalidToken()) {
113	$this->setInvalidTokenError($form_state);
114
115	// Stop here and don't run any further validation handlers, because they
116	// could invoke non-safe operations which opens the door for CSRF
117	// vulnerabilities.
118	$this->finalizeValidation($form, $form_state, $form_id);
119	return;
120	}
121	}
122
123	// Recursively validate each form element.
124	$this->doValidateForm($form, $form_state, $form_id);
125	$this->finalizeValidation($form, $form_state, $form_id);
126	$this->handleErrorsWithLimitedValidation($form, $form_state, $form_id);
127	}
128
129	/**
130	* {@inheritdoc}
131	*/
132	public function setInvalidTokenError(FormStateInterface $form_state) {
133	$url = $this->requestStack->getCurrentRequest()->getRequestUri();
134
135	// Setting this error will cause the form to fail validation.
136	$form_state->setErrorByName('form_token', $this->t('The form has become outdated. Copy any unsaved work in the form below and then <a href=":link">reload this page</a>.', array(':link' => $url)));
137	}
138
139	/**
140	* Handles validation errors for forms with limited validation.
141	*
142	* If validation errors are limited then remove any non validated form values,
143	* so that only values that passed validation are left for submit callbacks.
144	*
145	* @param array $form
146	* An associative array containing the structure of the form.
147	* @param \Drupal\Core\Form\FormStateInterface $form_state
148	* The current state of the form.
149	* @param string $form_id
150	* The unique string identifying the form.
151	*/
152	protected function handleErrorsWithLimitedValidation(&$form, FormStateInterface &$form_state, $form_id) {
153	// If validation errors are limited then remove any non validated form values,
154	// so that only values that passed validation are left for submit callbacks.
155	$triggering_element = $form_state->getTriggeringElement();
156	if (isset($triggering_element['#limit_validation_errors']) && $triggering_element['#limit_validation_errors'] !== FALSE) {
157	$values = array();
158	foreach ($triggering_element['#limit_validation_errors'] as $section) {
159	// If the section exists within $form_state->getValues(), even if the
160	// value is NULL, copy it to $values.
161	$section_exists = NULL;
162	$value = NestedArray::getValue($form_state->getValues(), $section, $section_exists);
163	if ($section_exists) {
164	NestedArray::setValue($values, $section, $value);
165	}
166	}
167	// A button's #value does not require validation, so for convenience we
168	// allow the value of the clicked button to be retained in its normal
169	// $form_state->getValues() locations, even if these locations are not
170	// included in #limit_validation_errors.
171	if (!empty($triggering_element['#is_button'])) {
172	$button_value = $triggering_element['#value'];
173
174	// Like all input controls, the button value may be in the location
175	// dictated by #parents. If it is, copy it to $values, but do not
176	// override what may already be in $values.
177	$parents = $triggering_element['#parents'];
178	if (!NestedArray::keyExists($values, $parents) && NestedArray::getValue($form_state->getValues(), $parents) === $button_value) {
179	NestedArray::setValue($values, $parents, $button_value);
180	}
181
182	// Additionally, self::doBuildForm() places the button value in
183	// $form_state->getValue(BUTTON_NAME). If it's still there, after
184	// validation handlers have run, copy it to $values, but do not override
185	// what may already be in $values.
186	$name = $triggering_element['#name'];
187	if (!isset($values[$name]) && $form_state->getValue($name) === $button_value) {
188	$values[$name] = $button_value;
189	}
190	}
191	$form_state->setValues($values);
192	}
193	}
194
195	/**
196	* Finalizes validation.
197	*
198	* @param array $form
199	* An associative array containing the structure of the form.
200	* @param \Drupal\Core\Form\FormStateInterface $form_state
201	* The current state of the form.
202	* @param string $form_id
203	* The unique string identifying the form.
204	*/
205	protected function finalizeValidation(&$form, FormStateInterface &$form_state, $form_id) {
206	// Delegate handling of form errors to a service.
207	$this->formErrorHandler->handleFormErrors($form, $form_state);
208
209	// Mark this form as validated.
210	$form_state->setValidationComplete();
211	}
212
213	/**
214	* Performs validation on form elements.
215	*
216	* First ensures required fields are completed, #maxlength is not exceeded,
217	* and selected options were in the list of options given to the user. Then
218	* calls user-defined validators.
219	*
220	* @param $elements
221	* An associative array containing the structure of the form.
222	* @param \Drupal\Core\Form\FormStateInterface $form_state
223	* The current state of the form. The current user-submitted data is stored
224	* in $form_state->getValues(), though form validation functions are passed
225	* an explicit copy of the values for the sake of simplicity. Validation
226	* handlers can also $form_state to pass information on to submit handlers.
227	* For example:
228	* $form_state->set('data_for_submission', $data);
229	* This technique is useful when validation requires file parsing,
230	* web service requests, or other expensive requests that should
231	* not be repeated in the submission step.
232	* @param $form_id
233	* A unique string identifying the form for validation, submission,
234	* theming, and hook_form_alter functions.
235	*/
236	protected function doValidateForm(&$elements, FormStateInterface &$form_state, $form_id = NULL) {
237	// Recurse through all children.
238	foreach (Element::children($elements) as $key) {
239	if (isset($elements[$key]) && $elements[$key]) {
240	$this->doValidateForm($elements[$key], $form_state);
241	}
242	}
243
244	// Validate the current input.
245	if (!isset($elements['#validated']) \|\| !$elements['#validated']) {
246	// The following errors are always shown.
247	if (isset($elements['#needs_validation'])) {
248	$this->performRequiredValidation($elements, $form_state);
249	}
250
251	// Set up the limited validation for errors.
252	$form_state->setLimitValidationErrors($this->determineLimitValidationErrors($form_state));
253
254	// Make sure a value is passed when the field is required.
255	if (isset($elements['#needs_validation']) && $elements['#required']) {
256	// A simple call to empty() will not cut it here as some fields, like
257	// checkboxes, can return a valid value of '0'. Instead, check the
258	// length if it's a string, and the item count if it's an array.
259	// An unchecked checkbox has a #value of integer 0, different than
260	// string '0', which could be a valid value.
261	$is_empty_multiple = (!count($elements['#value']));
262	$is_empty_string = (is_string($elements['#value']) && Unicode::strlen(trim($elements['#value'])) == 0);
263	$is_empty_value = ($elements['#value'] === 0);
264	if ($is_empty_multiple \|\| $is_empty_string \|\| $is_empty_value) {
265	// Flag this element as #required_but_empty to allow #element_validate
266	// handlers to set a custom required error message, but without having
267	// to re-implement the complex logic to figure out whether the field
268	// value is empty.
269	$elements['#required_but_empty'] = TRUE;
270	}
271	}
272
273	// Call user-defined form level validators.
274	if (isset($form_id)) {
275	$this->executeValidateHandlers($elements, $form_state);
276	}
277	// Call any element-specific validators. These must act on the element
278	// #value data.
279	elseif (isset($elements['#element_validate'])) {
280	foreach ($elements['#element_validate'] as $callback) {
281	$complete_form = &$form_state->getCompleteForm();
282	call_user_func_array($form_state->prepareCallback($callback), array(&$elements, &$form_state, &$complete_form));
283	}
284	}
285
286	// Ensure that a #required form error is thrown, regardless of whether
287	// #element_validate handlers changed any properties. If $is_empty_value
288	// is defined, then above #required validation code ran, so the other
289	// variables are also known to be defined and we can test them again.
290	if (isset($is_empty_value) && ($is_empty_multiple \|\| $is_empty_string \|\| $is_empty_value)) {
291	if (isset($elements['#required_error'])) {
292	$form_state->setError($elements, $elements['#required_error']);
293	}
294	// A #title is not mandatory for form elements, but without it we cannot
295	// set a form error message. So when a visible title is undesirable,
296	// form constructors are encouraged to set #title anyway, and then set
297	// #title_display to 'invisible'. This improves accessibility.
298	elseif (isset($elements['#title'])) {
299	$form_state->setError($elements, $this->t('@name field is required.', array('@name' => $elements['#title'])));
300	}
301	else {
302	$form_state->setError($elements);
303	}
304	}
305
306	$elements['#validated'] = TRUE;
307	}
308
309	// Done validating this element, so turn off error suppression.
310	// self::doValidateForm() turns it on again when starting on the next
311	// element, if it's still appropriate to do so.
312	$form_state->setLimitValidationErrors(NULL);
313	}
314
315	/**
316	* Performs validation of elements that are not subject to limited validation.
317	*
318	* @param array $elements
319	* An associative array containing the structure of the form.
320	* @param \Drupal\Core\Form\FormStateInterface $form_state
321	* The current state of the form. The current user-submitted data is stored
322	* in $form_state->getValues(), though form validation functions are passed
323	* an explicit copy of the values for the sake of simplicity. Validation
324	* handlers can also $form_state to pass information on to submit handlers.
325	* For example:
326	* $form_state->set('data_for_submission', $data);
327	* This technique is useful when validation requires file parsing,
328	* web service requests, or other expensive requests that should
329	* not be repeated in the submission step.
330	*/
331	protected function performRequiredValidation(&$elements, FormStateInterface &$form_state) {
332	// Verify that the value is not longer than #maxlength.
333	if (isset($elements['#maxlength']) && Unicode::strlen($elements['#value']) > $elements['#maxlength']) {
334	$form_state->setError($elements, $this->t('@name cannot be longer than %max characters but is currently %length characters long.', array('@name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title'], '%max' => $elements['#maxlength'], '%length' => Unicode::strlen($elements['#value']))));
335	}
336
337	if (isset($elements['#options']) && isset($elements['#value'])) {
338	if ($elements['#type'] == 'select') {
339	$options = OptGroup::flattenOptions($elements['#options']);
340	}
341	else {
342	$options = $elements['#options'];
343	}
344	if (is_array($elements['#value'])) {
345	$value = in_array($elements['#type'], array('checkboxes', 'tableselect')) ? array_keys($elements['#value']) : $elements['#value'];
346	foreach ($value as $v) {
347	if (!isset($options[$v])) {
348	$form_state->setError($elements, $this->t('An illegal choice has been detected. Please contact the site administrator.'));
349	$this->logger->error('Illegal choice %choice in %name element.', array('%choice' => $v, '%name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title']));
350	}
351	}
352	}
353	// Non-multiple select fields always have a value in HTML. If the user
354	// does not change the form, it will be the value of the first option.
355	// Because of this, form validation for the field will almost always
356	// pass, even if the user did not select anything. To work around this
357	// browser behavior, required select fields without a #default_value
358	// get an additional, first empty option. In case the submitted value
359	// is identical to the empty option's value, we reset the element's
360	// value to NULL to trigger the regular #required handling below.
361	// @see \Drupal\Core\Render\Element\Select::processSelect()
362	elseif ($elements['#type'] == 'select' && !$elements['#multiple'] && $elements['#required'] && !isset($elements['#default_value']) && $elements['#value'] === $elements['#empty_value']) {
363	$elements['#value'] = NULL;
364	$form_state->setValueForElement($elements, NULL);
365	}
366	elseif (!isset($options[$elements['#value']])) {
367	$form_state->setError($elements, $this->t('An illegal choice has been detected. Please contact the site administrator.'));
368	$this->logger->error('Illegal choice %choice in %name element.', array('%choice' => $elements['#value'], '%name' => empty($elements['#title']) ? $elements['#parents'][0] : $elements['#title']));
369	}
370	}
371	}
372
373	/**
374	* Determines if validation errors should be limited.
375	*
376	* @param \Drupal\Core\Form\FormStateInterface $form_state
377	* The current state of the form.
378	*
379	* @return array\|null
380	*/
381	protected function determineLimitValidationErrors(FormStateInterface &$form_state) {
382	// While this element is being validated, it may be desired that some
383	// calls to \Drupal\Core\Form\FormStateInterface::setErrorByName() be
384	// suppressed and not result in a form error, so that a button that
385	// implements low-risk functionality (such as "Previous" or "Add more") that
386	// doesn't require all user input to be valid can still have its submit
387	// handlers triggered. The triggering element's #limit_validation_errors
388	// property contains the information for which errors are needed, and all
389	// other errors are to be suppressed. The #limit_validation_errors property
390	// is ignored if submit handlers will run, but the element doesn't have a
391	// #submit property, because it's too large a security risk to have any
392	// invalid user input when executing form-level submit handlers.
393	$triggering_element = $form_state->getTriggeringElement();
394	if (isset($triggering_element['#limit_validation_errors']) && ($triggering_element['#limit_validation_errors'] !== FALSE) && !($form_state->isSubmitted() && !isset($triggering_element['#submit']))) {
395	return $triggering_element['#limit_validation_errors'];
396	}
397	// If submit handlers won't run (due to the submission having been
398	// triggered by an element whose #executes_submit_callback property isn't
399	// TRUE), then it's safe to suppress all validation errors, and we do so
400	// by default, which is particularly useful during an Ajax submission
401	// triggered by a non-button. An element can override this default by
402	// setting the #limit_validation_errors property. For button element
403	// types, #limit_validation_errors defaults to FALSE, so that full
404	// validation is their default behavior.
405	elseif ($triggering_element && !isset($triggering_element['#limit_validation_errors']) && !$form_state->isSubmitted()) {
406	return array();
407	}
408	// As an extra security measure, explicitly turn off error suppression if
409	// one of the above conditions wasn't met. Since this is also done at the
410	// end of this function, doing it here is only to handle the rare edge
411	// case where a validate handler invokes form processing of another form.
412	else {
413	return NULL;
414	}
415	}
416
417	}