Moodle / MDL-31714

Core needs centralized data validations for use by core and web services too. truncate_userinfo() not good enough.


      Description

      From MDL-25027, Sam Hemelryk mentioned "core should be validating the incoming data to make sure that it meets the requirements we have, and any failure to meet those requirements (field length etc) should result in error/exception."

      This is a follow-up to that; basically web services need to consistently provide Moodle services. At the moment it is copying the validation routines and that is fine, but what is being left out is data length validation. There is an implicit data length being imposed via the GUI which web services are not validating for at all atm.

      Web services have to implement some sort of DB-parameters context mapping or something to that effect which is able to validate the data length. Also all web service calls must be verified to be validating calls according to their relevant GUI (HTML) input field lengths.

      Thinking about the GUI and its HTML-based limitation of input length, data can still be posted to Moodle bypassing those limitations. Perhaps it might be best to have a centralized way to validate all data lengths (and more? type etc). A data validation lib? This might be useful in managing changes to validations (web services/GUI/mobile app/other).

      truncate_userinfo() seems to be an attempt at this but really isn't useful at all with web services.

      (this dabbling may provide a hint towards a solution - but it's certainly not THE solution - https://github.com/nebgor/moodle/compare/mistress...MDL-25027_ws_validate_n_throw )

          Activity

          Petr Škoda added a comment -

          Hello,

          Historically we were validating only in forms because it was the only source of user-submitted data; other parts like CSV user upload did not verify data much because the input was considered to be trusted.

          If anybody starts working on this, please make sure it is compatible with the future forms library...

          Ciao

          Tim Hunt added a comment -

          Can we harmonise this with optional/required/clean param:

          Something like

          function validate_param($value, $type) {
              $clean = clean_param($value, $type);
              if ($clean === $value) {
                  return $clean;
              } else {
                  return null;
              }
          }
          

          We already have some param types that do validation, like PARAM_LOCALURL, PARAM_CAPABILITY, etc.

          Petr Škoda added a comment -

          The proposed validate_param() would not work because our cleaning changes the data type, which would break on your "===" comparison, sorry.
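
The type change described in the comment above, and the reject-instead-of-truncate length check asked for in the description, as an added example that is not part of the original thread and is not Moodle code. demo_clean_int() is a stand-in for the integer cast clean_param() performs for PARAM_INT; the other demo_* functions, the sample inputs and the 100-character limit are hypothetical.

```php
<?php
// Added example, not Moodle code. demo_clean_int() is a stand-in for the
// integer cast that clean_param() applies for PARAM_INT.
function demo_clean_int($value) {
    return (int)$value;
}

// The validate_param() pattern from the thread, using the stand-in cleaner.
function demo_validate_strict($value) {
    $clean = demo_clean_int($value);
    return ($clean === $value) ? $clean : null;
}

// Hypothetical alternative: compare string forms so that a type change alone
// is not treated as a failure, and throw instead of returning null.
function demo_validate_int($value) {
    if (!is_scalar($value)) {
        throw new InvalidArgumentException('Value is not scalar');
    }
    $clean = demo_clean_int($value);
    if ((string)$clean !== (string)$value) {
        throw new InvalidArgumentException('Value is not a clean integer');
    }
    return $clean;
}

// Hypothetical length check that rejects over-long data rather than
// truncating it. Counts characters, not bytes (needs the mbstring extension).
function demo_validate_length($value, $maxlength) {
    if (!is_string($value) || mb_strlen($value, 'UTF-8') > $maxlength) {
        throw new InvalidArgumentException("Value exceeds $maxlength characters");
    }
    return $value;
}

// Constructed inputs: request data arrives as strings, so the strict version
// compares an int against a string and rejects even a well-formed number.
var_dump(demo_validate_strict('42'));
var_dump(demo_validate_int('42'));

// Constructed bad inputs: trailing junk, leading space, over-long string.
$checks = array(
    function () { return demo_validate_int('42abc'); },
    function () { return demo_validate_int(' 42'); },
    function () { return demo_validate_length(str_repeat('a', 101), 100); },
);
foreach ($checks as $check) {
    try { $check(); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
```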

          Aparup Banerjee added a comment -

          Linking web services roadmap.

