Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-64929

Form submission breaks when using POST

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.1 regressions, 3.1.17
    • Fix Version/s: None
    • Component/s: Forms Library
    • Labels:
      None
    • Affected Branches:
      MOODLE_31_STABLE

      Description

      I am creating a sub class of Moodleform for a custom, multipage form. It should be using POST for submission, which appears to be happening. However, is_submitted and get_data() (which calls is_submitted()) return null because MoodleForm::_process_submission() always calls MoodleQuickForm::updateSubmission($submission, $files) with empty arrays. I created a forum post here for what I am trying to do to see if I have the wrong logic. https://moodle.org/mod/forum/discuss.php?d=382892#p1543291 

      I am not sure if I am doing something wrong here, but I think there is a problem with MoodleForm:_process_submission(). After checking which method is being used for submission (ajax, post or get), some kind of security 'trick' (as described in comments) is performed, which the comments suggest should only be performed for a get submission. However, currently this check is always performed and when using post as my form does, $submission and $files are set to empty arrays I assume for security reasons. The result is that updateSubmission() never sets _flagSubmitted to true because it isn't getting any input. 

      I subclassed MoodleForm to override MoodleForm:process_submission() to put the sesskey 'trick' nested inside the preceding conditional in the branch that is supposed to handle $method == _GET. This appears to fix the problem, however I am not sure this is an appropriate solution. Dan Marsden advised me that _process_submission() should be private and that this is probably not a bug, so I created the forum post to see if I am doing something terribly wrong. I am a novice developer however this really seems like a bug, so I'm posted here just in case. I should have posted in the forums first and for that I apologize. 

      My implementation of the problem function is here with the original at the bottom:

      function _process_submission($method) {
      var_dump("original process submission");
      $submission = array();
      if (!empty($this->_ajaxformdata))

      { $submission = $this->_ajaxformdata; }

      else if ($method == 'post')

      { if (!empty($_POST))
      { $submission = $_POST; }

      } else {
      $submission = $_GET;
      merge_query_params($submission, $_POST); // Emulate handling of parameters in xxxx_param().

      // following trick is needed to enable proper sesskey checks when using GET forms
      // the qf_.$this->_formname serves as a marker that form was actually submitted
      if (array_key_exists('qf_'.$this->_formname, $submission) and $submission['_qf__'.$this->_formname] == 1)

      { if (!confirm_sesskey())
      { print_error('invalidsesskey'); }

      $files = $_FILES;
      } else { $submission = array(); $files = array(); }
      }

      $this->detectMissingSetType();

      $this->_form->updateSubmission($submission, $files);
      }

      The original:

      function _process_submission($method)

      { var_dump("original process submission"); $submission = array(); if (!empty($this->_ajaxformdata))
      { $submission = $this->_ajaxformdata; }

      else if ($method == 'post') {
      if (!empty($_POST))

      { $submission = $_POST; }

      } else {
      $submission = $_GET;
      merge_query_params($submission, $_POST); // Emulate handling of parameters in xxxx_param().

      // following trick is needed to enable proper sesskey checks when using GET forms
      // the qf_.$this->_formname serves as a marker that form was actually submitted
      if (array_key_exists('qf_'.$this->_formname, $submission) and $submission['_qf__'.$this->_formname] == 1) {
      if (!confirm_sesskey())

      { print_error('invalidsesskey'); }

      $files = $_FILES;
      } else

      { $submission = array(); $files = array(); }

      }

      $this->detectMissingSetType();

      $this->_form->updateSubmission($submission, $files);
      }

      And this is the original:

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Apollonaut Anthony De Vellis
              Participants:
              Component watchers:
              Jake Dallimore, Jun Pataleta, Ryan Wyllie
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: