What to check when the validator is not called in Symfony 3?

I cannot find a general checklist - what to check when it is not called. Can you write one?
For example, a code snippet where the validator is not being called:
    $fieldOptions['constraints'] = [
        new NotBlank($constraintOptions)
    ];
    $builder->add(
        $builder
            ->create($formField->getId(), EntityType::class, $fieldOptions)
            ->addModelTransformer(
                new EntityCollectionToArrayTransformer($this->registry, $fieldOptions['class'])
            )
    );

One of the things to check: validation groups. Try commenting out any validation groups, so it works with the default. When a form adds a collection of forms, those subforms' validator constraints also have to have the same group. https://symfony.com/doc/3.4/validation/groups.html
When validating just the User object, there is no difference between the Default group and the User group. But, there is a difference if User has embedded objects. For example, imagine User has an address property that contains some Address object and that you've added the Valid constraint to this property so that it's validated when you validate the User object.
If you validate User using the Default group, then any constraints on the Address class that are in the Default group will be used. But, if you validate User using the User validation group, then only constraints on the Address class with the User group will be validated.
In other words, the Default group and the class name group (e.g. User) are identical, except when the class is embedded in another object that's actually the one being validated.
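The group behaviour quoted above, as an added example that is not code from the original question or answer: a standalone script against the Symfony Validator component (3.4 API) in which the group passed to validate() decides which constraints on an embedded object run. The class, property and group names are hypothetical and the Composer autoload path is assumed.

```php
<?php
// Added example, not from the original post: standalone Symfony Validator usage showing
// how a validation group propagates from a parent object into an embedded one.
// Class, property and group names are hypothetical; the autoload path is assumed.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Component\Validator\Mapping\ClassMetadata;
use Symfony\Component\Validator\Validation;

class Address
{
    public $street = '';
    public $postalCode = '';

    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        // Default group: implicitly also in the "Address" class-name group, never in "User".
        $metadata->addPropertyConstraint('street', new Assert\NotBlank());
        // Explicit "User" group: only checked when the parent is validated in that group.
        $metadata->addPropertyConstraint('postalCode', new Assert\NotBlank(['groups' => ['User']]));
    }
}

class User
{
    public $name = '';
    public $address;

    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        // Default group on class User is equivalent to the "User" group for this class.
        $metadata->addPropertyConstraint('name', new Assert\NotBlank());
        // Valid cascades into $address with the same groups the parent was validated in.
        $metadata->addPropertyConstraint('address', new Assert\Valid());
    }
}

// Load constraints from the static loadValidatorMetadata() methods above.
$validator = Validation::createValidatorBuilder()
    ->addMethodMapping('loadValidatorMetadata')
    ->getValidator();

$user = new User();
$user->address = new Address();   // every field left blank on purpose

// Validate once in the Default group (null) and once in the explicit "User" group.
foreach ([null, ['User']] as $groups) {
    $violations = $validator->validate($user, null, $groups);
    printf("groups=%s: %d violation(s)\n", $groups ? implode(',', $groups) : 'Default', count($violations));
    foreach ($violations as $violation) {
        printf("  %s -> %s\n", $violation->getPropertyPath(), $violation->getMessage());
    }
}
```

In the Default run the validator reaches name and address.street but skips address.postalCode; in the "User" run it reaches name and address.postalCode but skips address.street, because the cascade carries the parent's group into Address and Address's Default constraints are not in that group. That is exactly the situation where a sub-form's NotBlank silently never runs: the parent form was given a group the sub-form's constraints do not carry.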


What is the security efficacy of 'fillable'?

I'm struggling to fully understand the security efficacy of fillable and wondering what to do with columns that can't have a default value and will never be provided by the user.
A mass assignment vulnerability occurs when a user passes an unexpected HTTP request field and that field changes a column in your database that you did not expect. For example, a malicious user might send an is_admin parameter through an HTTP request, which is then passed to your model's create method, allowing the user to escalate themselves to an administrator.
https://laravel.com/docs/8.x/eloquent#mass-assignment
The above snippet from the documentation contains a good example: is_admin. That value wouldn't be directly provided by the user but it still needs to be provided during create().
Another example might be slug. This would likely come from a user-provided title value. This can't have a default value and won't be provided by the user so it needs to be fillable.
As far as efficacy goes, doesn't it make sense for there to be a class of secured input that's identified as (1) not being provided by the user and (2) is fillable? It seems like a column loses its secure-by-default status if it's listed in fillable.
The fillable property prevents batch assignment. It disables the use of arrays. Thus, it is protected from external attacks.
Example:
You can protect the is_admin column:
    $fillable = ['name', 'password', 'email'];
Then, to be able to update or create the value, you must explicitly set the value in the model and save it, for example:
    $user->is_admin = 1;
    $user->save();
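The mechanism behind that answer, as an added example that is neither the poster's code nor Laravel's own: a minimal, framework-free model that reimplements the $fillable whitelist so the vulnerable mass assignment, the guarded create() and the explicit assignment of is_admin and slug can be compared in one file. The request array is constructed for the demo and the class is hypothetical.

```php
<?php
// Added example, not from the original post and not Laravel's code: a minimal model that
// reproduces the mechanism behind Eloquent's $fillable. The request array is constructed.

class User
{
    /** Columns a request array may set: the mass-assignment whitelist (the role of Eloquent's $fillable). */
    protected $fillable = ['name', 'email', 'password'];

    /** Row data. is_admin and slug are never in $fillable; only application code sets them. */
    public $attributes = ['name' => null, 'email' => null, 'password' => null, 'slug' => null, 'is_admin' => false];

    /** Vulnerable variant: every request key becomes a column, so a client-supplied is_admin is honoured. */
    public static function createUnguarded(array $input)
    {
        $user = new self();
        foreach ($input as $column => $value) {
            $user->attributes[$column] = $value;
        }
        return $user;
    }

    /** Guarded variant: keys outside $fillable are silently dropped, which is what Eloquent's create() does. */
    public static function create(array $input)
    {
        $user = new self();
        foreach ($input as $column => $value) {
            if (in_array($column, $user->fillable, true)) {
                $user->attributes[$column] = $value;
            }
        }
        return $user;
    }

    /** Explicit property assignment bypasses the whitelist on purpose: code, not the request, chose the value. */
    public function __set($column, $value) { $this->attributes[$column] = $value; }
    public function __get($column) { return $this->attributes[$column]; }
}

/** Derive a slug from the user-supplied title; the slug column itself never needs to be fillable. */
function slugFromTitle($title)
{
    return trim(strtolower(preg_replace('/[^A-Za-z0-9]+/', '-', $title)), '-');
}

// Constructed request: a normal signup plus a smuggled is_admin field.
$request = [
    'name'     => 'Alice',
    'email'    => 'alice@example.com',
    'password' => 'hunter2',
    'title'    => 'Hello World!',
    'is_admin' => 1,
];

$unguarded = User::createUnguarded($request);
var_dump($unguarded->is_admin);   // the client-supplied value reached the row

$guarded = User::create($request);
var_dump($guarded->is_admin);     // the smuggled field was discarded, the default is kept

// Columns the request must never control are set explicitly by the application:
$guarded->slug = slugFromTitle($request['title']);
$guarded->is_admin = true;        // promotion only happens when application code decides it
var_dump($guarded->attributes);
```

The whitelist therefore only governs the one code path that takes an untrusted array; property assignment is unaffected, which is why is_admin and slug stay out of $fillable without losing the ability to set them.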

Accessing Cognito Custom Attributes in a post-confirmation lambda function

I have a post-confirmation lambda function that writes user attribute information to a DynamoDB table. I've managed to get access to standard user attribute fields in the "event" parameter by doing stuff like
    event.request.userAttributes.sub
but trying to run
    event.request.userAttributes.role // where role is the name of my custom attribute
doesn't seem to work. Anyone know what the proper syntax for this is? And do I need to set any special read permissions for custom attributes? I created this custom attribute a long time after I originally made this user pool, if that changes things.
All custom attributes are prefixed with the custom: prefix (Documentation - Custom Attributes).
Therefore (I'll assume you're using JavaScript here - if not, feel free to specify and I can change this example), you'd need to use:
    event.request.userAttributes['custom:role']
You don't need to set any special read permissions - all the user attributes are returned in the PostConfirmation lambda.

Vuelidate with data nesting and validation groups

I'm using Vue.js in my project. I have a form made with Vue Form Wizard and with Vuelidate to validate the fields. At a certain point of the form, the user will be able to add multiple addresses, so I created an array named 'addresses' in the data of my component.
    addresses: [
        {
            street: ''
            // there will be more items here in the future
        }
    ]
Now, in order to validate the fields, I created a validation group where I'm gonna add this field, but the point is, I don't know how to 'link' the field (that is inside my array) into the validation group.
In the Vuelidate documentation, there is a section Data Nesting, but I didn't find how to use it with validation groups.
FIDDLE
It's an old question but if I understand it correctly then I guess you can just create a custom validator on the addresses array, and in the validator validate single address objects.
    validations: {
        addresses: {
            customValidator: customValidatorFunction
        }
    },
Then the customValidatorFunction is gonna get the whole array of addresses, and you can use it to validate all/any object you want in your custom way.

Using Additional Parameter in Unique Check for Angular Directive

So, I'm looking to create my first Angular directive for a validation check. Essentially I want to ensure a user name is unique. This answer is perfect for my first pass, and works as expected for creating a new user.
I'd like this also to work for users who want to change their user name. On the server side, I would write code to check that the user name doesn't exist in the database for any user other than the current user. In other words, if a user is modifying their profile, and the form has a group of fields that include user name, I don't want the form to be invalid if the username already exists, since the reason it exists is that the current user already has it.
So what I would like to do is pass the userId (an integer PK) as a parameter in the AJAX call in addition to the user name. The userId exists on the $scope, but I don't know how to modify the directive to allow me to pass additional information.
I would imagine the markup would look something like the following?
    <input type="email" ng-model="userEmail"
           name="userEmail" required unique-email="userId"/>
Since the uniqueEmail directive does not create a new scope, you can pass the name of the property as shown (unique-email="userId") and then use $eval in your link function:
    var userId = scope.$eval(attrs.uniqueEmail);
Note that I'm assuming the link function parameter is named attrs (not attr).

How can I validate only some validation groups based on some fields in the form itself in Symfony2?

I have a big form organized in some validation groups. For every group in the form there is a corresponding checkbox which tells the server to save the group's data.
When the user posts the form, I need to validate only the validation groups that correspond to the checked checkboxes, because some of their "sub" fields are required, but only if you activate the group. Otherwise the validator must ignore the required fields.
Currently I do that in my controller. I skip Symfony's normal validation cycle and manually validate every field, checking for the group activation checkbox.
How can I move this validation logic inside the Form class or in a specific Constraint class used by the entity?
EDIT:
As said below, it is possible in Symfony 2.1; for now I solved it like this:
    $request = $this->get('request');
    // myEntity knows the business logic to choose validation groups
    $myEntity->collectValidationGroups($request);
    $form = $this->createForm(new MyEntityType(), $myEntity);
If you are using Symfony 2.1 then you can set the validation groups based on submitted data. Check this section.
There is another possibility than the one offered by 2.1.
You can set the validation_groups attribute on the form using $builder->getData():
    // inside buildForm method of a form type:
    $builder->setAttribute('validation_groups', $builder->getData()->getValidationGroups());
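The Symfony 2.1+ approach the first answer points to, as an added example that is not code from the original question or answers: a form type whose validation_groups option is a callback that reads the submitted data, so the group-activation checkbox decides which groups the validator runs and the controller no longer needs a hand-written validation loop. It is written against the Symfony 2.8/3.x form API (::class type names, configureOptions()); on 2.1-2.7 the same default goes into setDefaultOptions() with string type names. The entity, field and group names are hypothetical, and annotation mapping is assumed to be enabled.

```php
<?php
// Added example, not from the original post: a form type choosing its validation groups from
// the bound data. Entity, field and group names are hypothetical; annotation mapping is assumed.

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints as Assert;

// The entity: only the fields in the "shipping" group are conditional.
class Order
{
    /** @Assert\NotBlank() */
    private $customerName;

    /** The checkbox that switches the "shipping" group on. */
    private $shippingEnabled = false;

    /** @Assert\NotBlank(groups={"shipping"}) */
    private $shippingAddress;

    public function getCustomerName() { return $this->customerName; }
    public function setCustomerName($value) { $this->customerName = $value; }
    public function isShippingEnabled() { return $this->shippingEnabled; }
    public function setShippingEnabled($value) { $this->shippingEnabled = (bool) $value; }
    public function getShippingAddress() { return $this->shippingAddress; }
    public function setShippingAddress($value) { $this->shippingAddress = $value; }
}

class OrderType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder
            ->add('customerName', TextType::class)
            ->add('shippingEnabled', CheckboxType::class, ['required' => false])
            // HTML "required" is off; the NotBlank(groups={"shipping"}) on the entity decides.
            ->add('shippingAddress', TextType::class, ['required' => false]);
    }

    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults([
            'data_class' => Order::class,
            // Evaluated after handleRequest()/submit(): the bound Order decides which groups run.
            'validation_groups' => function (FormInterface $form) {
                /** @var Order $order */
                $order = $form->getData();

                return $order->isShippingEnabled() ? ['Default', 'shipping'] : ['Default'];
            },
        ]);
    }
}
```

With the checkbox unticked only the Default group runs and an empty shippingAddress is accepted; with it ticked the "shipping" group is added and the same field becomes mandatory. Keeping 'Default' in both lists matters: returning only ['shipping'] would silently skip every ungrouped constraint on the entity.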
